What authenticator apps are you folks using on your Mac and/or iPhone?

I’ve been using Step Two on my Mac along with Authy. But, I just deleted the 2FA from the few websites that I used Authy for and deleted Authy. I noticed a couple of new accounts in Authy today that I never set up. In a web search, I found out that there was a recent breach with Twilio, who owns Authy.

I also had Authy on my iPhone. I deleted that and downloaded Google Authenticator to re-set up 2 important accounts. I deleted the other accounts.

  • It’s been a year and a half since authenticators were discussed in this forum.

Until Passkeys are widely adopted, I will keep using Google Authenticator as my main authenticator. My main reasons are:

  • There is very little chance of the developer going bankrupt or abruptly shutting down.
  • Widespread adoption means a broad range and high number of media outlets will cover any bugs, breaches, or exploits.
  • Google (some time ago) finally made it easy to transfer existing data to a new computer, phone, or tablet.
  • Cloud storage is not required.
  • There’s an option to require Face ID when opening Google Authenticator.

But having said all that, I am looking forward to Passkeys and will gladly stop using authenticator and SMS based 2FA whenever it’s possible.

I’m using Google Authenticator. But I do not have it configured to share keys with my Google cloud storage. I manually sync keys between my devices using its ability to export keys to a QR code and read that code from another device.

As an app, it works well and implements the TOTP algorithm without any proprietary changes (as far as I can tell).

My university usually requires Okta, but since you can only have Okta live on a single device, it will accept Google Authenticator on the 2nd device.

There was an Authy breach a little more than a year ago, but it appeared that only around 250 individual users (out of 75 million users) were impacted to varying degrees, suggesting it was a highly targeted attack. That’s definitely bad news, but I am not sure there are many enterprise tools that can successfully withstand a highly targeted attack against a small number of specific users by a sophisticated, determined attacker, like a government.

I still keep Authy up to date, but I’ve transitioned nearly all my 2FA accounts to 1Password, which enters the code automatically for me. So, so much easier than fussing with a separate app and copy-and-paste or retyping.

On the iPhone I’m using Google’s Authenticator because on campus we’re a Google shop and that’s how I started with 2FA.

However, on my Macs I use Authenticator App (MAS link) instead because it’s very bare bones (at least the free tier is), MAS says no data linked to me, and it can live hidden in my menu bar where just clicking on its entries will simply copy the code to my clipboard, which makes using 2FA such a breeze. I do not rely on any cloud syncing for these as work stipulates we can only do that using Google, and I try to keep a healthy distance from Google and their cloud stuff when I can.

I haven’t tried that…is there some import ability from Authy or Google Authenticator…or just set up per the docs again?
TTFN:

neil

I’m using 1Password (7). It’s on all my Apple devices and always available. It would also be on Windows devices if I owned any at the moment (I’ve needed one or two for work in the past and 1PW was on them).

Authy. But my university requires the MS Authenticator app. That too.

Can’t wait for this phase to be over.

It’s going to be a long wait. FWIW, Amazon now supports passkeys, and I have one, but it didn’t remove passwords as an option - it asks each time you log in which you want to use - and it still uses the 2FA, even if you log in with the passkey.

Alas, there’s no import, so yes, I just have to set it up again for each account. A few accounts have allowed multiple setups.

Perhaps I’m misunderstanding that, but the account has no say in the matter. It just generates a key (a random number generator seed), which you enter in your authenticator app (usually by scanning a QR code). The account has no way of knowing whether you enter the key in multiple places or not.

Sorry, I wasn’t clear. A few (at least one, I think, though I can’t remember the details) accounts let you add another 2FA setup to the account, allowing you to enroll a second app without disabling the first one. But that’s unusual—most force you to reset the 2FA setup to switch from one authentication app to another.

I’ve always added the 2FA codes to both Authy and 1Password, just in case.

Yes, although even worse, the password option is the default, and choosing to use a passkey requires pointing and clicking a “Sign in with a passkey” button, then doing the same again when a “Sign in with a passkey” window with its own “Sign in” button pops up.

I haven’t had 1Password do that!?!?! Better check my settings. And, I thought that I was up-to date on this!!! :face_with_diagonal_mouth:

Apps and web sites that use TOTP generally provide no mechanism to export the key associated with your account. This is deliberate. So yes, if you tell it to register a new device, it will generate a new key (likely deleting the old one).

But that having been said, the QR codes used for installing these keys are simple URL links using a standard schema. Most authenticator apps can read these QR codes to import the corresponding keys. And if you use an app that lets you export your keys as a QR code (e.g. Google Authenticator), then any other app can import from that QR code.

So if your current app will let you export keys, you should have no problem importing them to another app. Which is how I can access my 2FA codes on all my mobile devices (Android phone, iPhone, iPod Touch).

Looks like Google Authenticator might have the ability to export accounts since that was how they got around the problem of not being able to bring along 2FA accounts when you got a new iPhone. But do any other apps provide that feature? Authy and 1Password don’t seem to, from what I can tell.

The iOS/iPadOS/macOS app OTP Auth does allow this, by showing a QR code (or Base32 “secret”) that you can scan from another device (or enter with the secret).

Well, this is worrying. I have 4 authenticators on my phone and 2 of these on my desktop. They are Authy, Google, Microsoft, and one required by a financial company. I could switch all the 7 accounts in Authy to one of the other apps, but it is neither obvious nor simple to do. As far as I can tell, neither Google nor Microsoft provides a version for macOS. It can be argued that this adds an extra layer of protection, as two devices are then required for logon from a desktop.

So I have two questions. (1) How serious is the Authy breach? I’ve seen various reports and it appears fewer than 300 users were affected but that is still 300 too many. (2) Should I switch to another app?