We are fans of authenticator apps at Computing: these take over from SMS text messages the job of sending you a one-time code to confirm that it’s you logging in to an account by generating the code securely on your phone.
Why is that safer than an SMS text message?
SMSs are vulnerable to a couple of types of attack. The most likely is that someone convinces your mobile provider to send them a SIM card for your number, which would mean they could get all your codes and get into your accounts. Less likely, but still possible, is what’s called a ‘man-in-the-middle’ attack that intercepts your SMS messages. An authenticator app doesn’t rely on your SIM card or the mobile networks.
How does an authenticator app work?
Authenticator apps generate a one-time code that you use to confirm that it's you logging in to a website or service; they provide the second part of what's called two-factor authentication (2FA). You can read more about 2FA and why it's a good thing here.
When you set up an authenticator app with a website, that site generates a secret key - a random collection of numbers and symbols - which you then save to the app. The site usually shows you that key in the form of a QR code. When you scan that with the app, the key is then saved to your phone.
A website generates a key which it shows you as a QR code. You scan the code and it saves to the app on your phone
Then when you log in again to that website, it asks you to check your app for a code which it displays for a short time, usually 30 seconds. The app generates that code by combining the key the website gave you when you first set it up with the current time. If the key in the access code matches the one the website holds for you, it knows the right person is trying to sign in.
The authenticator app generates a code that you then type in to confirm that it's you signing in
Sounds great. How do I get started?
There are lots of authenticator apps to choose from in the Google and Apple app stores. Google and Microsoft both have their own apps, as does security company Sophos; game company Blizzard; Okta, a provider of enterprise authentication technologies; password manager LastPass - there are many to choose from. We like Authy for reasons we'll discuss shortly. They all do more or less the same thing, and we'd recommend choosing one from a big, familiar name.
How do I set up an authenticator app?
Download the app of your choice to your iOS or Android device and install it on to your phone. Then go to any of your online accounts that supports 2FA and look in the settings for where to add 2FA, then choose the option to use an authenticator app.
You can see which websites and services support 2FA on this website.
Once you're in the section of your account where you can add a 2FA method, choose the option for an authenticator app (sometimes it specifies a particular vendor's app but you might find it will work anyway with another one).
Then in your authenticator app, tap on Add Account (our screengrabs are from Authy, but most apps are broadly the same).
The website will show you a QR code: this is a machine-readable representation of the key it wants to share with you. On your app, tap Scan QR Code. This will open your camera (you might have to grant the app permission), and when you point it at the QR code, the app will scan that and add that website to your app. You might then have to confirm it with the website by typing in the code the app then generates.
The app will give the account a name and an icon - usually the email address you've associated with the account, but you can change that to something more memorable.
Want some more help with setting up an authenticator app? Our friendly tech team can help you with one-to-one support on a range of tech issues. Find out more here.
Can I move my codes to another device?
It depends on the app. You can with Google Authenticator. To move your codes to another device, go to your Google 2FA page, sign in, scroll down to Authenticator app, and then click CHANGE PHONE.
Choose your phone (Android or iPhone), open up Google Authenticator on your new phone and use the app to scan the QR code, and then enter the code it gives you to confirm.
Multiple devices with Authy
With Authy, you can get codes on multiple devices - phones, tablets, laptops and desktops - which means if you lose your phone, you can wipe that and still be able to get your codes.
To add more devices to your Authy, open the app and go to Settings (on Android, tap the three vertical dots in the top right-hand corner; on iOS, tap the cogwheel in the top right-hand corner) and then go to Devices and toggle on Allow Multi-device.
When you set up Authy for the first time, it asks you for your phone number and sends an SMS to verify that you own the device.
Now when you want to install Authy on another device, the app will ask you to input your phone number - make sure it's the same number that you first set it up with. The app will then offer you a choice of an SMS, a phone call or approving a prompt on your other device to verify that it’s you. Once you’ve done that, your accounts will be visible on your new phone.
When you install Authy on another device, you'll have to confirm that it's you
Unlocking your Authy codes on a new device
When you set up Authy for the first time, you'll be asked to create a backup password. To unlock the codes on your new phone, you'll have to input that password when you first try to access codes on the new device.
You can see which devices you've installed Authy on under Settings > Devices. You can rename them to something more memorable by long-pressing (Android) or tapping the device name and then tapping Edit (iPhone).
Can I use Authy on my laptop?
Yes, you can. There’s a browser extension for Chrome (though not for other browsers such as Firefox at the moment). Install that, and then follow the prompts to add the Chrome web app to your browser. You’ll need to set a master password (which shouldn’t be the same as your backup password), and then you’ll need use your backup password to unlock your accounts as you did on your new phone.