Using an authenticator app
How authenticator apps work, which one to choose, and how to set one up on your phone for two-factor authentication.
An authenticator app is a small app on your phone that generates a fresh 6-digit code every 30 seconds. You enter this code when you log into an account as your second factor. No internet connection needed — the codes are generated entirely on your device.
Quick summary
An authenticator app generates time-sensitive login codes on your phone. It is more secure than receiving codes by text message. Choose Authy if you want easy backup and recovery, or 1Password if you already use that as your password manager. Setup takes about two minutes per account.
How authenticator apps work
The app and the service you're logging into share a secret key when you first set up 2FA. Both sides use this key plus the current time to calculate the same code — which changes every 30 seconds. No codes are sent to your phone; it generates them locally.
This is why authenticator codes are more secure than SMS:
- SMS codes are sent over phone networks, which can be intercepted
- Authenticator codes exist only on your physical device
- Even if someone intercepts the code, it expires in 30 seconds
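To make the shared-key-plus-time calculation described above concrete, here is an added example (not part of the original guide) of the standard TOTP algorithm (RFC 6238) that authenticator apps implement, together with the check a service runs when you submit a code. The function names and the `last_used_counter` bookkeeping are hypothetical, and the secret is the published RFC test key, not a real account secret.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code stays valid
DIGITS = 6   # length of the code shown in the app

# RFC 6238 test key ("12345678901234567890") in the base32 form a setup
# QR code carries. Test value only, never use it for a real account.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

def totp(secret_b32, now=None):
    """Return the code the app shows at Unix time `now`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int((time.time() if now is None else now) // STEP)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32, submitted, last_used_counter, now=None, drift=1):
    """Service-side check (hypothetical helper).

    Accepts codes from +/- `drift` time steps to tolerate clock skew and
    returns the matched step counter, or None. A counter at or below
    `last_used_counter` is refused, so a code that was already accepted
    cannot be replayed while it is still inside its time window.
    """
    current = int((time.time() if now is None else now) // STEP)
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_used_counter:
            continue  # this time step was already used for a login
        expected = totp(secret_b32, counter * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None

if __name__ == "__main__":
    print("code right now:", totp(SECRET))
```

The service must store the returned counter per account and pass it back as `last_used_counter` on the next login; without that, an observed code could be reused until its window closes.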
Choosing an authenticator app
| App | Best for | Backup/recovery | Cost |
|---|---|---|---|
| Authy | Most people — best recovery options | Cloud backup, multi-device | Free |
| Google Authenticator | Simplicity; comes with Google integration | Manual export to new device | Free |
| Microsoft Authenticator | Microsoft 365 users | Cloud backup | Free |
| 1Password | 1Password subscribers | In your vault | Subscription |
| Apple Passwords | Apple-only users (iOS 18+) | iCloud backup | Free |
Our recommendation: Authy for most people. It backs up your accounts to the cloud (encrypted with a password you set), so if you lose your phone, you can restore all your accounts on a new device. This removes a significant point of failure.
Setting up Authy
1. Download Authy from the App Store (iOS) or Google Play (Android).
2. Enter your phone number and verify it. Authy links your accounts to your phone number for recovery purposes.
3. Set a backup password when prompted. This encrypts your cloud backup. Store it in your password manager or somewhere very safe — Authy cannot recover your accounts without it.
4. Add your first account. In the account you want to protect, go to security settings and find the 2FA option. When you see the QR code, switch to Authy and tap Add Account.
5. Scan the QR code by pointing your phone's camera at the screen.
6. Name the account in Authy (e.g., "My Business Gmail").
7. Enter the 6-digit code shown in Authy back into the website to confirm it's working.
Using your authenticator code when logging in
Once 2FA is set up, here is what happens every time you log in on a new device:
1. Enter your username and password as normal.
2. The site asks for your 2FA code.
3. Open your authenticator app. Find the account in the list.
4. Type the 6-digit code shown. You have about 30 seconds before it changes — but if it changes while you're typing, just use the new one.
Never share your code
Legitimate companies will never call or message you asking for your 2FA code. If someone asks for your code, it is a scam. Hang up or stop replying.
What to do when you get a new phone
Plan for this before it happens:
If you use Authy:
- Install Authy on your new phone.
- Log in with your phone number.
- Approve access from your old device (if you still have it), or use account recovery.
- All your accounts will be restored automatically.
If you use Google Authenticator:
- In the app on your old phone, go to Transfer Accounts → Export Accounts.
- Scan the QR code with your new phone's Google Authenticator app.
If you already lost your old phone without doing this: Use the backup codes you saved when setting up 2FA for each account, or go through each service's account recovery process.
What to do if you lose your phone
- Use backup codes to regain access to critical accounts.
- If you don't have backup codes, use each service's account recovery process (this takes time — sometimes days).
- Once you have access, change your passwords and set up 2FA again on your new device.
This is why saving backup codes is so important. Do it when you set up each account.