Two-factor authentication is one of the most important things you can do to protect yourself against getting your accounts hacked, and you should enable it now if you haven't already. Instead of using a text message, though, Authy is our favorite two-factor app on the block.
When you first enable two-factor authentication on a site like Gmail, LastPass, or Facebook, they will set you up using SMS as your second factor. So the next time you log into Facebook, you'll receive a 6-digit code as a text message whenever you try to log in. However, there are other ways to set up two-factor authentication—most notably, with an app that generates the codes for you.
You may have heard of these apps before, and a lot of the sites you use probably support them. They're handy because you don't have to rely on an incoming SMS message to log in—just open the app, and your codes are there waiting for you. In a lot of cases, they'll even work if you don't have an internet connection. Some of these apps do even more—like automatically log you in if your phone is near your computer. Our favorite, though, is Authy—here's why.
Supports a ton of apps, including all those supported by Google Authenticator: Gmail, LastPass, Evernote, Dropbox, Facebook, and tons more
Install Authy on multiple devices including your phone, tablet, and PC, and sync your tokens between them
Backup your accounts to the cloud (optional, turned off by default)
Get tokens offline or when you don't have good service
Lock Authy behind a PIN or Touch ID, so that even if your phone is stolen, your tokens aren't left out in the open
Use it in conjunction with the Mac app, which automatically bypasses Authy if your phone is in Bluetooth range
Where It Excels
When it comes to two-factor authentication apps, most are quite similar and support the same Google Authenticator-enabled services. Two main things set Authy apart: its ability to PIN or Touch ID-lock the app (which alone makes it our favorite) and its ability to sync to the cloud and between devices. That means if you don't have your phone nearby, your tablet or computer work just as well. And, before you think installing Authy on a computer is insecure, keep in mind it's really no different than installing Authy on your phone—the goal is to keep your devices out of theives' hands, so that even if they get your passwords, they can't log into your account. It doesn't matter whether that device is a PC or a phone (and in fact, a phone is easier to steal).
Where It Falls Short
Some people may not want to sync their accounts to Authy's servers, since it puts it in the hands of someone else. Authy encrypts everything locally on your phone so they never see it, but some people may prefer not to sync their accounts to Authy's servers. This is hardly a con of the app, though, since this feature comes turned off, and it's completely optional. Even if you don't sync your tokens to the cloud, having the PIN lock and the ability to install Authy on your computer is totally worth picking it over other apps.
Some users have also had some quirkiness with Authy's syncing and it's Bluetooth feature on the Mac, but I haven't experienced these myself. We're also not a huge fan of Authy's most recent grid-based iOS design, but that's a fairly small quibble.
The most obvious competition to Authy is Google Authenticator, the app that started it all. Google Authenticator works great, it's free, it's from a company you know, and it's easy to set up. It is, however, the most basic of the options out there, so you won't get any extra features here—just basic two-factor tokens for tons of accounts.
FreeOTP is similar to Google Authenticator, though with a slightly nicer UI and an open source codebase. If you prefer open source when it comes to security, FreeOTP will do the trick.
Toopher supports every site that Google Authenticator does, but with a few extra features for its partner sites, including LastPass, WordPress, MailChimp, and a few others. When you log in to a Toopher partner—say, LastPass—your phone will get a push notification with details on the account, browser, and computer requesting the login, and you can choose to allow it or deny it—no 6-digit code necessary. You can also choose to bypass two-factor authentication when you're in a trusted location, like home. Toopher says this shouldn't drain battery very much, since location services are only called upon when you get a push notification.
Lastly, you have the option of skipping apps entirely and just using SMS. SMS works fine, but it doesn't work when your phone's offline or doesn't have good service—a problem I've encountered more than a few times. This is also particularly useful when you're traveling. However, SMS will work as long as you have your number—whereas any of the above apps will stop working if you lose your phone or it gets its data wiped.
Lifehacker's App Directory is a new and growing directory of recommendations for the best applications and tools in a number of given categories.