Updated 04 December 2017.
Copyright: European Union Public License, version 1.2 (EUPL-1.2).
We’ve tested 7 two-factor authentication apps. We need something that can be used across the organization.
Disclaimer: we are not affiliated with any of these companies; this article is 100% our own findings, and there is no affiliate marketing in place through the links provided below for your convenience. Apps are listed in alphabetical order.
How we write our reviews: To ensure an unbiased and thorough review all apps are tested:
• In real use, i.e. we use them on real projects.
• By different team members located in different countries.
• With different devices and operating systems.
• For a minimum of two weeks, four on average.
• The article is peer reviewed by other team members, then sent to the app’s publisher for final review.
Two-factor authentication is an advanced form of authentication on devices or systems. It involves two or more levels of authentication instead of just a login and password, which is easy for hackers or state-sponsored criminals to breach, for example through brute-force attacks. Most people think of two-factor authentication as the system sending one-time passwords in text messages. Unfortunately, although it is the most prominent method of 2FA for web services, it is highly insecure. There are more and better ways to achieve 2FA. 2FA is like a door with two padlocks: one of them is the traditional login-password combination, and the second could be anything else. If two padlocks are not enough, you could add as many as you like, but each one makes opening the door take longer, so it’s good to start with at least two.
Our specifications sheet:
- It should cover as many platforms as possible, for example Windows, iOS, Android, clouds and social media platforms (Facebook, Twitter, etc.).
- It should offer multiple 2FA options, but also email authentication apps and hardware keys.
- If possible, it should work offline too.
- Possibility to disable the SMS, voice message or fingerprint options, which are not very secure: they can be intercepted or brute forced by hackers and state-sponsored criminals.
Authy is a free app that can be used to capture 2FA tokens from popular web services. It’s also a client for the Twilio 2FA API (which companies like CloudFlare, Twitch and SendGrid use to simplify their 2FA implementations).
- Authy can be installed on common platforms such as iOS and Android; there is also a desktop client for Windows and Mac OS, with Linux coming soon.
- Authy also supports capturing 2FA tokens from popular services such as Facebook, Google and Twitter. It publishes guides on how to do this at authy.com/guides.
- The Authy app also works in tandem with the Twilio 2FA API that delivers 2FA codes and push based authentication to the Authy app.
- It supports multi-device authentication, where 2FA codes and push notifications can be used from multiple devices.
- If a device is lost, stolen, or retired, you can deauthorize it from any authorized device, just as quickly as you can reauthorize replacement devices, either via SMS/voice or, more securely, from existing apps.
- It offers a backup for tokens in case the authorized device is lost, so there is no risk of losing access to your application.
- Multiple authentication forms ( ).
- Possibility to disable SMS and voice call authentication.
- Offline authentication.
- Easy installation.
- The app is FREE to use with other services like Twitter and Snapchat. But if you want to implement a full 2FA solution into your own application, it comes at a cost. The price is affordable: the first 100 authentications per month are free, then you pay as you go at 0.045 USD per authentication. For 300 authentications per month you will need to pay 13.5 USD.
- It offers offline authentication.
- AuthLite can also use any OATH token, including smartphone soft-token apps such as Google Authenticator, so the cost can be lower than using a YubiKey. Also, for larger volumes of users, the price is much lower than $48 per user.
- AuthLite can enforce 2FA on any authentication that points to Active Directory, including things that use ADFS for federation into AD.
- It is a light solution offering a limited set of authentication types: Windows authentication, RDP authentication and VPN.
- To use two-factor authentication you have to use a YubiKey USB stick, which is not so practical considering that it can be lost, and with it you can lose access to your devices.
- The price is not so cheap compared to what it offers: 48 USD per user (lifetime) and 30 USD for a Yubico key token, 70 USD in total.
- Supports a vast number of applications, like Windows, VPN, SSH and cloud.
- It has a good centralized console (user management, device management).
- If a device is lost, stolen, or retired, you can deauthorize it from any authorized device just as quickly.
- Multiple authentication forms.
- Option to disable SMS or voice call authentications.
- Doesn’t support mobile OSes (Android, iOS) for 2FA.
- The price of the package needed in high-risk countries is 6 USD per user per month, which is a huge amount.
- After a conversation with their support team, they state that “offline authentication” doesn’t work well, as the devices need to be connected to the internet.
- 2-Step Verification using SMS text message or Voice call.
- Able to generate codes on your mobile device.
- You can use the Google Authenticator app to receive codes even if you don’t have an Internet connection or mobile service (offline authentication).
- Price is free.
- It is used to sign into Google accounts, Facebook, Tumblr, Dropbox, vk.com and WordPress. For Windows login you have to find a third-party application that integrates with Google Authenticator.
- Only one device can be used per account.
- It does not have backup recovery in case the mobile is lost or taken by the police.
- Price is affordable.
- It has centralized reporting for users, 48 USD/year.
- It is a centralized IT solution, where the business should have IT staff and an Active Directory to integrate with in one click. In our case this is a con, because we don’t have a centralized setup and agents are spread all over the world.
- It doesn’t state if offline authentication is available.
- It seems that support is only for desktop OSes (Windows and Mac OS) and apps.
- It covers a vast number of platforms, more than the others below, which means that you should have a smartphone to work with this solution: iPhone, Android, Apple Watch, Android Wear, Blackberry, Windows Phone, Java ME, iPad, iPad Mini, Android Tablet, Windows Tablet, Mac OSX, Windows OS, Mac Mini, Wearables, Google Glass, Kindle.
- It supports many platforms and applications for 2FA.
- It supports multiple device authentications.
- If a device is lost, stolen, or retired, you can deauthorize it from any authorized device just as quickly.
- It offers a backup for tokens in case the authorized device is lost, so there is no risk of losing access to your application.
- Multiple Authentication forms (interesting feature: Touch ID).
- Options to disable SMS, voice call and fingerprint ID authentication.
- Offline authentication.
- The price is cheaper than the other solutions. It has a free package, but it is limited and does not include all the features. For a high-security profile where agents are spread around the globe, the suitable packages cost around 20 USD/year and 40 USD/year.
- Easy installation.
- It covers nearly all platforms, like Windows desktops (Linux coming soon), iOS, Android, some cloud storage and web platforms (Facebook, Twitter, etc.).
- It supports multiple-device login.
- Offline authentication.
- Price is affordable, around 50 USD per USB token (YubiKey).
- Easy to install.
- Just one type of authentication, via USB (YubiKey).
- If the USB token (YubiKey) is lost, stolen or taken by the government, there is a big chance you lose access to your application or devices like your computer or mobile.
- There is no way to back up tokens.
Two-factor authentication makes attacks much less threatening, since obtaining a password is no longer enough to access your information, and it is pretty unlikely that the attacker (it could be state criminals) would also have the physical device associated with the user account. More layers of authentication make a system more secure.
All the above apps would do a great job in providing that extra layer of protection. All of them support mobile tokens and have different levels of flexible authentication methods, and for some we did extra analysis. They differ, however, in pricing, packaging offers, the ability to be installed on multiple devices, offline authentication, support for multiple apps, user-friendliness and the option to disable SMS. Taking all these facts into consideration, the solution that fulfills our needs is SAASPASS, with Authy as a second choice.