Happy New Years! I’m starting this year with a showdown between Yubico Authenticator, Google Authenticator, and Twilio Authy. This video is in partnership with Yubico as a part of my ongoing MFA series! Purchase a Yubikey for ultimate security of your online accounts!

I’m often asked which of these 3 apps is best and why? Each one has pros and cons, and you may prefer one for it’s specific features. Each of these is free but the differences are quite large.

First we have Yubico Authenticator:

Now, if you're familiar with YubiKey devices, and if you’re watching my channel, you likely are… then this one will definitely peak your interest. Yubico Authenticator is all about that hardware-based security. It's a clean and straightforward app that pairs seamlessly with YubiKeys, providing an extra layer of protection beyond just your password.

Pros: The hardware-based security is a significant win here, making it extremely difficult for those with malicious intent to steal any 6 digit codes. You can think of the Yubico Authenticator app as simply a visual screen that looks inside your hardware key. Nothing is being stored on your phone, it’s just using this display to show you what’s stored on the Yubikey.

Since the Authenticator app basically allows you to use a hardware key with websites that only have the six digit code option, this means you’ll get a wider range of compatibility with services and platforms.

In order to use the Yubico Authenticator app for 2FA codes, you download the app, choose to add a key, and plug in your key (or tap it). This will add your key to your Authenticator app.

From there, anytime you want to add new accounts that accept 2FA codes for authentication, you just need to click Add Account, scan the QR code from the website you want to set it up on, and add that secret key to your hardware key.

The nice thing about the app is you can use the same QR code to add those secret keys to more than one Yubikey, and I did a walkthrough of this in my recent video about what to do if you lose a hardware key.

Another perk is if you lose your phone, those 2FA codes will be inaccessible without the hardware key to unlock them. And if you download the app onto another device, you’ll be able to access those 2FA codes as long as you have your hardware key.

It’s also cross platform and can be used on desktop as well, which I found to be helpful when I first set up my online accounts to work with it, since it was easier to do on desktop as the app just injects the QR code secret key for me, so I didn’t have to take a photo of a QR code or copy and paste the secret key.

This setup ends up being safer than just using the app on your smartphone because even if you lock an app with a PIN, you’ll be safer if you’re locking the app with a hardware key that is separate from your phone.

The downside is the feature set of the Yubico Authenticator app is limited. It doesn’t include cloud syncing features within the app, because it’s tied to your hardware key. But if you’re more security conscious, that’s probably a good thing. You can choose between themes like light or dark modes, and you can set a password to unlock the yubikey when you tap it. Chicken is not my real password, I just used that as a demo, FYI.

You’ll need a YubiKey to use this app. But you’re in luck. Yubico has been working with me on creating a whole series of videos all about multi factor authentication and using hardware keys. If you don’t have one yet, or you’re looking to add more to your arsenal, grab one from my link. Join me in 2024 to create the ultimate consumer security in the easiest ways possible. Thank you to Yubico for sponsoring this video.

Next is Google Authenticator. It's the go-to app for many users due to its simplicity and widespread integration. But how does it stack up?

On the pros side: Google Authenticator is as simple as it gets, making it incredibly user-friendly. To use it, you take a photo of a QR code and add accounts to your app. Then, you can copy the 6 digit codes from the app in order to log into the accounts.

Google Authenticator introduced Cloud syncing which means your codes can be synced to your Google Account. While this is very convenient, it also opens up a potential loophole that could be exploited by an attacker. If someone gained access to your google account, even if they don’t have your phone, they could download the app on their own phone, log into your google account, and download your codes onto their own phone. It is now E2EE though, which is better than no encryption in transit at all.

Google doesn’t make disabling cloud syncing very clear. In order to disable it, you have to click on your user profile photo and click “Use without an account”.

Google Authenticator can also be used for any websites that accept codes from an authentication app.

But the downside is if you lose your phone and don’t set up online backups, you could lose access to your 2FA codes.

It’s also not the most secure. You can’t hide the codes or force a tap to reveal them, there’s also no way to lock the app with biometrics or a pin code.

Lastly is Twilio Authy. Authy is best known for being a cloud based authenticator. Authy aims to stand out with its cloud-based backup and multi-device support. But that also might be it’s biggest negative. From a convenience perspective, Cloud-based backup ensures you won't lose access even if your phone takes an unexpected dive off a cliff. Authy’s Multi-device support lets you authenticate from your phone, tablet, even a smart watch.

When you set up Authy, it asks for a phone number to associate with your account as well as an email address as a backup contact method. It verifies both email and phone number by sending 6 digit codes to each of them.

Authy does have the best looking user interface. There’s a dark and light mode, It’s got large icons, tile view, and a colorful main page that make it easy to find your 2FA codes for any sites. You can also drag and drop to sort them however you please.

But, I’d assume a lot of folks in my audience may have reservations about the security implications of storing authentication codes in the cloud. You can disable backups, which is what I would do, and the backups are password protected. You can also disable multi device usage. The app can also be locked with a PIN code or biometrics and it’s easy enough to remove any old devices from your account.

So after looking at these from a basic view, they all have pros and cons. But:

DATA PRACTICES

Another major point you might want to consider is each app’s data practices. In the case of Yubico Authenticator: this app doesn’t collect or share any data. No data is shared with third parties. And no data is collected by Yubico.

In the case of Google Authenticator. While no data is shared with third parties, Google Authenticator does collect data. And that includes your device ID, app crash logs and diagnostics, app interactions and optionally in app search history, which is used for analytics, fraud prevention, security and compliance as well as app functionality, optionally it can collect your contact info. It also collects data from photos for account management. And it also collects optionally, your name, email address, user IDs, address, phone number, etc. Data is encrypted in transit.

And lastly, in the case of Twilio Authy. No data is shared with third parties. But Twilio does collect data such as your approximate location, crash logs and diagnostics, analytical information about app activity, personal info such as your email address, user IDs and phone number, and the device ID. Data is encrypted in transit

When it comes to security and data privacy, Yubico Authenticator takes obviously takes this crown. The hardware-based approach provides an extra layer of protection that Google Authenticator and Twilio Authy just don’t match. While each app has its strengths, like Authy is the prettiest for sure, Yubico Authenticator is far ahead in the race for the most secure authentication app.

I think that Yubico Authenticator, Google Authenticator, and Twilio Authy each have their strengths and weaknesses, but if security is your top priority, Yubico Authenticator is the clear winner in this showdown. Of course, the best choice depends on your specific needs and preferences. What's your go-to authentication app, and did this comparison change your mind?