When I started using two-factor authentication, I saved my time-based one-time passwords (TOTP) in Google Authenticator since it was one of the first prominent tools for the job. Years later, I left Google Authenticator for Authy because it had cross-device syncing and backup that Google’s solution lacked at the time.
And while I was happy with Authy for a good while, I’ve since decided to switch my 2FA codes to another home you might not expect: my password manager. Authy has let me down over the years, and while I was initially resistant to keeping 2FA in the same place as my passwords, I don’t mind this now.
Why Authy wasn’t cutting it anymore
Initially, Authy solved my biggest problem with Google Authenticator (GA). In its early stages, GA was tied to a single device, with no easy option to port your 2FA codes to a new phone. That meant if your phone was lost or stolen, you had no option except for your backup codes. While those are workable, I didn’t want to take the risk since losing 2FA access can burn you.
Another key weakness of GA was its lack of a desktop app. When I started using Authy in 2014, I loved that I could get codes while working on my computer, so I didn’t have to grab my phone. However, Authy stopped supporting its desktop app in early 2024.
It’s also had security problems, which is especially concerning for an app you trust to protect your accounts. In July 2024, parent company Twilio announced that Authy was hacked, leading to the attackers gaining access to over 30 million users’ phone numbers.
While less important, I’ve also been disappointed with Authy’s lack of visual updates over time. The core look is still the same as when I started using it over a decade ago. There’s no dark mode, which is inexcusable. Several of the logos are outdated, don’t fit into the box, look blurry, or have other issues.


Unfortunately, the final issue I have with Authy ties into leaving it. Authy has no option for exporting your TOTP keys; if you want to switch to another 2FA app, you have to manually disable 2FA on every service and re-enable it with your new 2FA app.
Choosing Authy’s replacement
There were ample reasons to leave Authy, but I wondered which app I should pick to replace it. I didn’t want the same issues to befall me again, so I thought carefully.
I initially considered Ente Auth, a relative newcomer in the space. It has thoughtful features, like tags for different account types, the option to see the next code, pinning your most-used to the top, and the essential desktop app.
I procrastinated the move due to the time investment required (I have over 50 accounts saved in Authy). During this time, Proton released its own 2FA solution, called Proton Authenticator. It struck me as similar to Ente, though it comes from a well-trusted security company.
Then I considered another option: I’ve been happy to pay for 1Password for years, and always dismissed the prompts to use 2FA in the password manager. My thinking was that it’s not wise to have both keys to your account in one place, since if someone breaches your password manager, they have everything they need to enter.
Is using 2FA in your password manager secure?
However, 1Password’s article about keeping TOTP codes in a password manager convinced me to make the switch. As the article points out, segmenting your 2FA codes into a separate app only offers extra protection in niche scenarios.
If someone managed to obtain your 1Password login info, plus your Secret Key, and broke the 2FA protection on your 1Password account, but didn’t have your device, then having your 2FA codes in another app would keep you safe. Otherwise, someone who compromised your device would be able to take control of your 2FA codes no matter where they were stored.
A true second factor would be keeping your codes on a secondary device you use only for them, or a hardware solution like a Yubikey. Those offer stronger security, but are much less convenient. Having your TOTP codes on the same phone as 1Password, but in a different app, doesn’t provide more protection since anyone who cracks your phone would have access to both.
All that considered, I’m happy to keep my 2FA codes in 1Password and enjoy the convenience of autofilling them.
The tedious process of switching
Next is the boring part: manually switching all my TOTP codes from Authy to 1Password. With no option to export from Authy, I have to visit every service I was using Authy for, disable 2FA, then re-enable it in my password manager.
With 50+ accounts, it will take a while to move everything over (I haven’t finished yet). Another part of the hassle is that disabling and re-enabling 2FA generates a new set of backup codes, requiring you to overwrite the old ones (and print them off again for safekeeping). This wouldn’t be a problem if Authy had an export feature (Microsoft Authenticator also lacks this option).
Thankfully, 1Password makes it easy to add 2FA secrets to an item. In the menu for any entry, you can scan a QR code (this works best when done in the browser extension), or copy and paste the secret if scanning the code doesn’t work.
I’m happier having my 2FA keys in 1Password than in Authy. 1Password’s apps for desktop and web autofill your 2FA code along with your other saved credentials, which is smooth. The interface is neat, and it’s one fewer app to worry about being breached, going offline, or degrading in quality.
I don’t use 1Password for all 2FA codes
Even though I switched to 1Password as my primary authenticator, I’m still keeping a couple of 2FA accounts in Proton Authenticator: my primary email account and 2FA for 1Password itself. I decided on Proton since it’s from a trusted company and the UI is more polished.
It would be foolish to keep the 2FA codes for logging into 1Password inside the password manager, which means you need another 2FA app for at least that. Your email is your most important login because it lets you reset the passwords for all your other accounts. I thus want to be able to get into that account even if I can’t get into 1Password for some reason.



Because 1Password (unlike Authy) makes it easy to export your 2FA secrets, you can save them in more than one app. This lets me enjoy the convenience of autofilling my email 2FA with 1Password, while also having a backup copy in case I get locked out.
It also creates more overhead, however. I can secure my Proton account with 2FA to better protect the few codes it contains—but in turn, this requires a third authenticator app (since 1Password and Proton protect each other). I’m willing to do this since I won’t need it often, but it is clumsy.
Choose your 2FA app carefully
As the 1Password article brings up, increasing your digital security, however you do it, is a positive change. If you aren’t using 2FA at all, you should start. And if you’re using SMS-based 2FA, which is a lot weaker, I recommend switching to app-based 2FA.
For me, it was time to leave Authy, and I wouldn’t advise anyone to start using it now since it’s hard to jump ship. Whether you use your password manager or a dedicated app like Proton Authenticator, it’s worth taking stock of your 2FA situation to make sure it’s right for you.