
Updated as of July 2023

Author: Allister D.

Most people use SMS for 2FA to further secure their online accounts. However, SMS is a grossly insecure transport and leaves you exposed to [SIM swap](<https://www.yubico.com/resources/glossary/sim-swap/>) attacks, so this form of 2FA should generally be avoided unless no other option is available. Instead, opt for an authenticator app or a hardware 2FA key where supported. But which app should you use? Google Authenticator is the most widely used 2FA app, but that doesn't necessarily mean you should use it too, as I'll explain below.


Google Authenticator recently rolled out a major update that added a feature allowing users to sync their 2FA codes across devices. While this may seem convenient, it poses significant privacy and security risks. Network traffic analysis by [Mysk Co](<https://twitter.com/mysk_co/status/1651021165727477763>) revealed that the syncing process is not end-to-end encrypted! This means that Google can access your 2FA secrets while they are stored on its servers.

In the event of a data breach or unauthorized access to your Google Account, all your 2FA secrets could be compromised, defeating the purpose of two-factor authentication altogether. Additionally, Google can view your account names and the services you use (e.g., LinkedIn, Amazon), potentially using this information for more targeted ads.

Given these security concerns, it's wise to look at better alternatives such as [Authy](<https://authy.com/>) (multi-platform), [Aegis](<https://getaegis.app/>) (Android), or [Raivo](<https://raivo-otp.com/>) (iOS). These apps offer better security, privacy, and user control. Authy, for example, encrypts your 2FA secrets with zero-knowledge encryption. Aegis and Raivo are open source, offering transparent security and allowing users to inspect the codebase for potential vulnerabilities. Both Aegis and Raivo also provide end-to-end encryption and the option to create a password-protected encrypted backup.
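To make the risk above concrete, here is an added example (not code from the original post, nor the vault format of Aegis, Raivo or Authy) that does two things: it generates TOTP codes straight from a base32 seed, showing that whoever holds the seed holds a complete copy of your second factor, and it contrasts a plaintext sync payload with a password-protected backup. The vault entry and the password are constructed sample data; the seed is the public RFC 6238 test secret, not a real account. The backup uses only the Python standard library (PBKDF2 for key derivation, an HMAC-SHA256 keystream, encrypt-then-MAC), which is an illustration of the idea; a shipping app would use an AEAD such as AES-GCM from a proper crypto library.

```python
"""Why a TOTP seed must stay secret, and what a password-protected backup
looks like.  Added example, standard library only."""
import base64
import hashlib
import hmac
import json
import os
import struct

# Constructed sample vault.  The seed is the RFC 6238 test secret
# ("12345678901234567890" in base32), not a real account.
SAMPLE_VAULT = [
    {"issuer": "example-service", "account": "alice@example.test",
     "secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},
]


def totp(secret_b32, timestamp, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1).  Anyone holding secret_b32 can run this,
    so a seed stored in plaintext on a sync server IS your second factor."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(timestamp) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, timestamp, step=30, window=1):
    """Server-side check allowing one step of clock drift; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret_b32, timestamp + k * step, step), code)
        for k in range(-window, window + 1)
    )


def export_plaintext(vault):
    """What a sync payload that is not end-to-end encrypted amounts to:
    seeds and account names readable by whoever stores it."""
    return json.dumps(vault)


def _derive_keys(password, salt, iterations=200_000):
    # Password -> 32-byte encryption key + 32-byte MAC key via PBKDF2-HMAC-SHA256.
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode.  Illustrative only; a real app
    # would use an AEAD (e.g. AES-GCM) from a crypto library.
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def export_encrypted(vault, password):
    """Password-protected backup (encrypt-then-MAC): the stored blob reveals
    neither seeds nor account names without the password."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(password, salt)
    plaintext = json.dumps(vault).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(salt + nonce + ciphertext + tag).decode()


def import_encrypted(blob, password):
    """Authenticates first, so a wrong password or a tampered blob is rejected
    before any decryption happens."""
    raw = base64.b64decode(blob)
    salt, nonce, ciphertext, tag = raw[:16], raw[16:32], raw[32:-32], raw[-32:]
    enc_key, mac_key = _derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong password or corrupted backup")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


def backup_opens_with(blob, password):
    """True only if the password both authenticates and decrypts the blob."""
    try:
        import_encrypted(blob, password)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    seed = SAMPLE_VAULT[0]["secret"]
    print("code at T=59:", totp(seed, 59))               # 287082 (RFC 6238 vector)
    blob = export_encrypted(SAMPLE_VAULT, "correct horse battery staple")
    print("seed visible in plaintext export:", seed in export_plaintext(SAMPLE_VAULT))
    print("seed visible in encrypted export:", seed in blob)
    print("opens with right password:", backup_opens_with(blob, "correct horse battery staple"))
    print("opens with wrong password:", backup_opens_with(blob, "guess"))
```

The point to take away is in `totp`: it needs nothing but the seed, so a provider that stores seeds without end-to-end encryption can mint valid codes for every account in the vault, and so can anyone who breaches that storage. A backup like `export_encrypted` only ever leaves the device as ciphertext under a key the provider never sees.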

Note: Google has announced that it will encrypt synced 2FA seeds, but as of this writing no timeline has been given for when this will take effect.
