Friday, Jul 10, 2026 CARMANNEWS · INDEPENDENT EDITION №191
Carmannews Daily edit · est. 2026
On carmannews

Independent daily journalism — carmannews covers business and personal finance, preventive health, consumer technology, home improvement, and lifestyle. Named editors, primary sources, public corrections, no paywall — read the daily brief or meet the carmannews newsroom.

Tech

Two-factor authentication: which apps are still safe

Several popular 2FA apps have introduced backup-to-cloud features that quietly weaken the threat model. carmannews lists which apps still implement TOTP correctly and which now compromise on the basics.

Two-factor authentication: which apps are still safe

Several popular 2FA apps have introduced backup-to-cloud features that quietly weaken the threat model. carmannews lists which apps still implement TOTP correctly and which now compromise on the basics.

Two-factor authentication is the single best thing most people can do to protect their accounts, and it works: even if someone steals your password, they’re stopped at the second step. But not all second factors are equal, and a few convenience features added to popular authenticator apps have quietly traded away some of the security that made them worth using. The good news is you don’t need to be an expert to get this right — you need to understand a short hierarchy of which methods are strong, which are weak, and how to back up your codes without handing them to an attacker.

The hierarchy of second factors

Not every form of two-factor authentication offers the same protection. From strongest to weakest, here’s how the common options stack up.

  • Strongest: a hardware security key or passkey. A physical key you plug in or tap, or a passkey tied to your device, resists even sophisticated phishing because there’s no code for an attacker to trick out of you. For your most important accounts — email, banking, anything that would be catastrophic to lose — this is the gold standard.
  • Strong: an authenticator app generating codes. An app on your phone produces a rotating six-digit code that changes every thirty seconds. The secret stays on your device, so there’s nothing for a network attacker to intercept. This is the practical sweet spot for most people and most accounts.
  • Weakest of the real options: codes sent by text message. A code texted to your phone is far better than nothing, but it’s the most attackable method, because criminals can hijack your phone number through your carrier and redirect the texts. Use it where it’s the only choice, but prefer an app or a key where you can.

The single most valuable upgrade for most people is moving their important accounts off text-message codes and onto an authenticator app, and using a hardware key or passkey for the handful of accounts that matter most. That one change closes the most commonly exploited gap.

The cloud-backup trade-off

Authenticator apps used to keep their secret codes only on your device, which was secure but had a downside: lose or break the phone and you could be locked out. So many apps added cloud backup, syncing your codes to an online account. That solves the lockout problem and introduces a new one — your second factor now lives on a server, and the security of all those codes is only as strong as the account protecting the backup. If that account is weak or itself only protected by a password, an attacker who breaks into it can potentially get your authentication codes, undermining the whole point.

This isn’t a reason to avoid backups — being locked out of your accounts is a real and common disaster. It’s a reason to do backups carefully. If your authenticator app syncs codes to the cloud, make sure that backup is itself strongly protected: a long, unique password and, where offered, end-to-end encryption so even the provider can’t read your codes. The goal is a backup that rescues you from a lost phone without becoming a soft target.

What “implemented correctly” means

A trustworthy authenticator app follows an open, standard method for generating codes — which means you aren’t locked to one company and can move your codes to a different app if you choose. It’s clear about whether and how it backs up your secrets, and it offers a way to protect those backups, ideally with end-to-end encryption. The apps worth trusting are transparent about all of this. Treat vagueness about where your codes are stored and how they’re protected as a reason to look elsewhere.

How to set this up safely

  • Turn on two-factor everywhere it’s offered. Even text-message codes are far better than none. Start with the accounts that would hurt most to lose — email first, since it’s the key to resetting everything else.
  • Move important accounts to an app or a hardware key. Step up from text codes to an authenticator app for important accounts, and use a hardware key or passkey for the few that are critical.
  • Save your backup codes. When you enable two-factor, services give you one-time recovery codes. Save them somewhere safe and offline — printed, or in a password manager — so a lost phone doesn’t lock you out permanently. This single step prevents the most common 2FA disaster.
  • If you use cloud backup, protect it properly. Give the backup account a strong, unique password and enable end-to-end encryption if available, so syncing your codes doesn’t quietly create a weak point.

One habit closes a gap that two-factor authentication alone can’t: staying alert to where you type your codes. Even strong two-factor can be defeated if an attacker tricks you into entering a code on a fake site that relays it to the real one in real time. So treat any unexpected request for a login code with suspicion — if you didn’t just try to sign in, don’t approve it, because a prompt arriving out of nowhere can mean someone else has your password and is trying to get past the second step. Hardware keys and passkeys resist this trick by design, which is part of why they sit at the top of the hierarchy; for everything else, your own caution is the backstop.

Specific apps and their backup features change over time, and security advice evolves, so check an app’s current documentation about how it stores and protects your codes before trusting it. But the hierarchy is stable: hardware keys and passkeys strongest, authenticator apps strong, text codes weakest — and a safely protected backup is what lets you use the strong options without fear of lockout.

The biggest win is the simplest: get your important accounts off text-message codes. The most-exploited weakness in two-factor is the phone number, not the password.

Kenji Tanaka, Tech Editor, carmannews