The best two-factor authentication (TOTP) apps

  • Choose TOTP apps based on security, backups and cross-platform compatibility.
  • Set up 2FA with a QR code or manual key and always save the recovery codes.
  • Combine TOTP with physical keys (FIDO2) and alternative methods for emergencies.

Two-step authentication

Two-step authentication with TOTP has become the essential shield for protecting your accounts: a second code that changes periodically and that you must enter in addition to your password. In this article I bring you a comprehensive guide with app comparisons, configuration tips and real-life use cases, all explained in detail and in a user-friendly way so you don't get lost along the way.

Beyond a simple list, here you will find practical information to help you choose the best TOTP app, learn how to set it up on popular services (GitHub, Bitwarden, Nextcloud, etc.), understand how to implement it in your backend with Node.js, and avoid common mistakes that can leave you locked out of your accounts. Let's get to it.

What is TOTP and why you should activate it today

TOTP (Time-based One-Time Password) is an algorithm that generates time-based one-time passwords. Your app and the server share a secret; using the system clock, both calculate the same code, which is typically renewed every 30 seconds. Since it works offline, it is fast, reliable and very convenient, and it adds a second layer that stops attacks even if your password is leaked.

Within 2FA there are several methods (SMS, email, biometrics, physical keys, push notifications...), but TOTP apps are usually the most balanced option for privacy, availability and control. Note: SMS is useful as a fallback, but it's not as robust or reliable, especially outside the U.S.

Key tips before you start

First, don't delete a 2FA account from your app without first deactivating it on the service's website; it's easy to lock yourself out for good. Second, generate and save the recovery codes whenever they're available. Third, plan your backups: choose apps with encrypted cloud backup, export to an encrypted file, or use account sync to avoid losing tokens when switching phones.

A reality check: every 39 seconds there is a cyber attack somewhere in the world. Activating 2FA with TOTP takes less than two minutes and increases your security. If you also add a physical security key as an alternative method, you'll be more than covered.

How to choose your TOTP app: what to look for and what to avoid

The best apps combine security, ease, export/backup and cross-platform compatibility. It's key that they can be protected with biometrics or PIN, hide on-screen codes, and offer encrypted backups or secure export. If you use multiple operating systems, look for synchronization between Android, iOS and desktop.

What to avoid? Apps without backup or export, backups that are incompatible between platforms (if you switch between iOS and Android), or apps that require a phone number when you don't need one. The fine details make all the difference in a time of crisis.

Complete comparison of TOTP authentication apps

Below you have an overview with the most relevant features and nuances of the tools that appear most frequently in the best guides, documentation, and specialized analyses.

Google Authenticator (Android, iOS)

It is the classic reference: free, simple and no account required. You can export all tokens at once using a single QR code to migrate to another phone, and on iOS you can secure access with Face ID/Touch ID and search for tokens. It lacks native cloud backups and doesn't always hide codes, which can be awkward in public. Ideal if you don't want the cloud and you prioritize simplicity.

Microsoft Authenticator (Android, iOS)

Combines a password manager and TOTP with biometric/PIN protection, code hiding and cloud backups. Weak points: iOS and Android backups are incompatible with each other, it doesn't export tokens, and it takes up a lot of space (150-200 MB). If you're in the Microsoft ecosystem, it makes logins much easier.

Twilio Authy (Android, iOS, Windows, macOS, Linux)

The multi-platform star: it synchronizes impeccably between mobile and desktop, with cloud backup and PIN/biometric protection. Account creation with a phone number is required, and the mobile interface displays one token at a time, which is less agile with many accounts. It doesn't export/import tokens, but as an alternative to Google/Microsoft it's one of the best.

Duo Mobile (Android, iOS)

Very popular in companies: clean and simple interface, hides codes and allows backup to Google Cloud (Android) or iCloud (iOS) without creating a new account. There is no access protection in the app, and iOS and Android backups are not compatible with each other. If you're not going to change platforms, it can serve you perfectly.

FreeOTP (Android, iOS)

Open source project, minimalist and very light (2-3 MB). No cloud storage or token export; on iOS, it doesn't allow you to create tokens from a manual key (only QR codes). On iOS you can protect tokens with Face ID/Touch ID, and the codes are hidden by default and after 30 seconds of inactivity. For those who prioritize minimalism and privacy.

andOTP (Android)

Very complete and open source: PIN/password/fingerprint lock, labels, search, automatic hiding and locking after inactivity, a "panic button" to delete everything, and export to an encrypted file (e.g., to Google Drive). It's discontinued, but it's still very solid. Risk: since keys are easy to recover from it, access to the app must be very well protected.

Aegis Authenticator (Android)

Modern open source alternative, free, with encryption, biometrics and good backup options. It supports importing from Authy/andOTP and almost all 2FA formats. Some powerful features require root, which isn't for everyone. Good balance between security and usability.

OTP Auth (iOS, macOS)

Powerful for Apple: folders to organize, export to file, token entry by key or QR, iCloud sync, and Face ID/Touch ID or password protection. It doesn't hide codes, and some features are paid on macOS. For iPhone/Mac, it is the most complete.

Step Two (iOS, macOS)

Minimalist, with iCloud sync and Apple Watch support. No access protection, no code hiding, no token export/import, and the free version limits you to ten tokens. On macOS, it requires screenshot permission to read QR codes. Perfect if you want something very simple in the Apple ecosystem.

WinAuth (Windows)

Gamer-oriented: supports non-standard tokens for Steam, Battle.net or Trion/Gamigo, in addition to standard TOTP. It allows you to encrypt data, export it as plain text or an encrypted file, protect it with a password or YubiKey, and hide codes automatically. It only exists for Windows and, as a rule, 2FA on the same PC you log in from is not recommended, but for games it's a gem.

Authenticator App (Apple ecosystem)

An authenticator with apps for iPhone, iPad, Mac and Apple Watch, and extensions for almost all browsers (Safari, Chrome, Brave, Tor, Vivaldi…). It has a very limited free version; the paid version adds backup and sync. It includes encryption, family sharing and Face ID lock. If you live in the Apple world, it's an option to consider.

2FAS (2FA Authenticator)

Simple, free and with E2E encryption: it works offline and allows you to add tokens by key or QR code and sync them with Google Drive. Backups so you don't lose tokens, a browser extension, PIN/biometrics and no ads. Few advanced options, but very reliable for day-to-day use.

1Password (with built-in TOTP)

Paid password manager that includes integrated TOTP 2FA. The big plus is code autofill on supported sites and unified credential management. It's not a pure 2FA app, but if you already use 1Password, it simplifies your life on mobile, desktop and browser.

Bitwarden (with integrated TOTP)

Open source and free for a single user; the paid version adds TOTP generation with autofill on websites and apps. It generates six-digit codes (SHA-1, 30s) by default and lets you customize parameters by editing the TOTP URI. Browser extensions copy the TOTP to the clipboard after autofill if you enable the option. An excellent way to centralize passwords and 2FA.

TOTP Authenticator (BinaryBoot)

Clean interface and extensive support for 2FA services. It offers Cloud Sync Premium with Google Drive (you control the data), browser extension (premium), dark theme, tags and search, cross-platform support (Android/iOS), multi-device use (encrypted backups), multiple widgets, icon customization and biometric security with the option to block screenshots. The free version is somewhat limited.

Protectimus Smart OTP

Available on Android and iOS, compatible with Android watches, supports multiple protocols and allows you to protect the app with a PIN. Less well-known, but very complete if you're looking for a variety of standards and use in wearables.

How-to Guides: How to Activate TOTP on Popular Services

Let's go with specific instructions, distilled from official documentation so you can configure TOTP without getting lost.

Configure TOTP on GitHub (TOTP app or SMS, with additional methods)

GitHub recommends using cloud-based TOTP apps, with security keys as a backup, instead of SMS. After activating 2FA, your account enters a 28-day verification period: on the 28th day you'll be asked to complete 2FA again, and if it fails you can reconfigure it.

  • Step by step for TOTP: User Settings → Password and Authentication → Enable 2FA → scan the QR code with your TOTP app or use the manual setup key (type TOTP, label "GitHub: ", issuer GitHub, SHA1, 6 digits, 30s). Verify with a current code and download the recovery codes.
  • SMS as an alternative: add your number after passing a CAPTCHA, enter the code received via SMS, and save the recovery codes. Only use this if you can't use TOTP.
  • Passkeys: if you already have 2FA via TOTP app or SMS, add a passkey to log in without a password while still meeting the 2FA requirement.
  • Security keys (WebAuthn): after activating 2FA, register a compatible key. It counts as a second factor and still requires your password; if you lose it, you can use SMS or your TOTP app.
  • GitHub Mobile: after setting up TOTP or SMS, you can use the mobile app with push notifications; it does not rely on TOTP and uses public-key cryptography.

If a TOTP app doesn't suit you, register SMS as plan B and then add a security key to raise the bar on security without complicating things.

Bitwarden Authenticator: Generation, Autofill, and Tricks

Bitwarden generates 6-digit TOTPs with SHA-1 and 30s rotation. You can scan the QR code from the browser extension (camera icon) or enter the key manually on iOS/Android. Once configured, you'll see the rotating TOTP icon inside the item and can copy the code just like a password.

Autofill: browser extensions automatically fill in the TOTP, or copy it to the clipboard after autofill if you enable "Autofill on page load." On mobile, the code is copied to the clipboard after autofilling the login.

If your codes don't work, synchronize the device clock (toggle automatic time off and on again on Android/iOS; on macOS, do the same for date/time and time zone). If a service requires different settings, edit the otpauth URI manually in the item to adjust digits, period or algorithm.

On iOS 16+, you can set Bitwarden as the default verification-code app when scanning codes with the camera: Settings → Passwords → Password Options → Set up verification codes using → Bitwarden. When scanning, tap "Open in Bitwarden" to save it.

For Microsoft Azure/Office 365 accounts: during 2FA setup, choose "another authenticator app" instead of Microsoft Authenticator and scan the QR code with Bitwarden. For Steam, use a URI prefixed with steam:// followed by your secret key; the codes will be 5-character alphanumeric.

Nextcloud: TOTP and Backup Codes

If your instance enables 2FA, in your personal preferences you will see the secret code and a QR to scan with your TOTP app. Generate and save the backup codes in a safe place (not on the phone itself), because they will get you out of trouble if you lose the second factor.

When you log in, enter the TOTP code in your browser or select another second step if you have one set up. If you use WebAuthn, do not reuse the same token for 2FA and for passwordless login, as it would no longer be a genuine second factor.

Corporate Case Study: Specialty Medicines Portal (AEMPS)

Typical flow example: install a TOTP app (Microsoft/Google Authenticator, FreeOTP, Authy…) and, from the browser, request "Reset verification code" on the credentials page. You'll receive an email with a link showing a QR code.

Scan the QR with your app, where you'll see your first code, then return to your browser to enter it on the reset page. From there, log in by choosing the "Verification Code" method: username, password and the current TOTP code displayed on your phone.

Hardware keys: YubiKey as a luxury accessory

For maximum security, YubiKey by Yubico is the gold standard: IP68 physical keys, battery-free, robust, and compatible with FIDO2, U2F, OTP, Smart Card, etc. They work perfectly with Google, Facebook and many other services. If a service doesn't support hardware keys, you can fall back on their authenticator app. There are even FIPS-certified models for environments that require them.

The ideal combination is a TOTP app plus a YubiKey: you'll always have a second factor available, and another highly secure one for when you want to maximize your protection.

Implement TOTP in your backend (Node.js with otplib)

If you develop your own application, TOTP is easy to integrate with otplib and a dash of Express.js. The workflow has two phases: associating a TOTP secret with the user and validating the codes upon login.

  • Association: generate a secret on the server, build the otpauth URI and display it as a QR code (using libraries like QRcode). The user scans it with their app and sends you a TOTP; validate it and save the association.
  • Verification: at every login, after the correct password, ask for the TOTP and check its validity against the saved secret. If it's valid, you complete the login.

As you can see, it is a very clear pattern: you share a secret, validate the first code, and then check the rotating TOTP code at each login. Simple, robust and compatible with most authenticator apps.

Tricks and good practices that will save you trouble

Think about your "plan B": recovery codes and alternative methods (security key, SMS, push mobile app). If you rely on cloud sync, check whether there are incompatibilities between iOS and Android (as with Microsoft and Duo) so you don't get any surprises when changing your phone.

When to use a password manager with built-in TOTP

If you already use Bitwarden or 1Password, activating the TOTP module unifies passwords and second-factor codes, with autofill in the same tool. Advantages: speed and less friction. Disadvantage: you concentrate more sensitive material in one place, so shield it with strong 2FA and check the secure export/backup options.

Summary of featured apps and compatibilities

Android: Google Authenticator, Microsoft Authenticator, Authy, Duo, FreeOTP, Aegis, andOTP, 2FAS, Protectimus, TOTP Authenticator, WinAuth (non-mobile). iOS: Google Authenticator, Microsoft Authenticator, Authy, Duo, FreeOTP, OTP Auth, Step Two, Authenticator App, TOTP Authenticator. Desktop: Authy (Win/macOS/Linux), OTP Auth (macOS), Step Two (macOS), WinAuth (Windows).

For special video game tokens, WinAuth shines with Steam and Battle.net, and Bitwarden can handle Steam with steam://. In the Apple world, the authenticator built into iOS 15+ and Safari 15+ is useful, but its autofill doesn't always hit the mark and isn't as snappy as a dedicated app.

Quick checklist for choosing your TOTP app

  • Need true cross-platform support (mobile + desktop)? Authy is a safe bet.
  • Minimalism and no cloud? Google Authenticator or FreeOTP are a good base.
  • Open source with fine control? Aegis (Android) or OTP Auth (iOS) stand out.
  • All-in-one manager + TOTP? Bitwarden or 1Password make it much simpler.
  • Gaming world? WinAuth supports non-standard tokens.

Whatever your choice, make backups and save the recovery codes. They're a lifesaver when things are at their worst.

Activating TOTP gives you a huge leap in security at minimal cost in time, and with the apps you've seen you can choose what best suits you: from simple, cloud-free solutions to synchronized ecosystems across all your devices, including managers that autofill the code for you or physical keys to close the loop in high-security scenarios. With a couple of good decisions and a backup plan, your account goes from being "at the mercy" of attackers to being "scare-proof".
