Critical

Two-Factor Authentication

Add a second lock to every account. Even if your password is stolen, your account stays safe.

My recommendation

Proton Authenticator

Free, open-source, end-to-end encrypted, and works offline. Available on iPhone, Android, Windows, Mac, and Linux.

Download Proton Authenticator

How to set up 2FA in 5 steps

  1. Download Proton Authenticator

     Install the free app on your phone from the App Store (iPhone) or Google Play (Android). You do not need a Proton account to use it.

  2. Go to your account’s security settings

     Log in to the account you want to protect (your bank, email, Amazon, etc.) and look for Security or Two-Factor Authentication in the settings menu.

  3. Choose “Authenticator App”

     When asked how you want to receive your second factor, select Authenticator App (not SMS/text message — I’ll explain why below). The site will show you a QR code.

  4. Scan the QR code

     Open Proton Authenticator, tap the + button, and choose Scan QR code. Point your phone at the code on your screen. The account is now linked.

  5. Save your backup codes

     Most sites will show you a list of one-time backup codes. Save these somewhere safe — a printed sheet in a secure location, or in your password manager. You’ll need them if you ever lose your phone.

💡 Start here

Set up 2FA on your most important accounts first: email, bank, and any account that stores payment information. Then work your way through the rest.

Avoid SMS (text message) 2FA when possible

If a site only offers to send a code by text message, that’s better than nothing — but it’s the weakest form of 2FA. Hackers can intercept texts through a technique called SIM swapping. Use an authenticator app whenever the option is available.

What is two-factor authentication?

Two-factor authentication (2FA) — sometimes called two-step verification — adds a second layer of protection to your accounts beyond just a password. The idea is simple: even if someone steals your password, they still can’t get into your account without also having access to your second factor.

Think of it like a bank safe that requires both a key and a combination. Stealing one isn’t enough.

The “factors” in authentication are typically described as:

  • Something you know — your password
  • Something you have — your phone (with an authenticator app)
  • Something you are — a fingerprint or face scan

2FA combines at least two of these. The most common combination is your password plus a time-sensitive code generated by an app on your phone.

Why passwords alone aren’t enough

Passwords are stolen constantly — through data breaches at companies you trust, through phishing emails, and through automated attacks that try millions of combinations per second. According to the 2024 Verizon Data Breach Investigations Report, stolen credentials are involved in over 80% of hacking-related breaches.

Even a strong, unique password can be compromised if the company storing it is breached. 2FA means that even a stolen password is useless to an attacker without your phone.

Types of 2FA — from weakest to strongest

Not all 2FA is created equal. Here’s how the common options compare:

Method                    | How it works                                                                                     | Strength
SMS / Text message        | A 6-digit code is sent to your phone number                                                      | Weak — vulnerable to SIM swapping
Email code                | A code is sent to your email address                                                             | Moderate — only as secure as your email
Authenticator app (TOTP)  | App generates a new 6-digit code every 30 seconds                                                | Strong — my recommendation
Hardware security key     | A physical USB or NFC key you plug in or tap                                                     | Strongest — best for high-value accounts
Passkeys                  | Replaces both your password and 2FA with a single biometric step (Face ID, fingerprint, or device PIN) | Strongest — the future of login

A note on passkeys

Passkeys are a newer technology that goes a step beyond traditional 2FA. Instead of entering a password and then a code, a passkey uses your device’s built-in unlock — Face ID, fingerprint, or PIN — to verify your identity in a single step. The private key never leaves your device, which means there’s nothing for hackers to steal from a company’s servers.

Major sites including Google, Apple, Amazon, and GitHub now support passkeys. When a site offers you the option to “create a passkey,” take it — it’s more secure than a password plus 2FA combined. Your password manager (Bitwarden, 1Password) can store passkeys alongside your passwords.

Passkeys are still rolling out across the web, so you’ll still need an authenticator app for many sites. But whenever a passkey option is available, it’s the best choice.

Why I recommend Proton Authenticator

I recommend Proton Authenticator because it combines strong privacy with ease of use:

  • End-to-end encrypted — your 2FA secrets are encrypted on your device before anything is synced, so no one else can read them
  • No account required — works fully offline; a Proton account is only needed if you want to sync across multiple devices
  • Open-source — the code is publicly auditable, so security researchers can verify it does what it claims
  • Cross-platform — available on iPhone, Android, Windows, Mac, and Linux
  • Free — no cost, no ads, no data selling

Proton is a Swiss company founded by scientists from CERN. Their products are built around the principle that they should never be able to access your data even if compelled by law — because they design their systems so that they technically cannot.

Further Reading