How to Set Up an Authenticator App

Authenticator apps give you stronger two-factor codes than text messages — and they are quick to set up. Here is the hands-on walkthrough, including how to never get locked out.

If you have read our explainer on two-factor authentication, you know an authenticator app is one of the strongest, most convenient ways to add a second layer to your logins — safer than codes sent by text, and it works even with no signal. This guide is the hands-on companion: which app to pick, exactly how to add an account by scanning a QR code, how to save the backup codes that stop you ever getting locked out, and what to do if you lose or replace your phone. Set aside ten minutes and you can protect your most important accounts for good.

Key takeaways

  • An authenticator app shows a fresh six-digit code every 30 seconds that you enter after your password.
  • Setup is simple: open the account’s security settings, choose authenticator app, and scan the QR code.
  • Save the backup/recovery codes the site gives you — they are your way back in if you lose your phone.
  • Pick an app that supports cloud backup or export so moving to a new phone is painless.
[Figure: One login, two steps. 1. Password (something you know). 2. App code (for example 3 9 2 4 7 1; the code changes every 30 seconds and is generated on your phone). Result: signed in, both proofs given.]
Even if someone steals your password, they cannot log in without the rotating code generated on your phone.

Why an authenticator app beats text codes

Two-factor authentication asks for a second proof after your password. The code can arrive by text message, but an authenticator app is better for two reasons. First, it is more secure: text codes can be intercepted or stolen through “SIM-swap” attacks where a criminal hijacks your phone number, whereas an app generates the code on your device, with nothing sent over the network to intercept. Second, it is more reliable: the app works with no signal and no roaming charges, because the code is calculated on the phone itself using a shared secret and the current time. If you want the full comparison of 2FA methods, our two-factor authentication explainer ranks them; this guide is purely about getting an app set up and working.

Step 1: Choose an authenticator app

Any reputable authenticator app works with virtually every website, because they share an open standard (TOTP). They differ mainly in backup and convenience features. Good options include the authenticator apps from Google and Microsoft, as well as well-regarded independent apps. When choosing, look for:

  • Cloud backup or export. The single most important feature — it lets you restore your codes if your phone is lost or replaced, instead of being locked out of every account.
  • A trustworthy maker with a track record, since this app guards access to your accounts.
  • Optional app lock (PIN, fingerprint or face) so the codes are protected even if someone picks up your unlocked phone.
  • Multi-device or sync if you want the same codes on a tablet as a backup.

Install one app from your official app store and stick with it for all your accounts — juggling several just makes life harder.

Step 2: Add your first account with a QR code

The setup happens on the website you want to protect (your email, bank, social account), with your phone ready to scan. The wording varies slightly per site, but the flow is always the same.

Open the account’s security settings

On a computer, sign in and go to Settings → Security (or “Password & security” / “Sign-in”). Find Two-factor authentication or “2-step verification” and choose to add an authenticator app (sometimes listed as “authentication app” or “TOTP”).

Display the QR code

The site shows a QR code (a square barcode) and usually a text “setup key” beneath it as a fallback. Leave this on screen.

Scan it in your app

Open your authenticator app, tap Add or the + button, choose Scan a QR code, and point your phone’s camera at the code. The account appears instantly with a six-digit code counting down. If the camera will not scan, choose “enter a setup key” and type the text key by hand.

Confirm with the first code

Back on the website, type the six-digit code your app now shows to prove it is linked, then confirm. The site will report that the authenticator app is enabled. That is the account protected.

The code changes — that is normal. If a code expires while you are typing, just wait for the next one and enter that. The codes rotate every 30 seconds by design. Make sure your phone’s clock is set to update automatically, because the codes depend on accurate time.
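To make the "shared secret plus current time" calculation concrete, here is an added example (not code from this guide or from any authenticator app) that reads the kind of otpauth:// URI a setup QR code encodes and derives the six-digit code with the TOTP standard (RFC 6238, HMAC-SHA1). The sample URI, account name and the `parse_setup_uri`, `totp` and `verify` helpers are constructed for illustration; the secret is the published RFC 6238 test key, not a real account key.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import urlparse, parse_qs

# Constructed sample: what a setup QR code typically encodes. The "secret"
# parameter is the same text shown as the manual "setup key".
SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
              "&issuer=Example&digits=6&period=30")

def parse_setup_uri(uri):
    """Return (secret_bytes, digits, period) from an otpauth://totp URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP setup URI")
    query = parse_qs(parts.query)
    key = query["secret"][0].replace(" ", "").upper()
    key += "=" * (-len(key) % 8)  # setup keys are usually shown unpadded
    digits = int(query.get("digits", ["6"])[0])
    period = int(query.get("period", ["30"])[0])
    return base64.b32decode(key), digits, period

def totp(secret, unix_time, digits=6, period=30):
    """Code for the time step containing unix_time (RFC 6238 / RFC 4226)."""
    counter = int(unix_time) // period            # same value for 30 seconds
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, code, server_time, window=1, digits=6, period=30):
    """Site-side check: accept codes from +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(
            totp(secret, server_time + step * period, digits, period), code)
        for step in range(-window, window + 1)
    )

if __name__ == "__main__":
    secret, digits, period = parse_setup_uri(SAMPLE_URI)
    phone_code = totp(secret, 1111111109, digits, period)
    print("phone shows:", phone_code)
    # Two seconds later the next 30-second step has started.
    print("strict check:", verify(secret, phone_code, 1111111111, window=0))
    print("one-step tolerance:", verify(secret, phone_code, 1111111111, window=1))
```

The setup key is the entire secret, so treat a screenshot or printout of the QR code like a password. The tolerance window is why a phone clock that is a few seconds off still works while one that is minutes off does not.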

Step 3: Save your backup and recovery codes

This is the step people skip and later regret. When you switch on 2FA, almost every site offers a set of one-time backup codes (sometimes called recovery codes). These let you log in if you ever lose access to your authenticator app — they are your safety net.

Do not skip the backup codes. Without them, losing your phone can mean losing access to the account entirely. Save them the moment the site offers them — before you finish setup — and store them somewhere safe and separate from your phone.

Store the codes well:

  • In your password manager — the neatest option, keeping each account’s codes attached to its login. See our password manager guide if you do not use one yet.
  • Printed and kept somewhere secure at home, such as with important documents — offline and immune to a dead phone.
  • Not in a plain note on the same phone that holds the authenticator, where one lost device loses both.

Step 4: Protect your other important accounts

Repeat the same scan-and-confirm process on every account that matters. Prioritise in this order:

  • Your primary email first. It is the master key — password resets for everything else land there, so securing it protects all the rest.
  • Banking and financial apps and any payment services.
  • Your password manager itself and your main cloud storage.
  • Social media and shopping accounts, which are common targets for takeover.

Each one takes a minute or two, and you collect them all in the single app. Pair this with strong, unique passwords — created with our strong-password method or the password generator — and your accounts become dramatically harder to break into.

What if you lose your phone?

This is the fear that stops people enabling 2FA, but with a little preparation it is entirely manageable. If your phone is lost, stolen or broken, you get back in by one of these routes, which is exactly why the earlier steps matter:

Use a backup code

Enter one of the recovery codes you saved in step three instead of an app code. Each works once; cross it off as you use it. This alone prevents most lock-outs.

Restore from the app’s cloud backup

If your authenticator app backs up to the cloud, install it on your replacement phone, sign in, and your accounts reappear ready to use.

Use the account’s recovery process

As a last resort, most services have an account-recovery path — verifying your identity another way — though it is slower. A second factor on file, like a trusted device, can help here.

The takeaway: a lost phone is a nuisance, not a disaster, provided you saved your backup codes or use an app with cloud backup. That preparation is the whole point of step three.

Moving to a new phone

When you upgrade phones on purpose, plan the move so you never lose access:

  • If your app has cloud backup or sync: install the app on the new phone, sign in to the same app account, and your codes transfer automatically. The simplest path.
  • If your app offers an export/transfer: many show a “transfer accounts” option that displays a QR code on the old phone for the new one to scan. Do this before wiping the old device.
  • If neither is available: set up the authenticator afresh on the new phone for each account — sign in (using a backup code), turn 2FA off and back on to generate a new QR code, and scan it with the new phone.

Whatever the method, keep the old phone until every account works on the new one, and refresh your backup codes afterwards. For a smooth overall switch, our guide to transferring data to a new phone covers the rest of the move.

Frequently asked questions

How do I set up an authenticator app?

Install a reputable authenticator app, then on the website you want to protect, open Settings then Security and choose two-factor authentication using an authenticator app. The site shows a QR code; in the app tap add, scan the QR code, then type the six-digit code the app generates back into the website to confirm. The account is then protected, and you repeat this for each account.

Is an authenticator app safer than text-message codes?

Yes. Text codes can be intercepted or stolen through SIM-swap attacks, where someone hijacks your phone number. An authenticator app generates the code on your device with nothing sent over the network, so there is nothing to intercept. It also works without any signal, which makes it both more secure and more reliable than SMS codes.

What happens if I lose the phone with my authenticator app?

You get back in using one of the backup or recovery codes you saved when you enabled 2FA, or by restoring your app from its cloud backup on a new phone, or through the account's own recovery process. This is why saving your backup codes during setup is essential; with them, a lost phone is a nuisance rather than a lock-out.

What are backup codes and where should I keep them?

Backup codes are one-time login codes a site gives you when you turn on 2FA, used if you cannot access your authenticator app. Each works once. Store them in your password manager or printed somewhere secure at home, and never only on the same phone that holds the authenticator, or one lost device would take both.

How do I move my authenticator to a new phone?

If your app has cloud backup or sync, just install it on the new phone and sign in to the same app account, and your codes transfer. Some apps offer an export that shows a QR code on the old phone to scan with the new one. Otherwise, set each account up again on the new phone using a backup code. Keep the old phone until everything works.

Sources & further reading

This guide is independently produced. We reference primary documentation from device makers and security authorities. Tudug is reader-supported and may earn from ads.
