
Two-Factor Authentication Apps: A Business Comparison Guide

CIS
CX IT Services

Comparing the best two-factor authentication apps for Australian businesses — Microsoft Authenticator, Google Authenticator, Authy, Duo, and hardware keys. Which is right for your team?

Multi-factor authentication (MFA) is no longer optional for Australian businesses. It is the single most effective control against account compromise — stopping over 99% of automated credential attacks according to Microsoft’s own data. Cyber insurance providers now mandate it. The Australian Signals Directorate’s Essential Eight requires it at Maturity Level 1.

The question for most businesses is not whether to implement MFA, but which authenticator app to use — and how to manage the rollout without creating a support burden or locking staff out of their accounts.

This guide compares the main options available to Australian businesses.

Why the Choice of Authenticator App Matters

All authenticator apps generate time-based one-time passwords (TOTP) — six-digit codes that expire every 30 seconds. At a basic functional level, they all work the same way.

The differences that matter for businesses:

  • Backup and recovery: What happens when a staff member loses their phone?
  • Centralised management: Can IT administrators manage MFA codes for the organisation?
  • Platform support: Does it work across the systems your business uses?
  • Phishing resistance: Does it protect against advanced phishing attacks that steal MFA codes in real time?
  • Compliance: Does it satisfy your cyber insurance and regulatory requirements?

For a sole trader with one login, these distinctions are minor. For a 50-person Melbourne professional services firm with staff turnover, international travel, and cyber insurance requirements, they are significant.


Microsoft Authenticator

Best for: Businesses running Microsoft 365

Microsoft Authenticator is the natural choice for organisations on Microsoft 365 — and since most Melbourne SMBs run Microsoft 365, it is also the most common authenticator app we deploy.

Key advantages:

  • Native integration with Microsoft 365 and Azure Active Directory (Entra ID)
  • Number matching and additional context: the prompt shows a number the user must type from the login screen, plus the application being accessed and the geographic location of the request, which defeats "MFA fatigue" attacks where users approve every prompt without reading it
  • Push notifications rather than manual code entry for Microsoft services
  • Passwordless authentication: staff can log in to Microsoft 365 with just a push notification — no password required
  • Backup and cloud sync of accounts (linked to a Microsoft account)
  • Centrally managed through Entra ID: IT administrators can see which users have MFA registered and require re-registration if a device is lost

Limitations:

  • Primarily optimised for Microsoft services; works with non-Microsoft services but the experience is less seamless
  • Requires a Microsoft account for backup/sync

Our recommendation: If your business runs Microsoft 365, use Microsoft Authenticator. The integration, number matching, and central management through Entra ID make it significantly better than any generic TOTP app for Microsoft environments.


Google Authenticator

Best for: Personal use; not recommended for businesses

Google Authenticator is the original authenticator app and is widely supported across almost every platform. For individuals securing personal accounts, it is fine.

For businesses, it has significant limitations:

  • No backup: Until recently, Google Authenticator had no backup or sync capability. A lost phone meant losing all MFA codes. Google added cloud sync in 2023, but the implementation has been criticised for security weaknesses.
  • No central management: There is no way for an IT administrator to manage Google Authenticator at an organisational level.
  • No push notifications: Code entry is always manual.

Our recommendation: Do not deploy Google Authenticator as your business authenticator. The lack of centralised management and the historical backup issues create too much support burden and recovery risk.


Authy

Best for: Businesses without Microsoft 365 needing cross-device backup

Authy addresses the backup problem that plagued Google Authenticator — it syncs MFA codes across multiple devices (phone, tablet, desktop) and allows recovery through a registered phone number.

Key advantages:

  • Multi-device sync: staff can access codes on their phone and computer
  • Encrypted backups to the cloud
  • Works well as a generic TOTP app across a wide range of services

Limitations:

  • No enterprise management features — no centralised IT visibility or control
  • Owned by Twilio, which has had its own security incidents
  • Not integrated with Microsoft 365 in the same way Microsoft Authenticator is
  • Phone number-based recovery is vulnerable to SIM-swap attacks

Our recommendation: Better than Google Authenticator for SMBs that need backup and cross-device access, but lacks the enterprise management features that larger businesses need. If you are on Microsoft 365, Microsoft Authenticator is still a better choice.


Duo Security (Cisco)

Best for: Larger businesses with complex, multi-platform environments

Duo is an enterprise MFA and zero-trust access platform acquired by Cisco in 2018. It is significantly more powerful — and more expensive — than consumer-grade authenticator apps.

Key advantages:

  • Centralised management: full IT administrator visibility and control
  • Works across virtually any platform and application
  • Device health checks: can be configured to deny access from devices that are not managed or are out of compliance
  • Detailed audit logging and reporting
  • Push notifications with contextual information

Limitations:

  • Significantly higher cost than free consumer apps
  • More complex to deploy and manage
  • Overkill for smaller businesses with simple environments

Our recommendation: Suitable for Melbourne businesses with 50+ staff, complex multi-application environments, or specific compliance requirements (government, healthcare, finance) that require enterprise-grade MFA management. For most Melbourne SMBs on Microsoft 365, Duo’s capabilities are largely duplicated by Microsoft Entra ID with Microsoft Authenticator, at no additional cost.


Hardware Security Keys (YubiKey, FIDO2)

Best for: High-value accounts requiring phishing-resistant MFA

Hardware security keys — physical USB or NFC devices like YubiKey — represent the most secure form of MFA available. They use FIDO2/WebAuthn protocols that are fundamentally resistant to phishing attacks that steal software-based MFA codes.

Why hardware keys are more secure: Phishing-resistant MFA works because the cryptographic authentication is bound to the specific domain being accessed. The browser, not the web page, tells the key which domain is asking, and the key holds a separate credential for each domain it was registered with. A phishing site at m1crosoft.com cannot steal a FIDO2 authentication because the hardware key will refuse to authenticate for any domain other than the legitimate one.

Software-based TOTP codes — even push notifications — can theoretically be stolen by a sophisticated real-time phishing attack. Hardware keys cannot.
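To make the domain binding concrete, here is an added example (not from the guide, and not vendor code) that simulates the three parties in a WebAuthn login: the authenticator, the browser, and the relying party (the website). It runs on the Python standard library only, so an HMAC-SHA256 stands in for the key's real per-site asymmetric signature; the domains example.com and the lookalike examp1e.com are constructed. The point it demonstrates is that the origin is written into the signed data by the browser, and that a key with no credential for the phishing domain simply produces nothing to relay.

```python
import hashlib
import hmac
import json
import secrets
import struct
from typing import Dict, Optional, Tuple


class SimulatedAuthenticator:
    """Stand-in for a hardware key: one credential per relying party ID (RP ID),
    created at registration. HMAC-SHA256 replaces the real asymmetric signature
    (a stdlib-only simplification; real keys use e.g. ES256)."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self._counter = 0

    def register(self, rp_id: str) -> Tuple[bytes, bytes]:
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # the RP stores `key` where it would store the public key

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self._creds:
            return None  # no credential scoped to this RP ID: the key refuses
        cred_id, key = self._creds[rp_id]
        self._counter += 1
        # authenticatorData = SHA-256(rpId) || flags (bit 0 = user present) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", self._counter)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return cred_id, auth_data, hmac.new(key, signed, hashlib.sha256).digest()


def browser_get(authenticator: SimulatedAuthenticator, page_origin: str,
                requested_rp_id: str, challenge: bytes) -> Optional[dict]:
    """The browser, not the page, writes the true origin into clientDataJSON and
    rejects any RP ID that is not the origin's host or a registrable suffix of it."""
    host = page_origin.split("://", 1)[1].split("/")[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": page_origin}, separators=(",", ":")).encode()
    result = authenticator.get_assertion(requested_rp_id, client_data)
    if result is None:
        return None
    cred_id, auth_data, sig = result
    return {"id": cred_id, "clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    """The website. Verification order follows the WebAuthn assertion checks:
    type, fresh challenge, expected origin, rpIdHash, user-presence flag, signature."""

    def __init__(self, rp_id: str, origin: str) -> None:
        self.rp_id, self.origin = rp_id, origin
        self.keys: Dict[bytes, bytes] = {}
        self.pending: Dict[str, bool] = {}

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending[c.hex()] = True
        return c

    def verify(self, assertion: Optional[dict]) -> bool:
        if assertion is None:
            return False
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False
        if not self.pending.pop(cd.get("challenge"), False):
            return False  # unknown or already-used challenge (replay)
        if cd.get("origin") != self.origin:
            return False
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        if not auth_data[32] & 0x01:
            return False
        key = self.keys.get(assertion["id"])
        if key is None:
            return False
        expected = hmac.new(key, auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def run_scenarios() -> Tuple[bool, Optional[dict], Optional[dict], bool]:
    rp = RelyingParty("example.com", "https://login.example.com")
    key = SimulatedAuthenticator()
    cred_id, secret = key.register(rp.rp_id)
    rp.keys[cred_id] = secret

    # 1. Legitimate login from the real origin.
    genuine = browser_get(key, rp.origin, rp.rp_id, rp.new_challenge())
    legit_ok = rp.verify(genuine)
    # 2. Real-time relay: a lookalike page forwards the genuine challenge. The browser
    #    scopes the request to the lookalike host; the key has no credential for it.
    stolen_challenge = rp.new_challenge()
    relayed = browser_get(key, "https://login.examp1e.com", "examp1e.com", stolen_challenge)
    # 3. The lookalike page cannot ask the browser for the real RP ID from its origin either.
    forged_rp = browser_get(key, "https://login.examp1e.com", "example.com", stolen_challenge)
    # 4. Replaying the genuine assertion fails: its challenge was consumed in step 1.
    replay_ok = rp.verify(genuine)
    return legit_ok, relayed, forged_rp, replay_ok
```

Contrast this with the TOTP flow: a six-digit code carries no origin at all, so the same relay that fails in scenarios 2 and 3 here succeeds against a code typed into the lookalike page.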

Key advantages:

  • Phishing resistant by design
  • No battery required (passive hardware)
  • Works offline — no network dependency
  • Long-lived (YubiKeys typically last 5–10+ years)

Limitations:

  • Cost: YubiKeys are approximately $50–$100 per key (most users need two: one primary, one backup)
  • Physical device: can be lost or forgotten
  • Not all services support FIDO2/WebAuthn yet (though Microsoft 365 and most major platforms do)
  • Requires physical deployment to staff

Our recommendation: Hardware keys are the gold standard for protecting high-value accounts — Microsoft 365 global administrators, privileged service accounts, and executives with access to sensitive financial systems. They are not practical as the primary MFA method for all staff in most Melbourne SMBs, but should be considered for the highest-privilege accounts in your organisation.


What About SMS Codes?

SMS-based MFA — where a code is sent to your phone number — should be considered the weakest form of MFA and should not be relied on as your primary MFA method for business accounts.

SMS codes can be intercepted through:

  • SIM-swap attacks (calling your telco and convincing them to transfer your number to an attacker’s SIM)
  • SS7 protocol attacks (technical interception of SMS at the network level)
  • Malware on the receiving device

Most cyber insurance policies and the ASD Essential Eight now specify authenticator apps or hardware keys rather than SMS as the required MFA method. If you are using SMS-based MFA for business accounts today, migrating to an authenticator app should be a priority.


Which Should Your Business Use?

For most Melbourne SMBs on Microsoft 365:

Use Microsoft Authenticator for all staff. Enable number matching in Entra ID. Configure Conditional Access to require MFA for all applications. Use hardware YubiKeys for global administrator accounts.

For businesses not on Microsoft 365:

Use Authy or another backup-enabled TOTP app as a minimum. Evaluate Duo if you have complex multi-platform requirements or 50+ staff.

For any business:

Get rid of SMS-based MFA where it is still in use for business accounts.


If you are not sure where your organisation stands on MFA, or if you need help deploying Microsoft Authenticator and Conditional Access across your Microsoft 365 environment, contact our team. We help Melbourne businesses implement MFA properly — not just tick a box on a compliance checklist.

26 years IT experience. ASD Cyber Security Partner. Essential Eight and SMB1001 specialist. Deep expertise in accounting and legal practice management software.

Reviewed by: CX IT Services Editorial Team