Google Authenticator has the advantage that it's Open Source, but I can't really control whether the thing I downloaded in the app store is actually built from the public sources. But at least I can build my own if I have a developer account. Apparently people are having issues with GA on iOS7 though (it tends to forget the keys), so now I'm kinda out of luck.
Authy is both closed source and wants my cell phone number, Duo Security is just closed source.
I know it's crazy inconvenient in the long run, but I'd much rather install a github official authenticator app than to trust a third-party app with the github token.
But then what if Google pulls the rug out from under apps that rely on it and what if knowledgeable users like you don't like the idea of a third party having access to their second factor?
I'm starting to think that unless you're willing to build your own authenticator apps for multiple mobile OSes SMS-only is the best way to go.
As has been pointed out, it's open source (specifically, Apache 2.0). So fork the code, find & replace any Google trademarks if necessary, and republish as a dedicated authenticator for your own app. Or use one of the existing apps which have forked off gauthenticator, e.g. https://github.com/kaie/otp-authenticator-android .
Except for some bits specific to Gmail's 2-factor workflow added after v2.21
 git clone https://code.google.com/p/google-authenticator/
Or I can implement or build from source a TFA app I trust and use that.
I really hate sites that support TFA and don't support authentication apps as I have very poor phone service at both my home and place of work and hence SMS is a frustrating experience for me.
IMO a shared-secret OTP app is certainly not unbreakable but is more secure than SMS.
SMS is known to be easily subpoenaed and universally stored while believing in a widespread OTP app trojan-horse requires some form of tinfoil-hattery. Both are still orders of magnitude more secure than single-factor authentication anyway and hence I believe both should be included in a reasonable 2-factor authentication solution.
Personally I can't adopt an SMS-only 2-factor solution due to service issues anyway.
(If I'm logging in primarily from a phone/tablet, an authenticator app on the same device is much less secure against targeted attacks than a hardware token would be. Plus, hardware tokens allow lots of useful things like physical-escrow based access control.)
You'd still have one hard token per site (in reality, you'd have one or two hard tokens for the most important things, and then use soft tokens for everything else.)
Yep. I opened mine one day and all my keys were gone. It's a real pain.