You don't need both Google and Microsoft Authenticators though, both of them support TOTP. But, yeah, there are some places that require as separate app just for them, like Steam, eBay, Twitch and Blizzard, which is annoying.

Wait are you saying any authenticator app works for all services?

Because whenever I'd sign up or they'd add it as a requirement, they'd always link to a specific authenticator app to use.

Is that just a suggestion rather than a requirement?

Most frequently, yes! Sometimes the UI crosses the line from providing a suggestion to straight up bullshitting you, but most implementations of time-based 2FA are compatible with RFC 6238[1] (of which TFA is a good summary) and communicate the shared secret in a de facto standard URI format[2] inside a bog-standard QR code.

[1] https://datatracker.ietf.org/doc/html/rfc6238

[2] https://www.iana.org/assignments/uri-schemes/prov/otpauth

Wow, I had no idea. Thanks so much!

Although now that I'm researching it, it's even more convoluted. I'd installed the Symantec VIP Access authenticator app, for example, specifically because PayPal had said they required it (or the wording had led me to believe that -- they certainly didn't mention alternatives).

But now apparently it's the opposite -- as of this past June, PayPal has removed support for Symantec, and requires instead Google/Microsoft/Authy/etc.:

https://www.paypal.com/us/smarthelp/article/what-other-2-ste...

What in the actual hell. I swear to god there's no winning here. :S

Never interacted with Symantec’s system and thought it was one of the rare non-standard exceptions, but apparently it’s just normal TOTP with extra funky lock-in at the enrolment stage[1,2].

[1] https://www.cyrozap.com/2014/09/29/reversing-the-symantec-vi... (expired cert warning)

[2] https://github.com/dlenski/python-vipaccess