Traditional authentication systems based on fixed passwords are vulnerable to dictionary attacks, shoulder surfing attacks, eavesdropping attacks, spyware attacks, and phishing attacks. Therefore, many two-factor authentication (2FA) systems based on one-time passwords have been proposed. Although these 2FA systems based on one-time passwords can resist common phishing attacks, they still lack strong defensive capabilities against real-time phishing attacks, in which attackers can use various types of real-time phishing tools to break through the defenses of 2FA systems based on one-time passwords. In recent years, as the threats of real-time phishing attacks against 2FA systems based on one-time passwords increase significantly, security events related to real-time phishing attacks occur frequently. In this paper, we first analyze the general security strength and usability of the five most popular 2FA apps based on one-time passwords, including Aegis Authenticator, Google Authenticator, Microsoft Authenticator, andOTP, and Bitwarden. In particular, we also analyze their resiliencies to real-time phishing attacks. According to the comprehensive comparison results, we select Bitwarden, which has higher overall security, as the base app to embed our proposed security improvement mechanisms, including the security check mechanism for URI setting and the instant URI comparison mechanism, to enhance the system’s resilience to real-time phishing attacks.