Two-factor authentication (2FA) requires a second proof of identity beyond your password. There are three main types: SMS codes (weakest: vulnerable to SIM swap attacks), authenticator app codes (better: immune to SIM swap but still phishable), and hardware security keys like YubiKey (strongest: the proof is cryptographically bound to the site's domain, so a phishing page cannot reuse it). For any account you care about, upgrade past SMS.
The Three Types of 2FA — Compared
| Method | How It Works | Phishing Resistant | SIM Swap Proof | Cost |
|---|---|---|---|---|
| SMS Code | 6-digit code texted to your phone number | ❌ No | ❌ No | Free |
| Email Code | 6-digit code emailed to you | ❌ No | ✔ Yes | Free |
| Authenticator App (TOTP) | Time-based 6-digit code from an app | ❌ No | ✔ Yes | Free |
| Passkey (device-based FIDO2) | Biometric or PIN-unlocked key on your device | ✔ Yes | ✔ Yes | Free |
| Hardware Security Key (FIDO2) | Physical USB/NFC key with cryptographic proof | ✔ Yes | ✔ Yes | $25–$60 (recommended) |
SMS 2FA — Better Than Nothing, But Broken
When you log in with SMS 2FA, the service texts a 6-digit code to your phone number. You type that code to complete the login. This is better than a password alone — an attacker who has only your password still can't get in.
But SMS has two well-documented weaknesses. SIM swapping is when an attacker calls your mobile carrier, impersonates you, and convinces a support agent to transfer your number to a new SIM card the attacker controls. Within minutes, all texts go to them — including your 2FA codes. This attack has been used to steal millions of dollars from crypto accounts and compromise high-profile social media accounts. SS7 attacks exploit vulnerabilities in the phone network's routing infrastructure to intercept SMS messages directly, without the carrier's involvement.
SMS 2FA is still far better than no 2FA. But for any account that matters — email, banking, crypto, cloud storage — move to an authenticator app or hardware key.
Authenticator Apps (TOTP) — Much Better Than SMS
Apps like Google Authenticator, Authy, and 1Password generate Time-based One-Time Passwords (TOTP). These are 6-digit codes that change every 30 seconds based on a shared secret and the current time. Because they're generated offline, they're immune to SIM swapping.
However, TOTP codes can be phished. A sophisticated attacker can set up a real-time phishing proxy — a fake login page that silently relays your credentials and code to the real site, logging in as you before the 30-second window expires. This is called an adversary-in-the-middle (AiTM) attack, and it is used in targeted campaigns against high-value accounts.
For most people, an authenticator app provides excellent protection. It is the recommended minimum for any account you care about.
Hardware Security Keys (FIDO2) — The Gold Standard
A hardware security key like a YubiKey uses FIDO2/WebAuthn — a cryptographic protocol where your key generates a unique proof of identity that is mathematically bound to the exact domain name of the site you're logging into.
Here's why this matters: if a phishing site at goog1e.com tries to use your FIDO2 authentication to log into google.com, it fails — the domain doesn't match and the cryptographic proof is invalid. The attacker gets nothing. This is what "phishing resistant" means, and it's why FIDO2 is the only 2FA method endorsed by NIST (the US National Institute of Standards and Technology) as phishing-resistant.
The hardware key also can't be SIM-swapped, malware-intercepted, or remotely accessed — it only works when physically present and touched by you.
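The domain binding described in this section is easiest to see in code. The following is an added simulation of the WebAuthn sign-in ceremony, not a real WebAuthn library and not code from YubiKey or any other vendor: a security key that holds one credential per relying-party ID, a browser that records the origin it is actually on, and a relying party that checks origin, RP ID hash, challenge freshness and signature. One simplification is labelled in the code: a standard-library HMAC stands in for the authenticator's per-site ECDSA/EdDSA signature, so the binding logic runs offline. The `demo()` function plays three ceremonies: a genuine login, a look-alike domain relaying the real site's challenge, and a replay of a captured assertion.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Simplification: a real authenticator signs with a per-site private key and the relying
# party verifies with the stored public key. Here an HMAC over the same signed bytes
# (authenticatorData || SHA-256(clientDataJSON)) stands in for that signature.


class Authenticator:
    """Security key: one credential per relying-party ID (RP ID) it was registered with."""

    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def register(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # the relying party stores these at registration time

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        if rp_id not in self._creds:
            return None  # no credential scoped to this RP ID: the key stays silent
        cred_id, key = self._creds[rp_id]
        # authenticatorData = rpIdHash (32 bytes) || flags (0x01 = user present, i.e. touched)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return {"credential_id": cred_id, "auth_data": auth_data, "sig": sig}


def browser_get(authenticator, page_origin: str, challenge: bytes):
    """The browser, not the page's script, writes the origin it is really on into
    clientDataJSON and derives the RP ID from it; a page cannot claim to be google.com."""
    rp_id = urlparse(page_origin).hostname
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        sort_keys=True,
    ).encode()
    assertion = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if assertion is None:
        return None
    return dict(assertion, client_data=client_data)


class RelyingParty:
    """The genuine site: verifies origin, RP ID hash, single-use challenge and signature."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname
        self._creds = {}     # credential_id -> key
        self._pending = set()  # challenges issued but not yet consumed

    def enroll(self, authenticator):
        cred_id, key = authenticator.register(self.rp_id)
        self._creds[cred_id] = key

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._pending.add(c)
        return c

    def verify(self, response):
        if response is None:
            return False, "authenticator produced no assertion"
        cd = json.loads(response["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch: " + str(cd.get("origin"))
        ch = bytes.fromhex(cd["challenge"])
        if ch not in self._pending:
            return False, "unknown or already-used challenge"
        self._pending.discard(ch)  # each challenge is accepted once
        auth_data = response["auth_data"]
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user presence flag not set"
        key = self._creds.get(response["credential_id"])
        if key is None:
            return False, "unknown credential"
        signed = auth_data + hashlib.sha256(response["client_data"]).digest()
        if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(), response["sig"]):
            return False, "bad signature"
        return True, "ok"


def demo():
    """Genuine login, look-alike domain relaying the real challenge, and a replay."""
    key = Authenticator()
    google = RelyingParty("https://google.com")
    google.enroll(key)
    results = {}
    good = browser_get(key, "https://google.com", google.challenge())
    results["legitimate"] = google.verify(good)
    # AiTM proxy on goog1e.com relays google.com's challenge, but the browser asks the
    # key for rpId "goog1e.com", for which no credential exists.
    results["lookalike"] = google.verify(browser_get(key, "https://goog1e.com", google.challenge()))
    # A captured genuine assertion is useless later: its challenge was already consumed.
    results["replay"] = google.verify(good)
    return results
```

The two checks that do the work are visible here: the authenticator refuses to answer for an RP ID it never enrolled with, and even an assertion that reaches the relying party is tied to one origin and one challenge. Contrast this with the TOTP case above, where the relayed code is a bare number the real site cannot distinguish from a legitimate one.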
Which 2FA Should You Use?
Use a hardware security key for your highest-value accounts — primary email, Microsoft or Google Workspace account, password manager, banking (where supported), and any account that could be used to recover others. Use an authenticator app for everything else that supports it. Fall back to SMS only for services that offer nothing else. Do not leave any account without 2FA at all.