Two-factor authentication is one of the most effective security tools available — but not all 2FA is equal. SMS codes can be intercepted. App-based codes are better. Hardware keys are best. Here's the complete guide to understanding and choosing the right protection.
Passwords are broken. Not conceptually — the idea of a secret phrase to prove identity is fine. What's broken is the reality: billions of passwords have been stolen in data breaches and traded on criminal markets, people reuse passwords across dozens of accounts, and the average password is far weaker than security guidelines recommend. Even a strong, unique password can end up in a criminal's hands through no fault of your own, simply because the service that stored it was compromised.
Two-factor authentication — commonly called 2FA, or multi-factor authentication (MFA) when more factors are involved — is the security layer designed to solve this problem. The idea is simple: to log into your account, you need both something you know (your password) and something you have (a physical device, a code, a hardware key). Getting just the password isn't enough to get in.
In practice, 2FA has become one of the most recommended security measures in existence. Major governments, cybersecurity agencies, and security researchers universally advise enabling it on important accounts. And yet, the practical implementation details matter enormously — because not all 2FA is equally secure, and some forms can be bypassed by attackers who know what they're doing.
The failure modes of password-only authentication are well-documented:
Breach exposure. When a service's database is compromised, passwords in that database — even if hashed — are sometimes recoverable. Once recovered, if you've reused that password elsewhere, other accounts become vulnerable.
Phishing. A convincing fake login page can capture your password in real time. You think you're logging into your bank; you're actually logging into an attacker's copy of your bank's login page. Your password goes directly to them.
Credential stuffing. Automated tools test billions of username-and-password combinations stolen from old breaches against current services. If you've reused a password that appeared in any breach, you're vulnerable to this.
Keyloggers and malware. If malicious software is installed on your device, it can record every key you type — including passwords — and transmit them to attackers.
Guessing and brute force. Weak passwords can simply be guessed. Common patterns (Password1!, birthdays, names followed by numbers) are well-represented in the dictionaries attackers use.
In all of these scenarios, having a second factor breaks the attack. Even if an attacker has your password from a breach, they can't log in without your authenticator app. Even if a phishing page captures your password, they can't complete the login without the hardware key you're holding. The second factor isn't a perfect shield, but it raises the cost and difficulty of account takeover dramatically.
Not all second factors are equally secure. Here's the landscape from least to most protective:
The most common form of 2FA sends a six-digit code to your phone via text message. You enter your password, receive a code, enter the code. Simple, familiar, and widely supported.
The problem is that SMS-based 2FA has a well-documented vulnerability: SIM swapping. In a SIM swap attack, an attacker contacts your mobile carrier, impersonates you, and convinces customer service representatives to transfer your phone number to a SIM card the attacker controls. Once they have your number, any SMS code sent to that number goes to them, not you.
SIM swapping is not a theoretical risk. Twitter CEO Jack Dorsey had his account hijacked via a SIM swap in 2019. Multiple cryptocurrency holders have lost millions of dollars to SIM swap attacks targeting their phone numbers to bypass SMS-based 2FA on exchange accounts.
SMS codes are also vulnerable to more sophisticated interception techniques. The SS7 protocol, which carriers use to route calls and texts globally, has known security flaws that governments and well-resourced attackers have exploited to intercept messages. Sophisticated attackers can also set up "adversary-in-the-middle" phishing pages that capture both your password and your SMS code in real time, using both before the code expires.
This doesn't mean SMS 2FA is worthless. It's substantially better than no 2FA at all — it defeats credential stuffing, most phishing attempts, and basic account takeover. But it's the weakest form of 2FA, and for high-value accounts (banking, cryptocurrency, primary email), you should use something stronger.
Some services send a verification code to your email address rather than your phone. This has similar weaknesses to SMS: if your email account is compromised, the codes go to the attacker. It's marginally better than nothing, but doesn't represent meaningful protection if the goal is to protect your email account itself (since the second factor goes to the same account it's trying to protect).
Time-based One-Time Passwords (TOTP) are the codes generated by authenticator apps like Google Authenticator, Authy, Microsoft Authenticator, and others. These apps aren't connected to your carrier or dependent on SMS infrastructure. They generate codes using a mathematical formula that combines a secret key (stored in the app when you set up 2FA) with the current time. The code changes every 30 seconds, and only the service and your app know the secret key needed to generate the correct code.
Because TOTP codes are generated locally on your device rather than sent over a network, they can't be intercepted by SIM swapping or SS7 attacks. They're also not affected by carrier outages or changes.
The residual vulnerabilities: a phishing site can capture a TOTP code in real time if you're tricked into entering both your password and your code on a fake login page (a "real-time phishing" attack). And if your phone is stolen and the thief can unlock it, they can access your authenticator app. But these attack scenarios are significantly harder and more targeted than the simple SIM swap that defeats SMS 2FA.
Setting up Google Authenticator:
Important: Back up your authenticator codes. If you lose your phone and haven't backed up, you'll be locked out of accounts. Authy, unlike Google Authenticator, offers encrypted cloud backup of your authenticator seeds, which makes recovery easier — though it introduces its own trust consideration (your codes are stored in the cloud, encrypted with your master password).
Consider storing backup codes (provided by most services during 2FA setup) in your password manager.
Hardware security keys — physical devices that you plug into a USB port or tap against your phone's NFC reader — represent the strongest commonly available form of 2FA. The leading products are the YubiKey (made by Yubico) and Google's Titan Security Key.
These devices implement a standard called FIDO2/WebAuthn, which uses public-key cryptography rather than shared secrets. When you register a hardware key with a service, the key generates a key pair: a private key that never leaves the device, and a public key that is stored by the service. When you log in, the service sends a cryptographic challenge; your hardware key signs it with the private key; the service verifies the signature with the public key. No code ever passes over the network.
This design is resistant to phishing in a way that TOTP codes are not. The signing operation performed by the key is bound to the specific website domain — a hardware key registered to mybank.com will not respond to a login challenge from my-bank-login-secure.com, even if the page looks identical. The key knows the difference at the cryptographic level. This makes hardware keys the only commonly available form of 2FA that provides practical phishing resistance.
Hardware keys are also resistant to SIM swapping (they're not connected to your carrier), server-side breaches (the private key never leaves the device), and real-time phishing attacks.
The practical downsides: they cost money (YubiKeys start around $25-$50), they require physical presence (you need to have the key with you), and not all services support them yet. For most people, they're worth using on the highest-value accounts: email, financial accounts, password manager, work systems.
A newer development worth mentioning is passkeys — a successor to traditional passwords, built on the same FIDO2 cryptographic standard as hardware keys, but implemented directly in your device's secure hardware (the Secure Enclave on an iPhone, the Titan M chip on Pixel phones, or Windows Hello on compatible PCs).
Passkeys replace passwords entirely rather than supplementing them. You register a passkey with a service, and logging in involves only authenticating to your device (using your fingerprint, face, or device PIN), which then performs the cryptographic authentication automatically. No password to type, no code to enter.
Google, Apple, Microsoft, GitHub, PayPal, and many other major services now support passkeys. They're genuinely phishing-resistant and significantly more convenient than the password-plus-authenticator-code flow. Adoption is growing rapidly; passkeys are likely to be the dominant authentication mechanism within a few years.
Google offers the most complete 2FA options of any major platform. Navigate to myaccount.google.com, then Security, then 2-Step Verification.
Options include: SMS codes, Google Authenticator (or any TOTP app), Google's own prompt system (which sends a push notification to your Android or iPhone to approve login), backup codes, and hardware security keys. Google also supports passkeys.
For most users, Google's authenticator app or a hardware key provides the best protection. Avoid SMS if you can. For your Google account in particular — which is the "master key" to most of your Google services — use the strongest 2FA you're comfortable with.
Navigate to Settings → Your Name → Sign-In & Security → Two-Factor Authentication (on iPhone or iPad), or appleid.apple.com in a browser. Apple uses its own system: codes sent to trusted Apple devices or SMS to a trusted phone number. Apple now also supports passkeys and hardware security keys for Apple ID (you need two hardware keys to enable the most secure "Advanced Data Protection" mode).
In Facebook: Settings → Security and Login → Use two-factor authentication. Options include authentication apps, SMS, or hardware security keys. Use an authenticator app or hardware key — Meta has a history of receiving SIM swap attempts against high-profile accounts.
Most major banks now offer 2FA, though many still default to SMS codes. Log into your bank's website, find the security settings section, and enable whatever 2FA options are available. If your bank offers only SMS, that's better than nothing — push for authenticator app support and hardware key support when they eventually become available.
Your password manager is one of the most important accounts to protect with strong 2FA — it's the key to everything else. As we discuss in our guide to the best password managers, leading password managers (1Password, Bitwarden, Dashlane) all support authenticator apps and hardware keys. Enable 2FA on your password manager as a priority.
What if I lose my phone?
This is why backup codes matter. Every service that offers 2FA also provides a set of single-use backup codes when you enable it. Store these in your password manager (not just on your phone). If you lose your phone, you can use a backup code to log in and re-establish 2FA with a new device.
Does 2FA slow me down?
Minimally. Most services only require 2FA verification when you log in from a new device or after clearing your cookies. On trusted devices, you can often stay logged in for extended periods without re-entering a 2FA code. The slight extra friction at login is the price of meaningful security improvement.
Can 2FA ever be beaten?
Yes, through sophisticated targeted attacks. Advanced phishing tools exist that can capture both passwords and TOTP codes in real time. SIM swapping defeats SMS 2FA. If an attacker has persistent access to your device, they can see the codes being generated. But these attacks require substantially more effort and targeting than the automated credential stuffing that affects millions of accounts with no 2FA. For the vast majority of users and the vast majority of threats, any 2FA is dramatically better than none, and hardware keys are dramatically better than SMS.
The goal of 2FA isn't to make your account impenetrable. It's to make attacking your account expensive enough that criminals move on to easier targets.