Why Passwords Alone Aren't Enough
Even the strongest password can be compromised through phishing, data breaches, or keyloggers. Two-factor authentication (2FA) adds a second layer by requiring something you have in addition to something you know.
But not all 2FA methods provide the same level of security. Understanding the differences can help you make informed decisions about protecting your most important accounts.
SMS-Based 2FA
How it works: A text message with a 6-digit code is sent to your phone number when you log in.
Pros:
- Available on virtually every service that supports 2FA
- No app installation required
- Familiar and easy to use
Cons:
- Vulnerable to SIM swapping — an attacker can transfer your phone number to their device by calling your carrier
- Can be intercepted through SS7 network vulnerabilities
- Dependent on cellular service availability
- Susceptible to real-time phishing proxies that relay codes to attackers
Best for: Accounts where no better option is available. SMS 2FA is still significantly better than no 2FA at all.
Authenticator Apps (TOTP)
How it works: An app like Google Authenticator, Authy, or Microsoft Authenticator generates time-based one-time passwords (TOTP) that change every 30 seconds.
Pros:
- Codes are generated locally — no network required
- Immune to SIM swapping attacks
- Works offline (airplane mode, no signal areas)
- Free and widely supported
Cons:
- Still vulnerable to real-time phishing (user can be tricked into entering the code on a fake site)
- Recovery can be difficult if you lose your device (unless using a cloud-synced app like Authy)
- Codes must be entered manually
Best for: Most accounts. TOTP authenticator apps offer a strong balance of security and convenience.
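As an added illustration (not code from the original article), the following shows the TOTP algorithm (RFC 6238, HMAC-SHA1, 30-second step) that the authenticator apps above implement, together with the server-side check a service performs: it tolerates one step of clock drift in either direction and compares codes in constant time. The secret is the published RFC 4226/6238 test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct

# Demo secret: the RFC 4226/6238 test key "12345678901234567890", base32-encoded
# (the form shown in enrolment QR codes). Constructed for this example only.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time counter floor(timestamp / step)."""
    # Restore any base32 padding stripped from the enrolment string.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", timestamp // step)          # 8-byte big-endian
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                 # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, now: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours
    (clock drift), using a constant-time comparison so timing leaks nothing."""
    if len(candidate) != digits or not candidate.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: at T=59 the 6-digit SHA1 code is 287082.
    print(totp(DEMO_SECRET_B32, 59))
```

Because the code is derived only from the shared secret and the clock, nothing in it binds it to the site the user is looking at, which is why a real-time phishing proxy can simply relay it.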
Hardware Security Keys (FIDO2/WebAuthn)
How it works: A physical device (like a YubiKey or Google Titan key) plugs into your USB port or taps via NFC. The key performs a cryptographic handshake with the website that is bound to the exact domain.
Pros:
- Phishing-proof — the key will not authenticate on a fake domain, even a convincing one
- Immune to SIM swapping, network interception, and code-relay attacks
- Nothing to type — just tap or insert
- Extremely fast login process
Cons:
- Requires purchasing a physical device ($25-70)
- Not supported by all services yet
- Need a backup key in case the primary is lost
- Not all devices have USB-A or NFC support
Best for: High-value accounts (email, banking, cloud storage, work accounts). Hardware keys provide the strongest consumer-grade authentication available.
Passkeys: The Future
Passkeys are built on the same FIDO2/WebAuthn technology as hardware security keys but are stored on your phone or computer instead of a separate device. They're synchronized across your devices through your platform's cloud service (iCloud Keychain, Google Password Manager, etc.).
Passkeys offer the phishing resistance of hardware keys with the convenience of not needing to carry a separate device. Major platforms including Apple, Google, and Microsoft are rolling out passkey support.
Recommendations by Account Type
| Account Type | Minimum 2FA | Recommended 2FA |
|---|---|---|
| Email (primary) | Authenticator app | Hardware key + passkey |
| Banking & financial | Authenticator app | Hardware key |
| Social media | SMS | Authenticator app |
| Cloud storage | Authenticator app | Hardware key |
| Work accounts | Authenticator app | Hardware key |
| Shopping & general | SMS | Authenticator app |
Getting Started
If you're not using 2FA on your most important accounts, start today. Begin with your primary email — if an attacker controls your email, they can reset passwords on everything else.
Check which of your accounts have been exposed in breaches on LeakedSource, then enable the strongest 2FA available on each one.