Two-Factor Authentication Explained: Which Type Is Actually Secure

Two-factor authentication (2FA) is one of the most effective ways to secure your accounts. But not all 2FA is equal — and the most popular type is also the most vulnerable. Here's what you need to know.

What Two-Factor Authentication Is

2FA adds a second verification step beyond your password. The idea is that even if an attacker steals your password, they still can't log in without the second factor. The three factor types are: something you know (a password), something you have (a device or key), and something you are (biometrics).

SMS-Based 2FA: Better Than Nothing, But Vulnerable

The most common form of 2FA sends a six-digit code to your phone via text message. This is significantly better than just a password — but it has a critical weakness: SIM swapping.

In a SIM swap attack, a criminal calls your mobile carrier, impersonates you using personal information (often from data broker sites), and convinces the carrier to transfer your number to a SIM card they control. From that point, they receive all your SMS verification codes and can reset your passwords.

High-profile crypto holders, journalists, and executives have lost millions to SIM swapping. For high-value accounts, SMS 2FA is a known vulnerability.

Authenticator Apps: The Right Default

Authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator generate time-based one-time passwords (TOTP) locally on your device. These codes change every 30 seconds and are not sent via SMS, making SIM swapping irrelevant.

This is the 2FA method you should use for all important accounts. Setup involves scanning a QR code shown in your account's security settings and takes about two minutes per account.

Authy vs. Google Authenticator: Authy backs up your codes to the cloud (useful if you lose your phone), but this comes with a small security trade-off. Google Authenticator stores codes locally only. For maximum security, use Google Authenticator and store your backup codes safely.

Hardware Security Keys: The Gold Standard

Hardware keys like the YubiKey are physical USB/NFC devices that you insert or tap when logging in. They use public key cryptography, are immune to phishing (they verify the legitimate domain before responding), and cannot be SIM swapped. This is the most secure 2FA available.
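To make the "verify the legitimate domain" point concrete, here is an added example (not the article's own code, nor YubiKey's or any browser's) of the WebAuthn login exchange in Python, using only the standard library. The domains bank.example and bank-login.example, the relying-party identifiers RP_ID and RP_ORIGIN, and the key itself are constructed; in particular, the simulated key signs with an HMAC over a per-credential secret in place of the ECDSA/EdDSA signature a real key produces, so the verification "secret" stands in for the public key the site stores at enrolment.

```python
import hashlib
import hmac
import json
import os
import struct

# Assumed relying party (the site being logged into); both names are constructed.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"


class SimulatedKey:
    """Stand-in for a hardware security key.

    A real key holds a per-site private key and returns an ECDSA/EdDSA
    signature; here an HMAC over a per-credential secret plays that role so
    the example runs on the standard library alone. Real keys also refuse to
    use a credential for any rpId other than the one it was created for; this
    stand-in signs what the browser passes so that the relying party's own
    checks are what the example exercises.
    """

    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self.creds[cred_id] = {"rp_id": rp_id, "secret": secret, "counter": 0}
        return cred_id, secret  # the secret stands in for the credential's public key

    def get_assertion(self, rp_id, cred_id, client_data_hash):
        cred = self.creds[cred_id]
        cred["counter"] += 1
        # authenticatorData = SHA-256(rpId) || flags (user-presence bit) || signature counter
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + b"\x01" + struct.pack(">I", cred["counter"]))
        sig = hmac.new(cred["secret"], auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get(key, origin, cred_id, challenge):
    """What the browser does for navigator.credentials.get(): the browser, not
    the page, records the origin and derives the rpId from it, so a look-alike
    domain cannot claim to be bank.example."""
    rp_id = origin.split("://", 1)[1]
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True).encode()
    auth_data, sig = key.get_assertion(rp_id, cred_id, hashlib.sha256(client_data).digest())
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(registered, assertion, expected_challenge):
    """Relying-party checks on a login response. Returns (accepted, reason)."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge.hex():
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin %r is not %s" % (cd.get("origin"), RP_ORIGIN)
    ad = assertion["auth_data"]
    if ad[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our rpId"
    if not ad[32] & 0x01:
        return False, "user presence not confirmed"
    counter = struct.unpack(">I", ad[33:37])[0]
    if counter <= registered["counter"]:
        return False, "signature counter did not increase (replay or cloned key)"
    signed = ad + hashlib.sha256(assertion["client_data"]).digest()
    expected_sig = hmac.new(registered["secret"], signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["sig"]):
        return False, "bad signature"
    registered["counter"] = counter
    return True, "ok"


def demo():
    key = SimulatedKey()
    cred_id, pub = key.register(RP_ID)
    registered = {"secret": pub, "counter": 0}   # what the site stored at enrolment

    challenge = os.urandom(32)
    good = browser_get(key, RP_ORIGIN, cred_id, challenge)
    results = {"legitimate": rp_verify(registered, good, challenge)}

    # Presenting the same captured response again fails on the signature counter.
    results["replay"] = rp_verify(registered, good, challenge)

    # Phishing: the victim is on a look-alike domain (constructed) that relays the
    # real site's challenge. The browser records that origin, so the site rejects it.
    challenge2 = os.urandom(32)
    phished = browser_get(key, "https://bank-login.example", cred_id, challenge2)
    results["phished"] = rp_verify(registered, phished, challenge2)
    return results


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:>10}: {'accepted' if ok else 'rejected'} ({why})")
```

The origin and rpIdHash checks are the domain verification the text refers to: a SIM swap gives an attacker nothing here because no code ever travels over the phone network, and a convincing look-alike page gets a signature that is only valid for its own domain.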

Cost is around $25–60 per key. Recommended for high-value targets: crypto holders, executives, journalists, anyone with significant financial or reputational risk.

Which Accounts Need 2FA Most

Priority order:

  1. Email (everything else can be reset through your email)
  2. Banking and financial accounts
  3. Crypto exchanges and wallets
  4. Social media (especially if you have an audience)
  5. Work accounts (especially if you work with sensitive data)

Passkeys: The Future of Authentication

Passkeys are a new authentication standard that replaces passwords and 2FA with public key cryptography tied to your device. Apple, Google, and Microsoft are all implementing passkey support. When available, passkeys are more secure than passwords + 2FA and much easier to use. Enable them when offered.
