Two-Factor Authentication
A password alone is one factor — "something you know." An attacker who steals or guesses it owns the account. Two-factor authentication adds a second, independent factor — "something you have" or "something you are" — that makes the same stolen password useless. The hard part isn't whether to use 2FA. It's which method to use, because the methods aren't equally strong.
Two-factor authentication (2FA) or multi-factor authentication (MFA) requires an additional credential beyond the password to log in. The factor categories are:
- Something you know — a password, PIN, security question
- Something you have — a phone, a hardware token, a smart card
- Something you are — fingerprint, face, retina, voice
Using two factors from different categories is the standard. A password plus a security question is not real 2FA: both are "something you know."
The factor ranking
From weakest to strongest:
- SMS — the original mainstream 2FA. Vulnerable to SIM swapping (an attacker convinces the carrier to port your number) and to interception via SS7 weaknesses. Still better than no 2FA, but the weakest option that's still widely used.
- Email-delivered codes — only as strong as the email account itself, which often has weaker 2FA. Acceptable as a last-resort recovery method, not a primary factor.
- TOTP (Time-Based One-Time Password) — codes generated by an authenticator app (Aegis, Authy, Google Authenticator, 1Password) every 30 seconds, derived from a shared secret. Phishable, since a real-time attacker who tricks you into entering the code into a fake site can replay it.
- Push notifications — "approve this login?" notifications on a trusted device. Convenient, but vulnerable to "MFA fatigue" where attackers spam approvals until the user taps yes.
- Hardware security keys (FIDO2/WebAuthn) — physical USB/NFC tokens like YubiKey, Solo, Google Titan. The key signs a challenge from the site, cryptographically binding the response to the site's origin — meaning phishing is impossible because a fake site can't trigger the right signature. This is the gold standard.
How TOTP actually works
When you enroll, the site shows a QR code containing a shared 160-bit secret. Your authenticator app stores it. To generate a code, the app:
- Takes the current Unix time divided by 30, rounded down, which gives a counter that increments every 30 seconds.
- Computes HMAC-SHA1 over that counter, keyed with the shared secret.
- Extracts 6 digits from the HMAC output (dynamic truncation).
The server independently computes the same value and accepts the code if it matches. The protocol is defined in RFC 6238; it's symmetric, fully offline, and runs on every authenticator app.
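The three steps above, plus the server-side check, carried through in code. This is an added example, not taken from any authenticator app or from RFC 6238 itself; it uses only the Python standard library and is checked against the published RFC 4226/6238 test vectors (secret "12345678901234567890", SHA-1). The `TotpVerifier` class is a constructed server-side sketch: it accepts one 30-second step of clock drift on either side and refuses to accept a step it has already consumed, which stops a captured code from being used twice but, as the text says, cannot tell a code relayed in real time from one typed by the legitimate user.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                # low nibble of the last byte selects a 4-byte window
    code = (
        (mac[offset] & 0x7F) << 24         # clear the top bit so the value is a positive 31-bit int
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the HOTP counter is floor(unix_time / step), so it changes every 30 s."""
    return hotp(secret, int(unix_time // step), digits)


class TotpVerifier:
    """Constructed server side. Tolerates +/- `drift` steps of clock skew and remembers the
    last accepted step so the same code cannot be replayed after it has been used once."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, drift: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift = drift
        self.last_step = -1                # highest step already consumed by a successful login

    def verify(self, code: str, unix_time: float) -> bool:
        now_step = int(unix_time // self.step)
        for candidate in range(now_step - self.drift, now_step + self.drift + 1):
            if candidate <= self.last_step:
                continue                   # that step (or an older one) was already used
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time compare
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    import time
    demo_secret = b"12345678901234567890"   # the RFC test-vector secret, not a real enrollment
    print("current code:", totp(demo_secret, time.time()))
```

Enrolling a real account hands the app a base32-encoded secret in an otpauth URI; decoding that to raw bytes gives the `secret` argument used here.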
Why hardware keys are different
FIDO2/WebAuthn binds the authentication to the website's origin in the protocol itself. The hardware key never reveals its private key; it only proves possession by signing a challenge that includes the site's domain. If a phishing site at evil.com asks for a YubiKey signature, the key signs a challenge for evil.com — which the real bank site won't accept. With TOTP, the user can type their 6-digit code into evil.com, which forwards it to the real bank in real time. Hardware keys close that hole.
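A model of the relying-party checks that make the origin binding work, added here as an illustration rather than code from any FIDO2 library or vendor. The structure follows WebAuthn (the browser writes the page's real origin into clientDataJSON, the authenticator signs authenticatorData concatenated with SHA-256 of that JSON, and the relying party checks challenge, origin and rpIdHash before the signature), but with one deliberate simplification: the standard library has no asymmetric cryptography, so an HMAC-SHA256 under a shared key stands in for the key's ECDSA signature. `bank.example`, `evil.example`, the credential key and the `scenario` helper are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser assembles for navigator.credentials.get(). The origin comes from the
    page's actual URL; script on the page cannot choose a different one."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def authenticator_assert(cred_key: bytes, rp_id: str, client_data: bytes, counter: int) -> tuple[bytes, bytes]:
    """Authenticator side. Signs authenticatorData || SHA-256(clientDataJSON), so the origin
    the browser recorded is covered by the signature.
    SIMPLIFICATION: HMAC-SHA256 stands in for the real ECDSA signature (stdlib has no asymmetric crypto)."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"                                        # UP bit: user touched the key
    auth_data = rp_id_hash + flags + struct.pack(">I", counter)
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return auth_data, sig


def rp_verify(cred_key: bytes, rp_id: str, expected_origin: str, issued_challenge: bytes,
              client_data: bytes, auth_data: bytes, sig: bytes) -> tuple[bool, str]:
    """Relying-party verification in the order WebAuthn prescribes. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (stale or replayed)"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature does not cover this clientDataJSON"
    return True, "ok"


def scenario(page_origin: str, proxy_rewrites_origin: bool = False) -> tuple[bool, str]:
    """Constructed walk-through: the relying party is https://bank.example; the user's browser
    is either on the real site or on a page at another origin that relays the assertion."""
    rp_id, rp_origin = "bank.example", "https://bank.example"
    cred_key = b"constructed-credential-key-for-the-demo"
    challenge = secrets.token_bytes(32)                    # fresh per login attempt
    client_data = browser_client_data(challenge, page_origin)
    auth_data, sig = authenticator_assert(cred_key, rp_id, client_data, counter=7)
    if proxy_rewrites_origin:
        # A relay that edits the origin field breaks the hash the signature covers.
        cd = json.loads(client_data)
        cd["origin"] = rp_origin
        client_data = json.dumps(cd).encode()
    return rp_verify(cred_key, rp_id, rp_origin, challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print(scenario("https://bank.example"))          # (True, 'ok')
    print(scenario("https://evil.example"))          # rejected at the origin check
    print(scenario("https://evil.example", True))    # rejected at the signature check
```

Two things the TOTP flow lacks are visible here: the origin is chosen by the browser and sealed under the signature, and the challenge is single-use, so neither the code nor the assertion can be forwarded from another site. In a real deployment the browser additionally refuses to use an rpId that is not a registrable suffix of the page's own domain, so the phishing page never reaches the signing step at all.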
Recovery codes
Every 2FA-protected account should have backup recovery codes printed and stored physically — in a safe, with important documents, anywhere except on the same device that holds the second factor. Losing the second factor without recovery codes locks you out permanently for most services. The recovery flow varies: some services accept identity verification by support, but the trend is toward hard lockouts for accounts with no recovery codes.
Passkeys: 2FA in one tap
Passkeys (FIDO2 credentials stored in your OS keychain or password manager) collapse password + second factor into a single biometric or PIN check on a device that already passed device-level auth. They are phishing-proof for the same reason hardware keys are, and they're synced via iCloud Keychain, Google Password Manager, 1Password, etc. The medium-term direction is replacing password + 2FA with passkeys for new sites, while keeping password + hardware key for legacy ones.
Where 2FA matters most
The high-value accounts that require strong 2FA: your primary email (recovery vector for everything else), your password manager, your bank, your domain registrar, your cloud accounts (AWS/GCP/Azure), and your code repositories (GitHub/GitLab). For these, a hardware key — preferably two for backup — is the appropriate investment. For everything else, TOTP via an authenticator app is the practical default.
Frequently asked questions
- Is SMS 2FA worth using?
- Yes, if no better option is offered. SMS 2FA is dramatically better than no 2FA — it stops the bulk of credential-stuffing attacks. But for any account where you can use TOTP or a hardware key instead, do. SIM swap attacks against SMS-protected accounts have led to real losses, especially for cryptocurrency and high-profile social accounts.
- Which authenticator app should I use?
- Aegis (open source, Android) and Raivo (open source, iOS) are clean choices. 1Password and Bitwarden can store TOTP secrets alongside passwords. Avoid Google Authenticator if you have no backup — until recently it didn't sync, and many users have lost accounts after losing the phone. Authy syncs but had a contact-database breach in 2024.
- Are hardware keys worth the cost?
- For your high-value accounts, yes. A pair of YubiKeys (one primary, one backup in a safe) is around $90 total and is the highest-leverage security investment most people will ever make. Any account that can be configured to require a hardware key — and many critical ones can — should be.
- Can 2FA be bypassed?
- TOTP and push notifications can be bypassed by real-time phishing (the attacker proxies the login to the real site). Hardware keys (FIDO2) cannot, because the origin binding makes the signature site-specific. Account recovery flows also weaken 2FA — if you can reset 2FA via SMS, the SMS becomes the attack surface.
- Why do some sites only support SMS 2FA?
- Implementation cost and accessibility. SMS works on every phone without an app install; TOTP/FIDO require a one-time setup that some users find confusing. Major banks have been slow to adopt FIDO; cloud and tech services adopted it years ago. The good news: every site that matters most for your security supports at least TOTP, and most support hardware keys.