How to choose a 2FA method
Not all 2FA is equal. SMS can be SIM-swapped. Authenticator apps can be phished. Hardware keys can't. A buyer's guide to two-factor authentication.
Use phishing-resistant 2FA wherever possible: passkeys (FIDO2) or hardware keys (YubiKey, Google Titan, Solo Key). Use authenticator apps (Aegis, 2FAS, Raivo, Google/Microsoft Authenticator) where passkeys aren't supported. Use SMS only as a fallback when nothing else is offered. Set up at least two methods on important accounts so losing one device doesn't lock you out.
Key takeaways
- Hardware keys + passkeys are phishing-resistant; nothing else is.
- Authenticator apps beat SMS but can still be phished: a code you type into a fake page is relayed to the real site before it expires.
- Set up at least two 2FA methods so losing one device doesn't lock you out.
- Buy hardware keys in pairs — one daily, one backup in a safe.
- SMS 2FA is better than nothing, but never your only line on critical accounts.
The 4 categories of 2FA
Tier 1 (strongest): hardware keys (FIDO2/U2F) and passkeys. Phishing-resistant: the credential is bound to the site's domain, so even if you click a fake login link, the browser and authenticator will not produce a valid login for the lookalike domain.
Tier 2: authenticator apps generating Time-based One-Time Passwords (TOTP), the 6-digit codes you've seen in Google Authenticator. Immune to SIM swaps and better than SMS, but phishable: nothing ties the code to the site you type it into, so a fake site can relay it to the real one within the 30-second window.
Tier 3: push notifications (Duo, Microsoft Authenticator push). Convenient, but plain approve/deny prompts are vulnerable to 'MFA fatigue' attacks, where an attacker who already has your password spams approval prompts hoping you'll approve one out of habit. Push with number matching (see the FAQ) closes that hole, though a real-time phishing proxy can still trigger a genuine-looking prompt.
Tier 4 (weakest): SMS codes. Vulnerable to SIM swap attacks and SS7 network interception, and just as relayable by a phishing page as TOTP. Use only as a fallback when nothing else is supported.
Hardware keys (YubiKey, Google Titan, Solo Key)
A hardware key is a small USB or NFC device that holds a private key and signs a challenge from the legitimate site. The private key never leaves the device, so it can't be phished or cloned, and it needs no network connection or battery of its own.
Cost: $25-50 per key. Buy at least two — one daily use, one backup in a safe.
Strengths: phishing-resistant, durable, no batteries, no app updates. The gold standard.
Weaknesses: physical device you can lose, requires the service to support FIDO2/WebAuthn (most major services now do), can be inconvenient to plug in repeatedly.
Recommended brands: YubiKey (industry standard), Google Titan (Google's version, often discounted), Solo Key (open-source). Avoid no-name brands.
Passkeys
Passkeys are FIDO2 credentials stored on your phone, in your password manager, or on a hardware key. They carry the same domain binding as a hardware key, so they are just as phishing-resistant, but they are easier to use.
Strengths: same security as hardware keys, syncs across devices via your password manager or platform (iCloud Keychain, Google Password Manager), works seamlessly with face/fingerprint biometrics.
Weaknesses: still relatively new (broad support arrived 2023-2024), recovery if you lose your sync source can be tricky, varying support across services.
Use passkeys wherever supported — Google, Apple, Microsoft, GitHub, most banks now support them in 2026.
Authenticator apps
Apps that generate TOTP codes. Each service is added by scanning a QR code that carries a shared secret (the 'seed'); from then on the app and the service each compute the same fresh 6-digit code from that seed and the current time, every 30 seconds.
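The following is an added example, not code from this guide or from any of the apps it names. It covers the TOTP mechanics behind the tier-2 description above and the QR-code enrolment just described: it parses the otpauth:// URI an enrolment QR code encodes, generates RFC 6238 codes, verifies them the way a service does (current step plus one step either side, compared in constant time), and then replays a captured code the way a reverse-proxy phishing kit would. The otpauth URI, the account label and the timestamps are constructed for the example; the secret is the public RFC 6238 test seed, not a real one.

```python
"""TOTP (RFC 6238) end to end: enrolment URI -> codes -> server-side check
-> replay of a phished code. Standard library only.

Added example for this guide; not code from Aegis, 2FAS, Raivo or any other
app. The otpauth URI, label and timestamps below are constructed, and the
secret is the public RFC 6238 test seed.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://totp/<issuer>:<account>?secret=...&issuer=...&digits=...&period=...
    This is what the enrolment QR code encodes, and what app exports contain."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    label = unquote(u.path.lstrip("/"))
    issuer, sep, account = label.partition(":")
    if not sep:
        issuer, account = "", label
    return {
        "issuer": q.get("issuer", issuer),
        "account": account,
        "secret": q["secret"].upper().replace(" ", ""),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def hotp(secret_b32: str, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    padded = secret_b32 + "=" * (-len(secret_b32) % 8)  # b32decode insists on padding
    key = base64.b32decode(padded, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm.lower())).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to the number of elapsed 30 s steps."""
    return hotp(secret_b32, at // period, digits, algorithm)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1,
                digits: int = 6, period: int = 30) -> bool:
    """Server side: accept the current step and `window` steps either side to
    absorb clock drift. Constant-time compare so timing leaks nothing."""
    step = at // period
    return any(
        hmac.compare_digest(hotp(secret_b32, step + d, digits), code)
        for d in range(-window, window + 1)
    )


def phishing_relay(secret_b32: str, captured_at: int, replayed_at: int, window: int = 1) -> bool:
    """What a reverse-proxy phishing kit does: the victim types a genuine code
    into the fake page at `captured_at`, the kit forwards it to the real site
    at `replayed_at`. Nothing in the code names the site it was typed into, so
    the only thing protecting the victim is the clock."""
    typed_by_victim = totp(secret_b32, captured_at)
    return verify_totp(secret_b32, typed_by_victim, replayed_at, window)


if __name__ == "__main__":
    RFC_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # base32 of b"12345678901234567890"
    uri = ("otpauth://totp/Example:alice%40example.com"          # constructed label
           f"?secret={RFC_SEED}&issuer=Example&digits=6&period=30")
    enrolled = parse_otpauth(uri)
    print("enrolled:", enrolled)
    print("code at T=59 (RFC 6238 vector):", totp(enrolled["secret"], 59))
    print("phished code replayed 16 s later accepted:", phishing_relay(RFC_SEED, 59, 75))
    print("phished code replayed 61 s later accepted:", phishing_relay(RFC_SEED, 59, 120))
    print("live code now:", totp(enrolled["secret"], int(time.time())))
```

The replay function is the whole argument for tier 1 over tier 2: the service has no way to tell a code typed into the real page from one typed into a lookalike and forwarded. A FIDO2 assertion, by contrast, is a signature over data that includes the relying-party ID and the origin the browser actually connected to, so the same relay yields a signature for the attacker's domain that the real site rejects.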
Recommended apps: Aegis (Android, open-source, strong export), 2FAS (cross-platform, open-source), Raivo (iOS, open-source), Ente Auth (cross-platform with E2E sync).
Acceptable but with caveats: Google Authenticator (cross-device sync added in 2023, but without end-to-end encryption at launch), Microsoft Authenticator (good for Microsoft accounts), Authy (works, but proprietary, and the account is tied to a phone number, which is a SIM-swap weakness).
Whichever you pick, the critical step is backing up the seeds. If you lose your phone without a backup, you lose access to every account enrolled in the app. Most apps now offer encrypted exports; use them.
When SMS is OK and when it isn't
SMS 2FA is better than no 2FA: it stops automated credential-stuffing attacks, where the attacker has only your leaked password. So enable it if it's the only option.
SMS is NOT enough for: cryptocurrency exchanges (SIM-swap attacks have stolen millions), primary email accounts (the recovery channel for everything else), banking (where supported, prefer a hardware key, passkey or authenticator app over SMS).
SIM swap attacks: an attacker convinces your carrier to port your number to their SIM. Victims typically don't notice for hours. During those hours, SMS 2FA codes go to the attacker.
If your carrier supports a 'port-out PIN' or 'SIM swap protection,' enable it. T-Mobile, AT&T, Verizon all offer this in some form.
The realistic 2026 setup
Buy two hardware keys ($50-100 for the pair). Register both as 2FA on Google, Apple, Microsoft, GitHub, your password manager, and any other account that supports them; the backup key only helps if it is enrolled everywhere the daily one is.
Store one key on your keychain, the other in a fire-safe at home or with a trusted family member.
For accounts that only support TOTP, use Aegis (Android), 2FAS (Android/iOS) or Raivo (iOS). Export the seed file after every new enrolment, and weekly at minimum, to encrypted storage that does not live on the same phone.
Keep SMS as backup only on accounts that require it.
Set up recovery for your password manager: print the 1Password Emergency Kit (your account's Secret Key and sign-in details) and store it with the backup hardware key, or designate trusted contacts with Bitwarden Emergency Access.
Frequently asked questions
Is YubiKey worth the price?
For accounts you care about, yes. $25-50 vs the cost of getting your email or password manager compromised — it's the highest-leverage security purchase you can make.
What if I lose my phone with the authenticator app?
If you backed up the encrypted export (Aegis, 2FAS, Raivo all support this), restore it on a new phone. If you didn't, you'll need to use each service's account recovery flow — some require waiting periods, identity verification, or losing the account entirely. Back up your seeds today.
Are passkeys actually safe?
Yes: they use the same FIDO2 cryptography and domain binding as hardware keys. What changes is where the private key lives. A synced passkey sits in your password manager or platform account (iCloud Keychain, Google Password Manager), so that account becomes the thing to protect, ideally with a hardware key. As long as you trust that provider, passkeys are equivalent to hardware keys with better UX.
What's MFA fatigue?
An attack where someone who already has your password spams you with push-notification approval requests at 3am, hoping you'll tap 'approve' to make the buzzing stop. Microsoft Authenticator (and Duo) added 'number matching' to defeat this: instead of just tapping yes, you have to type into the app a number shown on the login screen, which an attacker pushing prompts from their own browser cannot make you see.
Should I disable SMS 2FA on accounts that have authenticator app or hardware key?
On critical accounts (email, banking, password manager), yes: once a stronger method is working, the SMS option is just a downgrade path for an attacker who has SIM-swapped you. Verify the stronger method works, confirm your backup method and recovery codes, then disable SMS.
Related guides
- Phishing Attacks: How to Spot and Avoid Them in 2026. The single most common way ordinary people lose money online, and how to recognise it.
- Two-Factor Authentication: A Complete Beginner's Guide. The single most effective security upgrade most people can make in five minutes.
- Password Manager Best Practices in 2026. Choose, set up, and live with a password manager without locking yourself out.