Almost every account takeover I have helped clean up over the years had one thing in common: either there was no second factor at all, or the second factor was a text message that the attacker simply intercepted or talked their way around. Two-factor authentication (2FA) is the most effective single upgrade you can make to your security — but only if you choose the right kind. Not all second factors are equal, and the most popular one is also the weakest.
This guide ranks the methods from weakest to strongest, explains why in plain terms, and shows you how to set up the options that genuinely protect you.
Why a second factor matters at all
A password is “something you know.” The whole problem with knowledge-based secrets is that they can be copied without you noticing — phished, leaked in a breach, guessed, or keylogged. Once copied, the attacker has everything they need.
A second factor adds “something you have” (a device) or “something you are” (a fingerprint or face). Now stealing your password is no longer enough; the attacker also needs physical access to your phone or hardware key. For the overwhelming majority of attacks, which are remote and automated, that requirement is a brick wall.
You can confirm how exposed a single password is on its own with our password strength tester — but the honest truth is that even a strong password is one breach away from being useless. The second factor is what keeps you safe when, not if, a password leaks.
The methods, ranked
Weakest: SMS text-message codes
SMS 2FA is far better than nothing, and if it is the only option a service offers, use it. But understand its weaknesses, because they are serious and they are actively exploited.
SIM swapping is the headline attack. A criminal calls your mobile carrier, impersonates you with personal details harvested from data breaches, and convinces the carrier to transfer your number to a SIM they control. Every code now arrives on their phone. I have seen this happen to people who did everything else right — it bypasses the strongest password entirely.
SS7 interception lets sophisticated attackers reroute text messages at the network level without touching your phone or your carrier’s support line. It is less common but very real.
Phishing relay. A fake login page asks for your password and the SMS code, then immediately replays both to the real site in real time. The code’s short lifespan doesn’t help, because the attacker uses it within seconds.
The lesson is not “never use SMS.” It is “never rely on SMS for an account you cannot afford to lose, if a better option exists.” Move your email, banking and password manager off SMS as a priority.
Better: authenticator apps (TOTP)
An authenticator app — Google Authenticator, Microsoft Authenticator, Authy, or the one built into many password managers — generates a six-digit code that changes every thirty seconds. This is called TOTP, Time-based One-Time Password.
The crucial difference from SMS is that the code is generated locally on your device from a shared secret established once at setup. Nothing is transmitted over the phone network, so SIM swapping and SS7 interception are irrelevant. There is no message to intercept.
Setup is simple: the service shows a QR code, you scan it with the app, and from then on the app and the server independently compute the same rolling code. I recommend an authenticator app as the minimum acceptable standard for any important account.
Two practical tips from experience. First, save your backup/recovery codes when you enable TOTP, and store them somewhere safe and offline. If you lose your phone without them, recovery can be painful. Second, consider an app that backs up its secrets in encrypted form (Authy and most password-manager authenticators do this), so a lost phone doesn’t mean losing every code.
TOTP has one residual weakness: it can still be phished by the real-time relay attack described above, because you are typing a code into a page. That is rare against individuals but worth knowing — and it is exactly what the next tier eliminates.
Strongest: hardware security keys and passkeys
A hardware security key is a small physical device (YubiKey is the best-known brand) that plugs into USB or taps via NFC. It uses the FIDO2/WebAuthn standard and public-key cryptography, and it is the gold standard for a reason.
The key advantage is phishing resistance built into the cryptography itself. The key verifies the website’s real domain before it will authenticate. A fake login page on a lookalike domain cannot trigger it, full stop. This defeats the real-time relay attack that can still catch TOTP. There is no code to type, nothing to read out, nothing to trick you into entering on the wrong page.
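The domain check is what separates this tier from TOTP, so here is an added example (not code from any vendor or the WebAuthn spec itself) of the server-side checks a site performs on a login assertion: the challenge must match, the browser-reported origin must be one of the site's own, and the signed authenticator data must carry the hash of the site's relying-party ID. The relying-party ID, origins and challenge are constructed values; the final public-key signature check over the returned bytes is the step a WebAuthn library would perform and is not shown.

```python
import hashlib
import json

# Constructed relying-party configuration (assumed values for this example)
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}


def make_client_data(challenge: str, origin: str) -> bytes:
    # Constructed stand-in for the clientDataJSON the browser builds; the browser,
    # not the page, fills in the origin, so a lookalike site cannot forge it.
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, counter: int = 1) -> bytes:
    # Constructed minimal authenticatorData: rpIdHash (32) || flags (1) || counter (4).
    # Flag bit 0 = user presence (the touch on the key).
    return hashlib.sha256(rp_id.encode()).digest() + b"\x01" + counter.to_bytes(4, "big")


def verify_assertion(expected_challenge: str, client_data_json: bytes, auth_data: bytes):
    # Returns (ok, detail). On success `detail` is the exact byte string the
    # authenticator signed, which must then be verified with the stored public key.
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch: stale or replayed assertion"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not this site: phishing page rejected"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch: assertion was made for a different domain"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed_bytes = auth_data + hashlib.sha256(client_data_json).digest()
    return True, signed_bytes


if __name__ == "__main__":
    challenge = "constructed-random-challenge"
    print(verify_assertion(challenge, make_client_data(challenge, "https://example.com"),
                           make_auth_data(RP_ID))[0])
    print(verify_assertion(challenge, make_client_data(challenge, "https://example.com.evil-login.net"),
                           make_auth_data(RP_ID)))
```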
Passkeys (covered in detail in my separate guide) are the software cousin of this approach — the same FIDO2 cryptography, stored in your phone or password manager instead of a dedicated device. For most people, a passkey is both your login and your second factor rolled into one phishing-resistant step.
For my own administrative and financial accounts, I use a hardware key as the primary second factor and keep a second key in a safe location as backup. For everyone else, I recommend a passkey where supported, falling back to an authenticator app where it isn’t.
A practical rollout plan
Don’t try to secure everything at once — you will give up halfway. Work in order of damage potential.
- Email accounts first. Your email is the recovery point for everything else. Add the strongest 2FA the provider supports — ideally a passkey or hardware key, at minimum an authenticator app. Then remove SMS as a recovery method if a stronger one is in place.
- Your password manager. It holds the keys to your kingdom. Protect it with a hardware key or passkey, never SMS.
- Financial accounts. Banking, PayPal, investment and crypto accounts. Use the strongest method each one offers.
- Identity and social accounts. Apple/Google/Microsoft accounts, plus social media that could be used to impersonate you. Authenticator app minimum.
- Everything else, over time. As you log into other sites, take thirty seconds to enable 2FA while you’re there.
At each step, save the recovery codes offline, and set up a backup factor so a single lost device never locks you out permanently.
The mistakes I see most often
Using SMS for the password manager or email — the two accounts that should have the strongest protection often have the weakest, because SMS was the default.
Never saving recovery codes — then losing the phone and being locked out of an account with no way back in. The recovery codes are not optional paperwork; they are your safety net.
Treating 2FA as a reason to keep weak passwords. It is a second layer, not a replacement for the first. You still want long, unique passwords for every site — generate them with our password generator, which runs entirely in your browser — and then add a strong second factor on top.
One factor, one device. If both your password manager and your authenticator live only on the same phone, that phone is a single point of failure. Spread your factors across devices, or keep a hardware key as an independent backup.
The bottom line
Two-factor authentication works, but the version most people use — SMS codes — is the version attackers have learned to beat. Move your important accounts to an authenticator app at minimum, and to passkeys or a hardware security key wherever you can. It is twenty minutes of setup that defeats the entire remote-attack playbook, and after thirty years of cleaning up the alternative, I can tell you it is the best twenty minutes you will spend on your security all year.
Before you layer on a second factor, make sure the first one is solid. Test your current passwords privately with the PassGuard Check strength tester — all analysis happens locally in your browser.