Two-factor authentication, ranked from weakest to strongest
SMS, authenticator apps, passkeys — which one should you actually use?
“Turn on two-factor authentication” is the most repeated security advice on the internet — and the least specific. 2FA isn’t one thing; it’s a ladder of methods, and the gap between the bottom rung and the top is the gap between “slows an attacker down” and “ends the attack class entirely.”
Here’s the ladder, weakest to strongest, and where each rung actually breaks.
6. Email codes — barely 2FA
A code sent to your inbox is only a second factor if your email isn’t the thing being attacked. For most people, email is the first thing attackers go for — it’s the recovery hub for everything else. If the same password (or the same session) unlocks both the account and the “second factor”, you have 1.5-factor authentication at best.
Verdict: Better than nothing, acceptable for low-value accounts. Never for email itself, banking, or anything that can move money.
5. SMS codes — the fragile default
SMS 2FA genuinely stops the commodity attack: someone across the world with your leaked password can’t receive your texts. That matters, and it’s why SMS remains better than no 2FA.
But the failure modes are well-worn:
- SIM swapping — an attacker convinces (or bribes) a telecom employee to port your number to their SIM. Your phone goes dead; their phone gets your codes. This is a routine, documented attack against anyone worth targeting.
- Phishing relay — you type the SMS code into a fake login page; the attacker forwards it to the real site within its validity window. SMS offers zero resistance here.
- SS7 and interception — telecom-layer attacks that intercept texts in transit. Exotic for individuals, real for high-value targets.
Verdict: The floor, not the goal. Use it where nothing better is offered, and detach your phone number from account recovery wherever possible — the number is a bigger liability as a reset path than as a code channel.
4. Authenticator apps (TOTP) — the solid middle
Those six-digit rotating codes (Google Authenticator, Aegis, 2FAS, etc.) are generated on your device from a shared secret and the current time. Nothing travels over the phone network; there’s nothing to SIM-swap; the secret never leaves your phone after setup.
Two failure modes remain:
- Phishing relay still works. A fake login page can ask for your TOTP code just as easily as your password, and relay both in seconds. TOTP proves you have the secret — it doesn’t prove you’re on the right website.
- Backup pain. Lose the phone without backups and you’re locked out of everything at once. Solve this the day you set it up: use an app with encrypted export, and store the export (or the original QR secrets) offline.
Verdict: The right default for most people in 2026. Big upgrade over SMS, works offline, costs nothing.
3. Push-based approval — convenient, with a trapdoor
Push 2FA (“Did you just sign in? Approve / Deny”) improves on TOTP ergonomics and adds context — location, device, app. Some implementations (number matching, where you type a code from the login screen into the phone) meaningfully resist relay.
The trapdoor is push fatigue: attackers with your password trigger prompts repeatedly — 2 a.m., 2:05, 2:10 — until you approve one to make it stop. It works often enough that it has a name and a body count of major corporate breaches.
Verdict: Excellent if number matching is enabled, and if you internalize one rule: an approval prompt you didn’t cause is an attack in progress. Deny it and change that password.
2. Hardware security keys (FIDO2/U2F) — where phishing goes to die
A hardware key (YubiKey and friends) does public-key cryptography with a crucial twist: the browser tells the key which website is asking, and the key’s response is cryptographically bound to that exact origin. A pixel-perfect phishing site on accounts-google.security-check.com receives a signature that is mathematically useless for accounts.google.com.
This isn’t “harder to phish.” The credential-phishing attack class — the one behind most account takeovers — stops working entirely. No code to read out, nothing to relay, nothing to fatigue you into approving.
Costs: ~₹2,000–₹5,000 per key, you should buy two (one is a backup), and you must register them per site.
Verdict: The gold standard for accounts that matter — email above all, password manager, financial, admin, domain registrar.
1. Passkeys — the same cryptography, minus the dongle
Passkeys are FIDO2 credentials stored in your phone or password manager instead of a USB stick, unlocked by your fingerprint, face, or device PIN, and synced across your devices. Same origin-binding as a hardware key — same immunity to phishing relay — with nothing to buy, carry, or lose. Adoption crossed the mainstream threshold years ago: Google, Apple, Microsoft, GitHub, WhatsApp, most major banks.
Two honest caveats: syncing means your passkeys are as secure as the account/vault that syncs them (secure that with a hardware key or a strong passphrase + TOTP), and account-recovery flows at some services can still fall back to weaker methods — close those doors in your settings.
Verdict: For most people, the top of the ladder: gold-standard cryptography at zero cost and better ergonomics than passwords. Turn passkeys on everywhere they’re offered.
The ranked list, one screen
| Rank | Method | Stops password reuse? | Stops phishing relay? | Stops SIM swap? |
|---|---|---|---|---|
| 1 | Passkeys | ✅ | ✅ | ✅ |
| 2 | Hardware key | ✅ | ✅ | ✅ |
| 3 | Push + number match | ✅ | mostly | ✅ |
| 4 | Authenticator app | ✅ | ❌ | ✅ |
| 5 | SMS code | ✅ | ❌ | ❌ |
| 6 | Email code | partly | ❌ | ✅ |
What to actually do this week
- Email account → passkey or hardware key. Your inbox is the master key to your life; give it the strongest lock available.
- Password manager, banking, anything with money → passkey/hardware key where supported, TOTP where not.
- Everything else → TOTP or push. SMS only when it’s the only option.
- Audit recovery paths. The strongest 2FA is worthless if “Forgot password?” falls back to an SMS to a swappable SIM. Recovery is part of the ladder — check it rung by rung.
The whole upgrade takes an evening. Do the email account first — everything else inherits its safety from that one.