January 20, 2026 · 4 min read

2FA Methods Compared: SMS vs App vs Hardware Key

SMS vs apps vs hardware keys: which 2FA method fits your life?

Hardware keys are the most secure form of two-factor authentication. SMS codes are the weakest. But you knew that already.

The real question is which method fits your life. Security theater helps nobody. A YubiKey collecting dust in a drawer is worse than SMS codes you use consistently. We've tested all these methods across our team for the past three years. Here's what we learned.

SMS Codes: The Baseline

SMS two-factor sends a code to your phone via text message. It works. Millions of people use it without issue.

The problem: SIM swapping. Attackers call your carrier, convince them to transfer your number to their SIM, and intercept your codes. The FBI's Internet Crime Complaint Center recorded over 2,000 SIM swap complaints in 2022, with victims losing more than $72 million.

SIM swaps require effort. Your average opportunistic hacker won't bother. They're looking for accounts with no 2FA at all. SMS stops most automated attacks cold.

Use SMS when the site offers nothing else. Bank of America, some credit unions, older platforms. If it's SMS or nothing, pick SMS.

Authenticator Apps: The Sweet Spot

Google Authenticator, Authy, Microsoft Authenticator. They all generate time-based codes that refresh every 30 seconds. The codes never leave your device. No cellular network involved.

SIM swaps don't work here. Neither do most phishing attacks. An attacker would need physical access to your unlocked phone.

Authenticator apps take five minutes to set up per account. Scan a QR code, save the backup codes somewhere safe, done. We switched our whole team to Authy in 2021. Haven't had a single account compromise since.

Authy beats Google Authenticator for one reason: encrypted cloud backup. Lose your phone with Google Authenticator and you're locked out of everything. Authy lets you recover. Worth the tradeoff for most people.

Security researcher Troy Hunt

The best security is the one you'll use. A hardware key in a drawer protects nothing.

Hardware Keys: Maximum Security

YubiKey, Google Titan, SoloKeys. Physical devices that plug into USB or tap via NFC. You can't get phished because the key's response is bound to the real website's identity: a lookalike site gets nothing it can use.

A 2019 Google study found that hardware keys blocked 100% of automated bot attacks, 100% of bulk phishing attacks, and 100% of targeted attacks against their employees. Zero successful account takeovers across 85,000 employees after deploying keys.

The catch: they cost money. A YubiKey 5 NFC runs $50. You need two (backup in case you lose one). That's $100 before you protect a single account.

They're also inconvenient. Forget your key at home and you're locked out. Some sites still don't support them. And explaining them to family members takes patience.

We recommend hardware keys for people with high-value targets: journalists, activists, executives, anyone handling sensitive financial data. For protecting your Netflix account, it's overkill.

Passkeys: The Future (Eventually)

Apple, Google, and Microsoft are pushing passkeys hard. They combine the security of hardware keys with the convenience of your phone. Your device generates a cryptographic key pair. The private key never leaves your device. Phishing-resistant by design.

Passkeys work today on many sites. Amazon, eBay, PayPal, GitHub. But adoption is spotty. Most banks haven't caught up. Enterprise software lags behind consumer apps.

We've started using passkeys where available. The experience is slick. Face ID or fingerprint, and you're in. No codes to type. No dongles to carry.

Give it two more years. By 2027, passkeys will be table stakes. For now, treat them as a bonus when available, not a complete solution.

Our Recommendations

Protect your most important accounts first: email, banking, social media. A compromised email leads to compromised everything else.

For most people: Use an authenticator app. Authy if you want cloud backup, Google Authenticator if you don't. Enable it everywhere that supports it.

If SMS is your only option: Use it. Some protection beats none.

If you handle sensitive data for work: Hardware keys. Get two YubiKeys, register both, keep one in a safe place.

If a site offers passkeys: Try them. They're easier than anything else.

Don't overthink this. The worst 2FA method is the one you don't enable. Pick something, turn it on, move forward.

*Stay sharp.*
