Two-Factor Authentication: SMS, Apps, Hardware Keys

Two-factor authentication is the most useful security upgrade most people will ever turn on. The idea is simple. Even if someone gets hold of your password, they cannot log in without a second piece of proof that you actually control the account. That second factor comes in three common forms, and they are not equally strong. This is a plain-English comparison so you can pick the right one for each account that matters to you.

Why Two Factors Beat One

A password is something you know. A second factor adds something you have. The attacker who steals your password from a breach has the first thing but not the second. To compromise the account, they would need to also steal the device or token that generates the second factor, which is a much higher bar than running a leaked password list through a script.

Almost any second factor is better than none. That said, the three common options have meaningful differences in how well they hold up against real attacks.

SMS Codes

The most familiar version of two-factor authentication is the six-digit code sent by text message. You enter your password, the service texts you a number, you type it in, and you are in.

The good. It is available almost everywhere. Setup takes seconds. It works on any phone that can receive texts, including basic feature phones. For accounts that do not offer anything better, SMS is still vastly better than nothing.

The bad. SMS was not designed with security in mind. It is vulnerable to SIM swap attacks, where a scammer convinces your mobile carrier to move your number to a SIM they control. Once that happens, every code that should have come to you goes to them. SIM swaps have been used to drain bank accounts, take over social media handles, and reset email passwords. The technique is well-known and surprisingly easy in many countries.

SMS can also be intercepted in some networks, and codes can be phished. If an attacker tricks you into entering a real code on a fake page, they can replay it on the real site fast enough to beat the expiration.

Use it when. The service offers no other option, and the account is not financially sensitive. Almost any account with money attached deserves something stronger.

Authenticator Apps

An authenticator app generates a fresh six-digit code every thirty seconds based on a secret that was shared when you set the account up. The code is computed on your device, never sent anywhere, and rotates automatically. Examples include Aegis, Bitwarden, 1Password, Google Authenticator, and Microsoft Authenticator.

The good. Codes are generated locally, so a SIM swap does nothing. There is no network involved at the moment of authentication. Most apps work offline. Modern apps support encrypted backups, so a lost phone is not a permanent lockout. Setup is a one-time scan of a QR code per account.

The bad. Codes can still be phished. If you type a code into a convincing fake page, the attacker can use it within the 30-second window. Authenticator apps also require you to think about backup ahead of time. Without a backup, losing your phone means using recovery codes or going through account recovery for every service.

Use it when. You want strong, broadly compatible two-factor authentication for the dozens of regular accounts you use. This is the right default for most people on most services.

Hardware Security Keys

A hardware security key is a small device, often the size of a USB stick, that signs a cryptographic challenge from the website you are logging into. You plug it in, touch it, and you are authenticated. Common examples are YubiKey and the Google Titan key, and many phones now act as security keys themselves through their built-in secure elements.

The good. Hardware keys are essentially phishing-proof. The key checks the domain of the site requesting authentication before it responds. If the site is a clone hosted on a similar-looking domain, the key refuses to sign, so even a careful phishing attack against someone using a hardware key tends to fail at the last step. There is nothing to type, nothing to copy, and no code to intercept. SIM swaps and network attacks have no effect.

The bad. You have to buy one. They cost roughly the price of a nice dinner. Not every service supports them. Losing your only key is a real problem, which is why the standard advice is to buy two and register both with every account, keeping one in your daily-carry and one in a drawer at home.

Use it when. The account is high-value or high-risk. Primary email. Cloud storage with sensitive files. Crypto exchanges. Work accounts that touch production systems. Anywhere a successful takeover would cause real damage, a hardware key is worth the small upfront cost.

Passkeys: The New Default

Worth a quick mention. Passkeys are a newer standard that replaces both passwords and traditional two-factor for many services. They live in your phone, password manager, or hardware key, and they authenticate you with a touch or biometric. Behind the scenes, they use the same cryptography that makes hardware keys phishing-resistant. If a service offers passkeys, enabling them is usually a free upgrade in both security and convenience.
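The domain check described under hardware keys, which passkeys share, is easier to trust once you see what is actually signed. The following is an added example, not code from this article or from YubiKey, Google or any WebAuthn library, and it is a deliberately simplified model of the real protocol: one key pair scoped to a domain (the "relying-party ID"), a browser that fills in the origin itself, and a site that checks challenge, origin and domain before it checks the signature. `example.com` and the look-alike host in `main` are constructed placeholders, and Ed25519 stands in for the algorithms most keys use.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// credential is what a key stores per site: a key pair scoped to one domain.
// Simplified model for illustration, not a WebAuthn implementation.
type credential struct {
	rpID string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func newCredential(rpID string) (*credential, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &credential{rpID: rpID, pub: pub, priv: priv}, nil
}

// clientData is filled in by the browser, not the user, so a fake page cannot
// lie about where the login is happening.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// newChallenge is the fresh random value the site issues per login attempt;
// a signature over it is useless for any other attempt.
func newChallenge() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// sign models browser plus key. The credential only works from its own domain
// (or a subdomain); any other host never gets a signature at all.
func (c *credential) sign(origin, challenge string) (*assertion, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return nil, errors.New("origin must be an https URL")
	}
	host := u.Hostname()
	if host != c.rpID && !strings.HasSuffix(host, "."+c.rpID) {
		return nil, fmt.Errorf("credential for %s is not valid on %s: refusing to sign", c.rpID, host)
	}
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, err
	}
	rpHash := sha256.Sum256([]byte(c.rpID)) // WebAuthn's rpIdHash
	cdHash := sha256.Sum256(cd)
	msg := append(rpHash[:], cdHash[:]...)
	return &assertion{ClientDataJSON: cd, Signature: ed25519.Sign(c.priv, msg)}, nil
}

// verify is the site's side. Challenge and origin are checked before the
// signature, so an assertion made for another origin, or an old one relayed
// later, is rejected even though the key that signed it is genuine.
func verify(pub ed25519.PublicKey, rpID, expectedOrigin, challenge string, a *assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := append(rpHash[:], cdHash[:]...)
	if !ed25519.Verify(pub, msg, a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	cred, _ := newCredential("example.com") // placeholder site
	ch := newChallenge()
	a, _ := cred.sign("https://example.com", ch)
	fmt.Println("genuine site, error:", verify(cred.pub, "example.com", "https://example.com", ch, a))
	_, err := cred.sign("https://example.com.login-check.test", ch) // constructed look-alike host
	fmt.Println("look-alike site:", err)
}
```

Compare this with the SMS and app sections: there the user carries a six-digit code from one place to another and can be talked into carrying it to the wrong place. Here there is no code to carry, the browser names the origin, and the signature is bound to both that origin and a one-time challenge.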

A Reasonable Setup for a Real Person

The decision tree below covers most people for most accounts.

  • Primary email, banking, work, password manager: hardware key as primary, authenticator app as backup. Passkeys where supported.
  • Social media, shopping, streaming, side accounts: authenticator app. Passkeys where supported.
  • Services that only support SMS: SMS, and put pressure on the provider to offer something better. For very sensitive accounts that only support SMS, consider whether you need to keep using them.

Common Mistakes to Avoid

Storing recovery codes only on the same device. If your phone is lost or wiped, codes saved only there are gone too. Print recovery codes, store them in a password manager that you can access from a second device, or both.

Using the same phone number across many high-value accounts. Concentrating your second factor on a single SIM makes a SIM swap catastrophic. Authenticator apps and hardware keys do not have this problem.

Skipping two-factor on the email account. Your email is the recovery channel for almost everything else. If two-factor is on every account except email, you have built a fortress with the back door wide open.

The Goal Is to Stop Being the Easy Target

Most attackers play a numbers game. They are not picking you specifically. They are running scripts against millions of accounts and harvesting whichever ones do not push back. A unique password plus any form of two-factor authentication moves you out of the easy-target pool entirely. Upgrading from SMS to an authenticator app moves you further. Adding a hardware key to your most important accounts moves you all the way out of the comparison set for most automated attacks.

None of this is theoretical. Each upgrade closes a category of real, common attacks that compromise real accounts every day. Pick the level that matches the value of the account, set it up once, and move on with your life.
