How Two-Factor Authentication Works and Which Types Are Most Secure

Two-factor authentication adds a second layer of security beyond passwords, but not all 2FA methods are equally secure. This guide explains how each type works and which offer the strongest protection.

The InfoNexus Editorial Team · May 10, 2026 · 9 min read

Why Passwords Alone Are Not Enough

Passwords are the default authentication mechanism for most online accounts, but they have fundamental weaknesses that make them increasingly inadequate as a sole security control. Passwords can be stolen through phishing attacks, data breaches, keyloggers, and network interception. They can be guessed through brute force attacks or the use of credential stuffing tools that automatically try billions of username/password combinations from previous breach databases. And they can be shared — intentionally or carelessly — undermining account security entirely.

The scale of the password problem is enormous: Have I Been Pwned, a widely used credential breach notification service, indexes over 12 billion compromised accounts. The widespread reuse of passwords across multiple sites means that a single breach can cascade into account takeovers on dozens of other services. Two-factor authentication (2FA) — requiring a second proof of identity beyond the password — addresses these weaknesses by ensuring that stolen credentials alone are insufficient to access an account. Even if an attacker has your username and password, they cannot log in without also possessing or controlling the second factor.

The Three Factors of Authentication

Authentication factors are categorized into three types: something you know (passwords, PINs, security questions), something you have (a phone, hardware token, or smart card), and something you are (biometrics: fingerprints, facial recognition, voice). True two-factor authentication combines factors from two different categories — adding a PIN to a password (both in the same category) is not genuine 2FA, whereas combining a password with a mobile-generated one-time code (something you know + something you have) is. Multi-factor authentication (MFA) is the broader term encompassing 2FA and authentication using more than two factors.

The strength of any 2FA implementation depends on the security properties of each factor and the degree to which the combination resists the most common attack scenarios. The spectrum of 2FA methods ranges from the highly vulnerable (SMS codes) to the highly secure (hardware security keys), with significant practical and security implications for the choice between them.

SMS-Based 2FA: Common but Vulnerable

SMS one-time passwords (OTPs) are the most widely deployed 2FA method: after entering a password, a six-digit code is sent to the user's registered mobile phone via text message, and the user enters that code to complete authentication. SMS 2FA is significantly better than no 2FA — it defeats most automated credential stuffing attacks. However, it is also the weakest form of 2FA and is vulnerable to several attack methods.

SIM swapping is the most significant threat: an attacker socially engineers or bribes a mobile carrier employee into transferring the victim's phone number to a SIM card the attacker controls, and from then on receives every SMS sent to that number, OTPs included. SIM swapping has been used to steal cryptocurrency worth hundreds of millions of dollars and to hijack high-profile social media accounts. SS7 attacks exploit weaknesses in the telephone signaling network to intercept SMS messages in transit, though they require access to carrier infrastructure that is typically available only to nation-state actors or well-resourced criminal groups. Real-time phishing, in which a proxy site captures the password and the OTP together and immediately replays them to the legitimate site, also defeats SMS 2FA, because the verifier cannot tell who typed the code. The U.S. National Institute of Standards and Technology (NIST) proposed deprecating SMS OTP in its 2016 draft of Special Publication 800-63B; the final 2017 version classes out-of-band authentication over the phone network as a "restricted" authenticator that agencies must justify and plan to migrate away from, and major security organizations recommend stronger alternatives wherever possible.

Authenticator Apps: TOTP and HOTP

Time-based One-Time Passwords (TOTP), generated by authenticator apps such as Google Authenticator, Authy, Microsoft Authenticator, and 1Password, are a significant improvement over SMS 2FA. TOTP (RFC 6238) is built on HOTP (RFC 4226). HOTP computes an HMAC over a shared secret, established during setup (usually by scanning a QR code), and an 8-byte counter, dynamically truncates the MAC to a 6-8 digit code, and moves the counter forward on every use, which means client and server must keep their counters in step. TOTP replaces the counter with the number of 30-second time steps elapsed since the Unix epoch, so the two sides agree on the code as long as their clocks agree. HMAC-SHA1 is the default algorithm, with SHA-256 and SHA-512 permitted, and each code is valid for one time step; servers usually accept one adjacent step to tolerate clock drift. Because codes are generated on the device rather than transmitted over the phone network, TOTP is immune to SIM swapping and SS7 attacks.

However, TOTP is still vulnerable to real-time phishing: an attacker's proxy site can capture a TOTP code entered by the victim and relay it to the legitimate site within the 30-second validity window, and the server cannot distinguish the relayed code from one typed directly. Phishing kits such as Evilginx automate this as a reverse proxy. Authenticator apps also create usability challenges: the shared secret must be backed up (Authy provides encrypted cloud backup; Google Authenticator did not until it added account sync in 2023, which led to many lockouts), and if a device is lost without a backup, account recovery can be difficult. Nevertheless, TOTP authenticator apps are a strong practical choice for most users and organizations and are much more secure than SMS 2FA.
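As an added example (not code from the article or from any of the apps named above), here is a Python implementation of HOTP and TOTP following RFC 4226 and RFC 6238, checked against the test vectors published in those RFCs, plus a server-side verifier that accepts one step of clock drift and never accepts the same time step twice. The replay rule is standard hardening rather than something the article prescribes; it blocks reuse of a code the attacker has already captured but, as noted above, cannot stop a proxy relaying an unused code within the live window. The secrets are the RFC test values, not real credentials.

```python
import hashlib
import hmac
import struct
import time

# Test secrets from RFC 4226 Appendix D and RFC 6238 Appendix B (raw ASCII, not base32).
RFC_SECRET_SHA1 = b"12345678901234567890"
RFC_SECRET_SHA256 = b"12345678901234567890123456789012"


def hotp(secret, counter, digits=6, algo="sha1"):
    """HOTP (RFC 4226): HMAC(secret, counter) -> dynamic truncation -> N decimal digits."""
    msg = struct.pack(">Q", counter)                        # 8-byte big-endian counter
    mac = hmac.new(secret, msg, getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F                                 # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)          # keep leading zeros


def totp(secret, at=None, step=30, digits=6, algo="sha1"):
    """TOTP (RFC 6238): HOTP with the counter replaced by floor(unix_time / step)."""
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits, algo)


class TotpVerifier:
    """Server-side check: tolerate `drift` adjacent steps, never accept a step twice.

    Refusing any step at or below the last accepted one stops replay of a code the
    attacker has already seen. It does not stop a live proxy relaying an unused code
    within the current window, which is why TOTP is not phishing-resistant.
    """

    def __init__(self, secret, step=30, digits=6, algo="sha1", drift=1):
        self.secret, self.step, self.digits, self.algo, self.drift = secret, step, digits, algo, drift
        self.last_step = -1                                 # highest time step already consumed

    def verify(self, code, at=None):
        at = int(time.time()) if at is None else at
        current = at // self.step
        for t in range(current - self.drift, current + self.drift + 1):
            if t <= self.last_step:
                continue                                    # already used: replay
            expected = hotp(self.secret, t, self.digits, self.algo)
            if hmac.compare_digest(expected, code):         # constant-time comparison
                self.last_step = t
                return True
        return False


if __name__ == "__main__":
    print(hotp(RFC_SECRET_SHA1, 0), totp(RFC_SECRET_SHA1, 59, digits=8))   # 755224 94287082
```

Run it directly to print the two RFC vectors; production code would additionally store `last_step` per user in the database and rate-limit attempts, since a six-digit code with a three-step window gives an online guesser roughly a 3-in-a-million chance per try.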

Hardware Security Keys: The Gold Standard

Hardware security keys, physical devices such as YubiKey, Google Titan Key, and Feitian keys that implement the FIDO2/WebAuthn and FIDO U2F standards, are the strongest widely available 2FA method. When a key is registered, it generates a fresh public-private key pair for that site (the relying party), keeps the private key on the hardware, and sends only the public key to the site. On each subsequent login the site sends a random challenge, and the key signs it with the private key, proving possession of the key without ever revealing the key itself.

Hardware security keys have two security properties not shared by the other 2FA methods above. First, they are phishing-resistant: each credential is scoped to a relying party identifier (the site's domain), and the browser refuses to use it from any origin that is not that domain or a subdomain of it. The browser also writes the page's actual origin into the client data that the key signs, so the server can check where the challenge was answered. A user on a pixel-perfect phishing page at a lookalike domain therefore cannot be tricked into producing a usable assertion: the key is never exercised for the wrong domain, and an assertion relayed by a proxy would carry the wrong origin. Real-time phishing, which defeats SMS and TOTP codes, is ineffective against them. Second, the private key never leaves the hardware, so malware on the computer or a breach of the site's database (which holds only public keys) does not expose it. Google reported in 2018 that after requiring security keys for its more than 85,000 employees, it had seen no successful phishing-based account takeovers since the rollout.

Push Notifications and Biometrics

Push-notification 2FA, used by apps such as Duo Security and Microsoft Authenticator in push mode, sends an approval request to the user's smartphone, which the user approves or denies with a tap. This is generally more secure than SMS and more convenient than TOTP, but it is vulnerable to MFA fatigue attacks (also called push bombing): an attacker who already holds the password triggers push after push until the user approves one out of confusion or annoyance. This technique was used in the 2022 Uber breach. The standard mitigation is number matching, in which the login screen displays a short code that the user must type into the push prompt, so a prompt the user did not initiate cannot be approved with a reflexive tap; both Duo and Microsoft Authenticator support it.

Biometric authentication (fingerprints, facial recognition, and voiceprints) is commonly used as the unlock mechanism for authenticator apps and hardware keys rather than as a standalone second factor. Used that way, to release a cryptographic key held in a secure element, biometrics contribute meaningfully to security, and the biometric template never leaves the device. As a network authentication factor sent to a remote server, biometrics are problematic: a compromised fingerprint or face template cannot be changed, and remote biometric verification can be spoofed. Passkeys, the emerging standard that pairs FIDO2 public-key cryptography with a private key unlocked locally by the device's biometric or PIN, are increasingly offered as a passwordless replacement for both passwords and traditional 2FA, with the same phishing resistance as hardware keys and better usability; the trade-off is that synced passkeys are backed up to the platform vendor's cloud account rather than bound to one device, so that account becomes part of the trust boundary.

Choosing the Right 2FA for Your Needs

  • For most users: Any 2FA is vastly better than none. Start with an authenticator app (Authy or Microsoft Authenticator) for accounts that support it, and enable SMS 2FA only as a last resort or fallback.
  • For high-value accounts (email, financial, cryptocurrency): Use hardware security keys (YubiKey or Google Titan Key) wherever supported, and register at least two keys so that losing one does not lock you out; keep TOTP, not SMS, as the fallback where a second key cannot be enrolled.
  • For organizations: Mandate phishing-resistant 2FA (FIDO2 hardware keys or passkeys) for administrator accounts and remote access, and TOTP as a minimum for all employee accounts.
  • Avoid SMS 2FA for critical accounts: Especially for accounts that could be used for financial transactions or to reset other accounts via email.
  • Use backup codes: When enabling 2FA, save your backup codes in a secure location (encrypted password manager or physical safe) to avoid permanent account lockout.