What Is Two-Factor Authentication? TOTP, Hardware Keys, and Why SMS 2FA Is Weak
Two-factor authentication (2FA) adds a critical layer of security to online accounts by requiring a second form of verification beyond a password. 2FA methods range from SMS codes to hardware security keys, and they vary dramatically in strength. This article explains how each method works, how they compare, and why moving beyond SMS-based 2FA matters.
What Is Two-Factor Authentication?
Two-factor authentication (2FA) — a subset of multi-factor authentication (MFA) — is a security process that requires users to provide two distinct forms of identification before gaining access to an account or system. The underlying principle is that combining multiple independent factors dramatically reduces the likelihood that an attacker can compromise an account, even if one factor is stolen or guessed.
Authentication factors fall into three categories: something you know (a password, PIN, or security question answer); something you have (a physical device such as a smartphone or hardware token); and something you are (a biometric factor such as a fingerprint or face scan). True two-factor authentication requires factors from at least two different categories — combining two passwords, for example, is two-step verification but not two-factor authentication.
Passwords alone have proven woefully inadequate as a security mechanism. Credential stuffing attacks (testing stolen username/password pairs across multiple services), phishing, keyloggers, and data breaches have made compromised passwords ubiquitous. Verizon's Data Breach Investigations Reports consistently find that over 80% of hacking-related breaches involve compromised credentials. 2FA provides a backstop: even if an attacker has your password, they need your second factor to complete the login.
SMS-Based 2FA: Convenient but Weak
SMS-based 2FA sends a one-time code to the user's registered phone number via text message. It is the most widely deployed form of 2FA because it requires no additional app or hardware — virtually everyone has a phone capable of receiving SMS. It is significantly more secure than a password alone.
However, SMS 2FA has well-documented weaknesses. The most serious is SIM swapping — a social engineering attack in which an attacker convinces a mobile carrier's customer service representative to transfer the victim's phone number to an attacker-controlled SIM card. Once the attacker controls the phone number, they receive all SMS messages, including 2FA codes. SIM swapping has been used to compromise cryptocurrency accounts, bank accounts, and even the Twitter accounts of high-profile individuals. The attack requires only information obtainable from public records or previous data breaches, and carrier security processes have proven repeatedly vulnerable.
SMS is also vulnerable to SS7 attacks — exploiting weaknesses in the Signaling System 7 protocol that underlies the global telephone network — to intercept SMS messages in transit. While SS7 attacks require sophisticated technical capabilities and are primarily a concern for high-value targets, they demonstrate that SMS is not a cryptographically secure channel. Additionally, real-time phishing toolkits (such as Evilginx) can transparently proxy login pages, capturing both passwords and SMS codes as the user enters them.
TOTP: Time-Based One-Time Passwords
Time-based One-Time Passwords (TOTP), standardized in RFC 6238, are generated by an authenticator app on the user's device. During enrollment the server generates a random secret and hands it to the app, usually as a QR code; afterwards the secret is stored on both sides and never transmitted again. To produce a code, each side divides the current Unix time by the time step (30 seconds by default) to obtain a counter, computes HMAC-SHA1 over the secret and that counter (the HOTP construction of RFC 4226), dynamically truncates the result to a 31-bit integer, and reduces it modulo 10^6 to get a 6-digit code. Because the code changes every 30 seconds, a code an attacker captures is useless once its window has passed, and a server that records the last counter it accepted can refuse a replay within the window as well.
Popular TOTP apps include Google Authenticator, Microsoft Authenticator, Authy, and the open-source Aegis. TOTP takes the carrier out of the loop: a code cannot be redirected by SIM swapping or intercepted over SS7. It is not, however, phishing-resistant. A real-time phishing proxy captures a TOTP code exactly as it captures an SMS code and relays it to the real site within the 30-second window. TOTP's security also depends on the authenticator app, the device it runs on, and the server's protection of the shared secret: because the server holds the same seed as the app, a breach of the server's credential store exposes every user's second factor, which is not the case for the public keys stored for FIDO2 credentials.
One important consideration is backup and recovery. If a device running TOTP is lost or stolen, accessing enrolled accounts requires recovery codes or re-enrollment through account recovery processes. Apps such as Authy offer encrypted cloud backup of TOTP secrets, trading some security for convenience.
Push Notifications and Number Matching
Some enterprise MFA solutions (such as Duo Security and Microsoft Authenticator) use push notifications — the user receives a mobile push notification when a login is attempted and approves or denies it with a single tap. Push MFA is user-friendly but susceptible to MFA fatigue attacks (also called push bombing), in which attackers flood the user with approval requests hoping the user will tap accept out of frustration or confusion. This technique was used in the 2022 Uber breach.
Number matching (requiring the user to match a number displayed on the login screen to one shown in the push notification) and context information (showing the location and device requesting access) substantially mitigate MFA fatigue attacks by requiring conscious verification rather than a reflexive tap.
Hardware Security Keys and FIDO2
Hardware security keys such as YubiKey, Google Titan Key, and others implementing the FIDO2/WebAuthn standard are currently the strongest widely available 2FA option. FIDO2 is a set of open standards developed by the FIDO Alliance and the W3C that enable cryptographic authentication without shared secrets.
When a FIDO2 key is registered with a service, the key generates a fresh public-private key pair for that service's relying party identifier (its domain) and returns only the public key, which the server stores. During authentication the server sends a random challenge; the browser packages that challenge together with the origin the page is actually running on, and the key signs the result with the private key, which never leaves the hardware token. The server verifies the signature with the stored public key, checks that the challenge is the one it issued, and checks that the signed origin is its own. Credentials are scoped to the relying party domain: the browser refuses to use a credential registered for one domain from a page on a different domain, and even if it did, the origin baked into the signed data would not match, so a phishing site cannot obtain a signature the legitimate service will accept.
FIDO2 is phishing-resistant by construction: even a pixel-perfect replica of the login page fails to authenticate, because the browser will not exercise the credential from the wrong origin and the server rejects any assertion whose signed origin is not its own. This makes hardware keys the recommended 2FA method for high-value accounts such as financial services, corporate administrator accounts, and cryptocurrency wallets. Passkeys, which are FIDO2 credentials held by the platform authenticator built into modern operating systems and browsers (and often synced between a user's devices), are rapidly extending phishing-resistant authentication to mainstream users without a separate hardware token.
Biometric Authentication
Biometrics — fingerprint readers, face ID, iris scans — can serve as the something you are factor in MFA. On modern smartphones, biometric authentication typically unlocks a cryptographic credential stored in the device's secure enclave, rather than transmitting biometric data to a server. This local processing model avoids the catastrophic risk of centralized biometric database breaches, since the biometric data never leaves the device. Biometrics are discussed in depth in a companion article on biometric security.