Two-Factor Authentication: Every Method Explained
Two-factor authentication (2FA) adds a second verification step to login — something you have, in addition to something you know. But 2FA is not one thing: there are multiple methods with meaningfully different security properties. Understanding them helps you choose the right method for each account.
SMS / Text Message Codes
The most common and most criticized 2FA method. A one-time code is sent to your phone number via SMS. Weaknesses: SIM swapping (an attacker who convinces your carrier to transfer your number receives all of your SMS), SS7 protocol vulnerabilities (weaknesses in the telecom signalling network can allow messages to be intercepted in transit), and social engineering of carrier support staff. SMS 2FA is significantly better than no 2FA, but it's the weakest of the available methods.
Authenticator Apps (TOTP)
Apps like Google Authenticator, Authy, and Microsoft Authenticator generate time-based one-time passwords (TOTP) — 6-digit codes that change every 30 seconds. These are more secure than SMS: the code is generated locally on your device with no network transmission that can be intercepted. The shared secret between the service and your app was exchanged once at setup and doesn't travel again.
Authenticator apps are the best 2FA method most people can practically use. They're resistant to SIM swapping, don't require network connectivity to generate codes, and work across all services that support TOTP (the open standard underlying almost all authenticator apps). They are not phishing-resistant, though: a code typed into a look-alike site can be relayed to the real one within its 30-second validity window, which is the gap the hardware-key methods below close.
Hardware Security Keys (FIDO2/WebAuthn)
Physical devices (YubiKey, Google Titan Key) that plug into USB or tap via NFC. The most secure consumer 2FA: they're phishing-resistant (each credential is bound to the site's origin, so the key won't produce a valid response for a look-alike domain), require physical possession, and don't rely on any network transmission for the authentication step. For high-value accounts — email, banking, domain registrars — hardware keys are worth the investment.
Passkeys
The newest method, increasingly available as the industry moves beyond passwords. Passkeys use public key cryptography: your device holds a private key, the service holds a public key, and authentication happens via a cryptographic challenge that your device answers using biometrics (FaceID, fingerprint) or PIN. Passkeys are phishing-resistant and eliminate the password entirely.
Generate strong unique passwords — because 2FA doesn't help if the password itself is weak. Create yours at PasswordUtils.