2FA: which second factor is actually worth using
Any 2FA beats none, but the gap between SMS codes and hardware keys is bigger than most people think. Ranked, with an honest take on the hassle.
6 min read · Reviewed July 2026
Two-factor authentication means a stolen password alone can’t open your account — the thief also needs something you have. That single change defeats most automated account takeovers outright. But ‘2FA’ covers methods with very different strength, and the setup screens never tell you which is which. Here’s the ranking.
SMS codes: fine, with an asterisk
Codes texted to your phone stop the bulk attacks — someone in another country with your leaked password gets nowhere. The weakness is targeted attacks: SIM swapping, where someone convinces your carrier to move your number to their SIM, receives your codes, and resets your accounts. It’s a real, practiced crime, mostly aimed at people worth targeting — crypto holders, public figures, business owners.
My take: SMS 2FA is dramatically better than nothing, and if it’s the only option a site offers, turn it on without hesitation. Just don’t leave your most valuable accounts on it if something stronger is available.
Authenticator apps: the sweet spot
Apps like Google Authenticator or Authy generate six-digit codes on your device. Nothing travels over the phone network, so SIM swapping is useless against them. They work offline, cost nothing, and nearly every major service supports them. The remaining weakness is phishing: a convincing fake login page can ask for your code and relay it in real time.
For most people, this is the right answer for everything important. Save the backup codes each service gives you when you enroll — in your password manager — or a lost phone becomes a very bad week.
Passkeys and hardware keys: phishing-proof
Passkeys (built into phones and browsers now) and hardware keys (a small USB device) use cryptography bound to the real website’s domain. A fake site can’t harvest anything, because your device simply won’t respond to the wrong domain. That kills phishing — the attack that beats authenticator codes.
Passkeys cost nothing and are genuinely easier than typing codes; adoption is spreading fast. Hardware keys add physical separation and are worth the ~$25-50 for the accounts that would ruin you — email above all. Honest hassle assessment: enrollment takes minutes per account, and then daily use is faster than any code.
The order to do it in
Email first — it’s the recovery path for everything else. Then money: bank, brokerage, payment apps. Then your password manager. Then whatever else you’d hate to lose. Any 2FA on all of those beats perfect 2FA on one of them.