Haven Messenger

Originally published at havenmessenger.com

TOTP, SMS, Hardware Keys, and Passkeys: An Honest 2FA Comparison

Two-factor authentication is one of the most effective security improvements available to ordinary users — but it spans an enormous range of actual protection. SMS codes and hardware security keys are both "2FA." They are not remotely equivalent.

The idea behind two-factor authentication is simple: require a second proof of identity beyond a password. Even if an attacker steals your password, they cannot log in without the second factor. In practice, the security you get depends almost entirely on which second factor you use — and the gap between the best and worst options is significant.

SMS One-Time Codes

When a service texts you a six-digit code at login, it's using SMS as a second factor. This is the most widely deployed form of 2FA — and also the most fragile. SMS has three significant attack vectors that do not require compromising your device:

  • SIM swapping — An attacker calls your carrier, impersonates you, and convinces them to transfer your number to a SIM the attacker controls. SMS codes then route to the attacker. This attack has been used against cryptocurrency holders, journalists, and politicians.
  • SS7 interception — The Signaling System 7 protocol has known vulnerabilities that allow SMS interception by parties with access to telecom infrastructure. Nation-state actors and sophisticated criminal groups have demonstrated this capability.
  • Real-time phishing — A fake login page captures your password and SMS code simultaneously, relaying them to the real site before the code expires. Because SMS codes offer no verification of which site you're authenticating to, there's no cryptographic defense against this.

Bottom line: SMS 2FA is significantly better than no 2FA against opportunistic attackers. Against a motivated adversary, it provides minimal protection. Use it when nothing better is offered; replace it whenever you can.

TOTP: Time-Based One-Time Passwords

TOTP (RFC 6238) works differently. When you set up 2FA with an authenticator app (Aegis, Authy, Google Authenticator), the service provides a shared secret stored on your device. At login time, both your app and the server independently compute HMAC-SHA1(secret, floor(unix_time / 30)) — a new six-digit code every 30 seconds, no network required.

Because the code derives from a secret on your device rather than being transmitted over cellular networks, SIM swapping and SS7 attacks don't apply. Significant improvement.

The remaining weaknesses:

  • Real-time phishing still works — TOTP codes are valid for up to 90 seconds. A phishing proxy that relays your code can use it in real time. TOTP does not verify the identity of the site you're authenticating to.
  • Shared secret theft — A breach of the service database that exposes TOTP secrets lets attackers generate valid codes for every user.
  • Device compromise — Malware on your device can exfiltrate TOTP secrets.

TOTP is a substantial improvement over SMS. Its primary remaining vulnerability — phishing — is where hardware keys do something fundamentally different.

Hardware Security Keys: FIDO2 and WebAuthn

Hardware security keys (YubiKey, Google Titan Key, and equivalents) implement the FIDO2/WebAuthn standard. The mechanism is categorically different.

When you register a hardware key with a site, the key generates a unique public/private keypair for that specific origin (the domain name). The private key never leaves the hardware device. At authentication time, the browser sends the key a challenge that includes the origin, and the key signs it. The server verifies the signature.

The critical property: the key signs a payload that includes rpId — the relying party's domain name. If you're on a phishing site at login-google.evil.com, the key will refuse to sign a challenge claiming to be google.com. Phishing attacks are cryptographically blocked.
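The origin binding is visible from the relying-party side too. This added example (not code from the article or from any WebAuthn library) shows what the authenticator signs and the checks a server runs on clientDataJSON and authenticator data before verifying the signature; the rpId example.com, the origins, the challenge and the response bytes are constructed, and the signature verification itself is assumed to be done by a WebAuthn library.

```python
import base64
import hashlib
import json


def b64url_decode(s: str) -> bytes:
    """WebAuthn transmits binary fields as unpadded base64url; restore padding, then decode."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def signed_message(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """The bytes the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
    The origin sits in clientDataJSON and SHA-256(rpId) in authenticatorData, so the signature
    is bound to both."""
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def binding_failure(rp_id: str, expected_origin: str, expected_challenge: bytes,
                    client_data_json: bytes, authenticator_data: bytes):
    """Relying-party checks run before signature verification. Returns None when the
    assertion is bound to our rpId, origin and challenge, otherwise the reason it is not."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return "not an authentication ceremony"
    if client.get("origin") != expected_origin:
        return f"origin mismatch: {client.get('origin')!r}"
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return "challenge mismatch (replayed or cross-session response)"
    if len(authenticator_data) < 37:
        return "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return "rpIdHash does not match our rpId"
    if not authenticator_data[32] & 0x01:
        return "user-presence flag not set"
    return None


# Constructed sample: our rpId, the challenge we issued, and a minimal authenticator data
# blob (rpIdHash || flags UP+UV || 4-byte signature counter) for a genuine example.com login.
RP_ID = "example.com"
ORIGIN = "https://example.com"
CHALLENGE = bytes(range(32))
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + bytes([0x05]) + (7).to_bytes(4, "big")


def client_data(origin: str) -> bytes:
    """Build the clientDataJSON a browser would emit for a page at `origin` (constructed)."""
    challenge = base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode()
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


# A response produced on the real site passes; one relayed from the phishing page carries the
# browser-set origin login-google.evil.com and is rejected before any signature is checked.
GENUINE = binding_failure(RP_ID, ORIGIN, CHALLENGE, client_data(ORIGIN), AUTH_DATA)
RELAYED = binding_failure(RP_ID, ORIGIN, CHALLENGE, client_data("https://login-google.evil.com"), AUTH_DATA)
```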

This makes hardware keys the only common second factor that defeats real-time phishing. No other widely deployed mechanism does this.

Practical limitations: physical loss requires backup keys, cost is roughly $25-$60 USD, and not every service supports WebAuthn yet.

Passkeys: Hardware Key Concepts, Software Delivery

Passkeys apply WebAuthn's origin-binding cryptography without requiring a dedicated hardware device. Your phone, laptop, or password manager stores the private key material. The same property holds: the key for example.com will only sign challenges from example.com.

Passkeys are often described as a password replacement rather than a second factor, combining something you have (device with private key) and something you know or are (PIN or biometric).

The main trade-off vs. hardware keys: passkeys synced via cloud keychain (iCloud Keychain, Google Password Manager) are exposed if that sync account is compromised. Hardware keys with resident keys store credentials on the device only — no sync extraction possible.

How They Compare

Method               | SIM Swap   | Phishing   | Device Compromise | Ease of Use
SMS                  | Vulnerable | Vulnerable | Vulnerable        | Easy
TOTP                 | Resistant  | Vulnerable | Partial           | Easy
Hardware Key (FIDO2) | Resistant  | Resistant  | Resistant         | Moderate
Passkey              | Resistant  | Resistant  | Depends on sync   | Easy

Which Should You Use?

For high-value accounts (email, financial, domain registrar, password manager master): hardware security key. The phishing resistance alone justifies the cost. Keep a backup key registered.

For everything else: TOTP via an authenticator app with encrypted backup (Aegis on Android is excellent). Substantial improvement over SMS, no additional hardware required, works offline.

Passkeys: adopt them as sites add support, especially if your password manager stores them locally. The user experience is often better than TOTP, and the phishing resistance matches hardware keys.

SMS: enable if it's the only option. If the service offers TOTP or WebAuthn and you're using SMS because it was the default — change it.

A Note on Backup Codes

Almost every 2FA system generates one-time backup codes at setup. These bypass the second factor entirely. Store them in a password manager or printed and locked away — not in a file on the same device you use for 2FA. A backup code stored on your phone's notes app is an attack vector, not a safety net.
