Two-Factor Authentication: SMS, Authenticator Apps & Hardware Keys
Why two-factor authentication (2FA) matters
Password-only defenses are still the leading cause of account takeover: stolen, reused, or guessed passwords let attackers in. Two-factor authentication (2FA) adds a second proof of identity — "something you have" (a phone or hardware key) or "something you are" (biometrics) — which greatly reduces the risk of unauthorized access. This article compares three common 2FA methods (SMS one-time codes, authenticator apps using TOTP, and hardware/FIDO security keys), explains their strengths and weaknesses, and gives practical setup and recovery guidance so you can pick the best option for your accounts.
Options Compared: SMS, Authenticator Apps, and Hardware Keys
SMS (text-message) codes
- How it works: The service sends a one-time code by SMS to your phone number; you type that code to sign in.
- Pros: Easy to set up and use; works on any phone without installing apps.
- Cons: Vulnerable to SIM-swap attacks, phone number porting, intercepted SMS, and some phishing tactics. While better than no 2FA, SMS is considered a restricted or less-preferred out-of-band method by modern standards and should not be the only protection for high-risk accounts.
Authenticator apps (TOTP and push approvals)
- How it works: Apps such as Google Authenticator, Microsoft Authenticator, or other TOTP apps generate time-based one-time passwords (codes) on your device; some apps also support push approvals (tap-to-approve).
- Pros: More secure than SMS against SIM-swap and remote interception; codes are generated on the device, so they work when your phone has no signal; many apps support backups or account export/import features to move codes to a new device.
- Cons: If you lose your device and haven't exported or saved backup codes, you may be locked out; cloud-backup support varies between apps—verify your chosen app's migration capabilities before relying on it.
Hardware security keys and passkeys (FIDO/WebAuthn)
- How it works: FIDO-certified hardware devices (USB, NFC, or Bluetooth) or platform passkeys use public-key cryptography to authenticate directly to the site; the private key never leaves the device. Many modern platforms implement WebAuthn/FIDO2 or passkeys for phishing-resistant sign-in.
- Pros: Best protection against phishing and account takeover; resistant to remote SIM or SMS interception; standards-based (FIDO2/WebAuthn) and increasingly supported by major providers.
- Cons: Requires purchasing or using compatible hardware (or modern device platform passkeys); losing your keys without a backup plan can be risky—some services require registering multiple keys or trusted devices to avoid permanent lockout. Apple, for example, requires two FIDO-certified keys when enabling security keys for an Apple ID.
Practical setup & recovery guidance
General planning (before you enable 2FA)
- Inventory critical accounts (email, banks, password manager, social media) and enable 2FA starting with the most sensitive.
- Decide your primary 2FA method (authenticator app or hardware key recommended) and set up at least one recovery option you control (printed backup codes, secondary authenticator, or an additional hardware key stored safely).
- Record trustworthy backup steps in an encrypted note or password manager — don’t store backup codes in plain email or public cloud without encryption.
Step-by-step: Authenticator app (typical flow)
- Install a reputable authenticator app on your phone (Google Authenticator, Microsoft Authenticator, or another TOTP app).
- On the website's security/2FA page, choose "Set up an authenticator app"; the site will display a QR code.
- Open the authenticator app, choose "Add account" or the camera-scan option, and scan the QR code; the app starts generating 6-digit codes.
- Enter the current code into the website to confirm setup; the site will usually give backup/recovery codes—download, print, or store them securely.
Step-by-step: Hardware security key (typical flow)
- Buy a FIDO2/WebAuthn-certified key (USB-C, USB-A, NFC, or Lightning as appropriate for your devices). Consider buying at least two keys and label them (primary and backup).
- On the account's 2FA/security page, select "Add security key" (or "Add passkey").
- When prompted, insert or tap your key, follow browser prompts (touch or press button), and give the key a recognizable name in your account settings.
- Register a second key or an approved recovery method immediately so you can sign in if one key is lost.
Account recovery tips
- Store printed backup codes in a locked, private place (home safe or sealed envelope). These are often the simplest recovery route.
- If using an authenticator app, enable its encrypted cloud backup or export your accounts to a secure password manager that supports TOTP. Test the recovery or migration process on a non-critical account first.
- If you use SMS as a fallback, add a carrier account PIN/password and restrict account changes to in-store only where possible to reduce SIM-swap risk. The FTC recommends setting a PIN or password on your mobile account and limiting public exposure of your number.
Service-specific notes & the industry direction
Major platforms continue to expand support for phishing-resistant methods and move beyond SMS: many providers now support hardware security keys and passkeys under the FIDO standards, which are designed to be phishing-resistant and easier to use long-term. Enterprises and consumer services are encouraging passkeys and hardware-based authentication as safer alternatives to SMS and legacy OTPs.
Final recommendations
- For most users: use an authenticator app plus securely stored backup codes (better than SMS alone).
- For high-risk or targeted users (journalists, executives, people recovering from scams): prefer hardware security keys or passkeys and register multiple keys or recovery devices.
- Keep a recovery plan: register a backup key, print and store recovery codes, and understand your provider's account recovery process before you need it.
If you're unsure how a specific service implements 2FA or recovery, consult that service's official support documentation before making changes to avoid accidental lockout.
