If your important accounts (registrar, hosting, GitHub, banking, work email) only need a password to log in, you have already lost. The standard advice is "enable two-factor authentication". The detail nobody tells you is that the second factor matters: SMS is the worst legitimate option, and the gap between SMS and the next tier is huge.
This article explains why SMS as 2FA is broken, and what the four real options are, ranked from worst to best.
The attack that killed SMS 2FA
The attack is called SIM swapping. It works like this:
- The attacker collects your phone number, your name, your date of birth, and a few personal details from data leaks or social media.
- They contact your mobile carrier impersonating you, claim they lost the phone, and request the number be activated on a new SIM (theirs).
- The carrier's support agent, after questions you can answer with public information, makes the swap.
- Your real phone goes silent. The attacker's phone now receives all your SMS, including 2FA codes.
- Within 30 minutes, they reset passwords, drain accounts, and disappear.
The attack does not require any technical sophistication. It requires a phone call to a help desk and confidence. It happens to thousands of people per month. Italian, German, US, Brazilian carriers have all been affected. Some carriers are better than others, but no carrier is immune.
There is also a second class of attack: SS7 interception, where SMS messages are read in transit through the international telephony signalling protocol. This is more sophisticated and used in targeted cases, but it has been demonstrated for over a decade and is still possible.
The takeaway: SMS as a second factor is insecure at the transport level and exploitable through social engineering. It is better than nothing, but only by a small margin.
The four real options, ranked
4. SMS one-time codes
A 6-digit code sent to your phone. The default at most banks and at many older services. Vulnerable to both attacks above. Use only if your account literally offers no other 2FA option, and even then plan to migrate.
3. Email codes
A 6-digit code sent to your email. Slightly safer than SMS because email is harder to intercept than a phone number, but only as safe as your email account itself. If your email account is the recovery for everything else, and the second factor for everything else is also email, you have a single point of failure. Better than SMS for one specific account, useless for protecting the email account itself.
2. TOTP apps (Authenticator apps)
The standard "Authenticator" approach. The service shows you a QR code once during setup. Your app (Google Authenticator, Microsoft Authenticator, Aegis, 2FAS, Bitwarden Authenticator, Raivo OTP) scans it and starts generating a 6-digit code that changes every 30 seconds. To log in, you read the code from the app and type it.
This is algorithmic (RFC 6238), not transmitted: the secret is on your phone, the codes are generated locally. There is nothing for an attacker to intercept. SIM swap does not affect TOTP. Phishing pages can still trick you into typing the code, but the time window is narrow (30 seconds) and the attacker has to act in real time.
The trap with TOTP: if you lose the phone with no backup, you lose access. Mitigations:
- Aegis (Android, FOSS) and 2FAS (Android/iOS) have encrypted backups to a file you store yourself.
- Bitwarden stores TOTP secrets along with passwords, encrypted, with sync. Convenient, but it makes Bitwarden a single point of failure (if your master password leaks, both factors are compromised). For high-value accounts you may want TOTP separate.
- Always save the backup codes the service gives you at setup. Print them, put them in a safe.
1. Hardware security keys (FIDO2/WebAuthn)
A physical USB or NFC device (YubiKey, Token2, NitroKey, SoloKey) that you tap or insert when logging in. The device performs a cryptographic challenge with the service. The challenge is bound to the exact domain you are visiting, which makes phishing physically impossible: a fake login page on a similar domain cannot get the key to sign for the real domain.
This is the strongest 2FA available to consumers. Phishing-resistant, SIM-swap-immune, malware-resistant. Compatible with Google, Microsoft, GitHub, Cloudflare, AWS, X, Facebook, password managers, banks. Not yet universal, but the list grows every year.
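The domain binding above is not a property of the key alone but of the checks the service performs on what the key returns. The following added example (not code from the article or from any key vendor) shows, in standard-library Python, the relying-party checks from the WebAuthn assertion ceremony that deliver the phishing resistance: the browser records the page origin in clientDataJSON and passes the RP ID to the authenticator, which hashes it into authenticatorData, so an assertion produced on a look-alike domain fails both the origin and rpIdHash comparisons. The authenticator and browser outputs are constructed stand-ins built to the spec's byte layout; signature verification over authenticatorData plus SHA-256(clientDataJSON) with the registered public key, and the signature-counter check, are omitted here and belong to a maintained WebAuthn library in production.

```python
import base64
import hashlib
import json
import struct


def b64url(data: bytes) -> str:
    """WebAuthn encodes the challenge in clientDataJSON as unpadded base64url."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Constructed stand-in for what an authenticator emits:
    SHA-256(rpId) || flags byte || 32-bit big-endian signature counter.
    The browser derives rpId from the page's origin, so a key used on a fake domain
    hashes the fake domain, not the real one."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """Constructed clientDataJSON as the browser serialises it before the key signs over its hash."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()


def verify_assertion(expected_rp_id: str, expected_origin: str, issued_challenge: bytes,
                     client_data_json: bytes, authenticator_data: bytes):
    """Relying-party checks (WebAuthn §7.2, minus signature and counter).
    Returns (ok, reason) so a login service can log exactly why an assertion was rejected."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch or replay"
    if cd.get("origin") != expected_origin:
        return False, f"origin {cd.get('origin')} is not {expected_origin}"
    if len(authenticator_data) < 37:
        return False, "authenticator data too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:                      # UP flag: user touched the key
        return False, "user presence not asserted"
    return True, "ok"


if __name__ == "__main__":
    challenge = b"\x01" * 32                                  # constructed; real ones are random per login
    # Genuine login on the real domain.
    ok, why = verify_assertion("example.com", "https://example.com", challenge,
                               build_client_data(challenge, "https://example.com"),
                               build_authenticator_data("example.com"))
    print("real site:", ok, why)
    # Same key, same challenge, but the browser was on a look-alike domain.
    ok, why = verify_assertion("example.com", "https://example.com", challenge,
                               build_client_data(challenge, "https://examp1e.com"),
                               build_authenticator_data("examp1e.com"))
    print("look-alike site:", ok, why)
```

The defensive lesson for anyone running a login service: the rpIdHash and origin checks must be performed against the expected values, not against whatever the client sent, and the challenge must be single-use; a library that skips any of these gives up the very property that puts hardware keys at the top of this ranking.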
The downsides, honestly:
- Cost: 30-70 euro per key. You need at least two so the loss of one is recoverable.
- Setup: more clicks per service than TOTP.
- Mobile: you need an NFC key or a USB-C key for the phone.
For accounts that protect significant value (registrar, financial accounts, work account if you have admin powers), this is what to use. For everything else, TOTP is enough.
Practical setup for a small team or freelancer
A pragmatic configuration in 2026:
- Buy two YubiKey 5 NFC (about 100 euro total). Register both as 2FA on every account that supports FIDO2: registrar, Cloudflare, GitHub, Google/Microsoft account, AWS root, password manager. Keep one in your wallet, one in a drawer at home.
- Use TOTP for everything else: install Aegis on Android or 2FAS on iOS. Enable encrypted backup to your cloud of choice. Enable TOTP 2FA on every service that does not support FIDO2 yet.
- Use SMS only as a fallback when nothing else is available. Then complain to the service.
- Store recovery codes in a password manager or printed in a sealed envelope. Test them once.
- Disable SMS recovery on your important accounts. If both 2FA and account recovery accept SMS, an attacker still wins through SIM swap. The "fall back to SMS if you lose your second factor" option must be off.
What to do today, in 5 minutes
Open your email account settings. The email is the master key, the recovery for everything else. Check:
- 2FA is enabled.
- The second factor is not SMS only.
- Recovery options do not silently include SMS or a phone number that, alone, lets you in.
If anything is wrong, fix it now, before reading the rest of this site. The email account is the most important account you have, and the one most often left protected by SMS only.
The investment of 5 minutes today removes the single most common attack vector against personal accounts. Then come back and move the rest of your accounts to TOTP, then to FIDO2 over time.