Enabling multi-factor authentication is the single most repeated security recommendation you will encounter. It is good advice — a stolen password alone should not be enough to take over an account. But the method you use matters enormously. Not all second factors offer the same protection, and some give a false sense of security that can be worse than understanding the actual risk.[1]

What MFA Actually Is

Authentication is classically broken into three categories: something you know (a password or PIN), something you have (a device, a token, a key), and something you are (a biometric). Multi-factor authentication simply means combining at least two of these categories. The idea is that an attacker who compromises one factor — say, your password in a breach — still cannot access your account without the second.

The second factor is almost always “something you have”: a device that can receive a code, generate one, or perform a cryptographic operation. The difference between the available methods is in how that second factor works, and critically, whether it can be stolen or tricked without you ever knowing.

SMS Codes: Convenient, Compromised

SMS-based one-time codes are the most common form of MFA — and the weakest. Two separate attacks make them unreliable for anything you care about.

SIM swapping is a social engineering attack against your mobile carrier.[2] An attacker calls your provider, convinces customer support that they are you, and has your phone number transferred to a SIM card they control. From that moment on, all SMS messages intended for you — including authentication codes — go to the attacker. You still have your phone, showing full signal, with no indication anything is wrong. Carriers in many countries have alarmingly weak identity verification processes, and this attack has been used to drain cryptocurrency wallets and take over high-profile accounts.[3]

SS7 interception is more technical and typically the domain of state-level or well-resourced attackers.[4] The SS7 protocol, which underpins the global telephone network, has known vulnerabilities that allow SMS messages to be silently intercepted and redirected in transit. No SIM swap required, no notification to you. The attack is largely invisible.

For most people, SIM swapping is the realistic threat. Either way, the conclusion is the same: SMS as a second factor is significantly weaker than people assume.

Email Codes: Only as Strong as Your Email Password

Many services offer “send me a code by email” as a second factor. The problem is structural. If you use the same password for the service and for your email account — a very common pattern — then compromising one compromises both. The “second factor” collapses into a single point of failure.

Even with a unique email password, your email inbox is effectively the master key to your digital life: password reset emails for every service flow through it. An attacker who controls your email account does not need your second factor for anything — they simply reset your password. Email-based MFA is better than nothing, but it is not a true second factor if your email security is weak.

TOTP: A Real Improvement With One Serious Blind Spot

Time-based one-time passwords (TOTP) — the six-digit codes generated by apps like Aegis, andOTP, or Google Authenticator — are a genuine step up.[8] The setup involves scanning a QR code that contains a shared secret. Your app and the server independently compute the same time-based code, so nothing is transmitted over SMS or email. There is no carrier to social-engineer.

The shared secret lives only on the server and in your authenticator app. As long as that secret is not leaked in a server breach and your phone is not compromised, TOTP holds up well.

The blind spot is real-time phishing. TOTP codes are valid for 30 seconds. A phishing site that looks like your bank — perhaps hosted at bank-secure-login.com instead of bank.com — can receive your username, password, and TOTP code in real time and immediately replay them to the legitimate site before the code expires. This is called an adversary-in-the-middle (AitM) attack, and tools to automate it are publicly available.[9] TOTP provides no protection against this because it has no awareness of which site it is authenticating to. If you can be tricked into entering your credentials on a convincing fake site, TOTP does not save you.

WebAuthn and Hardware Keys: Phishing Cannot Win

FIDO2/WebAuthn — the standard implemented by hardware tokens like YubiKey, as well as by passkeys on modern devices — works fundamentally differently.[6] Instead of a shared secret or a transmitted code, authentication uses public-key cryptography. During registration, your device generates a key pair. The private key never leaves the device. During login, the server sends a challenge, and the device signs it with the private key. The server verifies the signature against the stored public key.

Critically, the key pair is bound to the exact origin — the domain name of the site. When you register with bank.com, the credential is cryptographically tied to bank.com. If you visit bank-secure-login.com, the browser and the security key refuse to use that credential. There is no code to intercept, no code to replay, and no way to trick the device into authenticating to a look-alike site. This is typosquatting resistance and phishing resistance built into the protocol itself.

Hardware tokens carry the private key in tamper-resistant hardware; it cannot be extracted even if your computer is compromised. Passkeys stored on a phone or laptop offer similar cryptographic guarantees but depend on the security of the device and its sync infrastructure.

For accounts that genuinely matter — email, password manager, financial services, infrastructure — a hardware key is the only second factor that is resistant to the full range of common attacks.

Note: Unfortunately, not every website supports WebAuthn and hardware keys. While major platforms (Google, Microsoft, GitHub, Apple) are fully integrated, many services still lack this option. In those cases, TOTP is the best available alternative.

Choosing Your Level of Protection

No single recommendation fits every situation. A useful mental model is to match the method to the value of the account:[5]

Comparison of MFA Methods

Method             | Phishing Resistant | SIM-Swap Proof | No Shared Secret
SMS                | No                 | No             | Yes
Email OTP          | No                 | Yes            | Yes
TOTP               | No                 | Yes            | No
WebAuthn / Passkey | Yes                | Yes            | Yes

Each method trades off between security, usability, and implementation complexity:

Backup codes deserve a separate note: store them offline, not in a cloud notes app. They are a recovery mechanism, not a convenience feature — treat them accordingly.

Sources

[1] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Authentication and Lifecycle Management. https://pages.nist.gov/800-63-3/

[2] FBI Internet Crime Complaint Center (IC3). Criminals Increasing SIM Swap Schemes to Steal Millions of Dollars from US Public. PSA I-020822-PSA, February 8, 2022. https://www.ic3.gov/PSA/2022/PSA220208

[3] Federal Communications Commission (FCC). Cell Phone Fraud. Consumer guidance on SIM swapping, port-out fraud, and protecting your mobile account. https://www.fcc.gov/cell-phone-fraud

[4] Daily Security Review. SS7 Alarm: TCAP Tag Exploit Lets Attackers Intercept SMS and Track Users. Technical breakdown of SS7 TCAP tag exploit enabling silent SMS interception and user location tracking. https://dailysecurityreview.com/cyber-security/application-security/ss7-alarm-tcap-tag-exploit-lets-attackers-intercept-sms-and-track-users/

[5] Karen Kent, TechTarget. Multifactor Authentication: 5 Examples and Strategic Use Cases. Covers MFA method types, their security properties (including SMS insecurity and phishing-resistant WebAuthn/FIDO), and how to match authentication strength to use case risk level. June 24, 2025. https://www.techtarget.com/searchsecurity/tip/Multifactor-authentication-Examples-and-strategic-use-cases

[6] World Wide Web Consortium (W3C). Web Authentication: An API for accessing Public Key Credentials. https://www.w3.org/TR/webauthn-2/

[7] Electronic Frontier Foundation (EFF). How to: Enable Two-Factor Authentication. Surveillance Self-Defense guide covering 2FA methods, security tradeoffs, and recommendations. https://ssd.eff.org/module/how-enable-two-factor-authentication

[8] Internet Engineering Task Force (IETF). RFC 6238: TOTP: Time-Based One-Time Password Algorithm. https://tools.ietf.org/html/rfc6238

[9] Microsoft Threat Intelligence. From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud. Technical documentation of adversary-in-the-middle proxy tools (Evilginx2, Modlishka, Muraena) and real-time credential interception bypassing MFA. July 12, 2022. https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/