Two-factor authentication done right (and the kinds you should drop)
MFA-fatigue attacks grew 217% YoY in the 2026 Verizon DBIR. SMS 2FA is worse than nothing. Here is the four-tier ranking of every 2FA method, and the migration path from "I use texts" to "I am hardware-key-protected."
Two-factor authentication is the difference between a leaked password being a minor inconvenience and a leaked password being the start of your identity-theft autobiography. But not all 2FA is equal — some of it is actively dangerous, in the sense that it gives you a sense of security you do not actually have.
Here is the 2026 ranking, the migration plan, and the recovery story you need before you start. The 2026 Verizon DBIR clocked MFA-fatigue attacks (the kind where an attacker spams you with push notifications until you tap "yes") at 217% year-over-year growth. The defenses that worked in 2020 do not work now.
Tier 1: hardware-bound keys (the right answer)
A FIDO2/WebAuthn hardware key — YubiKey, Titan, or a hardware-backed passkey on Apple/Android — is the only 2FA category that is phishing-resistant by design. The cryptography is bound to the website's origin. A fake login page cannot relay the credential because the credential will not respond to a fake origin. End of class of attack.
- YubiKey 5 series: works everywhere. ~$50.
- YubiKey Bio: fingerprint reader on the key itself. ~$80.
- Apple passkeys: stored in the Secure Enclave, synced to other Apple devices via iCloud Keychain.
- Google Titan: equivalent to YubiKey, sometimes cheaper.
- Windows Hello with a TPM: hardware-backed, but device-bound rather than portable.
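To make the "bound to the website's origin" claim concrete, here is an added example (not code from the original post, and not any vendor's library) that simulates the relying-party checks a site performs on a WebAuthn assertion. Everything named here is constructed: the RP ID `bank.example`, the lookalike origin `bank-login.example`, and an HMAC stand-in for the authenticator's asymmetric signature (real keys use e.g. ECDSA P-256 verified with the public key stored at registration). The origin-binding logic is the part that matters: the browser, not the page, writes the origin into clientDataJSON, the authenticator signs over its hash, and the server rejects anything whose origin or challenge does not match.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

RP_ID = "bank.example"                 # constructed relying-party ID (assumption)
RP_ORIGIN = "https://bank.example"     # the only origin this RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# --- browser + authenticator side (simulated) ---
def browser_assertion(origin: str, challenge: bytes, cred_key: bytes) -> Dict[str, bytes]:
    """The browser fills in clientDataJSON, including the origin it is actually
    running on; a web page cannot overwrite this field. The authenticator then
    signs authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()
    # authenticatorData begins with SHA-256(rpId); flags and a counter follow.
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    # STAND-IN: HMAC instead of an asymmetric signature, to stay dependency-free.
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


# --- relying-party (server) side ---
def verify_assertion(assertion: Dict[str, bytes], issued_challenge: bytes,
                     cred_key: bytes) -> Tuple[bool, str]:
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(cd.get("challenge", "")), issued_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: %r" % cd.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> Dict[str, Tuple[bool, str]]:
    cred_key = secrets.token_bytes(32)   # per-credential key (constructed)
    challenge = secrets.token_bytes(32)  # fresh challenge the RP issued for this login
    # 1. Genuine login from the real origin.
    genuine = verify_assertion(browser_assertion(RP_ORIGIN, challenge, cred_key), challenge, cred_key)
    # 2. Relay through a lookalike page: the victim's browser stamps the lookalike
    #    origin into clientDataJSON. (In practice the browser refuses even earlier,
    #    because bank.example is not a registrable suffix of bank-login.example.)
    relayed = verify_assertion(browser_assertion("https://bank-login.example", challenge, cred_key),
                               challenge, cred_key)
    # 3. A previously captured assertion presented against a new challenge.
    replay = verify_assertion(browser_assertion(RP_ORIGIN, challenge, cred_key),
                              secrets.token_bytes(32), cred_key)
    return {"genuine": genuine, "relay": relayed, "replay": replay}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two of the three failures are independent of the signature being valid: the relayed assertion is rejected purely on origin, and the captured one purely on challenge. That is why a correctly signed credential is useless to a page the user did not actually type the real address for.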
Tier 2: TOTP authenticator apps (good)
TOTP — those six-digit rotating codes — is not phishing-resistant (an attacker on a fake page can still get the code typed in if they are fast), but it is immune to SIM swap and to most automated attacks. Use a real TOTP app, not your phone's SMS inbox.
- Aegis (Android): open source, encrypted backups, no cloud requirement.
- 2FAS (iOS and Android): clean UX, optional encrypted iCloud sync.
- Ente Auth: cross-platform, end-to-end encrypted sync, free.
- Google Authenticator: works fine, but enable cloud sync only if you understand the trade-offs (it is end-to-end encrypted now, but it was not always).
Avoid Authy. The Twilio breach in 2024 leaked customer phone numbers and the app has had recurring issues with account portability. There are better options.
Tier 3: push approvals (mediocre)
Push 2FA — the "tap Yes to approve sign-in" prompt — sounds great. The user does nothing typeable, so phishing seems harder. The reality is MFA fatigue: an attacker who has your password sends you 50 push prompts at 3 AM until you tap "Yes" to make the buzzing stop. The DBIR numbers are not subtle. This works.
Modern push implementations (Microsoft Authenticator number-matching, Duo verified push) mitigate this by showing a number you have to type or a code from the login screen. If your push 2FA does that, it is fine. If it is just "tap Yes," upgrade.
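On the defender's side, MFA fatigue has a very recognisable shape in identity-provider logs: many push prompts to one account in a short window, followed by an approval. Here is an added detection example (not from the original post and not tied to any real product's log format) that runs over constructed JSON log lines. The event names, field names, and the sample users are all assumptions; the logic is the point: raise a medium alert when a single user receives `threshold` prompts inside `window_s` seconds, and a high alert if an approval lands while that burst is still live.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (not from any real system): one JSON object per line,
# in emission order. "alice" is being push-sprayed at 3 AM and finally approves;
# "bob" is an ordinary login that should not alert.
SAMPLE_LOG = """\
{"ts":"2026-03-14T03:01:05Z","user":"alice","event":"push_sent","src_ip":"198.51.100.7"}
{"ts":"2026-03-14T03:01:19Z","user":"alice","event":"push_denied"}
{"ts":"2026-03-14T03:01:40Z","user":"alice","event":"push_sent","src_ip":"198.51.100.7"}
{"ts":"2026-03-14T03:01:55Z","user":"alice","event":"push_denied"}
{"ts":"2026-03-14T03:02:10Z","user":"bob","event":"push_sent","src_ip":"203.0.113.9"}
{"ts":"2026-03-14T03:02:18Z","user":"bob","event":"push_approved"}
{"ts":"2026-03-14T03:02:30Z","user":"alice","event":"push_sent","src_ip":"198.51.100.7"}
{"ts":"2026-03-14T03:03:02Z","user":"alice","event":"push_sent","src_ip":"198.51.100.7"}
{"ts":"2026-03-14T03:03:40Z","user":"alice","event":"push_sent","src_ip":"198.51.100.7"}
{"ts":"2026-03-14T03:04:12Z","user":"alice","event":"push_sent","src_ip":"198.51.100.7"}
{"ts":"2026-03-14T03:04:20Z","user":"alice","event":"push_approved"}
"""


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(lines, threshold: int = 5, window_s: int = 600) -> list:
    """Sliding-window count of push prompts per user.
    medium: a user crossed `threshold` prompts within `window_s` seconds.
    high:   an approval arrived while such a burst was still inside the window."""
    recent = defaultdict(deque)   # user -> timestamps of push_sent within the window
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        user, ts = ev["user"], _ts(ev["ts"])
        q = recent[user]
        while q and (ts - q[0]).total_seconds() > window_s:   # expire old prompts
            q.popleft()
        if ev["event"] == "push_sent":
            q.append(ts)
            if len(q) == threshold:   # fires once per burst, as it crosses the line
                alerts.append({"severity": "medium", "user": user, "at": ev["ts"],
                               "prompts": len(q), "src_ip": ev.get("src_ip"),
                               "action": "notify user; pause push for this account"})
        elif ev["event"] == "push_approved" and len(q) >= threshold:
            alerts.append({"severity": "high", "user": user, "at": ev["ts"],
                           "prompts": len(q),
                           "action": "treat as compromise: revoke sessions, "
                                     "reset password, require number matching"})
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_LOG.splitlines()):
        print(alert)
```

The medium alert is the one worth acting on: number matching stops the approval from being a reflex, but the prompt storm itself already tells you the password is in someone else's hands and should be rotated.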
Tier 4: SMS (drop it)
SMS 2FA is bad. SIM-swap attacks — where an attacker convinces your carrier to port your number to their SIM — are routine. Carrier SS7 vulnerabilities mean SMS can be intercepted at the network layer in some jurisdictions. NIST has been telling people to stop using it since 2016.
When a service offers only SMS 2FA, use it (still better than nothing) but understand it gives you a fraction of the security people assume.
The migration plan: do this in order
You will not migrate everything in one sitting. You will not need to. Here is the order that protects the things that matter first:
1. Email. This is the master key. Every "forgot password" link goes here. Migrate to hardware key + TOTP backup, today.
2. Password manager. If your manager falls, everything falls. Hardware key, no SMS.
3. Bank and brokerage. Hardware key if supported (most major US banks now do); TOTP if not.
4. Cloud storage (iCloud, Google, OneDrive, Dropbox). Hardware key.
5. Social media. TOTP at minimum. (Twitter/X charges for non-SMS 2FA on the free tier — pay it or move on.)
6. Everything else. TOTP unless the service forces SMS.
Buy two keys
Single-key setups are how people get locked out of their own accounts. Buy two YubiKeys. Register both with every service. Keep one on your keychain. Keep the second somewhere not-on-your-keychain — a drawer at home, a safe deposit box, your partner's desk.
When you lose the first one (you will), the second is already enrolled. You do not need to call support, fight a recovery flow, or stare at a "verify with the device you no longer have" screen.
Recovery codes: print them
Every service that offers TOTP or hardware key 2FA also gives you a one-time list of recovery codes. Print them. On paper. Put them in an envelope, seal it, and put it in your kitchen drawer (or your home safe, if you have one).
Why paper? Because if your laptop, phone, and YubiKey are all gone (theft, fire, lost luggage, all-of-the-above), the digital copy is gone too. Paper survives most non-apocalyptic disasters. The kitchen drawer is fine — burglars do not steal envelopes from kitchen drawers, and the threat model "someone in my house finds them" is almost always lower than "I lose access to my own accounts."
When you lose your second factor
1. Stay calm. Most services have a recovery flow.
2. Check your second hardware key (you bought two, right?).
3. If both are gone, get the recovery codes from the kitchen drawer.
4. If those are also gone, contact the service's support. Bring ID. Be patient. This takes hours to days.
5. Once you are back in: enroll a new key, generate fresh recovery codes, replace the envelope. Treat the old codes as burned.
A 30-minute Saturday plan
1. Order two YubiKey 5Cs. They will arrive in two days.
2. While you wait, install Aegis or 2FAS on your phone.
3. Migrate email, password manager, and bank to TOTP this weekend.
4. When the keys arrive, register both on email, password manager, bank, cloud storage.
5. Print recovery codes. Seal envelope. Done.
Two-factor authentication is the lowest-effort, highest-impact change you can make to your security in 2026. It is also one of the few areas where the right answer has barely changed in five years: hardware key first, TOTP second, push only with number-matching, SMS as a last resort. Anyone telling you otherwise is selling something.
Frequently asked
Is a passkey the same as a hardware key?
They use the same underlying protocol (FIDO2/WebAuthn). A "hardware key" is a physical device like a YubiKey. A "passkey" can be stored on a hardware key, in your phone's secure enclave, or synced via iCloud / Google. Both are phishing-resistant. Hardware keys are more portable across ecosystems; passkeys are easier for non-technical users.
Should I disable SMS 2FA on my bank if it is the only option?
No. Some 2FA is better than no 2FA. Use SMS where it is the only choice, but pressure your bank (or switch banks) to get hardware-key support. Most major US banks added it in 2024-2025.