Two-Factor Authentication: How to Protect Your Accounts
A stolen password is only half of what an attacker needs when two-factor authentication is enabled, and the type of 2FA you use determines how much that second factor actually protects you.
The Basics
What It Is
Two-factor authentication (2FA) is a login security method that requires a second verification step after your password; it is the most common form of multi-factor authentication (MFA), and the two terms are often used interchangeably. The idea is to combine something you know (your password) with something you have (a device, a physical key) or something you are (biometrics). If an attacker steals or guesses your password, they still can't access your account without that second factor.
It's one of the highest-impact security improvements most people can make. But 2FA is a category of methods with meaningfully different security properties, so let's discuss them!
How It Works
There are four core types of 2FA, ordered from generally weakest to strongest:
SMS One-Time Codes, The Floor
This is typically a six-digit code sent to your phone via text. This is still the most common form of 2FA, but there are two structural weaknesses:
- SIM swapping: an attacker socially engineers your carrier into transferring your phone number to a SIM they control, after which every code for your number lands on their phone.
- SS7 interception: weaknesses in the decades-old telecom signaling protocol let someone with access to carrier infrastructure redirect or read SMS messages in transit.
Both remain active, regularly reported threats. And like any code you type into a page, an SMS code can also be captured by a phishing site that relays it to the real service in real time. Use SMS 2FA only where no better option exists, and treat it as a temporary measure to replace.
Email One-Time Codes, A Genuine Step Up
Some services send a one-time code to your email address instead of your phone. This sidesteps carrier infrastructure entirely, so SS7 attacks and SIM swaps are irrelevant. The security of this method is largely inherited from your email account: if your email has a strong, unique password and strong 2FA of its own, email OTP is a reasonable middle tier. The limitations are that it depends entirely on your email being accessible and secure, and that, as with SMS, the code is still something you type and can be relayed by a real-time phishing page.
TOTP Authenticator Apps, Where Most People Land
This is typically a dedicated app on your device(s) that generates a new six-digit code every 30 seconds. At enrollment the service shares a secret seed with the app (usually as a QR code), and each code is derived locally from that seed and the current time (the TOTP standard, RFC 6238). Nothing is sent to you, so no internet connection is required, and there is no dependency on your phone number or email provider.
TOTP codes can still be phished: a real-time relay (adversary-in-the-middle) phishing page forwards the code you type to the real site within its 30-second validity window, and this is a practical, widely used attack rather than a theoretical one. Even so, for most people TOTP is a solid place to be. It's free, an open standard, works offline, and meaningfully raises the cost of account compromise.
Hardware Security Keys, The Ceiling for Security
This is a physical device you plug in or tap (USB-A, USB-C, or NFC) to authenticate. Hardware keys implement the FIDO2/WebAuthn standard with public-key cryptography: at enrollment the key creates a key pair scoped to that site's domain (the relying party ID), and at login it signs a fresh server challenge together with data the browser fills in, including the origin of the page that made the request. The service checks that domain and origin before it trusts the signature, so a key cannot be used on a phishing site, even a convincing one: the browser asks the key for the lookalike domain, which has no credential, and any response that was somehow produced would carry the wrong origin and be rejected. This is the strongest practical protection available for account security today. In practice, a site asks you to tap your security key; you plug it in (or hold it to your phone), touch it, and that's all it takes.
The limitation is that you need to purchase a security key, ideally two or more in case you lose one, and not all services support security keys. In day-to-day use, though, they are very convenient and often faster than TOTP at login.
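The domain binding described above is not a property of the key alone; it comes from what gets signed and what the relying party checks. The added example below (written for this page, not code from any browser, key vendor or service) simulates one WebAuthn login assertion from the relying party's side: the browser-supplied clientDataJSON carries the origin, the authenticatorData carries the SHA-256 of the relying party ID, and the key signs authenticatorData concatenated with the hash of clientDataJSON. Real keys sign with ECDSA P-256; an HMAC-SHA256 stand-in is used here so the example runs with only the standard library, and every name, challenge and key value is constructed for illustration.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo identities; none of these belong to a real service.
RP_ID = "example.com"                 # domain the credential was registered for
EXPECTED_ORIGIN = "https://example.com"  # a real RP compares against its configured origin allow-list
FLAG_UP, FLAG_UV = 0x01, 0x04         # authenticatorData flag bits: user present / user verified


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Minimal authenticatorData: rpIdHash(32) || flags(1) || signCount(4, big-endian)."""
    return rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", sign_count)


def build_client_data(challenge: str, origin: str) -> bytes:
    """clientDataJSON. The browser, not the web page, fills in `origin`, which is
    why a phishing page cannot claim to be the real site."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, separators=(",", ":")).encode()


def sign(cred_key: bytes, auth_data: bytes, client_data: bytes) -> bytes:
    """What a key signs is authData || SHA-256(clientDataJSON). Real keys use ECDSA
    P-256; HMAC-SHA256 stands in here (stated assumption) so only stdlib is needed."""
    message = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(cred_key, message, hashlib.sha256).digest()


def verify_assertion(cred_key, expected_challenge, auth_data, client_data,
                     signature, last_sign_count):
    """Relying-party checks, in the order the WebAuthn spec lists them.
    Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % cd.get("origin")
    if not hmac.compare_digest(auth_data[:32], rp_id_hash(RP_ID)):
        return False, "rpIdHash mismatch: credential is scoped to another domain"
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False, "no user-presence (touch) flag"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count and sign_count <= last_sign_count:
        return False, "signature counter did not increase (cloned key?)"
    if not hmac.compare_digest(sign(cred_key, auth_data, client_data), signature):
        return False, "bad signature"
    return True, "ok"


def login_attempt(origin: str, rp_id: str = RP_ID):
    """One login ceremony as the relying party sees it: the browser reports
    `origin` and the key answers for `rp_id`."""
    cred_key = b"constructed-credential-private-key"   # constructed
    challenge = "c2VydmVyLWNoYWxsZW5nZS0xMjM"          # constructed, base64url
    auth_data = build_auth_data(rp_id, FLAG_UP | FLAG_UV, sign_count=42)
    client_data = build_client_data(challenge, origin)
    signature = sign(cred_key, auth_data, client_data)
    return verify_assertion(cred_key, challenge, auth_data, client_data,
                            signature, last_sign_count=41)


if __name__ == "__main__":
    print(login_attempt("https://example.com"))                 # accepted
    print(login_attempt("https://examp1e.com", "examp1e.com"))  # rejected: wrong origin
```

The second call models a relay-phishing page on a lookalike domain: the browser scopes the request to `examp1e.com`, so the key has no matching credential, and even if the attacker forwards whatever comes back, the origin the browser wrote into clientDataJSON does not match and the relying party stops before it ever looks at the signature. Compare this with the TOTP case, where the code itself carries no information about where it was typed.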
Choosing Apps and Planning for Recovery
A good TOTP app is open source, generates codes locally, and lets you export your seeds. Ente Auth & Proton Authenticator are strong cross-platform picks that are open source, offline-first, with optional E2EE sync. Aegis is the go-to for Android users who want full local control. 2FAS works well with a browser extension workflow. For hardware keys, YubiKey is the most widely supported; open-source alternatives include Nitrokey and OnlyKey.
Recovery is something to set up the same day you enable 2FA, not the day you need it. Three things cover almost every scenario: save the backup codes the service generates at enrollment (your password manager's secure notes works fine), enroll a second factor wherever the service allows it, and if you're using a cloud-synced authenticator make sure you can sign back into it on a new device. Never let account recovery depend on a single device you could lose.
Why It Matters
In a Veritasium video, Derek Muller demonstrated SS7 vulnerabilities live using Linus Sebastian (from Linus Tech Tips) as a test subject. Starting with nothing but Linus's phone number, Derek intercepted his calls, read his text messages, and captured a one-time login code sent to his phone. No phishing email. No malware. No physical access to the device. Linus never received the intercepted messages, and he had no idea anything happened.
That demonstration is why SMS sits at the bottom of the 2FA tier list. Any account protected only by an SMS code is protected by infrastructure that can be exploited without the account holder ever knowing. TOTP and hardware keys remove carrier infrastructure from the equation entirely, which is a big security boost.
The threat model here scales naturally. An everyday user enabling TOTP on their email and banking accounts gets a dramatic improvement in account security against the most common attack vectors. A journalist or activist who faces targeted threats should treat hardware keys as essential.
Your password is the first factor, 2FA is the second. Together, account compromise becomes a significantly harder problem for an attacker to solve.
Common Misconceptions
"I have a strong password so 2FA is overkill."
Strong passwords are essential, but 2FA protects against other threats: credential reuse from a breach you didn't know about, real-time phishing, malware that captures a typed password, social engineering. The point of 2FA isn't that good passwords are bad, it's that even good passwords can fail you without a second layer of safety.
"All 2FA is roughly the same."
SMS sits at the bottom of the list because SIM swapping and SS7 attacks bypass it without the account holder ever noticing. TOTP and hardware keys remove the carrier from the equation entirely. Hardware keys also remove credential phishing as a threat by design, because the cryptographic check verifies the domain you're actually on. Those differences translate into large differences in real-world security.
"Storing 2FA codes in my password manager defeats the purpose."
It does, if an attacker breaks into your vault. For higher-value accounts like email, banking, or the password manager's own 2FA, keeping codes in a separate authenticator app preserves the second-factor guarantee. For lower-stakes accounts, keeping TOTP in the password manager is generally fine, and the autofill convenience genuinely helps adoption. The two approaches can coexist.
"Authenticator apps will lock me into their ecosystem."
Some do, and they shouldn't. TOTP is an open standard, so any authenticator app should let you export your seeds and move them somewhere else. Always pick a 2FA app that supports export. An authenticator that won't give you your seeds back is using an open standard against you. (Authy is the best-known example; see Henry's Take below.)
"Barely any services support security keys."
This was true several years ago and is increasingly not. Google, Apple, Microsoft, GitHub, Coinbase, many banks, most major password managers, and a growing list of government services all support hardware keys today. Support isn't universal, but it's broad enough that a key is practically useful for people's highest-value accounts.
"I only need one security key."
One key is a single point of failure: lose it, damage it, or leave it at home and you're locked out. The standard recommendation is at least two: a primary you use daily and a backup stored somewhere secure like a safe or lockbox. Most services that support hardware keys let you enroll multiple, and enrolling a backup key the day you set up the first one takes a few minutes. Skipping this step is the most common way people end up locked out of accounts they care about.
"Security keys are inconvenient to use."
In practice, hardware keys are often faster than TOTP. There's no app to open and no code to read and type before it expires; you just tap or insert the key and you're in. If the key stays plugged into your computer, authentication is a single tap with no extra steps at all. The concern that a permanently plugged-in key is a security risk is mostly unfounded: the key only answers when a site initiates an authentication request, and it requires a physical touch for each one, so software on the machine cannot exercise it silently. The residual risk is someone with hands on an unlocked machine while the key is still in it.
Henry's Take
A lot of the standard advice is binary: either keep all 2FA codes in your password manager (convenient, but the manager becomes a single point of failure) or move every code to a dedicated authenticator app. The honest middle ground that works for many people is to keep the most important accounts, like your email, bank, and government login, in a separate authenticator app, and keep everything else inside your password manager where autofill is fast and the trade-off is small. That captures most of the security benefit of a separate authenticator without turning 2FA into a burden.
On hardware keys: I use them wherever they're supported. They're the only 2FA method that's resistant to phishing by design. For accounts where compromise is consequential, it's worth it.
The reality is most people will have a blend of all 2FA methods. I use security keys, TOTP, Email OTP, and SMS 2FA. Many services still use SMS 2FA, and the goal is to shift the methods over time to gravitate towards the more secure ones.
The principle I will not move on: the TOTP app you pick must let you export your seeds. TOTP is an open standard. Apps that refuse to export are using that open standard to trap users in a closed ecosystem, and they do it on purpose. Authy is my most-cited example, and my position is straightforward: I do not recommend it under any circumstances, and if you're currently in Authy, plan the migration now. It's annoying, since every account needs to be re-enrolled in your new app (Authy refuses to let people export their seeds!), but it's far better than discovering the problem later, when you have even more services to migrate. Pick an authenticator that respects the standard.
Henry's Picks
These are the apps and keys I've actually tested and/or use.
TOTP authenticator apps:
- Ente Auth: Open source, works fully offline, optional E2EE cloud sync.
- Proton Authenticator: Open source, supports seed export, cross-platform sync via Proton account. Natural fit if you're already in the Proton ecosystem.
- Aegis Authenticator: Open source, Android-only, fully local with no cloud. Best for users who want zero cloud exposure.
- 2FAS: Open source, iOS + Android with an optional browser extension. Friendly starting point.
Hardware security keys:
- YubiKey: Most widely supported across services. The 5 Series covers nearly every workflow.
- Nitrokey: Open hardware and open firmware. The right pick if FOSS-on-the-hardware itself matters to you.
Inside your password manager: Proton Pass, Bitwarden, and KeePassXC all store TOTP seeds.
Avoid: Authy. No seed export means migrating off is a hostage situation built on top of an open standard.
See the broader recommendation set at Techlore's SPA Tools.
Go Deeper
Related wiki articles:
Techlore content:
- Go Incognito v2, Lesson 3.3: Two-Factor Authentication
External sources:
- EFF: Two Factor Authentication
- NIST SP 800-63B Rev 4: Digital Identity Guidelines
- 2FA Directory: check which sites support which 2FA types