Security & Privacy Guide · Updated March 2026

Two-Factor Authentication: Beyond SMS

SMS codes are better than nothing, but they're also the weakest widely-used 2FA method. Here's what to switch to instead.

Updated March 2026 7 min read Difficulty: Beginner By Amara Williams, Security Lead
Upgrade Now Compare The Methods
3
Methods Compared
7
Step Playbook
7
Min Read
3
Risks SMS Doesn't Cover
YubiKey
Strongest Phishing Resistance
YubiKey — hardware security, works across major platforms
No codes to intercept · Supported by Google, Microsoft, GitHub & more
Shop YubiKey

What's In This Guide

  1. Why SMS Is The Weak Link
  2. Authenticator App vs Hardware Key vs Passkeys
  3. A Closer Look At Each Method
  4. 7 Steps To Upgrading Past SMS
  5. Why SMS Is The Weakest Common Option
  6. Mistakes That Leave You Exposed
  7. Our Verdict: What To Use Where
  8. Glossary: Terms Worth Knowing
  9. Frequently Asked Questions

SMS-based two-factor authentication became the default because it's universally accessible — everyone has a phone number, no app or hardware required. That accessibility came at a real cost: SMS is vulnerable to SIM swapping, network interception, and real-time phishing in ways that newer methods simply aren't.

None of this means SMS 2FA is worthless — it's still meaningfully better than no second factor at all. But for accounts that actually matter, stronger options exist today that take only marginally more effort to set up.

"SMS 2FA stops a casual password thief. It does very little against someone specifically targeting your phone number."

Authenticator App vs Hardware Key vs Passkeys.

Three upgrades from SMS, each with a different effort-to-security tradeoff.

MethodPhishing Resistant?Setup EffortBest For
Authenticator App (TOTP)PartiallyLowMost accounts, easy upgrade from SMS
Hardware Security KeyYes, stronglyModerateHigh-value accounts (email, financial, work)
PasskeysYes, stronglyLow once supportedNewer accounts/services with support

Each Method, Broken Down.

The table tells you the resistance level. This is how each one actually behaves day to day.

Authenticator App

A clear upgrade from SMS, generating codes locally on your device instead of over a vulnerable network.
Strengths
  • Codes generated offline, no cell network dependency
  • Works across nearly every major service offering 2FA
  • Free and simple to set up on an existing phone
Trade-Offs
  • Still phishable if tricked into entering the code on a fake site
  • Losing the device without a backup can lock you out
  • Requires manually entering a code each time

Hardware Security Key

A physical device that cryptographically proves it's really you — resistant to phishing in a way codes never can be.
Strengths
  • Strongest practical phishing resistance for most consumers
  • No codes to intercept or be tricked into entering
  • Works across many major platforms
Trade-Offs
  • Upfront cost to purchase the device
  • Easy to misplace or forget to bring
  • Not yet supported by every service

Passkeys

Built on the same cryptographic standard as hardware keys, but stored on devices you already own.
Strengths
  • Phishing-resistant by design
  • No codes or physical keys to manage
  • Increasingly built into phones and computers by default
Trade-Offs
  • Support still inconsistent across services in 2026
  • Cross-device syncing varies by ecosystem
  • Can be confusing for less tech-savvy users initially
Google Authenticator
Free · Works Across Every Major Service
Google Authenticator — codes generated offline
No network dependency · Backup and transfer support included
Set It Up

7 Steps To Upgrading Past SMS.

Most people only need to act on their top few accounts to get most of the benefit.

01
Identify your highest-value accounts first
Primary email, financial accounts, and work logins carry the highest consequences if breached — start your upgrade there.
02
Upgrade those specific accounts off SMS immediately
Switch to an authenticator app or hardware key — most services offer this as a simple setting change, not a major project.
03
Set up passkeys wherever a service offers them
Where supported, passkeys are often the smoothest upgrade path — phishing-resistant with minimal added friction.
04
Buy a backup hardware key and register both
A single key with no backup creates a new lockout risk — register two from the start, and keep them in separate locations.
05
Store backup codes somewhere offline
Not in the same inbox the codes are meant to protect — a breached email account shouldn't also expose your account recovery codes.
06
Avoid SMS as a fallback where a stronger method is available
Many services still let SMS work as a backup even after you've set up something stronger — disable it where possible to close that gap.
07
Periodically review which accounts still rely on SMS
New accounts you sign up for may default back to SMS — a periodic review catches and upgrades these over time.

Why SMS Is The Weakest Common Option.

Three specific risks, and what actually mitigates each one.

RiskHow It Affects SMSMitigated By
SIM swappingAttacker ports your number to their deviceAuthenticator app, hardware key, passkey
Network interceptionSMS can be intercepted on some networksAny non-network-based method
PhishingCodes can be relayed to an attacker in real timeHardware key, passkeys (phishing-resistant by design)

Mistakes That Leave You Exposed.

Our Verdict

Upgrade Broadly, Then Go Strong Where It Matters Most.

For a quick, broad upgrade from SMS — switch to an authenticator app today on every account that supports it. For your highest-value accounts — a hardware security key, ideally two registered as backups. Where supported — passkeys are the most seamless long-term direction.

The biggest single improvement most people can make is simply moving their primary email off SMS — everything else tends to flow from that one account.

View Our Full Security Rankings

Glossary Of Key Terms.

TOTP
Time-based One-Time Password — codes generated by an authenticator app that change every 30 seconds.
SIM swapping
An attack where someone convinces a carrier to transfer your phone number to a device they control.
Phishing-resistant authentication
A method designed so credentials can't be relayed to an attacker even if a user is tricked onto a fake site.
Hardware security key
A physical USB or NFC device that cryptographically verifies identity without transmitting a code that can be intercepted.
Passkey
A cryptographic credential stored on a device, replacing passwords with a phishing-resistant sign-in method.
Backup codes
One-time-use codes provided as a fallback if your primary 2FA method becomes unavailable.

Common Questions.

Is SMS 2FA really that much weaker than the alternatives? +

For most casual threats it's fine, but against a targeted attack (SIM swapping, real-time phishing), it's meaningfully weaker than app-based or hardware-based methods — the gap matters most for high-value accounts specifically.

What happens if I lose my phone with my authenticator app? +

Most apps support backup and recovery through cloud sync or exported backup codes set up in advance — without this, losing the device can genuinely lock you out, which is why setting up a recovery method ahead of time matters.

Are passkeys actually more secure than passwords? +

Yes — passkeys are phishing-resistant by design and can't be reused across sites the way a leaked password can, eliminating an entire category of common attacks.

Do I need a hardware key for every account? +

No — reserve hardware keys for your highest-value accounts. An authenticator app is a sufficient, much lower-effort upgrade for the majority of lower-stakes accounts.

Can hardware security keys be lost or stolen and used against me? +

A lost key alone typically isn't enough to access your accounts, since it works alongside your password or PIN. That said, losing one is still a reason to consider revoking it from your accounts and registering a replacement.

Should I keep SMS as a backup method? +

Where possible, disable it if a stronger primary method is set up — leaving SMS active as a fallback re-introduces the same weaknesses you upgraded away from.

How do passkeys sync across multiple devices? +

This depends on your device ecosystem — Apple, Google, and Microsoft each have their own passkey syncing systems, and cross-ecosystem syncing (e.g., Apple to Windows) is still inconsistent in 2026.

Related Guides.

See The Full Security & Privacy Rankings.

This guide covers the framework — our category page covers current device and platform support across every 2FA method we've reviewed.