Additional protection

Multi-factor authentication: a second barrier attackers can’t bypass

2FA adds something you have or are to the password you know. Even if your password leaks, the attacker will be blocked without the second factor. Let’s review the options and decide which one fits best.

Why MFA matters

Password reuse and credential leaks are inevitable. Adding a real-time check (one-time code, push prompt, hardware key or biometric) cuts your risk dramatically—especially for admin, finance and email accounts.

Common 2FA methods

SMS (least secure)

Widely supported but vulnerable to SIM swapping, SS7 interception and phishing. Only use SMS when no stronger option exists.

Messaging apps (WhatsApp, Telegram, etc.)

A slight upgrade over SMS because the message is encrypted, but it still depends on your phone number and can be hijacked if that account is compromised.

Authenticator apps (TOTP)

Generate offline codes every 30 seconds from a shared secret. Highly recommended for most services. Popular choices:

  • Google Authenticator
  • Microsoft Authenticator
  • Authy
  • 1Password/Bitwarden built-in TOTPs
  • Duo Mobile, Aegis, 2FAS

Push-based authenticators

Some services (Okta, Duo, Microsoft, Google) send a push notification to approve logins. Convenient, but beware of fatigue attacks: always deny unexpected prompts.

Hardware security keys

FIDO2/WebAuthn devices such as YubiKey, Feitian or SoloKeys offer phishing-resistant 2FA. They validate the domain before approving the login and can also support passkeys and PGP.

Platform authenticators & passkeys

Built into devices (Windows Hello, Touch ID, Face ID, Android passkeys). They rely on WebAuthn and are highly convenient while still resisting phishing.

Strength vs. convenience

Method               Security   Ease of use   Main risks
-------------------  ---------  ------------  -----------------------------------------------
SMS                  Low        Very high     SIM swap, interception, fake reset emails
Authenticator app    High       Medium        Device loss, missing backups
Push prompt          High       High          Push bombing/fatigue attacks
Hardware key         Very high  Medium        Physical loss, cost, limited port availability
Passkeys/biometric   Very high  Very high     Service compatibility still rolling out

Best practices

  • Prefer authenticator apps or hardware keys over SMS.
  • Register at least two factors (backup device or key + recovery codes).
  • Store recovery codes securely offline.
  • For shared or admin accounts, enforce hardware keys where possible.
  • Enable passkeys whenever supported—they streamline secure logins.

FAQ

What if I lose my hardware key?

Use your backup key or recovery codes. Always enrol multiple keys during setup so you’re not locked out.

How do I move authenticator codes to a new phone?

Authy syncs to the cloud; other apps let you export or re-scan QR codes. Keep the original device until the new one is confirmed.

Can attackers phish my app-based codes?

Yes, via real-time relay attacks in which a fake site forwards the code you type to the genuine one before it expires. Hardware keys and passkeys resist this because they verify the origin before signing, so a look-alike domain never receives a valid response.

Multi-factor checklist

  • Enable 2FA everywhere, starting with email, banking and cloud admin consoles.
  • Use strong unique passwords stored in a zero-knowledge manager.
  • Enforce phishing-resistant factors (FIDO2 keys) for critical roles.
  • Train your team to reject unexpected MFA prompts or code requests.
  • Review and rotate backup codes after any incident response.

Disclaimer

password.es is provided “as is”. We do not guarantee service availability, information accuracy or the security of generated passwords. Users remain responsible for combining 2FA with robust password hygiene and device security.