2FA Done Right: SMS vs Authenticator Apps vs Passkeys (What to Use)

“Enable 2FA” is good advice… but it’s not the whole story.

Different 2FA methods stop different attacks. If you pick the right one for the accounts that matter, you reduce takeover risk a lot without making logins miserable.

Quick recommendation (most people)

• Best (if available): passkeys
• Great: authenticator app (TOTP)
• Okay: SMS (better than nothing)

Now let’s unpack why.

What 2FA is trying to stop

Most account takeovers happen when a password is:

• Reused and leaked
• Phished
• Guessed (weak passwords)

2FA adds a second proof so a stolen password alone isn’t enough.

SMS 2FA (text messages)

Pros

• Easy to set up
• Works on almost any phone

Cons

• Vulnerable to SIM swap attacks
• Vulnerable to some phishing flows
• Messages can be delayed or intercepted

When it’s okay: low-risk accounts where the alternative is “no 2FA.”

Authenticator apps (TOTP)

Examples: Google Authenticator, Microsoft Authenticator, Authy, 1Password/Bitwarden authenticator features.

Pros

• Not tied to your phone number
• Stops a large chunk of automated attacks

Cons

• Still phishable if you type the code into a fake site
• Device loss can lock you out if you didn’t save recovery codes

Best practice:

• Save recovery codes
• Prefer app backups / secure sync if available

Push approvals

Some apps send a “Approve sign-in?” prompt.

Pros

• Very convenient

Cons

• “Push fatigue” attacks (spam prompts until someone taps approve)

Fix: require number matching or additional confirmation when available.

Hardware security keys (FIDO2 / WebAuthn)

Pros

• Excellent phishing resistance
• Strong protection for admin accounts

Cons

• Costs money
• You should have a backup key

Best for: business admins, developers with production access, finance roles.

Passkeys

Passkeys are a modern replacement for passwords in many places.

Pros

• Strong phishing resistance
• Often the easiest to use (Face ID / fingerprint)
• No code to type

Cons

• Cross-device recovery depends on your platform ecosystem

Recommendation: enable passkeys for your Apple/Google/Microsoft account first.

The setup checklist (do this for your important accounts)

1. Start with email (Gmail/Microsoft/Apple). If email is lost, everything else falls.
2. Turn on passkeys or authenticator 2FA.
3. Store recovery codes in a password manager.
4. Review “trusted devices” and sign out old sessions.

If you got phished and shared a 2FA code

Treat it like compromise.

1. Change password immediately.
2. Sign out all sessions.
3. Reset 2FA (remove old authenticators and re-enroll).
4. Check forwarding rules and security settings.

FAQs

Is 2FA enough if my password is weak?

It helps, but don’t rely on it alone. Use a password manager and unique passwords.

Should I disable SMS 2FA?

If you can replace it with passkeys or an authenticator app, yes. If SMS is your only option, keep it.

Related reading

• Password Managers Explained: How to Choose One (and Set It Up Right)

• Phishing Emails in 2026: 9 Red Flags and What to Do

• Public‑WiFi Safety: What’s Actually Risky (and How to Protect Yourself)

• About AviWebSquad

• Privacy Policy

• Disclaimer

Sources

• FIDO Alliance: Passkeys