
From SMS Codes to Passkeys: The Complete Guide to Two-Factor Authentication

Aisha Lalli
Mar 16, 2026 · 10 min read

[Image: Two-factor authentication and passkeys explained]

You've probably been told to turn on two-factor authentication — also called 2FA or MFA — on all your accounts. And it's good advice. But here's something most guides skip over: not all two-factor authentication is the same. Some forms are genuinely strong. Some can be bypassed by a hacker in under five minutes. And one type — passkeys — works so differently from everything else that it barely feels like a security measure at all, even though it's the most secure option available today.

This guide covers every major type of MFA, ranks them honestly, and then spends some real time on passkeys — because they're new, they're confusing, and once you understand how they work, you'll want to use them everywhere they're available.


First: What Is Two-Factor Authentication?

Authentication is how a system confirms you are who you say you are. Traditionally, that's a username and password — something you know. Two-factor authentication adds a second check from a different category:

  • Something you know (password, PIN)
  • Something you have (your phone, a hardware key)
  • Something you are (your fingerprint, your face)

The idea is that even if an attacker gets your password, they still can't log in without the second factor. That's sound in principle — but how secure it is in practice depends heavily on which second factor you're using.


The MFA Methods, Ranked from Weakest to Strongest

1. SMS Text Message Codes — Convenient but Fragile

When you log in and a six-digit code arrives by text message, that's SMS OTP (One-Time Password). It's the most widely used form of 2FA in the world, and unfortunately one of the weakest.

How it works: The service generates a short-lived code and sends it to your phone number. You enter the code to complete login.

Why it's vulnerable:

  • SIM swapping: An attacker calls your mobile carrier, pretends to be you, and convinces them to transfer your phone number to a SIM card they control. Your texts — including 2FA codes — now go to the attacker.
  • Real-time phishing: A fake login page collects your username, password, and the SMS code you receive, then instantly relays all three to the real site before the code expires.
  • SS7 protocol vulnerabilities: The underlying mobile network protocol has known weaknesses that can allow SMS interception at the network level.

The FBI and CISA both issued warnings in 2025 against using SMS for authentication. NIST's updated Digital Identity Guidelines (SP 800-63-4, finalised July 2025) significantly downgraded SMS-based authentication, no longer considering it a robust second factor.

Bottom line: SMS 2FA is dramatically better than no 2FA. But if you have any other option, use it.


2. Email OTP — Same Problem, Different Channel

Email one-time codes work the same way as SMS — a code is sent to your email address, you enter it to log in. The security is roughly equivalent: if your email is compromised, so is this second factor. A phishing page can capture an email OTP just as easily as an SMS one.

Bottom line: Marginally better than SMS in some threat models, worse in others. Not a strong second factor.


3. Authenticator Apps (TOTP) — The Current Sensible Default

Apps like Google Authenticator, Microsoft Authenticator, and Authy generate six-digit codes that refresh every 30 seconds. These are called TOTP codes — Time-based One-Time Passwords. They're generated entirely on your device, with no network transit.

How it works: When you set up 2FA with an authenticator app, the service shares a secret key with your app (usually via a QR code). From that point on, both your app and the server independently generate the same code every 30 seconds using that shared secret and the current time. When you enter a code, the server checks whether it matches what it would have generated.

Why it's better than SMS:

  • The code is never sent over a network — it's generated locally on your device
  • SIM swapping doesn't work — there's no SMS to intercept
  • No carrier infrastructure is involved

Where it still falls short:

  • TOTP codes are still phishable in real time. A convincing fake login page can capture your username, password, and TOTP code and replay them to the real site before the 30-second window expires. Verizon's 2025 Data Breach Investigations Report lists Adversary-in-the-Middle attacks as an active technique used to bypass TOTP-based MFA.
  • If malware on your device steals the shared secret seed, valid codes can be generated indefinitely.

Bottom line: Authenticator apps are the sensible default for most people today. Use them over SMS wherever available. But they are not phishing-resistant.


4. Push Notifications — Convenient but Prompt-Bombable

Some services send a push notification to your phone asking you to approve a login. You tap "Yes" and you're in. Microsoft Authenticator and Duo use this model.

Why it can be weak: "MFA fatigue" or "prompt bombing" — attackers who have your password send repeated login requests at 3am hoping you'll tap approve just to make the notifications stop. Verizon's 2025 DBIR reports prompt bombing appearing in 14% of incidents in its dataset.

Modern push implementations mitigate this with number matching (you must enter a specific number shown on the login screen into the app). If your provider offers this, enable it.

Bottom line: Convenient and reasonably secure with modern protections. Still not phishing-resistant.


5. Hardware Security Keys — The Gold Standard (for Now)

Physical hardware keys — YubiKey being the most well-known — are small USB or NFC devices you plug in or tap to authenticate. They use FIDO2/WebAuthn standards and are completely phishing-resistant.

How it works: The key stores a private key that never leaves the device. When you authenticate, the server sends a challenge that the hardware key signs using its private key. The server verifies the signature with the corresponding public key it stored during setup.

Why they're the strongest option available:

  • The private key never leaves the physical device — it cannot be phished, stolen remotely, or extracted by malware
  • The authentication is tied to the specific domain you're logging into — if you're on a fake site, the key simply won't work
  • No codes to type, no codes to intercept

The downsides:

  • They cost money ($25–$70 per key)
  • You need to carry one with you
  • Not every service supports them

Bottom line: The strongest MFA option currently available. Recommended for anyone with access to highly sensitive systems.


6. Passkeys — A Different Thing Entirely

And now we get to passkeys. Passkeys are genuinely new, and they work so differently from everything above that it's worth taking the time to understand them properly.

The short version: A passkey lets you log in with your face, fingerprint, or device PIN — with no password and no code to type. It's faster than any other method, and it's completely phishing-resistant. If you've signed into an app recently by just looking at your phone, you may have already used one without realising it.


How Passkeys Actually Work

This is the part most guides skip. Let's go through it properly.

The Setup: Two Keys, Not One

When you create a passkey for a website or app, your device generates two mathematically linked keys:

  • A private key, which is stored securely on your device (in a secure chip or your device's secure enclave — it never leaves)
  • A public key, which is sent to and stored by the website

Think of the public key as a padlock you give to the website. The private key is the only key that can open it. You keep the private key; the website keeps the padlock.

Logging In: Challenge and Signature

When you come back to log in:

  1. The website sends your device a random challenge — essentially a unique piece of data saying "prove it's you"
  2. Your device asks you to verify your identity — Face ID, fingerprint, or PIN
  3. Once you verify, your device uses the private key to cryptographically sign the challenge
  4. The signed response is sent back to the website
  5. The website uses its stored public key to verify the signature

If the signature checks out, you're in. The whole thing takes less than a second.

Why This Is Fundamentally Different

No shared secret. With a password or TOTP code, there's a secret that both you and the server know. If the server is breached, or if someone tricks you into entering it on a fake site, that secret is compromised. With a passkey, your private key never leaves your device — the website only ever sees your public key, which is useless to an attacker on its own.

Origin binding. A passkey is cryptographically tied to the specific domain it was created for — for example, google.com. If an attacker creates a fake site at g00gle.com and tricks you into trying to log in, your device won't find a passkey for that domain. The authentication simply won't proceed. This is what "phishing-resistant" actually means in practice — not that it's hard to phish, but that it's technically impossible to phish.

Your biometric stays on your device. When you use Face ID or a fingerprint with a passkey, your biometric data never leaves your phone. It's used locally to unlock the private key. The website never sees your face or your fingerprint — it only sees a cryptographic signature.

Two Types of Passkeys

Synced passkeys are stored in your password manager or cloud account — iCloud Keychain for Apple devices, Google Password Manager for Android, or a third-party manager like 1Password or Bitwarden. When you create a passkey on your iPhone, it syncs automatically to your iPad and Mac. NIST's updated 2025 guidelines officially recognise synced passkeys as meeting the standard for strong multi-factor authentication (AAL2).

Device-bound passkeys are stored on a single physical device and never leave it; hardware security keys like YubiKeys are one example. These are the highest assurance option, appropriate for highly regulated environments or elevated-risk accounts. The trade-off is that losing the device means losing the passkey.

For most people, synced passkeys are the right choice.


The State of Passkeys in 2025

Passkeys have moved from early adopter to mainstream quickly. A few highlights:

  • Passkeys are now available on over 90% of iOS and Android devices
  • Based on data from one million real authentication transactions, passkeys now account for 62% of all authentication challenges processed by Authsignal — compared to 33% for SMS
  • Uber, Roblox, DocuSign, Google, Amazon, PayPal, and Microsoft have all deployed passkeys
  • Roblox reported a 15% drop in account takeovers after rolling out passkeys, with an 82.5% login success rate compared to 67.7% for SMS OTP
  • NIST finalised SP 800-63-4 in July 2025, mandating phishing-resistant MFA for all federal agencies — with synced passkeys now qualifying

Passkeys are not experimental. They are the direction authentication is heading.


Which Should You Use?

  • SMS OTP — Better than nothing, but replace it if you can
  • Email OTP — Similar to SMS; avoid if you have better options
  • Authenticator app (TOTP) — Use this as your default today
  • Push notification — Good if your provider includes number matching
  • Hardware security key — The strongest option for high-value accounts
  • Passkey — Use it wherever it's available; faster and more secure than all of the above

The honest ranking from weakest to strongest: SMS ≈ Email OTP < TOTP < Push (with matching) < Passkey / Hardware key.


A Note on Passkey Limitations

Passkeys are not perfect yet:

  • Account recovery is still evolving. If you lose all your devices and have no backup, getting back into an account protected only by passkeys can be complex.
  • Cross-ecosystem movement is improving but not seamless. Moving passkeys between Apple and Android ecosystems is getting easier but isn't frictionless for every user yet.
  • Not every service supports them yet. Adoption is growing fast, but many sites haven't implemented passkeys. If unavailable, use an authenticator app.

What We Believe at Evolving Cyber

Authentication is one of the places where software design decisions have the most direct impact on security. Passkeys exist because the FIDO Alliance — backed by Apple, Google, and Microsoft — decided to build a standard that was phishing-resistant by design, not by policy. That's the kind of thinking we believe in: security that works because of how it's built, not because users follow instructions correctly.

Enable passkeys wherever you can. And for everything else, use an authenticator app over SMS.


Quick Reference: Your Authentication Upgrade Checklist

  • Check what you're using now. Go to the security settings of your most important accounts and see what 2FA method is enabled.
  • Replace SMS 2FA with an authenticator app on any account that supports it.
  • Enable passkeys on every account that offers them — Google, Apple, Microsoft, PayPal, and Amazon all support them now.
  • Consider a password manager with passkey support — Bitwarden, 1Password, and Dashlane all sync passkeys across devices.
  • For high-value accounts, consider a hardware security key as a backup authenticator.
  • Set up account recovery options before you need them.
