Skip to main content
Back Two-factor authentication: which methods actually work and which are security theatre

Two-factor authentication: which methods actually work and which are security theatre

Not all 2FA is created equal. SMS codes are better than nothing but can be intercepted, whilst authenticator apps and hardware keys offer proper protection. We break down what's worth using and what just makes you feel safer.

Published 2026-07-10

6 min read
Insights →

Two-factor authentication: which methods actually work and which are security theatre

Two-factor authentication has become one of those things everyone knows they're supposed to use, rather like flossing or backing up files. The general principle is sound enough: even if someone nicks your password, they still can't get into your account without a second form of verification. The trouble is, not all second factors are created equal, and some offer considerably more protection than others.

Understanding which methods actually keep intruders out—and which merely provide the illusion of security—matters rather more than the tech industry's relentless cheerleading might suggest. After all, there's little point in the faff of two-factor authentication if the method being used can be bypassed by anyone with modest technical skills and an afternoon to spare.

SMS codes: convenient but compromised

Text message codes remain the most common form of two-factor authentication, largely because they're easy to implement and most people have a mobile phone. A service sends a six-digit code via SMS, the user types it in, and access is granted. Simple, familiar, and unfortunately, not particularly secure.

The fundamental problem with SMS is that the infrastructure underlying mobile networks was designed decades ago with rather different priorities. Security wasn't especially high on the list. This means SMS messages can be intercepted through various methods, some requiring sophisticated equipment and others requiring merely persistence and social engineering.

SIM swapping represents perhaps the most common attack vector. A criminal convinces a mobile network operator—through impersonation, bribery, or exploiting lax verification procedures—to transfer a phone number to a SIM card they control. Once they've done this, any SMS codes sent to that number arrive on their device instead. This isn't a theoretical vulnerability; it happens with depressing regularity, particularly to individuals with valuable cryptocurrency holdings or high-profile social media accounts.

Then there's SS7 exploitation, which sounds rather more technical because it is. SS7 (Signalling System No. 7) is a protocol used by mobile networks to communicate with one another. It has known security flaws that allow attackers with the right access to intercept calls and messages. This requires more sophisticated capabilities than SIM swapping, but it's well within reach of organized criminal groups and state actors.

Despite these vulnerabilities, SMS-based two-factor authentication is still considerably better than no second factor at all. It raises the bar from "anyone who knows your password" to "anyone who knows your password and can also compromise your phone number," which is a meaningful improvement. Just don't mistake it for proper security.

Authenticator apps: the practical sweet spot

Authenticator apps—Google Authenticator, Microsoft Authenticator, Authy, and others—generate time-based one-time passwords (TOTP) using a shared secret key. Unlike SMS codes, these aren't transmitted over any network. The app and the service both know the same secret, and they use it along with the current time to generate matching codes. An attacker can't intercept what isn't being sent.

This approach eliminates the entire category of vulnerabilities associated with SMS. No one can intercept network traffic or convince a mobile operator to redirect messages, because there are no messages to redirect. The code exists only on the device running the authenticator app and in the service's authentication system.

The security model here is straightforward: someone needs both your password and physical access to your phone (or at least access to the app, which should be protected by the phone's own security). This represents a substantial increase in difficulty for potential attackers.

Authenticator apps do have some practical considerations worth noting. Setting them up requires scanning a QR code or manually entering a secret key, which is slightly more involved than simply receiving a text message. More significantly, if the phone is lost or replaced without backing up the authenticator app's data, access to accounts can become complicated. Most apps now offer cloud backup options to address this, though doing so introduces a new element into the security model—the security of that cloud backup itself.

There's also the matter of multiple devices. Some authenticator apps allow the same account to be set up on several devices, which is convenient but does mean more devices need to be kept secure. Others restrict accounts to a single device, which is more secure but less flexible.

Hardware security keys: proper security for those who need it

Hardware security keys—physical devices like those made by Yubico or Google's Titan keys—represent the most robust form of two-factor authentication generally available. These use cryptographic protocols, most commonly FIDO2/WebAuthn, to prove possession of the physical key without ever revealing a secret that could be phished or intercepted.

The cryptographic details are rather involved, but the practical upshot is elegant: each service gets a unique credential stored on the key, and the key proves it has that credential without revealing it. This means even if someone creates a perfect replica of a website and tricks a user into trying to log in, the hardware key simply won't cooperate because the domain doesn't match. Phishing attacks, which remain remarkably effective against other authentication methods, are essentially neutered.

Hardware keys also eliminate many of the attack vectors that compromise other methods. There's nothing to intercept over networks, and unlike authenticator apps, the keys are purpose-built devices with minimal attack surface. They don't run other apps, connect to Wi-Fi, or do anything except authentication.

The trade-offs are mainly practical rather than security-related. Hardware keys cost money—not a fortune, but more than free alternatives. They're physical objects that can be lost, though having backup keys (which is recommended) addresses this. And they require services to support them, which not all do, though adoption has improved considerably.

For accounts protecting anything of substantial value—financial accounts, email accounts that could be used to reset other passwords, business systems—hardware keys make sense. For a social media account used primarily for looking at pictures of other people's dinners, they're probably overkill.

Backup codes and recovery: the often-overlooked bit

Regardless of which two-factor method is chosen, account recovery mechanisms deserve attention. Most services provide backup codes—typically a set of single-use codes that can be used if the primary authentication method becomes unavailable. These should be saved somewhere secure, ideally not on the same device used for two-factor authentication, rather defeating the point of having two factors.

Account recovery procedures themselves can become security vulnerabilities. If a service allows password reset via SMS, for instance, then SMS-based two-factor authentication on that account is only as strong as the recovery mechanism. An attacker who can intercept SMS messages can potentially reset the password and bypass the two-factor authentication entirely.

Making sensible choices

The appropriate level of two-factor authentication depends on what's being protected and from whom. For most people and most accounts, authenticator apps represent the sensible choice—substantially more secure than SMS without the additional complexity and cost of hardware keys. They work offline, can't be intercepted, and resist phishing considerably better than codes delivered via text.

SMS-based authentication remains worthwhile for accounts where it's the only option, or where convenience substantially outweighs security concerns. It's not robust protection, but it does make casual account compromise considerably more difficult.

Hardware security keys make sense for high-value accounts or situations where security requirements are particularly stringent. They're the only method that provides genuine phishing resistance, and they remove most practical attack vectors available to remote adversaries.

The worst option, of course, is using no second factor at all. Even imperfect two-factor authentication represents a substantial improvement over passwords alone. But understanding the limitations of different methods allows for informed decisions rather than false confidence—and in security, knowing what doesn't work is just as important as knowing what does.

To See How We Use Security In Every App We Build

The only way to know is to see! Here are just two of our apps which security is the first thing that is built in. Its not an afterthought. First we have RiCreate our content and social media creator and then RiOrganise, our personal and team organiser. Both have important information inside, security is a must!

RiOrganise (Demo Available)

RiCreate (Demo Available)

Security is something else we used when making TrailTrack our massive Outdoor Hiking website!

Visit TrailTrack

And if you want to read more Security Articles, we've got you covered.

Beyond Passwords: Why Your Business Needs a Digital Deadbolt

Stop Using Your Dog’s Name: The Easy Way to Handle Passwords

You can of course, read them all here:

Cyber Security

Is SMS two-factor authentication actually secure?

It's better than nothing, but not particularly secure. SMS codes can be intercepted through SIM swapping (where criminals convince your mobile provider to transfer your number to their device) or through vulnerabilities in mobile network protocols. It raises the bar for attackers but shouldn't be relied on for protecting anything valuable.

What happens if I lose my phone with my authenticator app on it?

You'll need backup codes (which most services provide when you set up two-factor authentication) to regain access. Many authenticator apps now offer cloud backup options to prevent this problem, though you should save those backup codes somewhere secure before you need them.

Can two-factor authentication be bypassed?

Yes, depending on the method. SMS codes can be intercepted through SIM swapping or network vulnerabilities, and even authenticator apps can be defeated by phishing. Hardware security keys using FIDO2/WebAuthn are the only method that effectively prevents phishing attacks because they verify the actual website domain.