Skip to main content

The definitive ranking of two-factor authentication methods

Google Authenticator 2fa Code
Google Authenticator 2fa Code (Image credit: Alex Dobie / Android Central)

You should be using two-factor authentication on every account that gives you the option. There is no better way to keep your account secure, and no matter who you are, you should want all of your accounts to be as secure as possible. It also doesn't matter which phone you use — 2FA works with a cheap Android phone, the best Android phone, or an iPhone. Of course, you've heard all of this before.

All two-factor methods are not created equal, though. Like every other user-facing security measure, you have to trade some convenience for protection, and the most secure methods of 2FA are also the least convenient. Conversely, the most convenient methods are also the least secure.

We're going to take a look at the different ways you can use two-factor authentication and discuss the pros and cons of each.

Avoid at all costs, though it's still better than nothing

4. SMS-based two-factor authentication

Amazon Two Step Verification screen

Source: Jeramy Johnson / Android Central (Image credit: Source: Jeramy Johnson / Android Central)

Getting a text message with a two-factor code is the most popular way to secure an online account. Unfortunately, it's also the worst way.

SMS-based 2FA is easy and convenient. It's also not very secure.

You give your phone number when you sign up for an account or if you go back and enable 2FA at a later time. Then, after the number is verified, it's used to send a code anytime you need to authenticate that you are really you. It's super easy and convenient, which means plenty of people use it, and many companies offer it as the only means to secure an account.

Ease of use and convenience are great things, but nothing else about SMS is good. SMS was never designed to be a secure means of communication. Since it's an industry standard, even an app like Signal that does offer encrypted and secure messaging still sends SMS messages as plain text. Nathan Collier, a senior malware intelligence analyst at Malwarebytes, describes SMS like this:

SMS text messages, sent and stored on servers in plain text, can be intercepted during transit. Moreover, SMS messages can be sent to the wrong number. And when messages reach the correct number, there is no notification from the recipient as to whether the message was read or even received.

A bigger problem is that carriers can (and have been) tricked into authorizing a new SIM card using the phone number of someone else. So if someone really wanted to get access to your bank account or order a bunch of stuff from Amazon using your credit card, all they need to do is convince someone at your carrier that they're you, you lost your phone, and you need your number moved to a new SIM card that they happen to be holding.

All of this goes for email-based authentication, too. Email is really the only way any account recovery process can work, and plenty of places like your bank will want to send you a code via email to log in from a new device. It's just not very secure, and everyone in the industry knows it. So maybe fixing how email is used as a backbone for this sort of thing is what comes next.

You should just probably use this

3. Authenticator apps

Google Authenticator Pixel 4a 5g

Source: Alex Dobie / Android Central (Image credit: Source: Alex Dobie / Android Central)

Authentication apps like Google Authenticator or Authy offer a significant improvement over SMS-based 2FA. They work using what's called Time-Based One Time Passwords (TOTP) that an application on your phone can generate using a complex algorithm without any network connection. A website or service uses the same algorithm to make sure the code is correct.

Authenticator apps are better than SMS for 2FA, but they are not foolproof.

Since they work offline, TOTP style 2FA isn't subject to the same problems that using SMS is, but it's not without its own set of flaws. For example, security researchers have shown that it is possible to intercept and manipulate the data you're sending when you enter the TOTP on a website, but it's not easy.

The real problem comes from phishing. It's possible to build a phishing website that looks and acts just like the real thing and even passes along the credentials you supply, like your password and the TOTP generated by an authenticator app, to log in to the real service. It also logs itself in at the same time and can act as if it were you without the service you're using, knowing the difference. After all, the proper credentials were supplied.

Another disadvantage is that it might not be easy to get the codes you need if you lose your phone. Some authenticator apps like Authy work across devices and use a central password to set things up to be back up and running in no time. In addition, most companies will provide a set of backup codes you can keep for times when everything goes south. Since that data is also being sent across the internet, it weakens the effectiveness of using TOTP but offers greater convenience to users.

Safe and convenient, but not common

2. Push-based 2FA

Push-based 2FA

Source: Google (Image credit: Source: Google)

Some services, most notably Apple and Google, can send a prompt to your phone during a login attempt. This prompt tells you that someone is trying to log into your account, can also give an approximate location, and asks you to approve or deny the request. If it's you, you tap a button, and it just works.

A notification for 2FA is super easy and super convenient. Don't lose your phone, though.

Push-based 2FA improves SMS 2FA and TOTP authentication in a couple of ways. It's even more convenient because it all works through a standard notification on your phone — all you need to do is read and tap. It's also much more resistant to phishing and so far has shown to be very "hack" resistant. Never say never, though.

Push-based 2FA also magnifies some of SMS and TOTP's disadvantages: you have to be online through an actual data connection (voice and text cell plans won't work), and you have to be holding the right device to get the message. It's also not very standardized, so you can expect to use a login prompt on your Google Pixel to authenticate your other accounts.

Outside of these two genuine drawbacks, push-based 2FA is secure and convenient. It's also going to factor into Google's future plans to enforce 2FA for your Google account.

The winner! But also annoying!

1. Hardware-based 2FA

2FA with a USB key

Source: Jerry Hildenbrand / Android Central (Image credit: Source: Jerry Hildenbrand / Android Central)

Using a separate piece of hardware like an authenticator device or a U2F security key is the best way to secure any online account. It's the method I use, and I will tell you that it's not very convenient and makes it not very popular.

You set it up using the hardware, and whenever you want to login from a new device or after an amount of time set by an account administrator, you need to produce the same device to get back in. It works by the device sending a signed challenge code back to the server that is specific to the site, your account, and the device itself. So far, U2F has been phish-proof and hack-proof. Again, never say never.

Using a U2F key is the least convenient but most secure way to do two-factor authentication. It's probably not for you because it's a PITA.

You can usually set up more than one device on the same account so you won't lose access if you lose your security key, but it still means that you need to have that key with you every time you want to log in to a website or service. For example, I use a U2F key to secure my Google accounts, and every 12 hours, I need to provide the key to get back into my Google Enterprise account for work. That means I have a key in my desk drawer, on my keychain, and in an envelope, a friend keeps for me in case of an emergency.

Source: Jerry Hildenbrand / Android Central (Image credit: Source: Jerry Hildenbrand / Android Central)

Usually, you can also set up a backup method of 2FA if you're using a key, and Google forces you to do so. This is great for convenience, but it also compromises the security of your account because the less secure methods are still viable ways for you — or anyone else — to get back in.

Another drawback to using a hardware token like a security key is cost. Using SMS, an authenticator app, or push-based 2FA is free. To use a security key you'll need to purchase one and they can range from $20 to $100 each. Because you really should have at least one backup key if you're going this route, this can add up. Finally, using a security key with your phone can be clunky. You'll find keys that work via USB, NFC, and even Bluetooth, but no method is 100% reliable 100% of the time when using a key with a phone.

Which is best?

Instagram two-factor authentication settings

Source: Joe Maring / Android Central (Image credit: Source: Joe Maring / Android Central)

All of them and none of them.

Any type of 2FA on an account is better than none at all, and even SMS-based 2FA means you're more protected than you would be if you just relied on a password. If you have the patience, a program like Google's Advanced Protection Program can make your online life very secure and almost worry-free. But you need to weigh the convenience against the security.

Personally, I wish SMS-based 2FA would just go away because even I can hack it. That means you can, too, if you're willing to do a little bit of reading and some copy-pasting. Worse, it means that anyone can hack it, and there are people out there that will take the time and energy to try it on any unsuspecting victim they can find.

In the end, you need to realize that you are a target for online hackers even though you're not a politician or a movie star. This means you really need to take the extra step or two to protect your online accounts. Hopefully, knowing a little more about how the different methods of two-factor authentication work can help you make the right decision.

Jerry Hildenbrand
Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

  • I Always use 2FA when offered. In fact, not only do I use 2FA, but I change recovery email when possible as well to my advanced security Gmail account. Recovery addresses are all I use that alternate email account for.
  • I didn't see email based 2FA mentioned.
  • Good information, thanks for putting this out.....!
  • I don't know of any common banks that use 2FA - why not! The real danger of a compromised
    security event is some bad guy cleaning out someone's bank account.
    What the hell is wrong with banks???
  • Wells Fargo, who I bank with has 2FA, yes via sms. Only way I sign into my accounts. However, think! I type in a password on a secured site, they then send me a six digit code via sms to my phone. For someone to access would require the ID, password (26 characters) and my phone number and be able to intercept all at the same time. Chances are extremely LOW. I'll live with it. However, I would hope that a large corporation hiding access to hundreds of thousands of IDs would use the safest type.
  • Thank you. Just because SMS is clear, doesn't make using it along with other security useless.
  • Wells Fargo also has 2FA via the app notifications.
  • Canadian banks all use 2FA from web based browsers. Also, all Canadian debit and credit cards have chips in them... America is far behind because they don't want to invest the money required. Even something as simple as email bank transfers isn't a thing in America... You need third party apps... What a joke.
  • I'd wager most of the new cards have chips. I've not gotten a card without a chip in years, from my various CC accounts, to my checking accounts. All of them have chips.
  • What do you expect from a people still using paper checks! I moved here 20 years ago from Germany and thought I landed in the stone age! Fortunately, they have caught up a bit! 🤣
  • Yeah and you disliked it here so much you decided to stay 20 years even though we are stuck in the Paleolithic. Well maybe the US could qualify for the Neolithic. The US is quirky not backward.
  • Please. In Germany, you'll short-circuit a waiter's brain if you ask for any sort of change to a menu item. "Nein! Zis is not possible!" The inability to cope with different circumstances probably explains your shock.
  • Texting is not secure
  • 2FA means two different forms, one password the other text....
  • Whichever one any individual is willing to use is the most secure.
  • SMS 2FA is Everywhere though :-/ They use it because it's the least technical and some users really struggle with the most basic technical tasks.
  • I use software baed MFA like Google or Microsoft Authenticator apps...