Two-Factor Authentication and Passkeys
Add a second lock to your accounts, and understand why some second factors are far stronger than others.
Two-factor authentication adds something you have to something you know, so that a stolen password is no longer enough to break in. Turning it on is one of the highest-value security actions available, and it is worth understanding that not all second factors are equal.
Codes sent by text message are the weakest option. They work against basic automated attacks but can be defeated by SIM swapping, where a criminal tricks your mobile carrier into moving your number to their device. Use text codes only when nothing better is offered.
Authenticator apps generate codes directly on your phone, offline, which makes them immune to SIM swapping. This is the right default for most accounts. Save the recovery codes your accounts provide, so losing your phone does not lock you out.
Hardware security keys and passkeys are the strongest. They use cryptography that verifies you are on the genuine website before responding, which means they cannot be phished even by a perfect fake page. Passkeys let you log in with your face, fingerprint, or device PIN, and major services increasingly support them.
The strategy: protect your most important accounts with a passkey or hardware key, use an authenticator app everywhere else, and start with your email today, because password resets for everything else flow through it.