This site is for educational purposes only. Nothing here constitutes financial advice.

Lesson 2 of 8 · Crypto Security Bootcamp · ~22 min

Lesson 2 — 2FA done right: from SMS to hardware keys

Retire SMS forever. The full ladder of phishing-resistant authentication, in the order you should adopt it.

Intermediate
Evergreen
22 min read · Updated 2026-05-17 · Block Clarity Hub Editorial Team

Two-factor authentication is the single highest-leverage defensive change a regular user can make — and using the wrong kind is actively worse than nothing in some cases because it gives a false sense of safety. This lesson walks the full ladder, from SMS (retire it) up through hardware security keys (the gold standard).

SMS-based 2FA is the floor of the ladder and most people are still on it. It works by texting you a six-digit code; you enter the code; you are 'in.' The problem is that your phone number is not bound to your physical phone — it is bound to your account at the carrier, which a fraudster can transfer to a SIM they control through a process called a SIM swap, usually by social-engineering or bribing carrier staff. Once the number moves, every SMS code, and every SMS-based password reset, goes to the attacker instead of you. SIM-swap rings are well-organised, well-documented, and have produced individual losses in the seven and eight figures; the FBI's IC3 has issued public service announcements on SIM swapping, and NIST SP 800-63B classes SMS as a 'restricted' authenticator. Treat SMS as 'better than nothing for legacy services that offer no alternative,' and aggressively move every other account up the ladder.

One step up is the authenticator app — Google Authenticator, Aegis (open source, Android), Raivo (open source, iOS), Authy, 1Password, or your password manager's built-in TOTP. These generate the six-digit code locally: the app and the service share a secret (that is what the QR code you scanned contains), and both compute an HMAC over the current 30-second time window, so nothing has to be delivered to your phone number at all. SIM swapping your phone therefore gives an attacker nothing. What TOTP does not fix is real-time phishing: the code is just a number, and a convincing fake login page can relay it to the real site within its 30-second window, so the domain in your address bar is still your only protection. Choose an app that lets you back up encrypted copies of the secrets — losing your phone with no backup means losing access to every account. Open-source apps (Aegis, Raivo) let you audit the backup format. Cloud-synced apps (Authy, 1Password) make recovery easier at the cost of trusting one more vendor.

The top of the ladder is a hardware security key implementing FIDO2 / WebAuthn — YubiKey, Solo Key, Google Titan, Nitrokey. These keys do something fundamentally different from TOTP: there is no code for you to type, so there is nothing for a phishing page to relay. At registration the key creates a key pair scoped to the site's relying-party ID (its domain) and hands the site only the public key. At login the browser, not the web page, records the origin it is on and asks the key for a signature; the key signs a message that includes a hash of that relying-party ID and a hash of the browser's client data (the site's challenge plus the origin), and the site verifies the signature, the origin and the domain hash before accepting the login. A phishing site at a typo domain is a different origin: the browser will not let it request the real site's credential, the key holds no credential for the typo domain, and any signature it could obtain names the wrong origin and is rejected. This is what 'phishing-resistant' actually means. Most large exchanges (Coinbase, Kraken, Binance, Gemini) now support hardware keys; check your account settings. Always register at least two hardware keys per account so loss of one is not lockout.
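The origin binding is easier to see in code than in prose. The following is an added example, not the lesson's own code and not a real FIDO library: it models the three parties (key, browser, site) in Python with the real message structure (rpIdHash in authenticatorData, origin and challenge in clientDataJSON, signature over authenticatorData plus the client-data hash), but uses an HMAC over the signed bytes as a stand-in for the key's ECDSA signature, so the 'public key' the site stores is just the shared HMAC key. The domains exchange.example and exchange-login.example are constructed.

```python
import hashlib
import hmac
import json
import secrets
import struct
from dataclasses import dataclass, field


# ---- authenticator (the hardware key) -------------------------------------
# Stand-in: HMAC replaces the ECDSA P-256 signature a real key produces, so the
# RP below holds the same secret instead of a public key. The structure of the
# signed message is what carries the phishing-resistance argument.
@dataclass
class Authenticator:
    credentials: dict = field(default_factory=dict)   # rp_id -> key material
    sign_count: int = 0

    def make_credential(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.credentials[rp_id] = key                  # credential is scoped to this RP ID
        return key                                     # what the site stores at registration

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self.credentials.get(rp_id)
        if key is None:
            return None                                # nothing registered for this domain: stay silent
        self.sign_count += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
                     + b"\x05"                                  # flags: user present + verified
                     + struct.pack(">I", self.sign_count))
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


# ---- browser ----------------------------------------------------------------
def browser_get_assertion(origin: str, requested_rp_id: str, challenge: str, key: Authenticator):
    host = origin.split("://", 1)[1].split("/")[0]
    # The browser only allows an RP ID equal to the page's host or a parent domain,
    # so a look-alike domain cannot ask for the genuine site's credential.
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        return None
    # The browser, not the page, writes the origin into clientDataJSON.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
    ).encode()
    result = key.get_assertion(requested_rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    auth_data, sig = result
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


# ---- relying party (the exchange) ------------------------------------------
def rp_verify(assertion: dict, expected_origin: str, rp_id: str,
              expected_challenge: str, credential_key: bytes) -> tuple[bool, str]:
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if client.get("origin") != expected_origin:
        return False, f"origin mismatch: {client.get('origin')}"
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    key = Authenticator()
    rp_id, origin = "exchange.example", "https://exchange.example"      # constructed names
    phish = "https://exchange-login.example"                             # constructed look-alike
    stored_key = key.make_credential(rp_id)
    results = {}
    challenge = secrets.token_urlsafe(32)
    genuine = browser_get_assertion(origin, rp_id, challenge, key)
    results["genuine"] = rp_verify(genuine, origin, rp_id, challenge, stored_key)
    # Replaying the same assertion against a fresh challenge fails.
    results["replay"] = rp_verify(genuine, origin, rp_id, secrets.token_urlsafe(32), stored_key)
    # Look-alike page asks for the real RP ID: the browser refuses.
    results["phish_wrong_rpid"] = browser_get_assertion(phish, rp_id, challenge, key)
    # Look-alike page asks for its own RP ID: the key has no credential for it.
    results["phish_own_rpid"] = browser_get_assertion(phish, "exchange-login.example", challenge, key)
    # Even if the user had registered the key at the look-alike domain, relaying that
    # assertion to the real exchange fails: origin and rpIdHash are inside what was signed.
    key.make_credential("exchange-login.example")
    relayed = browser_get_assertion(phish, "exchange-login.example", challenge, key)
    results["relayed"] = rp_verify(relayed, origin, rp_id, challenge, stored_key)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} {outcome}")
```

Compare this with the TOTP check above: there the server could only test six digits against the clock; here the signature fails the moment the origin, the domain hash or the challenge is not the genuine site's, and the user never had a secret to hand over.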

Passkeys are a related-but-different technology. They are the same WebAuthn credentials, but with the private key synced across your devices through Apple iCloud Keychain, Google Password Manager, 1Password, etc., instead of living in one piece of hardware. Because they are WebAuthn credentials they carry the same origin binding, so a typo domain cannot use them either; what changes is where the private key lives and who can restore it. The trade-off is trusting your sync provider and its account-recovery process. For most people, passkeys are an excellent middle layer. For very high-value accounts, dedicated hardware keys, which never let the private key leave the device, remain superior.

Whichever rung of the ladder you choose, recovery codes matter as much as the second factor itself. Most services give you a one-time set of recovery codes when you set up 2FA. Save them to paper or an offline password manager. If you ever lose your second factor without these codes, you are locked out — and 'support' processes for re-enabling 2FA are exactly where social engineers love to operate.

Example

Two incidents show the gap. In July 2020, Twitter employees were social-engineered over the phone into giving attackers access to internal account-support tools; the attackers then hijacked high-profile accounts, including crypto-industry ones, to post a bitcoin 'giveaway' scam to millions of followers. In September 2022, Uber was breached after an attacker holding a contractor's stolen password repeatedly sent MFA push prompts until one was approved. Push-notification 2FA (the 'tap yes to log in' pattern) is the modern equivalent of SMS — it is not phishing-resistant, because nothing ties the approval to the site or session the user is actually looking at. A hardware key cannot be 'approved' this way: its signature is produced by the browser at the genuine origin, includes that origin and domain, and is useless to an attacker sitting anywhere else.

Common mistakes

  • Leaving SMS as the 'backup' 2FA method on an account that also has an authenticator app. The attacker only needs to defeat the weakest factor.
  • Storing recovery codes in the same password manager that holds the password. If the manager is compromised, both factors are gone.
  • Buying one hardware key and storing it alone. Register at least two on every account, store one offsite, and use the other daily.
  • Trusting push-notification 2FA. 'Tap yes to approve login' is bypassed by 'MFA bombing' — flood the user with prompts until they tap to make it stop.
  • Forgetting to remove your phone number from the account once you have a stronger factor in place. If SMS remains as a recovery method, it is still the attack surface.

Safety warning

If you are still using SMS 2FA on your email account, that is the most important thing to change this week. Email is the recovery path for nearly every other account, including exchanges. Compromise email → trigger the exchange's password-reset and account-recovery flows → on many services, those flows can also reset or remove the second factor. Move email to a hardware key or authenticator app first.

Check your understanding

What makes a hardware security key 'phishing-resistant' in a way that an authenticator app is not?
