Passkeys vs Hardware Keys vs SMS 2FA: The Real Comparison
SIM swap attacks have stolen over $200 million from SMS 2FA users. Passkeys and hardware security keys are unphishable. A ranked comparison of every 2FA option: SMS, email, TOTP, push, passkeys, and FIDO2 hardware keys — for consumer and enterprise authentication security.
The 2FA that still protects people, ranked
Two-factor authentication has become table stakes. Every bank, every SaaS, every government portal now requires it. But "2FA" isn't a single thing. The gap between the strongest and weakest options is the difference between "nearly unphishable" and "attackers already bypass this routinely."
This is the practical comparison — what actually protects you against the 2026 threat model, including SIM swap attacks, phishing kits, and session hijacking.
The tier list
- Hardware security keys (YubiKey, Titan, Nitrokey). Gold standard. Physical device, unphishable by design, immune to remote attacks.
- Passkeys (platform-bound FIDO2/WebAuthn). Same cryptographic guarantees as hardware keys, integrated into your phone's secure enclave or laptop's TPM. Unphishable. Convenient.
- TOTP authenticator apps (Google Authenticator, Authy, 1Password, Bitwarden). Shared secret, 6-digit rotating code. Phishable but requires real-time interception.
- Push-based 2FA (Duo, Microsoft Authenticator, Okta Verify). Convenient, but susceptible to MFA fatigue attacks.
- Email-based 2FA. Weak. Your email password is usually the weakest link.
- SMS codes. Broken. Routinely bypassed by SIM swap attacks.
Let's walk through why each one is where it is.
SMS 2FA is security theater
SMS-based two-factor authentication has been the industry default for a decade. It is also the most routinely bypassed.
How SIM swap attacks work. Attackers contact your mobile carrier (sometimes through bribed insiders, sometimes through social engineering, sometimes through SS7 exploits) and convince them to port your phone number to a SIM card they control. Every SMS 2FA code now goes to the attacker's phone. Over the next 20 minutes, the attacker drains your cryptocurrency exchanges, takes over your email, and locks you out of your bank.
The numbers:
- $200+ million stolen through SIM swap attacks tracked by the FBI between 2018 and 2024
- One case: Michael Terpin lost $24 million in a single SIM swap. AT&T paid an undisclosed settlement.
- 2024 celebrity SIM swaps: dozens of cryptocurrency influencers hit in coordinated attacks
- Carrier insider complicity: multiple convictions in 2023-2025 of T-Mobile, AT&T, and Verizon employees selling SIM swaps for $500-$5,000 per target
Beyond SIM swap:
- SS7 interception. State actors and some criminal networks can intercept SMS in transit by abusing the SS7 signaling protocol. No visibility to the victim.
- Stalker attacks. A malicious partner with physical access to your unlocked phone can read SMS 2FA codes directly.
- Phishing proxies. Evilginx, Modlishka, and other phishing-kit frameworks intercept SMS codes in real-time during a phishing attack.
CISA recommendation, December 2024: federal officials should stop using SMS for sensitive accounts entirely. That recommendation came after the Salt Typhoon breach revealed Chinese state actors had compromised US telecom carriers for over a year and were likely intercepting SMS 2FA codes for senior government officials.
Verdict: Do not use SMS 2FA for anything that matters. If a service forces it, complain. If it's the only option, use a Google Voice number or a dedicated VoIP number not tied to your real carrier.
Email-based 2FA: slightly better, still bad
Email 2FA is less often bypassed because your email account is usually harder to compromise than your SIM. But it has a fatal weakness — your email is the password reset channel for most of your other accounts. If your email is compromised, the 2FA that flows through email is useless.
Verdict: Fine as a backup fallback if your email has strong 2FA itself. Not acceptable as a primary second factor.
Push-based 2FA (Duo, Microsoft Authenticator, Okta Verify)
Push-based 2FA sends an approve-or-deny prompt to your phone. You press approve, authentication succeeds.
The advantage: more convenient than typing TOTP codes. Push prompts can include contextual information (location of the login attempt, IP address, requested app).
The attack: MFA fatigue (also called MFA bombing). Attackers who have already stolen your password trigger authentication attempts repeatedly, usually at 3am. Push notifications flood your phone. Eventually you tap "approve" just to make it stop — or you're half-asleep and don't notice what you approved.
Real cases:
- Uber 2022 breach. 18-year-old attacker harvested an Uber contractor's password, spammed MFA prompts for over an hour, then messaged the contractor on WhatsApp posing as Uber IT claiming the prompts would stop if they approved. Contractor approved. Attacker accessed Uber's internal systems.
- Cisco 2022 breach. Similar pattern. Vishing plus MFA fatigue led to a full compromise.
Mitigation — number matching. Microsoft, Duo, and Okta now support number matching. Instead of "approve or deny," the push shows a 2-digit number. The user types that number on the login screen. This defeats MFA fatigue because approving the prompt is no longer enough: the number has to be entered on the login screen, and an attacker who only triggers prompts never sees it.
Verdict: Good if you have number matching enabled. Dangerous without it. Not as strong as FIDO2/hardware keys against sophisticated phishing.
TOTP authenticator apps
TOTP (Time-based One-Time Password) generates a 6-digit code that rotates every 30 seconds. The code derives from a shared secret stored in both the server and your authenticator app.
Apps worth using:
- Bitwarden Authenticator / 1Password. Integrated with your password manager. Auto-fills on login.
- Aegis (Android) / Raivo (iOS). Open source, encrypted backups.
- Ente Auth. E2EE cloud sync with open-source clients.
- 2FAS. Open source, encrypted iCloud / Google Drive backup.
Avoid:
- Google Authenticator. No backup for years, now has cloud sync with unclear encryption guarantees.
- Authy. Owned by Twilio, suffered a 2024 data breach that leaked 33 million phone numbers tied to 2FA accounts. Customers complained about lock-in for years.
- Microsoft Authenticator for non-Microsoft accounts. Gets weird with personal vs work tenants.
The phishing attack. TOTP is phishable. A phishing site prompts for username, password, and TOTP code. The attacker forwards those to the real service in real-time. The victim gets redirected to the real login success page. Attacker now has a valid session cookie.
Evilginx and similar reverse-proxy phishing kits have automated this to the point where TOTP phishing is trivial for criminal operators. For as long as a code remains valid, it is an attack window.
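To make the "shared secret, rotating code" point concrete, here is an added example (not code from the original article) of the RFC 6238 TOTP algorithm together with a server-side verifier. It uses the RFC 6238 Appendix B test secret; the user name "alice" and the timestamps are constructed. The verifier tolerates one step of clock skew and refuses to accept the same step twice, which is the standard replay guard. What it cannot do is the point the article makes: a fresh code is accepted from whoever presents it first, so a proxy relaying the code in real time is indistinguishable from the user.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
)

const stepSeconds = 30

// TOTPCode returns the RFC 6238 code (HMAC-SHA1) for one time step.
func TOTPCode(secret []byte, step int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTPAt is what the authenticator app shows at a given Unix time.
func TOTPAt(secret []byte, unixTime int64, digits int) string {
	return TOTPCode(secret, unixTime/stepSeconds, digits)
}

// Verifier is the server side: it holds the same shared secret and remembers the
// last time step it accepted for each user, so one code is never accepted twice.
type Verifier struct {
	mu       sync.Mutex
	secrets  map[string][]byte
	lastStep map[string]int64
}

func NewVerifier() *Verifier {
	return &Verifier{secrets: map[string][]byte{}, lastStep: map[string]int64{}}
}

func (v *Verifier) Enroll(user string, secret []byte) {
	v.mu.Lock()
	defer v.mu.Unlock()
	v.secrets[user] = secret
}

// Verify accepts the code for the current step or one step either side (clock skew),
// but refuses any step at or below the last one consumed. Note what it cannot do:
// it has no way to tell whether the party presenting a fresh code is the user or a
// phishing proxy relaying it; the replay guard only stops the code being used twice.
func (v *Verifier) Verify(user, code string, now int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	secret, ok := v.secrets[user]
	if !ok {
		return false
	}
	step := now / stepSeconds
	for _, delta := range []int64{0, -1, 1} {
		s := step + delta
		if last, seen := v.lastStep[user]; seen && s <= last {
			continue
		}
		if hmac.Equal([]byte(TOTPCode(secret, s, 6)), []byte(code)) {
			v.lastStep[user] = s
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	v := NewVerifier()
	v.Enroll("alice", secret) // constructed user
	now := int64(1111111111)  // one of the RFC 6238 test timestamps
	code := TOTPAt(secret, now, 6)
	fmt.Println("code:", code)                              // 050471
	fmt.Println("first use:", v.Verify("alice", code, now)) // true
	fmt.Println("replay:", v.Verify("alice", code, now+5))  // false
}
```

The replay guard is worth having (it stops a captured code from being reused after the legitimate login), but it is a mitigation for reuse, not for relay: the first presentation wins, and nothing in the protocol binds the code to the site the user typed it into. That binding is exactly what FIDO2 adds.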
Verdict: Much better than SMS. Significantly better than email. Still phishable.
Passkeys (platform-bound FIDO2/WebAuthn)
Passkeys are FIDO2 credentials stored in your phone's secure enclave or laptop's TPM. They never leave the device in usable form. Instead, the authentication flow uses public-key cryptography — the device signs a challenge with a private key, the server verifies with the public key.
Why passkeys are unphishable. FIDO2 credentials are scoped to a specific domain. The passkey for bank.com only works when your browser is actually communicating with bank.com. A phishing site at b4nk.com cannot trigger the passkey even if the user tries to use it.
How they synchronize. Platform-bound passkeys sync through the platform's cloud keychain:
- Apple: iCloud Keychain
- Google: Google Password Manager (Android + Chrome)
- Microsoft: Windows Hello with Microsoft Account
That syncing has a consequence. If your iCloud account is compromised, an attacker with access to iCloud Keychain can authenticate as you on any passkey-enabled service. Your passkey security is only as strong as your platform account security.
Passkey adoption (April 2026):
- Google, Microsoft, Apple accounts: all support passkeys
- Amazon, eBay, PayPal, X, LinkedIn, Shopify, Best Buy, GitHub: all support passkeys
- Banks and brokerages: partial adoption, improving in 2026
- Over 15 billion user accounts now support passkey authentication
Verdict: The best consumer 2FA option. Unphishable, relatively convenient. Major caveat — your platform account security matters more than ever.
Hardware security keys (YubiKey, Titan, Nitrokey)
Hardware keys are physical FIDO2 devices. You plug them into a USB-A, USB-C, or Lightning port, or tap them via NFC. They store the same FIDO2 credentials as passkeys but in a physical device you own that never syncs anywhere.
Why hardware keys are the strongest option.
- Unphishable, like passkeys.
- Not tied to a platform account. If your iCloud is compromised, your YubiKey still protects your bank.
- Tamper-resistant. Physical extraction requires destructive attacks.
- Portable across platforms.
- No cloud-sync attack surface.
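The "scoped to a specific domain" property that makes both passkeys and hardware keys unphishable (the passkeys section above and the hardware-key list just given) comes from the browser, not the server: the RP ID is derived from the page's origin, and the relying party checks origin and RP ID hash before it looks at the signature. The following is an added example (not code from the original article, nor from any FIDO2 library) that simulates the three parties with ECDSA P-256 from the Go standard library. The domain names bank.example and b4nk.example stand in for the article's bank.com and b4nk.com, the challenge strings are constructed, and the authenticator data is reduced to the RP ID hash, a user-present flag and a fixed counter.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
)

// Authenticator stands in for the secure enclave, TPM or hardware key: one key
// pair per RP ID, and the private half is never handed out.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a credential scoped to rpID and returns only the public key, which is all the RP stores.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct {
	ClientDataJSON []byte
	AuthData       []byte // SHA-256(rpID) || flags || signature counter
	Signature      []byte // ECDSA over SHA-256(AuthData || SHA-256(ClientDataJSON))
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// GetAssertion plays the browser. The RP ID is derived from the page origin, not chosen
// by the page, so a credential made for bank.example is not available to b4nk.example.
func GetAssertion(a Authenticator, origin, challenge string) (*Assertion, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Scheme != "https" {
		return nil, fmt.Errorf("WebAuthn requires an https origin")
	}
	rpID := u.Hostname()
	priv, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags: user present; counter fixed at 1 here
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// VerifyAssertion is the relying party's side: type, challenge, origin and RP ID hash
// are checked before the signature, and any single failure rejects the login.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	case cd.Challenge != challenge:
		return fmt.Errorf("challenge mismatch: stale or replayed response")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: response was signed for %s", cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	return nil
}

func main() {
	auth := Authenticator{}
	pub, _ := auth.Register("bank.example")
	as, _ := GetAssertion(auth, "https://bank.example", "constructed-challenge-1")
	fmt.Println("bank.example:", VerifyAssertion(pub, "bank.example", "https://bank.example", "constructed-challenge-1", as))
	_, err := GetAssertion(auth, "https://b4nk.example", "constructed-challenge-1")
	fmt.Println("b4nk.example:", err)
}
```

Two things fall out of running it. The lookalike site never gets an assertion at all, because the browser looks up credentials by the origin it is actually talking to; and even a credential the user did register at the lookalike cannot satisfy the real site, since the signed client data names the wrong origin and the RP ID hash does not match. Whether the private key lives in a phone's secure enclave (passkey) or on a YubiKey makes no difference to this check; the difference between the two is only where that key can be copied from, which is the sync caveat the passkeys section raises.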
Recommendations:
- YubiKey 5 Series (Yubico). Current standard. Multiple form factors including USB-C and Lightning. $55-75 each.
- Google Titan Security Key. Integrated with Google Advanced Protection Program. Cheaper at $30-50.
- Nitrokey. Open-source firmware. More expensive. Favored by privacy-focused users.
- SoloKeys (discontinued but still in use). Fully open-source hardware and firmware.
Best practice: buy two. Store one in your wallet, one in a safe deposit box or home safe. Enroll both at every service that supports them. Losing your only hardware key locks you out of everything.
Google Advanced Protection Program (APP). Google's highest security tier for high-risk users (journalists, activists, senior executives). Requires two hardware security keys. Blocks app-password fallbacks. Blocks non-Google clients from most services. Has defeated every known phishing campaign targeting Google accounts since launch. Free. Enable it if your Google account matters.
Verdict: The most secure option. Inconvenient. Essential for cryptocurrency exchanges, admin accounts, journalist accounts, executive accounts, or any account whose compromise would be catastrophic.
What actually happens in real attacks
Based on 2024-2025 incident response data and published breach reports:
| 2FA Method | Routine bypass rate in the wild |
|---|---|
| SMS | Very high. Standard phishing kit capability. |
| Email | High if email is compromised. |
| TOTP | Moderate. Phishing kits handle it. |
| Push | Low if number matching enabled. High without. |
| Passkeys | No publicly documented bypass in phishing attacks. |
| Hardware keys | No publicly documented bypass. |
The specific accounts where this matters most
Must be on hardware keys or passkeys:
- Email (your primary account, the root of all password resets)
- Cryptocurrency exchanges
- Cloud provider consoles (AWS, GCP, Azure)
- Password manager account
- Any account tied to financial transactions
Strong 2FA acceptable (TOTP minimum):
- Social media
- Shopping accounts
- Streaming services
Anywhere that only offers SMS:
- Demand an alternative. If they don't have one, assume the account will eventually be stolen.
How to actually set this up
- Buy two YubiKey 5 NFC units ($55 each) or start with passkeys on iCloud / Google.
- Enable hardware keys on your email first. Gmail, Proton, Outlook — whichever you use as primary.
- Enroll Google Advanced Protection Program if your main account is Google.
- Move your password manager to hardware-key 2FA. 1Password, Bitwarden, Dashlane all support it.
- Add hardware keys to every cryptocurrency exchange. Coinbase, Binance, Kraken all support FIDO2.
- Add hardware keys to every cloud provider console. AWS supports FIDO2. GCP and Azure too.
- Remove SMS from every account that will let you.
- Store the second hardware key off-site. Safe deposit box, trusted family member, or home safe.
The honest summary
SMS 2FA is security theater. Email 2FA is theater plus a denial-of-service for yourself. TOTP is meaningful but phishable. Push with number matching is good. Passkeys are excellent for consumer accounts. Hardware keys are the only answer for high-value accounts.
The cost difference between SMS and hardware keys is $55. The damage difference is your entire financial life.
Sources
- [FBI IC3 SIM Swap Reports](https://www.ic3.gov/Media/Y2022/PSA220208)
- [Michael Terpin v. AT&T Settlement Coverage](https://www.theverge.com/2022/7/14/23218928/at-t-michael-terpin-sim-swap-lawsuit)
- [CISA Mobile Communications Best Practice Guidance, December 2024](https://www.cisa.gov/sites/default/files/2024-12/guidance-mobile-communications-best-practices.pdf)
- [Uber September 2022 Security Update](https://www.uber.com/newsroom/security-update/)
- [Authy Breach 2024 - 33M Phone Numbers](https://www.bleepingcomputer.com/news/security/twilios-authy-service-breached-by-hackers/)
- [Passkey Adoption Dashboard — FIDO Alliance](https://fidoalliance.org/)
- [Google Advanced Protection Program](https://landing.google.com/advancedprotection/)
- [YubiKey 5 Series](https://www.yubico.com/products/yubikey-5-overview/)
Want us to check your authentication setup?
Our scanner detects this exact misconfiguration, plus dozens more across 38 platforms. Free website check available, no commitment required.
