
TOTP vs SMS 2FA vs Hardware Keys: A Practical Security Comparison

How TOTP, SMS, and FIDO2 hardware keys actually compare against phishing, SIM swaps, and account takeover — with the threat models each one solves.

Two-factor authentication is one of the few security improvements that actually moves the needle. Microsoft and Google have published numbers showing that any 2FA blocks more than 99% of automated account takeover attempts. But not all 2FA is the same — and the gap between the weakest and strongest options is larger than most users realise. The three you'll encounter are SMS, TOTP, and hardware security keys. Each has a specific threat model it solves and a specific one it doesn't.

SMS: Better Than Nothing, Worse Than Most

SMS 2FA sends a one-time code to your phone number. It's by far the most common second factor because it requires no app, no hardware, and no setup beyond a phone number the service already has. The convenience is real. The security is a different story.

The fundamental problem is that phone numbers are not bound to devices. They're bound to SIM cards, and SIM cards are bound to whatever the carrier's customer service rep can be convinced of. SIM-swap attacks, where an attacker persuades a carrier to port a victim's number to a SIM the attacker controls, have been used to drain bank accounts and crypto wallets repeatedly since at least 2016. NIST SP 800-63B (2017) classifies out-of-band authentication over the public switched telephone network, which includes SMS, as RESTRICTED: agencies must assess the risk and offer subscribers an alternative authenticator.

SMS is also vulnerable to SS7 protocol attacks (interception at the carrier level), phishing (a fake login page asks for the code), and plain malware on the phone itself. Use SMS only when no other option is available.

TOTP: Good, Cheap, Phishable

TOTP (RFC 6238) derives a 6-digit code from a shared secret and the current 30-second time step: client and server each compute HMAC-SHA1 over the step counter (Unix time divided by 30), truncate the result, and keep the last six decimal digits. The secret is transferred once at enrollment, usually as a QR code, and never again; after that the only thing sent at login is the code the user types, so there is no out-of-band message for a SIM swap or SS7 interception to capture. The secret lives in the authenticator app on your device, not with your carrier, so an attacker has to compromise the device to get it.

TOTP defeats every remote attack against the second factor itself: there's no message to intercept, no carrier to social-engineer. It's a massive jump in security over SMS at no cost. Google Authenticator, 1Password, Authy, and dozens of others implement the standard.

TOTP's remaining weakness is phishing. If an attacker builds a fake login page that proxies your credentials and your TOTP code in real time to the real site, they get a valid session. The 30-second window doesn't help — the attacker only needs one valid code. Modlishka, Evilginx, and similar phishing kits automate this attack and have been used in successful campaigns against employees of major tech companies.

Hardware Keys: Phishing-Resistant by Construction

FIDO2 hardware keys (YubiKey, Google Titan, Feitian, etc.) use public-key cryptography. During enrollment, the key generates a fresh keypair bound to the site's relying party ID, which is its domain. During login, the key signs a server challenge with the private key, and the signed data includes a hash of that domain plus the client data the browser assembled, which names the origin the browser is actually connected to.

That domain binding is the kingslayer. If a user is on a phishing site (say, g00gle.com), the browser scopes the request to g00gle.com: the key either has no credential for that domain and refuses, or, if the user enrolled there too, produces a signature whose client data names g00gle.com, which the real Google servers reject as the wrong origin. The user can't be socially engineered into bypassing this: there is nothing to type and no code to read.

FIDO2 keys also keep the private key inside the authenticator and never export it in the clear. Even malware on the host machine can't exfiltrate the secret the way it can copy a TOTP database. Lyastani et al.'s 2020 IEEE S&P study found that participants rated FIDO2 passwordless login with a security key as both more usable and more secure than password login, with their main concern being what happens if the key is lost.
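The following Go program is an added illustration of that binding, not code from this page, from any FIDO2 vendor or from a WebAuthn library: it models the key, the browser and the relying party in one process so the failure points are visible. It assumes a hypothetical relying party example.com with origin https://example.com, a hypothetical phishing site examp1e.com, that the RP ID equals the origin's host (real browsers also allow a registrable suffix of it), and it omits the signature counter and attestation from authenticatorData to stay short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the part of WebAuthn's CollectedClientData that matters here;
// the browser, not the page, fills Origin from the URL the tab is really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// authenticator stands in for the security key: one P-256 keypair per RP ID, never exported.
type authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

// register is enrollment: a fresh credential scoped to rpID; only the public key leaves the key.
func (a *authenticator) register(rpID string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = k
	return &k.PublicKey, nil
}

// assert is the login ceremony on the key: refuse if there is no credential for the RP ID
// the browser presents, otherwise sign authenticatorData || SHA-256(clientDataJSON).
// authenticatorData here is rpIdHash || flags; a real key also appends a signature counter.
func (a *authenticator) assert(rpID string, clientDataJSON []byte) (authData, sig []byte, err error) {
	k, ok := a.creds[rpID]
	if !ok {
		return nil, nil, errors.New("authenticator: no credential for rpId " + rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01) // flags byte: user presence (the touch) confirmed
	sig, err = ecdsa.SignASN1(rand.Reader, k, signedDigest(authData, clientDataJSON))
	return authData, sig, err
}

// signedDigest is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

type relyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
}

// verify performs the checks a WebAuthn server makes before accepting an assertion.
func (rp *relyingParty) verify(challenge string, clientDataJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or stale challenge")
	}
	if cd.Origin != rp.origin {
		return fmt.Errorf("origin %q is not %q: assertion was made for another site", cd.Origin, rp.origin)
	}
	want := sha256.Sum256([]byte(rp.rpID))
	if len(authData) < 33 || string(authData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(authData, clientDataJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}

// login models the browser: it derives the RP ID from the origin the tab is on (assumption:
// origin is https://host and rpId == host) and writes that origin into clientData, so neither
// the page nor a phishing proxy can pick a different one.
func login(auth *authenticator, rp *relyingParty, browserOrigin, challenge string) error {
	rpID := browserOrigin[len("https://"):]
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	authData, sig, err := auth.assert(rpID, cdj)
	if err != nil {
		return err
	}
	return rp.verify(challenge, cdj, authData, sig)
}

func main() {
	auth := &authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	pub, err := auth.register("example.com")
	if err != nil {
		panic(err)
	}
	rp := &relyingParty{rpID: "example.com", origin: "https://example.com", pub: pub}
	fmt.Println("real site:    ", login(auth, rp, "https://example.com", "challenge-1"))
	fmt.Println("phishing site:", login(auth, rp, "https://examp1e.com", "challenge-2"))
}
```

Two independent checks fail the phisher here. The key has no credential scoped to examp1e.com and refuses to sign at all; and even if the victim had enrolled the same key on the phishing domain, the clientData the browser signs says examp1e.com, which the real server's origin check rejects. Because the challenge is inside the signed client data, a captured assertion is also useless against any later challenge.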

Practical Comparison

  • SMS — defeats password-only attacks. Vulnerable to SIM swap, SS7, phishing, malware. Use only when nothing else is available.
  • TOTP — defeats SMS attacks and password-only attacks. Vulnerable to real-time phishing and device compromise. The right baseline for most accounts.
  • Hardware key (FIDO2) — defeats all of the above, including real-time phishing. Costs $25–$70 per key. Does not help once a session is established on a compromised host, and losing your only key locks you out, so register two. Recommended for any account whose loss would matter.

The Real-World Recommendation

Buy two hardware keys. Register both on your most important accounts — primary email, password manager, financial accounts, and your domain registrar if you own a domain. Keep one on your keyring and one in a drawer somewhere safe. Use TOTP for everything else that supports it. Use SMS only for services that offer no other option, and lobby them in writing to add TOTP.

The cost of two YubiKeys is less than the cost of one stolen weekend dealing with a compromised email account. Most people who've been through it pay the upgrade tax once and never go back.

What 2FA Doesn't Solve

2FA protects the login event. It does not protect a session that's already open, a device that's been compromised, or a password reset flow that falls back to email. If your email is protected only by SMS, every account that does password reset via email inherits that weakness. The strength of the chain is the strength of the weakest factor on your most-trusted account — usually email. Start there.

References

  1. M'Raihi, D., Machani, S., Pei, M., & Rydell, J. (2011). RFC 6238: TOTP: Time-Based One-Time Password Algorithm. Internet Engineering Task Force.
  2. Lyastani, S. G., et al. (2020). Is FIDO2 the Kingslayer of User Authentication? A Comparative Usability Study of FIDO2 Passwordless Authentication. IEEE Symposium on Security and Privacy.
  3. National Institute of Standards and Technology. (2017). NIST Special Publication 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management.
  4. FIDO Alliance. (2021). Client to Authenticator Protocol (CTAP) Specification, Version 2.1.
  5. Krebs, B. (2018). Hanging Up on Mobile in the Name of Security. Krebs on Security.