I know what you're thinking. You set up two-factor authentication on everything important. You use an authenticator app, not SMS. You're set.
Here's the uncomfortable truth: SMS 2FA has been effectively broken for years, and even TOTP authenticator codes have a bypass that requires no technical sophistication whatsoever from the attacker. Let me explain what's actually happening.
How Attackers Bypass SMS 2FA
SIM swapping. Attackers call your mobile carrier, social-engineer them into transferring your number to an attacker-controlled SIM, and then use "forgot password" flows to take over your accounts. This requires no technical skills. It's social engineering against undertrained customer support representatives. High-profile cryptocurrency theft cases have been executed this way repeatedly since at least 2018, and it still works.
If you have SMS 2FA on anything important, change it. Today. SMS 2FA is better than nothing, but it's far from secure.
The More Surprising Problem: Authenticator Apps
TOTP (the six-digit codes from Google Authenticator, Authy, etc.) is significantly better than SMS. But it has one critical weakness: real-time phishing.
Here's how it works. An attacker sets up a convincing fake login page for your bank. When you enter your email and password, they relay those credentials to the real bank in real time. The real bank asks for your 2FA code. The fake site asks you for the same code and relays it to the real bank. Within the 30-second validity window of the code, they're logged in and you've handed them your session.
This is automated, it's common, and TOTP codes are entirely unable to prevent it because the code is valid on any device that presents it within the time window. The code doesn't care whether it's being used by you or by someone relaying it on your behalf.
What Actually Works: Passkeys and Hardware Keys
Passkeys (FIDO2 credentials, also called WebAuthn) are cryptographically bound to the domain they were created for. When you authenticate with a passkey, the cryptographic challenge is site-specific: the signed response includes the domain the browser actually connected to, so a response produced on a look-alike site is rejected by the real one. A fake site cannot complete the authentication because the passkey will only respond to challenges from the legitimate domain.
Real-time phishing attacks are impossible against passkeys. SIM swapping doesn't apply. The credential never leaves your device. This is why Apple, Google, Microsoft, and every serious security organisation has been pushing passkeys hard — it's not just marketing, it's a genuine security improvement that addresses the attack vectors that currently bypass 2FA.
What to Do Right Now
- Remove SMS 2FA from every account and replace it with an authenticator app as a minimum
- Set up passkeys on every service that supports them (Google, Apple, Microsoft, GitHub, and many others do now)
- For high-value accounts (email, banking, work SSO), add a hardware key like a YubiKey as a backup — these are also phishing-resistant
- Never use your email as recovery for other critical accounts — email takeover cascades into everything else
Two-factor authentication was a significant improvement when it was introduced. In 2026, it's the table stakes, not the finish line. Passkeys are where actual security is heading, and the adoption curve has made them practical for daily use.