What This Means for You
Knowing how SMS, TOTP, and hardware keys differ is only useful if it changes what you actually do next. This phase is the practical payoff: what to turn on, what to keep in a safe place, and the one failure mode that catches people who did everything else right.
What to actually enable
Given the tradeoffs from Phase 2, a simple ranking holds up in practice:
1st choice: Hardware key (WebAuthn) or your phone's built-in passkey -> for anything that matters
2nd choice: Authenticator app (TOTP) -> the solid default everywhere else
3rd choice: SMS codes -> better than nothing, not much more
For accounts where a takeover would genuinely hurt — your primary email, your password manager, your bank, anything that could be used to reset other accounts — reach for a hardware key or a passkey if the service offers one. Your primary email deserves special attention here: it's usually the account every other "forgot your password" flow routes through, so it's worth more protection than an average account, not the same amount.
For everything else, an authenticator app is the right default. It's free, it takes two minutes to set up, and it closes off SIM-swap attacks entirely. If a site only offers SMS, turning it on is still meaningfully better than no second factor at all — keep in mind it's the weakest link, and avoid using that same phone number as the recovery method for your highest-value accounts if you can help it.
If a service offers a choice, the ranking is hardware key/passkey, then authenticator app, then SMS — in that order, every time.
Backup codes: the thing everyone ignores until they need it
When you set up 2FA, most services offer you a batch of one-time backup codes — usually eight to ten random strings meant to be used once each, in the exact scenario where your normal second factor isn't available. Your phone gets lost, stolen, factory-reset, or run over. Your hardware key falls out of your bag on a train. It happens more than people expect, and when it does, backup codes are the one thing standing between you and being locked out of your own account.
The habit that actually works: download them the moment they're offered, and store them somewhere that isn't the device they're meant to back up. A password manager's secure notes, a printed page in a drawer, anything except a screenshot saved on the same phone that just became your single point of failure. Skipping this step is the single most common way people turn a minor inconvenience — a lost phone — into a genuine crisis.
The tradeoff nobody warns you about: lockout
Here's the part that flips the whole conversation on its head. 2FA exists to keep attackers out — but a security measure with no escape hatch doesn't just block attackers, it can block you, permanently, with no way back in. If you lose your phone, lose your hardware key, and can't find your backup codes, you've built a lock that now has no key at all. Some services can verify your identity another way and restore access; many can't, or won't, because a convenient recovery path would hand attackers the same shortcut.
This is why "add 2FA" isn't automatically a pure win — it's a real design decision, and reasonable, well-run services put real thought into the recovery path so that a moment of bad luck doesn't become a permanent one. For a builder, that means recovery isn't an afterthought bolted on after shipping 2FA; it's part of the same feature. A few patterns that hold up:
- Multiple registered factors. Let a user register more than one hardware key, or both a hardware key and an authenticator app, so losing one device doesn't fully lock them out.
- Backup codes, generated and shown once, with a clear "you can only see these now" warning.
- A deliberately slow, verified human recovery path for the worst case — one that takes real effort to complete precisely so it can't be used as a shortcut by an attacker who merely knows the victim's name and email.
The honest summary: 2FA is a clear net win against the attacks that matter most day to day — reused passwords, phishing, breached credential lists. It earns its place on nearly every account you have. But it's not a switch you flip and forget; it's a lock, and every lock needs a thought-out way back in for the day you're the one standing outside it.
← Phase 2: How the common methods actually work | Overview