Secure Login: 2FA, Security Keys, and Passkeys Compared
Compare all login protection methods side by side. Learn how authenticator apps, hardware keys, and passkeys work and which to use.

Let’s be honest. Your password is probably terrible.
Maybe it’s your dog’s name followed by your birth year. Maybe you’ve been reusing the same one since 2014. Maybe you have a “system” where you just increment a number at the end. Password1, Password2, Password3… genius, right?
But even a good password isn’t enough anymore. Credential stuffing takes leaked passwords from one breach and tries them everywhere else. Phishing tricks you into typing your password on a fake page. Data breaches keep exposing billions of accounts - you can check if yours was leaked right now.
A password alone is one wall with cracks. You need a second layer. So let’s compare every option and figure out which ones are actually worth using.
You log in, your phone buzzes, you type a six-digit code. Most common form of 2FA, and also the weakest.
SMS codes travel through your carrier’s network, which can be hijacked through SIM swapping or SS7 exploits. Email codes aren’t much better - if someone has your inbox, those codes are theirs.
We wrote a full deep-dive on why SMS 2FA falls short if you want the details.
Verdict: Better than nothing, but your last resort. Switch the moment something better is available.
This is where things get interesting. Instead of receiving a code via text, an app generates it right on your device. No network involved.
When you set it up, your app and the service exchange a shared secret. Think of it like a secret handshake that changes every 30 seconds. Your app generates a code based on that secret and the current time, the server does the same math, and if they match - you’re in. That’s TOTP (Time-based One-Time Password).
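That "same math on both sides" in code, as an added example rather than anything from the original article: an RFC 6238 TOTP generator, the Base32 secret format authenticator apps share, and a server-side check that tolerates clock skew without accepting a code twice. Function names are my own; the test values come from the RFC's published vectors.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1(secret, floor(time / step)), dynamically truncated
    to `digits` decimal digits. App and server both run this; only the short-lived
    result ever crosses the network."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** digits).zfill(digits)

def secret_from_base32(b32: str) -> bytes:
    """Apps exchange the shared secret as Base32 (the otpauth:// URI); restore padding."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))

def verify_totp(secret: bytes, submitted: str, unix_time: int, used: set,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Server-side check. Accepts the current step or +-`window` steps to absorb
    clock skew, compares in constant time, and records the accepted step in `used`
    so the same code cannot be replayed. What this does NOT stop: a phishing proxy
    that relays a fresh code within its 30 s lifetime, the weakness described above."""
    current = unix_time // step
    for ctr in range(current - window, current + window + 1):
        if hmac.compare_digest(totp(secret, ctr * step, step, digits), submitted):
            if ctr in used:
                return False
            used.add(ctr)
            return True
    return False
```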
The good: Works offline, free, supported almost everywhere, and your carrier can’t be tricked into handing over your codes.
The catch: Still phishable if an attacker relays your code to the real site in real-time. And if you lose your phone without a backup, you’re locked out.
Important tip: Keep your 2FA app separate from your password manager. If someone compromises your password manager and it has your TOTP codes too, they get everything in one shot. Two separate apps means they’d need to break into both.
Pick an app that’s open-source, supports encrypted backups, and doesn’t require a cloud account.
Instead of typing a code, you get a notification: “Someone is trying to log in. Was this you?” Tap approve. Done.
The service sends a challenge to your registered device, you confirm with a tap (sometimes with biometrics), and a signed response goes back. No codes to type, no numbers to misread.
The good: Super easy, harder to phish than TOTP since there’s no code to relay.
The catch: Needs internet on both ends. Vendor-locked to whatever the service provides. And there’s a nasty trick called MFA fatigue - an attacker with your password spams push notifications at 3 AM until you groggily tap “Approve” just to make it stop.
If you ever get push notifications you didn’t trigger, always deny them and change your password immediately.
A small physical USB or NFC device you plug in or tap when you log in. If authenticator apps are a solid deadbolt, these are a bank vault door.
The key generates a unique key pair: a private key (locked inside the device forever) and a public key (shared with the service). When you log in, the service sends a challenge, the key signs it, and the service verifies. Simple.
The killer feature is origin binding. The key checks the actual website domain before signing anything. On google.com? It responds. On g00gle-login.com? It refuses. Automatically. The most convincing phishing page in the world won’t work because the key literally will not cooperate with a fake site.
The good: Strongest phishing protection available. Private key can never be extracted. Works offline. Nothing to type. No battery to die.
The catch: Costs money, you must carry it, and losing your only key without backup codes is a nightmare.
Practical tip: Always buy two keys. Register both everywhere. One on your keychain, one safe at home. Look for FIDO2 certification and USB-C/NFC support.
Worried about someone stealing your key? Don’t be. They’d still need your password, and most keys support PIN protection too.
Same crypto as hardware keys, but the key lives on your phone, laptop, or password manager instead of a separate device. This is the one that finally makes strong security effortless.
Your device generates a key pair, stores the private key in its secure enclave, and when you log in, you verify with a biometric (fingerprint, face) or PIN. No password to remember, no code to type, no device to plug in. And just like hardware keys, it checks the domain automatically - phishing blocked.
The good: Phishing-resistant, nothing to remember, built into all major OS and browsers, can sync across devices, replaces password AND 2FA in one step.
The catch: Not all sites support them yet. Cross-platform sync can be confusing if you switch ecosystems. And if synced through a cloud account, you’re trusting that provider.
There are two flavors: synced passkeys back up to the cloud and appear on all your devices (convenient, but trust the cloud), and device-bound passkeys live only on one device (more secure, but lose it and they’re gone). Hardware security keys are essentially device-bound passkeys in physical form.
For most people, synced passkeys in a reputable password manager are the sweet spot.
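An added example, not code from the article, modelling the origin binding that both hardware keys and passkeys rely on: the authenticator only holds a credential for the domain it was registered on, so a look-alike domain gets no signature, and the site independently re-checks origin, challenge and rpIdHash before trusting one. Assumptions: every name here is made up, example.com and examp1e-login.com are constructed, and an HMAC stands in for the device's asymmetric signature so the block runs on the standard library alone.

```python
import hashlib, hmac, json, secrets

class Authenticator:
    """Security key / passkey side. Credentials are filed under the RP ID the
    browser derives from the page origin, so a look-alike domain finds nothing and
    the device refuses to sign. Assumption: HMAC stands in for the real ECDSA key."""
    def __init__(self):
        self.creds = {}                           # rp_id -> (cred_id, key)
    def make_credential(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.creds[rp_id] = (cred_id, key)
        return cred_id, key                       # handed to the RP at registration
    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self.creds:
            return None                           # origin binding: no key, no signature
        cred_id, key = self.creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05"   # rpIdHash | UP+UV
        return cred_id, auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_login(auth, origin, challenge):
    """Browser on a page at `origin`: RP ID = hostname; challenge sent as hex (base64url in the spec)."""
    rp_id = origin.split("://", 1)[1].split("/")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}).encode()
    got = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return None if got is None else {"id": got[0], "clientDataJSON": client_data,
                                     "authenticatorData": got[1], "signature": got[2]}

class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.users = rp_id, origin, {}
    def new_challenge(self):
        return secrets.token_bytes(32)            # fresh per login; accept each once
    def register(self, auth):
        cred_id, key = auth.make_credential(self.rp_id)
        self.users[cred_id] = key
    def verify(self, assertion, challenge):
        """Server checks: known credential, type, challenge, origin, rpIdHash, UP flag, signature."""
        if assertion is None or assertion["id"] not in self.users:
            return False
        cd, ad = json.loads(assertion["clientDataJSON"]), assertion["authenticatorData"]
        if (cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex()
                or cd.get("origin") != self.origin
                or ad[:32] != hashlib.sha256(self.rp_id.encode()).digest() or not ad[32] & 1):
            return False
        msg = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
        expected = hmac.new(self.users[assertion["id"]], msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])
```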
| Feature | SMS/Email | Auth Apps | Push | Hardware Keys | Passkeys |
|---|---|---|---|---|---|
| Phishing protection | None | None (real-time relay) | Partial | Strong | Strong |
| Works offline | No | Yes | No | Yes | Yes |
| Ease of setup | Very easy | Easy | Easy | Moderate | Easy |
| Daily use ease | Easy | Easy | Very easy | Easy (plug+tap) | Very easy (biometric) |
| Recovery if lost | Easy | Hard without backup | Moderate | Need backup key | Depends on sync |
| Cost | Free | Free | Free | One-time purchase | Free |
| Website support | Universal | Very wide | Limited | Growing | Growing fast |
Notice how passkeys hit a sweet spot: strong security with very easy daily use. That’s why the whole industry is pushing toward them.
Critical accounts (email, password manager, banking): hardware keys or passkeys. Ideally both - passkey for daily use, hardware key as backup.
Important accounts (social media, cloud storage, work): passkeys if supported, otherwise TOTP with an authenticator app. Always save backup codes.
Everything else (forums, newsletters): authenticator app if available, SMS only if there’s nothing else. Any second factor beats just a password.
General rules: Use passkeys first whenever available. Always set up a backup method. Move away from SMS starting with your most important accounts.
Here’s your action plan:
If you’re still relying on SMS codes, now’s the time to move on.
Start with your most important accounts, upgrade one at a time, and you’ll have a setup that’s genuinely hard to break into. Your future self will thank you.