What Two-Factor Authentication Is
- **Something you know** — password, PIN
- **Something you have** — phone, hardware key
- **Something you are** — fingerprint, face
Two-factor authentication requires two of these categories. Your password is factor one (something you know). Your phone or hardware key is factor two (something you have).
The security gain: even if an attacker steals your password (via phishing, a data breach, or brute force), they can't log in without also controlling your second factor. How hard that is depends entirely on which second factor you chose, which is what the rest of this page is about.
SMS / Text Message 2FA
The most common and most criticised method. After entering your password, the service sends a 6-digit code to your phone number. You enter it to complete login.
**Weaknesses:**
**SIM swapping** — an attacker calls your mobile carrier, impersonates you, and convinces them to move your phone number to a SIM card the attacker controls. From that moment calls and texts to your number, including login codes, arrive on the attacker's device, with no physical access to your phone required. This has been used to drain cryptocurrency wallets and take over the social media accounts of high-profile targets.
**SS7 vulnerabilities** — the signalling protocol underlying the global telephone network has known security flaws that allow interception of SMS messages. Sophisticated attackers (nation-states, serious criminals) can exploit this.
**Phishing** — a phishing site can relay your SMS code to the real site in real time. You enter the code on the fake site, the attacker uses it immediately on the real one.
SMS 2FA is significantly better than nothing. But for accounts that matter — email, financial accounts, anything with sensitive data — use a stronger method.
TOTP: How Authenticator Apps Work
TOTP (Time-based One-Time Password, defined in RFC 6238) is used by apps like Google Authenticator, Authy, and 1Password. Here's the technical mechanism:
1. **Shared secret:** When you set up 2FA, the service generates a random secret key (RFC 4226 requires at least 128 bits and recommends 160; in practice 10–32 bytes). The QR code you scan encodes an `otpauth://` URI that carries this secret as a base32 string. From then on both the server and your authenticator app hold the same secret.
2. **Time counter:** TOTP turns the current Unix time into a counter: the timestamp integer-divided by the step size, 30 seconds by default, so the counter advances once every 30 seconds.
3. **HMAC computation:** Your authenticator app computes HMAC-SHA1 over the counter (encoded as 8 big-endian bytes), keyed with the secret, then applies RFC 4226's dynamic truncation: the low four bits of the last HMAC byte choose an offset, the four bytes at that offset are read as an integer with the top bit cleared, and that integer modulo 10^6 is the zero-padded 6-digit code.
4. **Verification:** When you enter the code, the server performs the same computation from its own clock and compares. Because the two clocks will not agree exactly, the server typically also accepts the previous and next time steps. It should also remember the last counter it accepted and refuse anything at or below it, so a captured code cannot be submitted a second time inside the window.
The code therefore changes every 30 seconds. An attacker who intercepts one has only that step (plus whatever drift tolerance the server allows) to use it, and only if you have not used it first.
**Advantages over SMS:** No phone number required. Works offline. Not vulnerable to SIM swapping or SS7 attacks.
**Weakness:** Not phishing-resistant. A code is valid on any site you type it into, so a fake site that relays it to the real one within the validity window still gets in; checking the URL before typing a code is the only defence, and it rests on you, not on the protocol. The secret is also symmetric: the server holds the same key your app does, so a breach of the server's secret store lets an attacker generate your codes.
Hardware Security Keys (WebAuthn/FIDO2)
Hardware keys (YubiKey, Google Titan Key) use asymmetric cryptography. During registration, the key generates a key pair unique to that site (the WebAuthn relying party ID) and keeps the private key on the hardware; the site stores only the public key. During login, the server sends a random challenge; the browser packages it with the origin of the page you are actually on; the key signs that bundle with the private key; the server verifies the signature with the public key and checks that the signed origin is its own.
**Advantages:** Phishing-resistant by construction rather than by user vigilance. The private key never leaves the hardware, so a breach of the site leaks only public keys. Each credential is scoped to the origin (domain), and the browser, not the page, writes that origin into what gets signed, so a look-alike site cannot obtain a signature the real site will accept. There is no code to type, so there is nothing for a real-time phishing proxy to relay. And the key cannot be copied: using it requires physical possession.
**Weaknesses:** Costs money (£20–£70). Can be lost or stolen, so register at least two keys (or keep recovery codes somewhere safe) before relying on one. Some sites don't support it. And it protects the login, not what comes after: a session cookie stolen from your browser after you have signed in still works.
Ranking 2FA Methods
From weakest to strongest:
1. No 2FA
2. Security questions (not really 2FA: answers are guessable or findable)
3. SMS codes (vulnerable to SIM swap and SS7)
4. Email OTP (only as secure as your email account)
5. TOTP authenticator apps (good, widely supported)
6. Hardware security keys (best available, phishing-resistant)
For most people, TOTP apps are the practical best choice. Use hardware keys for extremely sensitive accounts (email, cryptocurrency, work admin panels) if the cost is acceptable.
NoxaKit's TOTP 2FA Code Generator demonstrates the TOTP algorithm — generate valid 6-digit codes from a base32 secret entirely in the browser.