TGM-102 Active

Beyond the Password: A Practical Guide to 2FA and Passkeys

Issued: April 15, 2026
Effective: April 15, 2026
Category: Security
Author: Rebecca Murphy

Executive Summary

A password alone is no longer enough to protect your online accounts. Two-factor authentication (2FA) adds a critical second layer of defense, and a newer technology called passkeys may eliminate the need for passwords entirely. This memo explains what these tools are, why they matter, and which ones to use — all in plain language.

The stakes are real. The vast majority of cloud account breaches trace back to compromised passwords (Bonneau et al., 2012). State-linked attackers have targeted journalists and activists by bypassing weak authentication (Scott-Railton & Kleemola, 2015). Yet the solutions are accessible: enabling 2FA blocks the overwhelming majority of automated attacks, and hardware security keys have reduced successful phishing at major organizations to zero (Krebs, 2018). The federal government now classifies SMS-based authentication as "restricted" and recommends phishing-resistant alternatives (Temoshok et al., 2025). This memo walks you through what these technologies are, how they compare, and what steps to take today.

Three ways to prove you're you

Every time you log in to an account, you're proving your identity. Security experts have long recognized three fundamental ways to do this — three "authentication factors." Think of them as three different types of evidence you can present at the door.

Something you KNOW is the most familiar factor. Passwords, PINs, and security questions all fall into this category. When you type your password, you're proving you know a secret that (hopefully) only you know. The problem is that knowledge can be stolen. Attackers phish passwords through fake login pages, guess weak ones through brute force, and exploit the fact that people reuse passwords across sites — a practice called credential stuffing. A landmark study evaluating two decades of authentication proposals found that despite their well-known weaknesses, passwords have persisted because no alternative could match their combination of convenience and universal compatibility (Bonneau et al., 2012). That calculus is finally changing.

Something you HAVE means proving you possess a physical object — a phone, a hardware security key, a smart card. Think of it like a house key: even if someone knows your address, they can't get inside without the key in hand. When a website sends a code to your phone or asks you to tap a security key, it's checking that you have a specific device. This factor is powerful because an attacker halfway around the world can steal your password, but they can't reach into your pocket and grab your phone.

Something you ARE refers to biometrics — your fingerprint, your face, your iris. These are unique physical characteristics that are extremely difficult to forge. When you unlock your phone with your fingerprint or face, you're using this factor. A critical point that trips up many people: in modern systems like passkeys, your biometric data never leaves your device (Lassak et al., 2021). Your fingerprint doesn't get sent to a website. Instead, the biometric scan unlocks a cryptographic key stored locally on your device, and that key does the authenticating. Your fingerprint is the gatekeeper, not the credential.

What two-factor authentication actually does

Two-factor authentication — often written as 2FA or, when more than two factors are involved, multi-factor authentication (MFA) — requires you to present evidence from two different categories when logging in. Typically, that means combining something you know (your password) with something you have (your phone or security key) or something you are (your fingerprint).

The analogy is straightforward. Imagine your online account is a safe deposit box at a bank. A password alone is like needing only a signature to open it — someone who forges your signature is in. Two-factor authentication is like requiring both a signature and a physical key. An attacker who steals your password still can't get in without your second factor, and a pickpocket who swipes your phone can't get in without your password. Both layers must be defeated simultaneously.

This matters because passwords fail constantly. They get phished, leaked in data breaches, guessed, and reused. The Electronic Frontier Foundation's security guide puts it plainly: even a strong, unique password can be compromised if the service storing it suffers a breach (Electronic Frontier Foundation, 2024). Two-factor authentication ensures that a compromised password alone isn't enough. The Cybersecurity and Infrastructure Security Agency (CISA) states that users who enable MFA are significantly less likely to have their accounts compromised (CISA, 2022). Microsoft's internal data has shown MFA blocks over 99% of automated account attacks.

Not all second factors are created equal

Once you decide to enable 2FA — and you should — the next question is which kind. There are four main methods, and they differ dramatically in how much protection they actually provide. Think of them as a spectrum from good to gold standard.

SMS codes are the most common form of 2FA. You log in with your password, and the service texts a six-digit code to your phone number. You type it in and you're through. This is better than a password alone — significantly better. But SMS has well-documented weaknesses that make it the least secure form of 2FA. The most dangerous vulnerability is SIM swapping: an attacker calls your mobile carrier, impersonates you, and convinces them to transfer your phone number to a SIM card the attacker controls. A Princeton University study tested all five major U.S. prepaid carriers and found that every carrier used authentication procedures that could be easily subverted — sometimes requiring only knowledge of recently dialed numbers (Lee et al., 2020). The researchers further identified 17 websites where a successful SIM swap alone would be sufficient to take over an account, without needing the password. FBI data shows SIM swapping complaints surged over 400% between 2018 and 2021, with victims losing over $68 million in a single year. Beyond SIM swapping, the SS7 signaling protocol that carries text messages between carriers has known interception vulnerabilities that sophisticated attackers — including state-sponsored groups — can exploit (CISA, 2022). The federal government's digital identity guidelines now formally classify SMS-based authentication as a "restricted authenticator" — the only method singled out for that designation — and require any organization still using it to offer alternatives and maintain a migration plan toward stronger methods (Temoshok et al., 2025).

Authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator represent a significant step up. These apps use a protocol called TOTP (Time-based One-Time Password): during setup, the app and the website agree on a shared secret, and then every 30 seconds, both independently calculate the same six-digit code using that secret and the current time. You open the app, read the code, and type it in. The crucial difference from SMS is that nothing is transmitted over a phone network. The code is generated entirely on your device, which means SIM swapping and SS7 attacks are irrelevant (Shelton, 2026). The Freedom of the Press Foundation recommends authenticator apps as more secure than SMS because codes "can't be intercepted on the phone network" (Shelton, 2026). A USENIX usability study found that TOTP apps scored well on usability and users generally gave them high marks (Reese et al., 2019). The remaining weakness: authenticator apps are still vulnerable to real-time phishing. If an attacker creates a convincing fake login page, a user might type in both their password and their TOTP code, and the attacker can relay both to the real site immediately.

Push notifications — used by services like Duo and Microsoft Authenticator's push mode — send a prompt to your phone when you log in. You see the request and tap "Approve" or "Deny." No code to type, which is convenient. But this convenience introduced a new attack vector: MFA fatigue, also called push bombing. An attacker who already has your password repeatedly triggers login attempts, flooding your phone with dozens of push notifications, hoping you'll eventually tap "Approve" out of frustration or confusion. This is not hypothetical. In September 2022, attackers from the Lapsus$ group breached Uber by bombarding a contractor with push notifications while simultaneously contacting them via WhatsApp pretending to be IT support — the contractor eventually approved a prompt (CISA, 2022). Mitigations now exist: number matching (where you must enter a specific number displayed on screen) has proven effective at eliminating MFA fatigue when enabled.

Hardware security keys — physical devices like YubiKey or Google Titan Key — sit at the top of the security hierarchy. These small USB or NFC devices use the FIDO2 standard and public-key cryptography. When you register a key with a website, the key generates a unique cryptographic key pair: the public key goes to the website, and the private key stays locked inside the hardware, never extractable. To log in, you insert or tap the key and touch a button. The website sends a challenge, the key signs it, and the website verifies the signature. What makes hardware keys phishing-resistant is origin binding: each credential is cryptographically locked to the specific website domain it was created for. If you visit a fake login page at the wrong domain, the key simply will not respond — there is nothing for you to accidentally hand over (FIDO Alliance, n.d.). When Google required all 85,000+ employees to use hardware security keys in early 2017, the company reported zero successful account takeovers from phishing afterward (Krebs, 2018). A formal mathematical proof has confirmed the security properties of the FIDO2/WebAuthn protocol (Barbosa et al., 2021). CISA calls FIDO/WebAuthn authentication "the gold standard" for MFA (CISA, 2022).

The comparative data is stark. A 2019 study by Google in collaboration with researchers at New York University and UC San Diego measured how well each method blocks three types of attacks:

Attack type         SMS codes       On-device prompts   Security keys
Automated bots      100% blocked    100% blocked        100% blocked
Bulk phishing        96% blocked     99% blocked        100% blocked
Targeted attacks     76% blocked     90% blocked        100% blocked

Against targeted, sophisticated attacks — the kind directed at specific individuals — SMS codes let nearly one in four attacks through. Security keys blocked every single one.

Passkeys: the next chapter in login security

Passkeys are the most significant shift in authentication technology in decades. Backed by the FIDO Alliance, Apple, Google, and Microsoft, and formalized through the W3C's Web Authentication (WebAuthn) standard (Jones & Jones, 2026), passkeys are designed to replace passwords entirely — not just supplement them. Over a billion people have already activated at least one passkey, and 48% of the top 100 websites now support them (FIDO Alliance, n.d.).

At their core, passkeys use the same public-key cryptography as hardware security keys but make it seamless and accessible to everyone. Here's how to think about it.

The lock-and-padlock analogy. Imagine you're setting up a mailbox. You buy a padlock, keep the key, and give the locked padlock to the post office. The post office can now lock messages for you by snapping the padlock shut, but only you can open them with your key. In passkey terms, the padlock is your public key (shared with the website), and the key in your pocket is your private key (which never leaves your device). When you log in, the website sends a "challenge" — think of it as a sealed envelope that only your key can open. Your device uses the private key to sign the challenge, and the website verifies it with the public key. At no point does your private key travel across the internet. There is no password to steal, no code to intercept, and no shared secret stored on the website's server that could be leaked in a breach (Hoffman-Andrews, 2023).

Registration works like this: you visit a website, choose to create a passkey, and verify yourself with your device's built-in security — a fingerprint scan, a face scan, or a PIN. Your device generates a unique key pair for that specific website and sends only the public key to the server. The private key is stored in secure hardware on your device (FIDO Alliance, n.d.).

Login is even simpler: you visit the website, your device recognizes that a passkey exists for that site, you approve with a fingerprint or face scan, and you're in. No typing. No codes. No waiting for a text message. Google reports that passkey sign-ins are four times more successful and 40% faster than password-based logins.

Why passkeys can't be phished. This is the key insight. A passkey is cryptographically bound to the exact website domain where it was created. The browser and operating system enforce this binding automatically. If you visit a fake banking site at a slightly misspelled domain, your passkey for the real bank simply will not appear and cannot be triggered — the domain doesn't match. Unlike a password, which you can type into any text field on any website, a passkey has a built-in sense of direction. It knows where it belongs. As the EFF explains, passkeys are "quite well designed from a privacy point of view" and represent "a tremendous increase in security" for most people (Hoffman-Andrews, 2023).
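The challenge-and-signature exchange described for hardware security keys earlier and for passkeys here is the same WebAuthn protocol, so one added example serves both passages. It is a simplified Go model written for this memo, not code from the FIDO Alliance, the W3C, any browser or any vendor: the names Authenticator, browserGet and RelyingParty are its own, origins are reduced to the form "https://host", and the browser's real rule for which relying-party ID a page may use (a registrable suffix of the origin's host, public-suffix aware) is reduced to a plain domain-suffix check. What it shows is where the phishing resistance comes from. The device files each private key under the domain it was created for; the browser, not the page, decides which domain a page may ask for and writes the true origin into the signed client data; and the website checks the challenge, the origin and the domain hash before it checks the signature. A look-alike domain therefore gets no credential at all, and a signature produced for the wrong origin would not verify even if one existed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
)

// Authenticator models the device (security key or phone): each private key is filed under the rpID it was made for.
type Authenticator map[string]*ecdsa.PrivateKey

// Register generates a P-256 key pair for rpID and hands back only the public key.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// clientData is assembled by the browser; page script cannot choose Origin.
type clientData struct{ Type, Challenge, Origin string }

// Assertion is what the browser hands back to the site after the user approves.
type Assertion struct {
	RPIDHash       []byte // stands in for the rpIdHash field of authenticatorData
	ClientDataJSON []byte
	Signature      []byte // ES256 over RPIDHash || SHA-256(ClientDataJSON)
}

// signedDigest is the value ES256 signs: SHA-256(rpIdHash || SHA-256(clientDataJSON)).
func signedDigest(rpIDHash, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(append([]byte{}, rpIDHash...), cdHash[:]...))
	return d[:]
}

// browserGet models navigator.credentials.get(): refuse an rpID that is neither the page's host nor a parent domain, then look up a credential for it.
func browserGet(auth Authenticator, pageOrigin, rpID, challenge string) (*Assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, fmt.Errorf("rpID %q is not valid for origin %s", rpID, pageOrigin)
	}
	priv, ok := auth[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, pageOrigin}) // plain strings: cannot fail
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: rpHash[:], ClientDataJSON: cd, Signature: sig}, nil
}

// RelyingParty is the website; it stores only the public key.
type RelyingParty struct {
	RPID, Origin string
	PubKey       *ecdsa.PublicKey
}

// Verify runs the server-side checks in spec order: challenge, origin, rpIdHash, signature.
func (rp *RelyingParty) Verify(as *Assertion, expectedChallenge string) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("challenge mismatch or wrong ceremony type")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin %s does not match %s", cd.Origin, rp.Origin)
	}
	rpHash := sha256.Sum256([]byte(rp.RPID))
	if !bytes.Equal(as.RPIDHash, rpHash[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedDigest(rpHash[:], as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

func main() {
	auth := Authenticator{}
	pub, _ := auth.Register("bank.example")
	bank := &RelyingParty{RPID: "bank.example", Origin: "https://bank.example", PubKey: pub}
	as, _ := browserGet(auth, "https://bank.example", "bank.example", "n1") // "n1": fresh nonce from the site
	fmt.Println("real site:", bank.Verify(as, "n1"))
	_, err := browserGet(auth, "https://bank.example.evil-login.test", "bank.example", "n2")
	fmt.Println("look-alike site:", err)
}
```

With `go run` the real site prints `<nil>` (verified) and the look-alike prints the browser's refusal, since "bank.example.evil-login.test" is not under "bank.example". The one thing a real server must add to this model is a fresh, random, single-use challenge per login, stored server-side and looked up by session; the expectedChallenge parameter stands in for that lookup.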

Synced vs. device-bound passkeys. There are two flavors. Synced passkeys store your private key in a password manager — Apple Passwords, Google Password Manager, 1Password, Dashlane — and sync it across your devices using end-to-end encryption. If you create a passkey on your iPhone, it's available on your iPad and Mac too. This solves the biggest usability concern researchers identified with hardware-based authentication: the fear of being locked out if you lose a device (Lyastani et al., 2020). Device-bound passkeys store the private key on a single physical device — typically a hardware security key — and it can never be copied or exported. These provide the highest assurance and can meet the most stringent federal requirements (NIST AAL3), but losing the device means losing the passkey (Temoshok et al., 2025). For most people, synced passkeys offer the best balance of security and convenience. For those facing sophisticated threats, device-bound passkeys on hardware keys remain the gold standard.

What to do: practical guidance for real life

Security is not one-size-fits-all. The right approach depends on what you're protecting and who might be trying to compromise it. Here is a decision framework, from baseline protection to maximum security.

For everyone — the baseline. Turn on 2FA on every account that offers it, starting with your email, banking, and social media accounts. Your email account is especially critical because it's the master key: password resets for almost every other service flow through it. Prefer passkeys where available — they are now supported by Google, Apple, Microsoft, Amazon, and a rapidly growing list of services. Where passkeys aren't available, use an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator) rather than SMS. Use a password manager for any remaining password-based accounts. Keep your backup codes: most services generate a set of single-use recovery codes when you set up 2FA. Print these and store them somewhere physically secure — not on the device you're protecting.

For people at elevated risk — journalists, activists, lawyers, executives, political figures, anyone who might be individually targeted — the Freedom of the Press Foundation and CISA recommend going further (Shelton, 2026; CISA, 2022):

  • Use hardware security keys (such as YubiKey 5 series or Google Titan) as your primary authentication method
  • Register at least two keys — carry one and store the backup in a separate, secure location
  • Enroll in advanced protection programs (such as Google's Advanced Protection Program), which require a security key and disable less secure fallback methods
  • Avoid SMS-based authentication entirely
  • Prefer device-bound passkeys over synced passkeys for your most sensitive accounts

If you lose your device. For synced passkeys, this is usually not an emergency — your passkeys are available on your other devices linked to the same Apple, Google, or Microsoft account. If you lose all devices, cloud recovery mechanisms exist (such as Apple's iCloud Keychain escrow or Google's account recovery). For hardware security keys, this is why having a registered backup key matters. Without one, you'll need to go through account recovery, which may involve identity verification and waiting periods. For authenticator apps, backup codes are your safety net. This is the single most important practical habit: always set up a recovery method before you need it.

A note on biometrics and privacy. A common worry — identified in research where nearly 70% of users mistakenly believed their fingerprint was sent to websites — is that biometric data could be stolen in a breach (Lassak et al., 2021). It cannot. When you use a fingerprint or face scan with a passkey, your biometric data stays entirely on your device. It is used only to unlock the local cryptographic key. The website never sees, receives, or stores your biometric information. This is true for Apple's Face ID and Touch ID, Android's biometric system, and Windows Hello.

Conclusion

The authentication landscape is shifting beneath our feet. Passwords, for all their familiarity, are a technology whose fundamental weaknesses have been understood for decades (Bonneau et al., 2012). SMS-based 2FA, while better than nothing, is a restricted and actively discouraged method due to SIM-swapping and network interception vulnerabilities that have been empirically demonstrated (Lee et al., 2020; Temoshok et al., 2025). Authenticator apps occupy a solid middle ground but remain susceptible to sophisticated real-time phishing.

Passkeys and hardware security keys represent a genuine step change. They are the first widely deployable authentication technologies whose phishing resistance has been both formally proven in cryptographic analysis (Barbosa et al., 2021) and validated at scale in practice — Google's experience of zero account takeovers across 85,000+ employees stands as the most compelling real-world evidence (Krebs, 2018). With over a billion passkeys already activated and major platforms making them the default, the transition is underway.

The single most impactful action you can take today is to enable passkeys or strong 2FA on your email account. Everything else flows from there. Security is not about perfection — it is about raising the cost of an attack high enough that attackers move on. Every step up this ladder, from SMS to authenticator app to passkey to hardware key, makes your accounts dramatically harder to compromise. Start where you are, and move up when you can.

References

Barbosa, M., Boldyreva, A., Chen, S., & Warinschi, B. (2021). Provable security analysis of FIDO2. In T. Malkin & C. Peikert (Eds.), Advances in Cryptology – CRYPTO 2021 (pp. 125–156). Springer. https://doi.org/10.1007/978-3-030-84252-9_5

Bonneau, J., Herley, C., van Oorschot, P. C., & Stajano, F. (2012). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In 2012 IEEE Symposium on Security and Privacy (pp. 553–567). IEEE. https://doi.org/10.1109/SP.2012.44

Cybersecurity and Infrastructure Security Agency. (2022, October 31). Implementing phishing-resistant MFA [Fact sheet]. U.S. Department of Homeland Security. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

Electronic Frontier Foundation. (2024). How to: Enable two-factor authentication. Surveillance Self-Defense. https://ssd.eff.org/module/how-enable-two-factor-authentication

FIDO Alliance. (n.d.). How passkeys work. Passkey Central. https://www.passkeycentral.org/introduction-to-passkeys/how-passkeys-work

Hoffman-Andrews, J. (2023, October 26). What the !#@% is a passkey? Electronic Frontier Foundation. https://www.eff.org/deeplinks/2023/10/what-passkey

Jones, M. B., & Jones, J. C. (Eds.). (2026, January 13). Web Authentication: An API for accessing Public Key Credentials — Level 3 (W3C Candidate Recommendation Snapshot). World Wide Web Consortium. https://www.w3.org/TR/webauthn-3/

Krebs, B. (2018, July 23). Google: Security keys neutralized employee phishing. Krebs on Security. https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

Lassak, L., Hildebrandt, A., Golla, M., & Ur, B. (2021). "It's stored, hopefully, on an encrypted server": Mitigating users' misconceptions about FIDO2 biometric WebAuthn. In Proceedings of the 30th USENIX Security Symposium (pp. 91–108). USENIX Association. https://www.usenix.org/conference/usenixsecurity21/presentation/lassak

Lee, K., Kaiser, B., Mayer, J., & Narayanan, A. (2020). An empirical study of wireless carrier authentication for SIM swaps. In Proceedings of the Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020) (pp. 61–79). USENIX Association. https://www.usenix.org/conference/soups2020/presentation/lee

Lyastani, S. G., Schilling, M., Neumayr, M., Backes, M., & Bugiel, S. (2020). Is FIDO2 the kingslayer of user authentication? A comparative usability study of FIDO2 passwordless authentication. In 2020 IEEE Symposium on Security and Privacy (SP) (pp. 268–285). IEEE. https://doi.org/10.1109/SP40000.2020.00047

Reese, K., Smith, T., Dutson, J., Armknecht, J., Cameron, J., & Seamons, K. (2019). A usability study of five two-factor authentication methods. In Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019) (pp. 357–370). USENIX Association. https://www.usenix.org/conference/soups2019/presentation/reese

Scott-Railton, J., & Kleemola, K. (2015). London Calling: Two-factor authentication phishing from Iran (Research Report No. 61). The Citizen Lab, Munk School of Global Affairs & Public Policy, University of Toronto. https://citizenlab.ca/2015/08/iran_two_factor_phishing/

Shelton, M. (2026, February 13). Two-factor authentication for beginners. Freedom of the Press Foundation. https://freedom.press/digisec/blog/2fa-beginners/

Temoshok, D., Fenton, J., Choong, Y.-Y., Lefkovitz, N., Regenscheid, A., Galluzzo, R., & Richer, J. (2025). Digital identity guidelines: Authentication and authenticator management (NIST Special Publication 800-63B-4). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-63b-4