“Two-factor authentication” describes a category, not one level of protection. A security key can verify the real site; an authenticator code can still be typed into a fake one; SMS depends partly on the phone account.
Security keys and passkey-style authentication are strongest; authenticator apps are a practical fallback; SMS is better than password-only. Pick the strongest method the service supports and you can maintain. For a critical account, convenience should include a tested backup—not just the fastest prompt.
List current factors beside each critical account and mark which depend on the same phone number or device. That reveals backups that would fail together.
Not every second factor stops phishing
Prefer phishing-resistant methods where the account supports them. Choose security keys or platform-bound phishing-resistant authentication for the highest-value accounts when supported. They verify the legitimate service, not just a code.
Match strength to account value
Use an authenticator app when a security key is impractical
Authenticator apps avoid carrier dependence but codes can still be entered into a fake site. Read the domain before typing.
Keep SMS as a fallback only when the risk and recovery tradeoff make sense
SMS is better than password-only when stronger choices are unavailable, but number ports and SIM swaps add carrier-account risk.
Register two independent recovery methods
Push approval is convenient; never approve a prompt you did not start. Repeated prompts can be an attacker hoping fatigue wins.
Review methods after changing phones or numbers
Register an independent backup method and review the list after changing phones or numbers. Remove factors tied to devices you no longer control.
Risk is not identical across accounts. A streaming service can tolerate a convenient fallback; primary email and the password manager deserve the most phishing-resistant method and the most carefully stored recovery material.
Build a backup for the chosen method
- Any second factor is not equally resistant to phishing.
- Push notifications should not be approved automatically.
- Do not remove a working factor before its replacement succeeds.
Review the setup after a new phone, phone-number change, lost key, or unexplained push notification rather than waiting for the next login failure.
Review factors after a phone change
Check current menu names, limits, and recovery language against “More than a Password” and “Digital Identity Guidelines: Authentication and Authenticator Management” before acting; platform behavior can change after publication, and each source should be used only for the claim it actually supports.
CISA identifies phishing-resistant MFA as the strongest option and encourages MFA even when only less-resistant methods are available.
NIST distinguishes authenticator types and sets requirements for managing authentication secrets.
Sources & methodology2 sources - evidence for this revision
The records below show what each source supports in this published revision.
- More than a PasswordCISAreference - Retrieved Jul 12, 2026
What it supportsCISA identifies phishing-resistant MFA as the strongest option and encourages MFA even when only less-resistant methods are available.
- Digital Identity Guidelines: Authentication and Authenticator ManagementNISTreference - Retrieved Jul 12, 2026
What it supportsNIST distinguishes authenticator types and sets requirements for managing authentication secrets.



