The hierarchy of 2FA in 2026
Not all second factors are equal. The defensive gap between SMS 2FA and a hardware security key is roughly the gap between a four-digit screen-lock PIN and full-disk encryption with a hardware-backed key. Both are "security," but they protect against entirely different threat models.
Here is the actual ranking, from least to most defensive:
The five tiers, ranked
- Tier 5 — SMS 2FA. Better than nothing, worse than almost any other option. Vulnerable to SIM-swap attacks, where the attacker convinces your carrier to move your number to a SIM they control and then receives your codes directly. Like any code you type into a web page, an SMS code is also phishable in real time: a look-alike login page relays it to the real site within its validity window. SIM-swap attacks against crypto holders cost a documented $7M+ in 2024 alone.
- Tier 4 — Email 2FA. Slightly better than SMS, because taking over an email account that has its own strong 2FA is harder than talking a carrier's call-center rep into a SIM change, but only slightly, and still phishable the same way. Every "second factor" that flows through email is only as strong as the email account's own protection; if the mailbox is breached, it is a single factor.
- Tier 3 — TOTP via authenticator app (Google Authenticator, Authy). The minimum acceptable tier for any crypto account. The shared secret is provisioned once (the QR code) and stays on your device, so the carrier is out of the loop and there is nothing to SIM-swap. The six-digit code itself is still typed into a web page, so it can be phished and relayed within its 30-second window exactly like an SMS code; what you gain is that the attacker now needs the device (or the cloud backup, if you enabled app sync) rather than your phone number.
- Tier 2 — Push-based 2FA (Duo, Microsoft Authenticator push). Better than TOTP because the prompt carries context ("Sign-in from Lagos at 3am — approve?") that a sleep-deprived user can still notice. Vulnerable to "MFA fatigue" attacks, where an attacker who already holds the password spams approval requests until the user taps yes. Number matching (the app makes you type the two-digit number shown on the login screen) closes that hole; plain approve/deny push without it belongs closer to tier 3. A real-time phishing relay still works against push, because the attacker's own login attempt is what triggers the prompt.
- Tier 1 — Hardware security key (YubiKey, Titan, SoloKey). The defensive ceiling. The key answers a fresh server challenge with a signature, so nothing in the exchange can be replayed, and the signed data includes the origin the browser is actually talking to, so a look-alike site gets either no response (the key holds no credential for that domain) or a signature the real site rejects. That origin binding is what makes FIDO2/WebAuthn phishing-resistant where every code-based tier is not. Passkeys use the same protocol and are functionally equivalent for most purposes, with one caveat: a passkey synced through a cloud account (Apple, Google, a password manager) is only as strong as that account's own protection, whereas a passkey stored on the hardware key is the key.
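To make the tier 3 point concrete, here is an added example (not code from the original article) of RFC 6238 TOTP in Go: the same HMAC-SHA1 computation the authenticator app performs, a server-side verifier with the usual one-step clock tolerance, and a function modelling a real-time phishing relay. The seed is the RFC's own test vector and the timings are constructed; nothing else is assumed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Shared secret provisioned once via QR code. This is the 20-byte ASCII seed
// from the RFC 6238 test vectors, used here so the outputs can be checked.
var seed = []byte("12345678901234567890")

const (
	step   = 30      // seconds per TOTP time step
	modulo = 1000000 // six-digit codes
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation,
// 31-bit integer reduced to six digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%modulo)
}

// totp is RFC 6238: the counter is the number of whole steps since the Unix epoch.
func totp(secret []byte, unixTime int64) string {
	return hotp(secret, uint64(unixTime/step))
}

// verify is what a typical server does: accept the code for the current step
// and one step either side to absorb clock skew. Note what it cannot check:
// which web page the user typed the code into.
func verify(secret []byte, unixTime int64, submitted string) bool {
	for skew := int64(-1); skew <= 1; skew++ {
		expected := hotp(secret, uint64(unixTime/step+skew))
		if subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1 {
			return true
		}
	}
	return false
}

// relayAttack models a look-alike login page: the victim types a valid code
// into it at victimTime and the attacker submits that code to the real site
// relayDelay seconds later. The only thing protecting the account is the clock.
func relayAttack(secret []byte, victimTime, relayDelay int64) bool {
	phished := totp(secret, victimTime)
	return verify(secret, victimTime+relayDelay, phished)
}

func main() {
	fmt.Println(totp(seed, 59))             // 287082, matching RFC 6238 (SHA-1, 6 digits)
	fmt.Println(relayAttack(seed, 59, 10))  // true: relayed inside the window
	fmt.Println(relayAttack(seed, 59, 120)) // false: the code expired before the attacker used it
}
```

The verifier's skew window is there for usability, and it widens the relay window to roughly 60 to 90 seconds in practice; shrinking it does not fix the underlying problem, because the server has no way to learn where the code was entered.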
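The tier 1 claim that a key cannot be phished rests on origin binding, and the mechanism is worth seeing rather than taking on faith. The following is an added example written for this page, not code from any of the products named above: a toy WebAuthn assertion flow in Go with one ECDSA P-256 key per relying party, the browser stamping the origin into clientDataJSON, and the relying party checking origin, challenge and signature. It models the RP ID as the origin's host (https assumed) and uses the constructed, hypothetical hostnames exchange.example and exchange-login.example; real authenticator data also carries flags and a counter, omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is the part of WebAuthn clientDataJSON that matters here; the browser fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct {
	AuthData   []byte // real authenticatorData also carries flags and a counter (omitted here)
	ClientJSON []byte
	Sig        []byte
}

// authenticator models a security key: one P-256 key pair per relying party ID.
type authenticator struct{ creds map[string]*ecdsa.PrivateKey }

func (a *authenticator) register(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.creds[rpID] = k
	return &k.PublicKey
}

// signedDigest is what the key signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)), so the origin is covered.
func signedDigest(authData, clientJSON []byte) []byte {
	cdh := sha256.Sum256(clientJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return d[:]
}

func (a *authenticator) sign(rpID string, clientJSON []byte) (*assertion, bool) {
	k, ok := a.creds[rpID]
	if !ok {
		return nil, false // no credential for this RP ID: nothing to sign with
	}
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedDigest(rpHash[:], clientJSON))
	if err != nil {
		panic(err)
	}
	return &assertion{AuthData: rpHash[:], ClientJSON: clientJSON, Sig: sig}, true
}

// browserGet models navigator.credentials.get(): RP ID derived from the real origin (host, https assumed), origin stamped into clientDataJSON.
func browserGet(auth *authenticator, origin, challenge string) (*assertion, bool) {
	cj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	return auth.sign(origin[len("https://"):], cj)
}

// rpVerify is the relying party's check: our challenge, our origin, valid signature.
func rpVerify(pub *ecdsa.PublicKey, origin, challenge string, as *assertion) bool {
	var cd clientData
	if err := json.Unmarshal(as.ClientJSON, &cd); err != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin || cd.Challenge != challenge {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(as.AuthData, as.ClientJSON), as.Sig)
}

// scenario: one legitimate login and three phishing variants on the hypothetical hosts below.
func scenario() (legitOK, phishHasCredential, wrongOriginOK, tamperedOK bool) {
	const realSite, fakeSite = "https://exchange.example", "https://exchange-login.example"
	auth := &authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	pub := auth.register("exchange.example")
	challenge := "Y29uc3RydWN0ZWQtY2hhbGxlbmdl" // constructed; a real RP sends fresh random bytes
	// Normal sign-in on the real site.
	as, _ := browserGet(auth, realSite, challenge)
	legitOK = rpVerify(pub, realSite, challenge, as)
	// Look-alike site relays the real challenge: the browser derives RP ID exchange-login.example, for which the key has no credential.
	_, phishHasCredential = browserGet(auth, fakeSite, challenge)
	// Even if the key signed for the real RP ID, the phishing origin is inside the signed bytes, so the RP rejects it...
	phishCJ, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: fakeSite})
	relayed, _ := auth.sign("exchange.example", phishCJ)
	wrongOriginOK = rpVerify(pub, realSite, challenge, relayed)
	// ...and rewriting the origin to the real one breaks the signature.
	relayed.ClientJSON, _ = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: realSite})
	tamperedOK = rpVerify(pub, realSite, challenge, relayed)
	return
}

func main() {
	fmt.Println(scenario()) // true false false false
}
```

Compare this with the TOTP verifier: the relying party here checks a field the attacker cannot forge without the private key, and the private key never leaves the authenticator. That is the whole difference between tier 3 and tier 1.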
The practical allocation
For US-based crypto holders in 2026, the working allocation is: tier 1 (YubiKey + passkey) on email and primary exchange; tier 2 or 3 on secondary exchanges; tier 3 or higher on everything else. SMS 2FA should be removed wherever possible — and where the service requires SMS as a fallback, treat the phone number itself as a sensitive credential.
The carrier-level lockdown
Call your mobile carrier — AT&T, T-Mobile, Verizon — and add a "port-out PIN" or "account passcode" to your account. This is a second factor on the number transfer itself. It does not eliminate the risk, but it raises the bar from "social engineer the call-center rep" to "social engineer the call-center rep plus extract the PIN from another source." One check worth making on that call: ask whether the same passcode also gates a SIM replacement on your existing account, not only a port to another carrier, because a SIM swap does not need a port. Worth the 15-minute phone call.
What changes after a hardware key
You will get used to carrying it. You will eventually buy a second one as a backup. Register both at the same time on every important account, since most services require an already-enrolled factor to add a new one, and keep the backup somewhere other than on the same keyring. Then the recovery flow looks like this: lose key #1, sign in with key #2, revoke key #1 on every account, buy a replacement, re-register it. The whole process is calmer than any other 2FA failure mode, because there is no support call, no carrier negotiation, no waiting for a code that does not arrive.