2FA — short for two-factor authentication — is the catch-all label most exchanges use to mean "something on top of the password." That phrasing hides the fact that 2FA has at least four distinct tiers, and the gap between the lowest and the highest is two orders of magnitude in real-world resistance.
The four tiers
Tier 1 · SMS one-time codes. The most widespread implementation: a six-digit code arrives by text. It is also the weakest. SIM-swap attacks — where an attacker convinces T-Mobile, Verizon, or AT&T to port your number to a new SIM — bypass this entirely. The FCC reported over 1,600 SIM-swap complaints in 2023 alone, with losses exceeding $68 million.
Tier 2 · TOTP authenticator apps. Google Authenticator, Authy, 1Password built-in OTP, or Microsoft Authenticator. A 30-second rotating six-digit code, with the seed stored on your device. Beats SMS because there is no carrier in the middle, but a phishing site can still relay the code in real time — and that exact attack hit hundreds of Coinbase users in 2022 and 2023.
Tier 3 · Hardware security keys. YubiKey, Solo Key, Token2. Based on FIDO2 / WebAuthn, the browser only releases authentication to the legitimate domain — phishing relays fail at the protocol level. Coinbase, Kraken, Gemini, and Binance.US all support this tier.
Tier 4 · Passkey. Same protocol family as hardware keys but stored on the device itself (iPhone Secure Enclave, Android TEE, macOS Keychain), synced across your devices via iCloud Keychain or Google Password Manager. The biggest UX improvement in account security in a decade.
What blocks what
Only tiers three and four block phishing-site relay. Only tiers two through four block SIM swap. SMS 2FA is technically "two factors" but practically a single point of failure tied to your carrier's customer-service desk.
How to choose
Under a five-figure stack: TOTP plus printed backup codes in a drawer. Five figures and up: hardware key or Passkey. A YubiKey 5C NFC retails for about $55 on the official Yubico US store; buy two — one primary, one in a fire safe. Passkey is free if you already use an iPhone or a current Android device.
Whatever the dollar size: drop SMS 2FA today on any exchange account. Further reading: The 2FA truth, SIM Swap, YubiKey.