Every year billions of credentials are leaked in data breaches. Attackers buy stolen username-password pairs on dark web marketplaces and try them across hundreds of services in automated credential-stuffing attacks. If you reuse a password even once, a single breach can compromise every account that shares it.
Even strong and unique passwords are not immune. Phishing pages trick users into typing their credentials on fake login forms. Keyloggers silently record every keystroke. Man-in-the-middle attacks intercept traffic on unsecured networks. A password, no matter how complex, is a single line of defense that can be defeated in many ways.
Two-factor authentication (2FA) adds a second layer. After entering your password, you must prove your identity through a separate channel: a code sent to your phone, a time-based code from an app or a cryptographic challenge tied to your device. Even if an attacker steals your password, they cannot get in without that second factor.
Today there are three dominant 2FA methods: SMS codes, TOTP authenticator apps and passkeys. Each offers a different balance of security, convenience and recovery options. Understanding their tradeoffs is essential for choosing the right protection for your accounts.
SMS-based 2FA is the oldest and most widely deployed method. When you log in, the service sends a 6-digit code to your phone number via text message. You type the code into the login form and you are in. Nearly every online service supports it because virtually everyone has a phone number.
How it works: The server generates a random code, associates it with your login session and sends it to your registered phone number through the cellular network. The code typically expires after 5 to 10 minutes. You enter it on the website and the server verifies the match.
The convenience is undeniable. There is no app to install, no setup beyond providing your phone number and the process is instantly familiar to anyone who has ever received a text message.
Despite these vulnerabilities, SMS 2FA is still far better than no second factor at all. It blocks the vast majority of automated credential-stuffing attacks. If a service only offers SMS as a 2FA option, you should absolutely enable it. But if stronger alternatives are available, you should prefer them.
Time-based One-Time Passwords (TOTP) are the most popular upgrade from SMS. Instead of receiving a code via text message, you generate it locally on your device using an authenticator app. The code changes every 30 seconds and works even without an internet connection or cellular signal.
How TOTP works: During setup, the service provides a shared secret (usually displayed as a QR code). Your authenticator app stores this secret. Every 30 seconds, the app combines the secret with the current time step (the Unix timestamp divided by 30), runs the result through HMAC-SHA1 and truncates the output to produce a 6-digit code. The server performs the same calculation independently. If the codes match, you are authenticated.
Because the code is generated locally using a time-based algorithm, there is nothing to intercept over the network. No SMS is sent. No carrier is involved. The shared secret never leaves your device after the initial setup.
Popular TOTP apps include Google Authenticator, Microsoft Authenticator and Authy. Each stores your secrets and generates codes on demand. Some offer cloud backup of your secrets (which introduces its own tradeoffs between convenience and security).
Advantages of TOTP over SMS:
Limitations: If you lose your device without a backup of your TOTP secrets, recovering access can be painful. Some services provide backup codes during setup, but users often forget to save them. Additionally, the shared secret must be stored securely. If an attacker gains access to your authenticator app or its backup, they can generate valid codes.
Passkeys represent the newest and most secure form of authentication. Built on the WebAuthn standard (part of FIDO2), passkeys use public-key cryptography instead of shared secrets. There is no code to type, no secret to steal and the entire process is bound to the specific domain you are logging into.
How passkeys work: When you register a passkey with a service, your device generates a public-private key pair. The public key is sent to the server. The private key stays on your device, protected by your biometric (Face ID, fingerprint) or device PIN. When you log in, the server sends a cryptographic challenge. Your device signs the challenge with the private key after verifying your biometric. The server verifies the signature with the stored public key. At no point does any secret cross the network.
The security implications are profound:
A passkey registered for bank.com will never answer a challenge from bank-login.com. Phishing sites simply cannot trigger the passkey.

Device-bound vs synced passkeys: Passkeys come in two flavors. Device-bound passkeys stay on a single device and cannot be transferred. Synced passkeys (supported by Apple, Google and Microsoft) are backed up to your cloud account and available across your devices. Synced passkeys are more convenient but introduce a dependency on your cloud account security.
The following table summarizes how the three methods compare across key dimensions:
| Method | Security Level | Convenience | Phishing Resistance | Offline | Recovery |
|---|---|---|---|---|---|
| SMS Codes | Basic | Very easy — no app needed | Low — codes can be intercepted or phished in real time | No — requires cellular signal | Easy — tied to phone number |
| TOTP | Strong | Easy — open app, read code | Medium — codes can be phished, but domain-aware password managers reduce risk | Yes — generated locally | Moderate — backup codes or secret export required |
| Passkeys | Excellent | Seamless — biometric tap, no codes | High — cryptographically bound to domain | Yes — local crypto operation | Complex — depends on device or cloud sync |
The answer depends on what each service supports and your personal threat model. Here is a practical decision framework:
For high-value accounts (email, banking, cloud storage), consider using the strongest method available and storing backup codes in your password manager vault. Your email account deserves special attention because it is the recovery mechanism for nearly every other account you own.
UnveilPass is designed to work with every 2FA method so you can choose the right level of protection for each account and for your vault itself.
Built-in TOTP authenticator: Every vault entry can store a TOTP secret. When you add one, UnveilPass generates the 6-digit codes automatically right next to your username and password. No need to switch between apps. When the browser extension autofills your credentials, your TOTP code is one click away. This is the simplest way to manage dozens of TOTP-protected accounts without juggling a separate authenticator app.
Passkey and Face ID login: On mobile devices, you can register a passkey to unlock your vault with Face ID or a fingerprint instead of typing your master password. The passkey is device-bound for maximum security. Your vault key is encrypted with a device-specific secret that never leaves your phone. Even UnveilPass servers cannot decrypt your vault without the biometric verification on your physical device.
Device trust with email verification: UnveilPass uses its own second factor to protect your vault. When device trust is enabled, logging in from a new device requires a 6-digit verification code sent to your email. Trusted devices are remembered for 7 days. The extension is recognized automatically so it does not interrupt your workflow.
Recovery QR system: Worried about losing access? UnveilPass lets you generate a Recovery QR code that encrypts your master password with a PIN you choose. Print it, store it in a safe and scan it if you ever need to recover your account. The server never sees your PIN or your master password.
UnveilPass gives you built-in TOTP, passkey login and device trust. Enable two-factor authentication in minutes.