SB · DOSSIER 01
securebyteguide

2FA Methods Compared — SMS, TOTP, and Hardware Keys (Google's Real Attack Data)

Google's 2019 study tracked compromise rates across 2FA methods. SMS prevented 76% of bulk phishing. Hardware keys prevented 100%. Here is what the data means for everyday users.


In 2019, Google published the most comprehensive study of 2FA effectiveness ever done — tracking actual account compromise rates across 350,000+ users facing real attacks. The numbers contradicted some accepted wisdom (SMS works much better than security experts claimed) and confirmed others (hardware keys are essentially unbreakable). Five years later, the FIDO Alliance and NIST have updated guidance, but the core data remains the most cited reference for 2FA decisions.

This article walks through the Google data, what’s changed in attacks since 2019, the FIDO2/WebAuthn standard that’s becoming the new default, and which 2FA method makes sense for which threat model.

Google’s effectiveness data

Google’s 2019 research divided account compromise attempts into three categories:

  1. Automated bots — credential stuffing using leaked password databases
  2. Bulk phishing — generic phishing emails sent to millions
  3. Targeted phishing — specific attacks on individuals (executives, high-value)

Their measured prevention rates:

2FA Method             Bot attacks   Bulk phishing   Targeted phishing
No 2FA                 0%            0%              0%
SMS code               100%          76%             96%
App-based (TOTP)       100%          99%             90%
Hardware key (FIDO)    100%          100%            100%

The data shows three things:

  1. Any 2FA blocks 100% of bot attacks. Credential stuffing is defeated by any second factor. This is the easy win.

  2. SMS underperforms TOTP for bulk phishing. 76% vs 99%. The reason: SMS codes can be phished — attackers can build a fake login page that prompts for the SMS code and forwards it to the real site in real time. TOTP codes are time-bound and harder to relay.

  3. Hardware keys are uniquely phishing-resistant. 100% across all categories. Hardware keys verify the actual website domain (via WebAuthn) — they refuse to authenticate against a phishing domain even if the user is fooled.

[Illustration: three hardware security keys in a row on a desk]
Hardware keys: 100% prevention across every attack type Google measured.

SMS 2FA — the controversial baseline

NIST officially deprecated SMS 2FA in 2017 (SP 800-63B), citing the SS7 protocol’s susceptibility to interception. The deprecation was widely interpreted as “SMS 2FA is broken” — but Google’s data shows it still blocks 76-96% of attacks.

The reality: SMS 2FA is “broken” against sophisticated targeted attacks, fine against everything else.

When SMS fails

  • SIM swap attacks. Attacker calls your carrier and convinces them to transfer your number. FBI IC3 reported $48M in SIM swap losses in 2023.
  • SS7 interception. Telecom protocol vulnerabilities allow message interception with carrier-level access. Mostly state-level threats.
  • Real-time phishing relay. Attacker builds fake login page, prompts for SMS code, forwards to real site within the 30-60 second code validity window.

When SMS is fine

  • Defending against bulk credential stuffing (leaked password reuse)
  • Bulk phishing (generic attacks, not targeted)
  • Most everyday account compromise scenarios

For 95%+ of users, SMS 2FA is a meaningful upgrade over no 2FA. The “SMS is dead” advice is overcalibrated for high-threat-model users (crypto holders, executives, journalists). For your bank account, your Amazon account, your Netflix — SMS 2FA blocks the realistic threats.

TOTP — the practical default

Time-based One-Time Password (TOTP) apps generate 6-digit codes that change every 30 seconds. The code is computed from a shared secret + current time, with no network communication required.

Major TOTP apps:

  • Google Authenticator — basic, free, can sync to Google account (since 2023)
  • Authy — multi-device sync, encrypted backup, free
  • 1Password — included in password manager subscription
  • Microsoft Authenticator — for Microsoft ecosystem

Google’s 2019 data shows TOTP blocks 99% of bulk phishing — substantially better than SMS’s 76%. The improvement comes from two factors:

  1. No interception channel. TOTP codes don’t traverse SMS networks; they’re generated locally on your device.
  2. Phishing-resistant by accident. A fake login page can prompt for a TOTP code and relay it, but only within the 30-second window. Real-time relay is technically possible but operationally harder than SMS relay.

The TOTP win case: defends against everything except real-time phishing relay attacks (which require sophisticated adversaries) and fancier targeted methods.

[Illustration: a smartphone showing an authenticator app beside a notebook on a desk]
TOTP apps: free, no SIM swap risk, 99% effective against bulk phishing.

Hardware keys — the only phishing-immune option

FIDO Alliance’s WebAuthn/FIDO2 standard creates the only 2FA method that’s truly phishing-resistant. The mechanism:

  1. When you register the key with a website, the key generates a unique cryptographic key-pair tied to the website’s domain.
  2. When you log in, the browser sends a challenge to the key, which signs it using the domain-bound private key.
  3. The key refuses to sign for a different domain. A phishing site at “googIe.com” (with capital I) can’t get a signature from a key registered to “google.com”.

Even if a user is completely fooled by a phishing page, the hardware key itself won’t authenticate. This is why Google’s data shows 100% effectiveness. The mechanism doesn’t depend on user vigilance.

Major hardware keys:

  • YubiKey 5 series ($55-65) — supports FIDO2, U2F, OTP, smart card
  • Google Titan ($30-50) — supports FIDO2, U2F
  • Apple’s Passkeys (free, software-based) — FIDO2 in iCloud Keychain

Apple’s 2023 introduction of Passkeys made FIDO2 effectively free for Apple users — no hardware key required. Microsoft and Google followed with similar implementations. Passkeys are FIDO2-class authentication for everyday use, syncing across devices via cloud. They’re as phishing-resistant as hardware keys for most threat models.

Threat model — picking the right level

Match 2FA to your threat model:

Level 1: Casual user, average accounts

Threat: credential stuffing, bulk phishing, opportunistic attackers. Recommendation: SMS 2FA on all important accounts. Effort: Low (already supported by most services). Cost: Free. Coverage: 76-100% of attacks.

Level 2: Aware user, important accounts (banking, email, crypto)

Threat: Above + targeted phishing. Recommendation: TOTP via Authy or 1Password. SMS as fallback. Effort: Medium (one-time app setup per account). Cost: Free (or included with password manager). Coverage: 99-100% of attacks.

Level 3: High-value target (executive, journalist, crypto holder, public figure)

Threat: Above + sophisticated targeted attacks, SIM swap, real-time relay. Recommendation: Hardware keys (YubiKey 5C NFC, $55) on critical accounts. Two keys minimum. Passkeys for everything else. Effort: High (requires consistent backup management). Cost: $100-150 for two keys. Coverage: 100% of attacks.

[Illustration: a laptop with a hardware security key inserted in a USB port]
Hardware key + WebAuthn: the gold standard for high-value account protection.

What’s changed since 2019

Google’s data is from 2019. Several attack patterns have evolved:

1. Bot attacks more sophisticated

Credential stuffing now uses real browser automation (Puppeteer, Playwright) that bypasses simple bot detection. It is still defeated by any 2FA method.

2. Real-time phishing relay tools commoditized

EvilProxy, Modlishka, and similar phishing-as-a-service kits enable real-time relay attacks against TOTP. TOTP effectiveness against bulk phishing has likely dropped from 99% in 2019 to 95-97% in 2024. Hardware keys remain unaffected.

3. SIM swap attacks more common

Cellular carriers have improved verification but SIM swap remains a documented threat. FBI IC3 2023 data: $48M in confirmed losses from SIM swaps. Particularly concentrated in crypto holders.

4. Passkeys reduce hardware key barrier

Apple’s Passkeys (2022), Google Passkeys (2023), and Microsoft’s WebAuthn make FIDO2 authentication available to consumers without buying hardware. For most users, Passkeys provide hardware-key-level security at zero cost. This is the biggest 2024 development.

Setup recommendations

For non-technical users:

Step 1: Enable 2FA on these accounts (priority order)

  1. Primary email (Gmail, Outlook, iCloud)
  2. Banking and credit card accounts
  3. Phone carrier account (Verizon, AT&T, T-Mobile portal)
  4. Apple ID / Google Account / Microsoft Account
  5. Password manager (1Password, LastPass, Bitwarden)
  6. Government accounts (IRS, SSA, state DMV)
  7. Social media (especially if used professionally)

Step 2: Choose your method

  • Easiest: SMS for all accounts. Better than nothing.
  • Better: Authy or 1Password TOTP for accounts that support it.
  • Best: Passkeys via your device’s biometric (Face ID, Touch ID, Windows Hello) for sites that support it.
  • Best for high-value: YubiKey 5 + Passkey backup.

Step 3: Set up backup recovery

  • Print backup codes (most providers offer them).
  • Store in safe or fireproof box.
  • Use Authy or 1Password (multi-device sync) over Google Authenticator (single-device).
  • Enable account recovery email.

Step 4: Carrier port-out PIN

Call your cellular carrier and request a port-out PIN — a separate password required to transfer your number to a new SIM. This blocks the most common SIM swap attack vector.

The bottom line

Google’s data is unambiguous: any 2FA blocks 96-100% of casual attacks; hardware keys block 100% of all attacks. The gap between SMS and TOTP is real but smaller than security experts often suggest. The gap between TOTP and hardware keys matters mostly for targeted-attack users.

For everyday users, free TOTP apps (Authy, 1Password) are the optimal trade-off. For high-value accounts, add hardware keys. SMS 2FA is “deprecated” but still vastly better than no 2FA.

Don’t let perfect be the enemy of good. Turn on whatever 2FA your accounts support today; upgrade the method later.

Hardware security keys worth pairing with 2FA

Phishing-resistant FIDO2 hardware keys are the only 2FA factor that survives credential-phishing attacks. Three keys cover ~95% of users: a USB-C universal pick, an NFC mobile-friendly variant, and a Google ecosystem option.

YubiKey 5C NFC (USB-C + NFC)

Price · $55-65 — most-recommended hardware key

+ Pros

  • FIDO2 + WebAuthn + OTP + Smart Card — handles every modern 2FA standard
  • NFC works with iPhone and Android — no cable needed for mobile
  • 5-year battery-free lifespan (no battery to fail)

− Cons

  • Premium pricing vs no-name alternatives
  • USB-C only — pair with adapter for older USB-A hosts

YubiKey 5 NFC (USB-A + NFC)

Price · $50-60 — USB-A version for desktops

+ Pros

  • Same FIDO2 / WebAuthn / OTP support as 5C variant
  • USB-A fits older desktop and laptop ports without adapter
  • Pair one USB-A + one USB-C for full coverage across devices

− Cons

  • USB-A is being phased out on modern laptops
  • No USB-C support — separate purchase needed for newer machines

Google Titan Security Key (USB-C + NFC)

Price · $35-45 — Google's FIDO2 key

+ Pros

  • Google-branded — most polished setup for Google Account 2FA
  • FIDO2 + U2F — works across most major platforms
  • Lower price than YubiKey 5C for same core feature set

− Cons

  • Less OTP / Smart Card support vs YubiKey
  • Tied to Google's hardware supply — periodic stock issues

Buy two keys minimum — one primary, one backup. The YubiKey 5C NFC + 5 NFC (USB-A) pair covers every device you’ll plausibly use over the next 5 years.
