Two-factor authentication (2FA): from TOTP to passkeys, the 2026 guide

2026-05-13

I build and run systems where a compromised account is not an inconvenience, it is an incident: national election platforms, high-traffic e-commerce. On that kind of project, the lone password vanished a long time ago. Two-factor authentication (2FA), and multi-factor authentication (MFA) more broadly, are the minimum foundation. Here are the fundamentals, then a clear split between what actually protects you in 2026 and what only feels safe.

What two-factor authentication really is

Two-factor authentication is a special case of multi-factor authentication. The idea fits in one sentence: to prove who you are, a single secret is no longer enough, you need two of a different nature. If an attacker steals your password, they still lack the second factor. The strength of the method does not come from the number of proofs, but from combining two distinct types. Two passwords are still one factor, so a single lock.

The three authentication factors

Every authentication method falls into one of these three families.

  • Something you know: a password, a PIN, the answer to a secret question.
  • Something you have: your phone, an app that generates codes, a physical security key.
  • Something you are: your fingerprint, your face, your iris.

Real MFA draws from two different families. A password (something you know) plus a one-time code read on your phone (something you have) is proper 2FA. A password plus a secret question stays inside one family, and is barely better than a password on its own.

SMS, the weak link

For years, the code sent by text message was the on-ramp to consumer 2FA. In 2026, it is the method I advise against as soon as an alternative exists. SMS has two structural weaknesses. The first is the SIM swap: an attacker convinces (or bribes) your carrier to move your number to their own SIM, and receives your codes instead of you. The second is interception: the legacy phone network (SS7) was never built to carry secrets, and a code shown on a locked screen can be read without even unlocking the device. NIST has advised against SMS as an authentication channel since 2016. An SMS code beats nothing at all, but treat it as a last resort, never as your main defence.

TOTP, a six-digit code every 30 seconds

The method that comfortably replaces SMS is TOTP, short for Time-based One-Time Password. The principle is simpler than it sounds. When you switch it on, the site shows you a QR code: it holds a secret key, shared just once between the site and your app. From then on, your app combines that key with the current time, sliced into 30-second windows, and derives a six-digit code. The site runs the same calculation on its side and compares. Because both parties know the key and read the same clock, they land on the same code without ever exchanging anything over the network. That is why TOTP works on a plane, with no connection at all: everything is computed locally, and the code changes every 30 seconds.

Which authenticator app to choose

Google Authenticator is still the best known, but it is not the only one, and for a long time it offered neither backup nor export. What truly matters is being able to encrypt and recover your secrets the day you switch phones. My recommendations:

  • Aegis (Android): open source, encrypted vault, clean export. My default on Android.
  • 2FAS (iOS and Android): polished interface, encrypted backups, browser extension.
  • Bitwarden: handy if you already use this password manager, everything sits in one place.
  • FreeOTP: open source and backed by Red Hat. Julian T. recommended it to me years ago, and it has stayed a safe bet.

One word of caution: keeping passwords and TOTP codes in the same vault is convenient, but it gathers both of your factors in one place. For a critical account, keep them apart.

FIDO2 hardware keys and phishing-resistant MFA

TOTP has a limit worth knowing: a code can be phished. A fake site, slipped between you and the real service, asks for your code and replays it in real time before it expires. This is where hardware security keys (YubiKey and the like), built on the FIDO2 and WebAuthn standards, come in. Their trick: the key checks the exact domain of the site before it answers. On a fake domain, it simply refuses. This is called phishing-resistant MFA, and it is a step change, not a minor upgrade. On my projects, administrative access and high-stakes accounts go through a hardware key, no exceptions.

Passkeys, the end of the password

Passkeys are the culmination of everything above, and the big shift of 2024 to 2026. They rest on the same FIDO2/WebAuthn foundation as hardware keys, but take the logic all the way: they replace the password instead of adding to it. In practice, your device generates a pair of cryptographic keys. The private key never leaves the device (or syncs, encrypted, through your ecosystem or password manager). To sign in, you unlock that key with your fingerprint, your face or the device PIN. Three major consequences: nothing to remember or type, native phishing resistance (the key is bound to the domain), and above all no shared secret stored on the server. A database breach then leaks no password to steal. Apple, Google and Microsoft all support them, and the list of compatible sites grows every month. When a service offers a passkey, turn it on.

Backup codes, your safety net

One point too many people overlook, until the day they lose their phone. When you enable 2FA, most services hand you a list of backup codes (often about ten, each usable once). These are your spare keys: they let you get in even without your app or your phone. Write them down offline or store them in your password manager, safely. Without them, losing a device can lock you out of your own account for good. When you have used them all, generate a fresh set.
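As an added example of how a service should handle the list it hands you (my illustration, not any particular provider's code): generate the codes from a CSPRNG with an alphabet that avoids look-alike characters, store only salted hashes so a database leak does not expose them, normalise what the user types (dashes, spaces, case), compare in constant time, and delete each hash on first successful use so a code can never be redeemed twice. The salt, code count and code length are my own choices, not a standard.

```python
import hashlib
import hmac
import os
import secrets

# Letters and digits that are hard to confuse when read back from paper (no 0/o, 1/l/i).
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"


def generate_backup_codes(count: int = 10, length: int = 10) -> list[str]:
    """Return `count` single-use codes, shown to the user exactly once."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        codes.append(raw[: length // 2] + "-" + raw[length // 2:])  # grouping aids transcription
    return codes


def normalise(code: str) -> str:
    """Accept what a human is likely to type: any case, with or without the dash or spaces."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str, salt: bytes) -> bytes:
    # Backup codes are short, so use a slow salted hash rather than plain SHA-256.
    return hashlib.pbkdf2_hmac("sha256", normalise(code).encode(), salt, 100_000)


class BackupCodeStore:
    """What the server keeps: a per-user salt and the hashes, never the plaintext codes."""

    def __init__(self, codes: list[str]):
        self.salt = os.urandom(16)
        self.hashes = [hash_code(c, self.salt) for c in codes]

    def remaining(self) -> int:
        return len(self.hashes)

    def redeem(self, submitted: str) -> bool:
        """Burn the matching code and return True, or return False if nothing matches."""
        candidate = hash_code(submitted, self.salt)
        for i, stored in enumerate(self.hashes):
            if hmac.compare_digest(candidate, stored):
                del self.hashes[i]  # single use: the code is gone after this
                return True
        return False


if __name__ == "__main__":
    codes = generate_backup_codes()
    print("show these once:", codes)
    store = BackupCodeStore(codes)
    print("first use:", store.redeem(codes[0]), "second use:", store.redeem(codes[0]))
    print("codes left:", store.remaining())
```

When `remaining()` drops low, that is the moment to prompt the user to regenerate a fresh set, which is exactly the "generate a fresh set" step above; regenerating replaces the whole list rather than topping it up, so no old code stays valid.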

Where to start

The plan comes down to five moves. Turn on MFA everywhere it exists, starting with your email and your password manager (they are the keys to everything else). Always prefer TOTP over SMS. Enable passkeys the moment a service offers them. Reserve a hardware key for your most sensitive accounts. And keep your backup codes somewhere safe. This is exactly the order I follow when I build secure platforms, and nothing stops you from applying it to your personal accounts today.

A question about rolling out MFA for your organisation? Get in touch, I am glad to help.