inferwire / Cybersecurity · 4 min read

Your passwords are fine. Your 2FA isn't.

SMS and authenticator-app 2FA looks like security but leaves a trivial opening. A 50-dollar piece of hardware closes it — and almost nothing else will.

TL;DR

  • SMS-based two-factor authentication is broken and has been for years. Authenticator apps are better, but still bypassable by modern phishing kits.
  • The only 2FA that actually works is a physical security key. One costs about fifty dollars and replaces the entire mess.

Background

The story every security person is tired of telling: you have a great password, it lives in a manager, you turned on 2FA because you're a responsible adult, and you feel safe. You're not[^1]. The protocol you're probably relying on — a six-digit code sent by SMS, or typed out of an authenticator app — was bolted onto the internet as a retrofit. It was never designed to resist an attacker who can ask your phone carrier a question.

What happened

Federal guidance has been clear for years: SMS-based two-factor authentication is "significantly less secure" than alternatives, and attackers use SIM-swapping to bypass it as routine, not as an elite move[^2]. A SIM swap is not a hack. It is a phone call to a carrier, placed by someone with your publicly findable details and a persuasive story. Within ten minutes your number is forwarded to a SIM in a drawer somewhere else, and every "we'll text you a code" login is now theirs.

Authenticator apps — Google Authenticator, Authy, the one your employer made you install — fix the SIM-swap problem but not the phishing one. The six digits on your screen are one proxy away from being captured and replayed. Modern phishing kits do this relay in real time: the attacker's fake login page forwards your code to the real site within the 30-second window. The lock icon never looks wrong. You just get breached forty minutes later and wonder how.

The fix is not "be more careful." Nobody is that careful, consistently, at 2 AM, on a phone, after a flight. The fix is to take your authentication off the thing that can be tricked. That thing is your eyes, your judgment, and the cellular network. A physical security key — the little USB-C or NFC dongle that costs less than a nice dinner — binds the login to the domain cryptographically. Type your password into a pixel-perfect fake Amazon page, tap the key: nothing happens. The key knows it isn't the real Amazon. The site has to actually be the site, or the key stays silent. There is no code to read aloud, no push to approve at 3 AM when you're half asleep. It either works or it doesn't, and the attacker has no path in.

Why it matters

The math on this is almost embarrassing. Two hours on a Saturday, six critical accounts — email, bank, password manager, GitHub, the crypto wallet you forgot you owned — and you have closed the door that most real-world account takeovers walk straight through. The keys are standardised (FIDO2/WebAuthn), supported by every major service, and they don't run out of batteries. You keep one in your pocket and a spare in a drawer. That is the entire system.

What still surprises me is how few people own one. The average technically literate reader of this site almost certainly does not. They have a password manager, they feel pretty good about their setup, and they are one carefully crafted email away from losing access to the thing their life runs on. This is not paranoia. It is arithmetic: every serious account-compromise post-mortem I have read in the last three years had a moment where a hardware key, in a pocket, would have ended the story at page one.

If you take one action from this piece, let it be: buy a key, set it up for your email account this weekend, and spend thirty minutes on the recovery flow so future-you doesn't get locked out in an airport. That's it. You've just eliminated the threat model responsible for more ordinary financial damage than ransomware ever managed.

Practical example

Imagine Maria. Freelance designer, 34, uses Gmail for everything — client invoices, tax receipts, and the account her password manager recovery is bound to. Monday morning she gets a text: "Google: new sign-in from Berlin. Was this you? Reply Y or N." She is in Hamburg, so she replies N, thinking she is being helpful. It was a phishing lure: the attacker already had her password from a years-old breach, and her N was the decisive 2FA signal they needed to pin the session. By lunchtime her Google account is gone, her password manager is emptied, and three of her clients get invoices pointing at a new IBAN. Now rerun that Monday with a hardware key on the account. The attacker's pixel-perfect Google login page asks the key for a signature. The key checks the domain, sees it isn't accounts.google.com, and does nothing. There is no prompt for Maria to misread. Maria's Monday stays boring.
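Both the code relay described under "What happened" and Maria's silent key come down to one question: what does the second factor actually sign, and can a proxy move it between sites? The following Go program is an added example for this piece, not code from the article or from any vendor. It implements a standard RFC 6238 TOTP code and shows that a forwarded code is indistinguishable from the victim's own inside the 30-second window, then models a deliberately simplified WebAuthn assertion (ES256 over authenticator data plus a hash of the client data, with the page's host used directly as the RP ID, no attestation, no counter tracking) and shows why a key registered for one domain cannot be made to answer for another, and why an assertion cannot have its origin swapped after the fact. The domains `bank.example` and `bank-login.example` and the TOTP seed are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// totp implements RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

// TOTPRelayAccepted models the relay: the proxy forwards the code the victim typed and, inside the same 30 s window, the site cannot tell the two apart.
func TOTPRelayAccepted(secret []byte, victimTypesAt, proxyForwardsAt int64) bool {
	return totp(secret, victimTypesAt) == totp(secret, proxyForwardsAt)
}

// Authenticator stands in for the security key: one ES256 credential per RP ID (simplified model).
type Authenticator map[string]*ecdsa.PrivateKey
func NewAuthenticator() Authenticator { return Authenticator{} }

// Register mints a credential bound to rpID and returns the public key the site stores.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // the OS CSPRNG is unavailable; nothing sensible to do
	}
	a[rpID] = priv
	return &priv.PublicKey
}

// ClientData mirrors clientDataJSON (real browsers use lower-case keys); Assertion is what the key returns.
type ClientData struct{ Type, Challenge, Origin string }
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte } // AuthData = sha256(rpID) || flags || signCount
// signedDigest is what the key signs: authData || sha256(clientDataJSON), hashed once more for ECDSA.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// BrowserGetAssertion plays the browser. Page script cannot choose the origin: the browser records the real
// origin, derives the RP ID from it (here: the host; real browsers also allow a registrable suffix) and asks the key.
func BrowserGetAssertion(auth Authenticator, pageOrigin, challenge string) (*Assertion, error) {
	rpID := strings.TrimPrefix(pageOrigin, "https://") // host only; no port handling in this example
	priv, ok := auth[rpID]
	if !ok { // no credential for this domain: the key stays silent
		return nil, errors.New("authenticator: no credential for RP ID " + rpID)
	}
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // UP flag set, signCount = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// VerifyAssertion is the relying party's check: origin, challenge and rpIdHash all sit under the signature.
func VerifyAssertion(pub *ecdsa.PublicKey, origin, rpID, challenge string, a *Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin {
		return fmt.Errorf("clientData rejected: type=%q challenge=%q origin=%q", cd.Type, cd.Challenge, cd.Origin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature") // covers tampering with origin or challenge after signing
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	pub := auth.Register("bank.example") // constructed domains throughout
	a, _ := BrowserGetAssertion(auth, "https://bank.example", "chal-1")
	fmt.Println("real site:", VerifyAssertion(pub, "https://bank.example", "bank.example", "chal-1", a))
	_, err := BrowserGetAssertion(auth, "https://bank-login.example", "chal-2") // the phishing origin
	fmt.Println("phishing site:", err, "| TOTP relay accepted:", TOTPRelayAccepted([]byte("constructed-seed"), 1700000040, 1700000055))
}
```

Run it and the real-site verification returns `<nil>` while the phishing origin gets no assertion at all, the same outcome as Maria's key doing nothing; the TOTP line, by contrast, accepts the relayed code. Real relying parties additionally check the signature counter, user-verification flags and the credential ID, and real keys derive the RP ID from the browser over CTAP rather than from a string prefix, but none of that changes the property shown here.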

Related gear

The one most people should own: USB-A with NFC so it works on a laptop and tap-to-auth on a phone, FIDO2-certified, and from the vendor whose implementation everyone else benchmarks against.

Yubico YubiKey 5 NFC — Two-Factor Authentication Security Key, USB-A with NFC

Sources

  1. CISA — Implementing Phishing-Resistant MFA
  2. FTC — SIM Card Swap Scams