Choosing MFA the right way: what 'phishing-resistant' means, and why SMS is weak
SMS, authenticator apps, and passkeys form a ladder of MFA strength. Why SMS falls to phishing and SIM-swap, what 'phishing-resistant' really means, and which factor to put on which account.
For: anyone about to turn on MFA (two-factor / two-step verification), or who already has it but wonders "is SMS good enough?" No attack mechanics here — just which methods are strong, and what to put where.
This site's view: 'has MFA' isn't a checkbox
The "two-factor authentication: on" you see in settings actually carries almost no information about strength. The same "on" defends against wildly different attacks for SMS versus a passkey. Most takeovers happen not because "there was no MFA" but because it was weak MFA. So for important accounts we recommend grading by "is it phishing-resistant or not," never by "MFA: on/off."
Why you need MFA
A password should be treated as "going to leak eventually" on its own. Reuse, breach dumps, guessing, phishing — there are many ways through. MFA is the insurance that stops things at the second layer even when the first is broken.
The email account matters most of all. Many services recover "forgot password" by email, so the moment your email is taken, other accounts get reset in a chain. That's why email is the "key to the kingdom" to guard with the strongest MFA (→ Tier 0 of the baseline checklist).
The ladder of strength (this is the essence)
Even called "two-factor," the methods differ enormously in strength. Listed from weakest to strongest; the dividing line is "can it be presented to a fake site?"
- ✗ SMS / email code: you type a number by hand; relay phishing and SIM-swap break it
- △ authenticator app (TOTP): not exposed to SIM-swap, but the code can still be relayed to a fake site
- ○ passkey: unlocked with device biometrics; bound to the domain, so phishing-resistant
- ◎ security key: a FIDO2 hardware key; the sturdiest option; keep a spare
SMS / email codes
- the code is just digits — it can be pasted into a fake site
- SIM-swap (hijacking your phone number) diverts delivery of the SMS code to the attacker; for email codes, whoever gets into your mailbox gets the code
- relay phishing forwards it to the real site, defeating it
- better than nothing, but not a last line of defense
Passkey / security key (FIDO2)
- the key is bound to the destination domain — no signature on a fake site
- phishing-resistant by design (doesn't rely on human judgment)
- device biometrics or a hardware key = no "string" to steal
- use this for the keys to the kingdom
What "phishing-resistant" actually means
This is the key concept. With SMS or an authenticator code, in the end a human has to judge with their eyes whether they're entering it on the right site, and people can't tell a perfect look-alike domain apart. A passkey or security key (FIDO2), by contrast, knows which domain it is for: the browser records the origin the page is actually on, and the credential only answers for the domain it was registered to, so a fake site gets no usable signature. In other words, even if the human is fooled, the key isn't. That's "phishing resistance," and it's the decisive difference between weak and strong methods.
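To make the difference concrete, here is a small model of both flows. It is an added example written for this page, not code from the site or from any FIDO library: the "browser," "authenticator" and "server" are toy functions, an HMAC tag stands in for the authenticator's ECDSA signature, and the hostnames, secrets and timestamps are constructed. The TOTP part follows RFC 6238 (HOTP over a 30-second counter); the WebAuthn part keeps the checks that matter here: the browser only honours an rpId that belongs to the page's own origin, it writes the real origin into clientDataJSON, and the server verifies origin and rpIdHash before the signature.

```python
"""Relayed TOTP verifies; a passkey assertion from a look-alike origin does not.
Toy model added for illustration (HMAC stands in for the ECDSA signature)."""
import hashlib
import hmac
import json
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"   # assumed real site
REAL_RP_ID = "example.com"                  # rpId the passkey was registered to
FAKE_ORIGIN = "https://login.examp1e.com"   # assumed look-alike phishing site


# --- TOTP (RFC 6238: HMAC-SHA1 over a 30 s time counter) ----------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def relayed_totp_is_accepted() -> bool:
    """Victim types the code into the fake site, which forwards it unchanged."""
    secret = b"constructed-shared-secret-12345"
    now = 1_700_000_000
    code_from_app = totp(secret, now)          # victim reads this off their phone
    code_relayed_by_phisher = code_from_app    # six digits carry no origin
    return hmac.compare_digest(totp(secret, now), code_relayed_by_phisher)


# --- FIDO2 / WebAuthn assertion, simplified ----------------------------------
def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(cred_key: bytes, rp_id: str, client_data: bytes):
    """Signs authenticatorData || SHA-256(clientDataJSON), as FIDO2 does."""
    auth_data = rp_id_hash(rp_id) + b"\x01" + b"\x00\x00\x00\x01"  # flags=UP, counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_key, to_sign, hashlib.sha256).digest()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: str,
                          credentials: dict):
    """Toy browser: rpId must belong to the page's own origin, and clientDataJSON
    gets the origin the page is really on (the page cannot choose it)."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId does not match page origin")
    cred_key = credentials.get(rp_id)          # passkeys are scoped per rpId
    if cred_key is None:
        return None                            # the user has no passkey here
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    return (client_data, *authenticator_sign(cred_key, rp_id, client_data))


def rp_verify(cred_key: bytes, challenge: str, client_data: bytes,
              auth_data: bytes, signature: bytes) -> bool:
    """Real server: type, fresh challenge, origin, rpIdHash, then signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != REAL_ORIGIN:
        return False
    if auth_data[:32] != rp_id_hash(REAL_RP_ID):
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def passkey_scenarios() -> dict:
    cred_key = secrets.token_bytes(32)
    user_creds = {REAL_RP_ID: cred_key}        # registered with the real site
    challenge = secrets.token_urlsafe(32)      # issued by the real server
    out = {}
    out["legit_ok"] = rp_verify(cred_key, challenge, *browser_get_assertion(
        REAL_ORIGIN, REAL_RP_ID, challenge, user_creds))
    # 1. Fake page asks for the real site's rpId: the browser refuses outright.
    try:
        browser_get_assertion(FAKE_ORIGIN, REAL_RP_ID, challenge, user_creds)
        out["browser_refused"] = False
    except PermissionError:
        out["browser_refused"] = True
    # 2. Fake page asks for its own rpId: there is no passkey to present.
    out["no_passkey_at_fake_site"] = browser_get_assertion(
        FAKE_ORIGIN, "examp1e.com", challenge, user_creds) is None
    # 3. Defence in depth: a signature over clientDataJSON naming the fake
    #    origin is still rejected by the real server's origin check.
    forged_cd = json.dumps({"type": "webauthn.get", "challenge": challenge,
                            "origin": FAKE_ORIGIN}).encode()
    ad, sig = authenticator_sign(cred_key, REAL_RP_ID, forged_cd)
    out["fake_origin_rejected_by_rp"] = not rp_verify(cred_key, challenge,
                                                      forged_cd, ad, sig)
    return out
```

The TOTP server call succeeds with the relayed code because the code is pure digits with nothing that identifies where they were typed. The passkey flow fails at three independent points: the look-alike page cannot even ask for the real site's rpId, the user holds no credential scoped to the fake domain, and any assertion whose clientDataJSON names the fake origin is refused by the server. That layering is what "phishing-resistant by design" means in practice.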
How to set it up (order matters)
1. Start with the keys to the kingdom: email first, then anything else that can reset other accounts. Give these a passkey or security key wherever it's offered.
2. MFA on the password manager itself: it holds every other login, so it is a key to the kingdom too.
3. If a service doesn't support passkeys or security keys, use an authenticator app (TOTP). Keep SMS for the cases where nothing else is offered.
4. Store recovery codes safely, somewhere separate from the account they recover.
5. Have one backup factor (a spare security key or a second enrolled method) so that losing a device doesn't lock you out.
Even with MFA, stop reusing passwords
MFA is insurance, not an excuse for weak passwords. On services where only non-phishing-resistant MFA (like SMS) is available, the strength and uniqueness of the password is still your last line. Gauge it with the password strength checker.
What this site does itself
This site locks down its important accounts — especially email, domains, server admin, and payments — with phishing-resistant MFA wherever possible. The reason is simple: these are the keys to the kingdom where "lose one and you lose all." Daily logins live in a password manager, and the manager itself carries MFA. And we don't stop at "MFA is on" — we periodically review which method is in place. When we find an important account with only SMS, we treat that as a hole and prioritize upgrading it to a passkey/security key. Manage by strength, not by presence — that's our policy.
Read next
- Foundation: the security baseline checklist (keys to the kingdom first)
- Storage: how to store passwords safely
- Glossary: SPF/DKIM/DMARC (anti-spoofing email auth)
- Glossary: what phishing is (the threat phishing-resistant MFA is built for)
- Tool: password strength checker
FAQ
Q: If I turn on MFA, am I safe?
Far safer than without it, but 'on' isn't the same as 'safe.' Strength depends on the method, and the tiers differ a lot: SMS and email codes fall to phishing (a relay attack that lures your code onto a fake site) and SIM-swap. For important accounts, use a passkey or security key (phishing-resistant MFA) that can't be presented to a fake site.
Q: Why is SMS called weak?
Because the code is just a string of digits, and a human has to judge whether the place they're entering it is real or fake. Relay phishing (you type the code into a perfect look-alike) and SIM-swap (your phone number is hijacked) defeat it. It's better than nothing, but it isn't a last line of defense.
Q: Which method should I actually pick?
The strongest are passkeys (your device's biometrics) and physical security keys (FIDO2). The key is bound to the destination domain, so on a fake site no signature is produced — that's phishing resistance. Where they aren't supported, use an authenticator app (TOTP); keep SMS as a last resort when nothing else is offered.