
Two-Factor Authentication - Protect yourself (and others) using 2FA


Nov 5th, 2024 - 14:48


In security, and especially in crypto, there is one thing we want to avoid above all: a single point of failure.

This applies not only to crypto secrets such as seed phrases and private keys but to every digital account you use. Whether it’s your centralized exchange account, your X account, or your Gmail account, your credentials are worth protecting at all costs.

The biggest mistake you can make is not using 2FA at all. But before we proceed, let’s recap what 2FA is and why it’s so helpful.

What is 2FA, and why would I need it?

2FA (Two-Factor Authentication) is the most common form of Multi-Factor Authentication (MFA). It adds a second, independent check on top of your password: combining something you know (the password) with something you have (your phone, an authenticator app, or a hardware key) means that a leaked password alone no longer gets an attacker in.

In practice, you are asked for a one-time code, usually six digits, after entering your password. Depending on the method, the code is sent to you (SMS, email) or generated on a device you hold (authenticator app); with a hardware key, the code is replaced by a touch on the key.


If someone tries to log into your account, 2FA makes it much harder for them to succeed: they need your password and the second factor, whether that is a code delivered to your phone, a code from your app, or a key in your hand. Broadly, there are four approaches, and the worst of them is having no 2FA at all.

Not using 2FA at all

Your goal is to protect yourself from bad actors. Since security is about putting obstacles in their way, the worst choice is not to use 2FA at all.

You get the fastest login experience, with no extra devices or apps, but you leave your important accounts wide open to phishing, credential stuffing and password leaks. Have you ever looked through a list of past password breaches? If "Hello123" was the password guarding the Google Drive account holding your data, photos and everything else you keep in the cloud, you’re in trouble. A password-only strategy is not just weak; it is exactly the single point of failure you want to avoid. If the password is compromised, so is the account. Game over.

SMS as 2FA (and email)

Game over is not the route we teach at Boring Security, so that option is out. Next, let’s look at the weakest real 2FA option: SMS.

Yes, as in Short Message Service: a text message sent to your phone. SMS is the most widely adopted 2FA option because it’s familiar to everyone and easy to set up (just enter your phone number). Almost every service supports it, and many, banking apps among them, offer nothing other than SMS or email. We advise against SMS and email as 2FA, but any 2FA is better than none.

Cellular reception is needed to receive the codes, but the main reason to avoid SMS is simpler: an attacker can SIM-swap your phone number. It is less common in countries with strict carrier rules, but it happens more often than you might think. The attacker takes your personal details (name, address, phone number) from a data leak and calls your carrier pretending to be you. Once that works, your number is ported to a SIM card they control, and every 2FA SMS meant for you lands on their device. The attacker never needs physical access to your phone if the information is out there.

Similarly, an email address used to receive 2FA codes is only as secure as the mailbox itself; if that mailbox is not protected by its own strong 2FA, the codes it receives are not secure either.

Note: carriers offer some SIM-swap protection, but it is usually not enabled by default. One such control is a Number Transfer PIN, which must be entered before the number can be ported. There are nonetheless reports of people being SIM-swapped with this protection enabled, so SMS should be avoided as a 2FA method wherever a better option exists.

By now, it should be clear that no 2FA is not an option, and neither is SMS. So what should you use to stay safe?

Apps as 2FA

The third option is a TOTP (Time-Based One-Time Password) app such as Authy or Google Authenticator. Which app you use is up to you; just install a well-known one from the official app store and never hand the setup secret or your codes to anyone else.

These apps generate a one-time code that expires after a short time. App-based 2FA is stronger than SMS because there is no phone number to hijack: the code is computed on your device from a secret the service shared with you at setup, so SIM-swapping and other phone-number attacks do not apply. One caveat: a TOTP code is still just a number you type, so a convincing phishing page can ask for it and relay it to the real site within the code’s validity window. App-based 2FA reduces phishing risk; it does not remove it. Setup is slightly more involved (scan a QR code), but once done the codes work offline, so no cellular coverage is required.

If you use a dedicated device (such as a spare phone) for your codes, make sure its clock is correct. Codes are derived from the current time in 30-second steps, and a server typically tolerates only a step or so of drift, so a device with a wrong clock will generate codes the service rejects.

However, app-based 2FA needs a secure backup strategy for the secret keys. If you lose or damage the device, getting back into the accounts it protects becomes hard. Cloud backups are not recommended here. Suppose you synchronized Google Authenticator with your Google account for convenience. From a security standpoint, that is risky: if that Google account is breached, the attacker gets every 2FA secret stored in it, and a secret (unlike a single code) lets them generate valid codes indefinitely. Keep the setup secret, or the backup codes the service issues, in offline encrypted storage instead.

Note: TOTP is built on a shared secret: the same secret sits in your app and on the service’s servers. If the service’s database is breached (or the cloud backup of an authenticator app is), the attacker can compute your codes too. The second factor protects you against your password leaking, not against the service itself being compromised.
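The following is an added example, not code from the original post or from any of the authenticator apps named above. It implements the RFC 4226/6238 algorithm those apps use, in Go, so the three points above can be seen in one place: the Base32 secret from the QR code is the only input besides the clock, the server runs exactly the same function (shared secret), and the server’s drift window decides whether a code from a badly synchronized device is accepted. The secret is the RFC 6238 test key and the time values are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Step is the TOTP time step in seconds (the RFC 6238 default used by the apps
// named above).
const Step = 30

// DecodeSecret turns the Base32 string carried in an otpauth:// QR code into the
// raw shared secret. Spaces, lower case and missing "=" padding are tolerated,
// since setup screens print the secret in all of those forms.
func DecodeSecret(s string) ([]byte, error) {
	s = strings.TrimRight(strings.ToUpper(strings.ReplaceAll(s, " ", "")), "=")
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// HOTP is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation
// to a 31-bit integer, then the last `digits` decimal digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: HOTP with the counter taken from the clock, floor(t / Step).
// The app and the server both compute this from the same secret and the same
// clock, which is why the device clock has to be right.
func TOTP(secret []byte, unixTime int64, digits int) string {
	return HOTP(secret, uint64(unixTime/Step), digits)
}

// Verify is the server-side check: accept the code for the current step or for
// `window` steps either side to tolerate small clock drift, compared in constant
// time. A larger window widens the guessing surface, so keep it small.
func Verify(secret []byte, code string, unixTime int64, window int64) bool {
	if len(code) < 6 || len(code) > 8 {
		return false
	}
	step := unixTime / Step
	for d := -window; d <= window; d++ {
		if hmac.Equal([]byte(HOTP(secret, uint64(step+d), len(code))), []byte(code)) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret: the RFC 6238 test key "12345678901234567890" in Base32.
	secret, err := DecodeSecret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
	if err != nil {
		panic(err)
	}
	fmt.Println("code at t=59:", TOTP(secret, 59, 6))                               // 287082 (RFC vector)
	fmt.Println("same code, 30 s later, window 1:", Verify(secret, "287082", 89, 1))  // true
	fmt.Println("same code, 60 s later, window 1:", Verify(secret, "287082", 119, 1)) // false
	fmt.Println("code right now:", TOTP(secret, time.Now().Unix(), 6))
}
```

Anyone holding `secret`, whether your phone, the service’s database or a cloud backup of your authenticator, can call `TOTP` and get the same six digits, which is the shared-secret caveat in practice. The `Verify` window is also where the clock-sync point bites: a device whose clock is off by more than `window` steps produces codes this function rejects.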

Physical keys as 2FA

The strongest 2FA option is a small physical device, usually called a security key. Examples include YubiKey, Google’s Titan Security Key, or even a Ledger hardware wallet. As in crypto, these keys use public-key cryptography: the private key stays on the device and the service stores only the matching public key, so there is no shared secret to leak.

Security keys are considered phishing-resistant because the signature the key produces is bound to the website the browser is actually talking to: a look-alike domain gets a signature the real site will not accept, even if the attacker relays your login in real time. They also require user presence, usually a touch on the key during login, so a credential cannot be exercised without the key physically in hand, and neither a phone nor network coverage is needed.

Another benefit is that a single key can be registered with any number of accounts; it isn’t tied to one login.

If physical keys are the strongest option, why doesn’t everyone use them? Simple: they cost money. Unless you already own a Ledger, you have to buy keys (always from trusted sources, meaning the vendor or an authorized reseller). For a reliable backup you want at least two keys, and the second one has to be registered on each account up front, because you cannot add it after the first is lost, stolen or damaged. Otherwise you risk locking yourself out of your accounts permanently, or at least until you get through the service’s account recovery process.

Not every service supports security keys as a 2FA option yet, but more are adding support all the time.

There is also a standard called FIDO U2F (Universal 2nd Factor) that makes logging in with a key seamless; it has since been folded into FIDO2/WebAuthn, which is what browsers implement today and which still accepts U2F keys. Crypto users may be interested because Ledger devices (Nano S, Nano X, Stax, Flex) support that standard through the FIDO U2F app installed from Ledger Live, so they can double as a physical 2FA key at no additional cost.
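The following is an added example in Go, not code from the original post, from the FIDO specifications or from any of the key vendors named above. It is a deliberately simplified model of a U2F-style login: the real CTAP/WebAuthn message formats, attestation and signature counters are left out, and the per-site key derivation, the user "alice" and the domains exchange.example and exchange-login.example are assumptions made for the demonstration. It shows the properties claimed in this section in running code: the site stores only a public key, the key signs nothing without a touch, one device secret serves any number of sites, and a signature produced on a look-alike domain is rejected by the real site even when the attacker relays the genuine challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"math/big"
)

// SecurityKey models a U2F-style key: one device secret from which a separate
// P-256 key pair is derived per relying party (RP), so nothing per site is stored
// and one key serves any number of accounts. Simplified, not the real U2F format.
type SecurityKey struct{ deviceSecret []byte }

// privKeyFor derives the per-RP private key as HMAC(deviceSecret, rpID) mapped
// into [1, n-1]; it never leaves the device.
func (k *SecurityKey) privKeyFor(rpID string) *ecdsa.PrivateKey {
	curve := elliptic.P256()
	mac := hmac.New(sha256.New, k.deviceSecret)
	mac.Write([]byte(rpID))
	d := new(big.Int).SetBytes(mac.Sum(nil))
	d.Mod(d, new(big.Int).Sub(curve.Params().N, big.NewInt(1))).Add(d, big.NewInt(1))
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	return &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
}

// Assertion carries sha256(rpID), the browser's client data and an ECDSA signature over both.
type Assertion struct{ RPIDHash, ClientData, Signature []byte }

func signedDigest(rpIDHash, clientData []byte) []byte {
	cdHash := sha256.Sum256(clientData)
	d := sha256.Sum256(append(append([]byte{}, rpIDHash...), cdHash[:]...))
	return d[:]
}

// Sign is the login step. rpID and origin come from the browser's URL bar, not
// from the page, so a phishing page cannot claim the real site's values; and the
// key signs nothing without a touch (user presence).
func (k *SecurityKey) Sign(rpID, origin, challenge string, touched bool) (*Assertion, error) {
	if !touched {
		return nil, fmt.Errorf("no user presence: key not touched")
	}
	cd, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, k.privKeyFor(rpID), signedDigest(rpHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: rpHash[:], ClientData: cd, Signature: sig}, nil
}

// Verify is the server side: it holds only the public key and rejects anything not
// bound to its own rpID and origin, so a signature made on a look-alike domain
// fails even if the attacker relayed the genuine challenge in real time.
func Verify(rpID, origin string, pub *ecdsa.PublicKey, challenge string, a *Assertion) error {
	var cd map[string]string
	if json.Unmarshal(a.ClientData, &cd) != nil {
		return fmt.Errorf("malformed client data")
	}
	if cd["challenge"] != challenge {
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	}
	if cd["origin"] != origin {
		return fmt.Errorf("origin mismatch: signed at %s, expected %s", cd["origin"], origin)
	}
	if want := sha256.Sum256([]byte(rpID)); !hmac.Equal(a.RPIDHash, want[:]) {
		return fmt.Errorf("rpID hash mismatch: credential scoped to another site")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.RPIDHash, a.ClientData), a.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// RunScenario enrols one key at exchange.example, does an honest login, then a
// real-time phishing relay from a look-alike domain, and returns both outcomes.
func RunScenario() (honestErr, phishErr error) {
	key := &SecurityKey{deviceSecret: make([]byte, 32)}
	rand.Read(key.deviceSecret) // fresh device secret for this demo
	const rpID, origin = "exchange.example", "https://exchange.example"
	pub := &key.privKeyFor(rpID).PublicKey // registration: the only thing the site stores
	a, _ := key.Sign(rpID, origin, "nonce-1", true) // browser on the real site
	honestErr = Verify(rpID, origin, pub, "nonce-1", a)
	// Phishing: the attacker fetches a fresh challenge from the real site and relays
	// it to Alice on exchange-login.example; her browser binds it to that domain.
	a, _ = key.Sign("exchange-login.example", "https://exchange-login.example", "nonce-2", true)
	phishErr = Verify(rpID, origin, pub, "nonce-2", a)
	return
}

func main() {
	h, p := RunScenario()
	fmt.Println("honest login:", h, "| phished assertion:", p) // <nil> | origin mismatch: ...
}
```

Run it with `go run`: the honest login verifies and the relayed one fails on origin mismatch. Compare this with the TOTP case: there, the relayed code is indistinguishable from a genuine one, because nothing in a six-digit number says which site it was typed into. Here the origin is inside the signed data, so the relay is rejected without the user having to notice anything. In a real browser the credential would not even be offered on the look-alike domain, since the key handle is scoped to the rpID; the origin check in `Verify` is the server-side backstop for the same property.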

Final words of advice

Think about your online presence in terms of reputation and financial risk. Is it worth risking those to save a little effort on security? Add 2FA to your most important accounts first: a compromise of any of them would cost far more than the time it takes to set up a reliable 2FA method.

Be aware that if your email account or identity provider does not use strong 2FA (an authenticator app or, better, a hardware key), it is the weak point. If it is protected only by a password or by SMS codes, an attacker who breaks in can request password resets, and on many services account recovery that removes 2FA, for every other account registered to that address, because those reset links land in the mailbox they now control. The security of your email is therefore the ceiling for every account that recovers through it, and it is only as strong as the weakest 2FA on that mailbox.
