Text Codes, Authenticator Apps, or Passkeys: Which 2FA Should You Use?
Two-factor authentication protects you when a password leaks, but the method matters. The best choice is the strongest option the service supports that you can still use reliably. For most people, the right answer is not perfection. It is upgrading the accounts that would hurt most if they were taken over.
Strongest options
Passkeys and hardware security keys are the strongest everyday options when a service supports them. They are designed to resist common phishing because the login is tied to the real website or app, not just to a code you can be tricked into typing somewhere else.
Use them first for high-value accounts: email, password manager, banking, cloud storage, developer tools, business admin accounts, and anything that controls money or identity.
Best default for most people
Authenticator apps are a strong default when passkeys or hardware keys are not available. They are usually safer than text messages because the code is generated on your device instead of being delivered through your mobile number. They also work across many services and are easy to store alongside a password manager workflow.
SMS codes are weaker because phone numbers can be moved, intercepted, or socially engineered, but SMS is still better than password-only login. If SMS is the only option, use it until the service offers something stronger.
Recovery matters
The part people skip is recovery. Save backup codes in a password manager or another secure place before you need them. Check that your recovery email and phone number are current. If you lose a phone without recovery options, regaining access can be slow or impossible.
A practical setup is simple: passkeys where available, authenticator app where not, SMS only when necessary, and saved recovery codes for important accounts.