2FA done right: authenticator apps and hardware keys
Two-factor authentication is one of the most effective security measures available. We explain why SMS 2FA is weak, and how to do it better.
Two-factor authentication (2FA) adds a second verification step alongside your password. Even if someone knows your password, they also need the second factor.
Not all 2FA is equally strong. This article explains the differences.
SMS 2FA: avoid it where possible
SMS 2FA — a code via text message — is better than nothing but has serious weaknesses.
- SIM swapping: an attacker talks your carrier into moving your number to a SIM card they control. From then on, every SMS code goes to them.
- SS7 vulnerabilities: the SS7 signalling network that carriers use to route calls and texts has long-known weaknesses that let an attacker with SS7 access redirect and read your SMS.
- Carrier access: SMS travels through the carrier unencrypted, so the carrier can read every code, and law enforcement can request messages from it.
Use SMS 2FA only when there is no better alternative available.
TOTP: time-based codes via an app
TOTP (Time-based One-Time Password, RFC 6238) combines a secret shared between you and the service (handed over in the QR code at setup) with the current time to produce a six-digit code that changes every 30 seconds by default. The code is an HMAC computed locally on your device; no server connection is needed. The service recomputes the same code from its own clock, so your device's clock must be roughly correct.
Aegis Authenticator
Open-source, local storage, encrypted backup file. Available via F-Droid.
This is our recommendation for most users. You can create an encrypted export as a backup and store it safely.
Avoid: Google Authenticator (can sync your secrets to your Google account), Microsoft Authenticator (backs up to a Microsoft account), Authy (cloud backup enabled by default). Secrets kept in a cloud account are only as safe as that account.
Setting up 2FA
- Install Aegis
- Go to the 2FA settings for the service you want to secure
- Scan the QR code with Aegis
- Enter the generated code to confirm
- Save the backup codes the service gives you — on paper or in an encrypted file
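The QR code scanned in step 3 is an `otpauth://` URI carrying the shared secret, and the code you type in step 4 is computed from that secret and the clock. The following is an added example (not code from this page or from Aegis) that parses such a URI, generates RFC 6238 codes, and shows the server-side check with a small clock-skew window. The URI, issuer and account name are constructed; the secret is the published RFC 6238 test key so the output can be checked against the RFC's vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample enrolment URI, i.e. what a service's 2FA QR code encodes.
# The secret is the RFC 6238 test key "12345678901234567890" in base32, so the
# codes below can be checked against the published test vectors.
SAMPLE_URI = (
    "otpauth://totp/Example:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull the enrolment parameters out of an otpauth:// URI (the QR code payload)."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    label = unquote(parsed.path.lstrip("/"))
    issuer, _, account = label.partition(":")
    secret = params["secret"].upper().replace(" ", "").rstrip("=")
    secret += "=" * (-len(secret) % 8)  # b32decode wants padding to a multiple of 8
    return {
        "issuer": params.get("issuer", issuer),
        "account": account or label,
        "secret": base64.b32decode(secret),
        "digits": int(params.get("digits", "6")),
        "period": int(params.get("period", "30")),
        "algorithm": params.get("algorithm", "SHA1").upper(),
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, timestamp=None, digits=6, period=30, algorithm="SHA1"):
    """RFC 6238: HOTP with the counter set to the current time step (unix time // period)."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp) // period, digits, algorithm)


def verify_totp(secret, submitted, timestamp=None, digits=6, period=30, algorithm="SHA1", window=1):
    """What the service does with the code you type: recompute it for the current step and
    `window` steps either side (to tolerate clock skew) and compare in constant time."""
    if timestamp is None:
        timestamp = time.time()
    step = int(timestamp) // period
    return any(
        hmac.compare_digest(hotp(secret, step + delta, digits, algorithm).encode(), submitted.encode())
        for delta in range(-window, window + 1)
    )


if __name__ == "__main__":
    enrolment = parse_otpauth(SAMPLE_URI)
    print(f"{enrolment['issuer']} / {enrolment['account']}")
    print("code right now:", totp(enrolment["secret"], digits=enrolment["digits"], period=enrolment["period"]))
```

Two things the example makes visible: the QR code is the secret, so whoever photographs or exports it can generate your codes forever, which is why the Aegis backup file must be encrypted; and the server accepts a code for roughly a minute and a half with `window=1`, so a real service also has to refuse a code that was already used in that window.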
Hardware keys: the strongest option
A hardware security key is a small device you plug in via USB or hold against your phone via NFC. At login you touch the key to confirm that a person is physically present, and the key signs a one-time challenge from the service.
Hardware keys are phishing-resistant: the browser ties each login to the real domain of the site you are on, and the key only answers for the domain it was registered with, so a look-alike site gets nothing it can pass on to the real service. A TOTP code, by contrast, can be typed into a fake page and relayed to the real one before it expires.
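To make the domain binding concrete, here is an added example (not code from this page or from any key vendor) of the checks a service runs on a WebAuthn login response before verifying the key's signature. The browser, not the web page, writes the `origin` into `clientDataJSON`, and the key puts `SHA-256(rpId)` and a user-presence flag into `authenticatorData`, then signs both; a phishing site therefore produces a response the real service rejects. `example.com`, the look-alike domain and all sample data are constructed. The final signature check with the credential's stored public key (an ECDSA or EdDSA verification, typically with the `cryptography` package) is not shown; the function returns the exact bytes that signature must cover.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying party for this illustration (hypothetical names).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def client_data_json(origin, challenge):
    """Constructed stand-in for clientDataJSON. In a real login the browser fills in
    `origin` from the page it is actually on; the page cannot choose it."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def authenticator_data(rp_id, user_present, counter):
    """Constructed authenticatorData as the key emits it:
    SHA-256(rpId) || flags (bit 0 = user presence, the touch) || 32-bit signature counter."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def check_assertion(client_data, auth_data, expected_challenge, stored_counter):
    """Relying-party checks that run before the signature is verified. Each failure is the
    reason a phished, replayed or cloned response is thrown away."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return {"ok": False, "reason": "clientDataJSON is not valid JSON"}
    if cd.get("type") != "webauthn.get":
        return {"ok": False, "reason": "wrong ceremony type"}
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(), b64url(expected_challenge).encode()):
        return {"ok": False, "reason": "challenge mismatch (stale or replayed response)"}
    if cd.get("origin") != EXPECTED_ORIGIN:
        return {"ok": False, "reason": "origin %r is not %r (look-alike site?)" % (cd.get("origin"), EXPECTED_ORIGIN)}
    if len(auth_data) < 37:
        return {"ok": False, "reason": "authenticatorData too short"}
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return {"ok": False, "reason": "rpIdHash is not for our RP ID"}
    flags = auth_data[32]
    if not flags & 0x01:
        return {"ok": False, "reason": "user-presence flag clear: nobody touched the key"}
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if (counter or stored_counter) and counter <= stored_counter:
        return {"ok": False, "reason": "signature counter did not increase (cloned key?)"}
    # The key's signature covers exactly these bytes; verify it next with the
    # credential's public key (library call not shown in this example).
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"ok": True, "reason": "structural checks passed", "counter": counter, "signed_bytes": signed}


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real server uses os.urandom(32) per login
    legit = check_assertion(client_data_json(EXPECTED_ORIGIN, challenge),
                            authenticator_data(RP_ID, True, 42), challenge, 41)
    phish = check_assertion(client_data_json("https://example.com.login-verify.net", challenge),
                            authenticator_data("example.com.login-verify.net", True, 1), challenge, 41)
    print("legitimate site:", legit["reason"])
    print("look-alike site:", phish["reason"])
```

The phishing case fails twice over: the origin the browser recorded is wrong, and the key would have signed for the look-alike's own rpId (a browser refuses to let `example.com.login-verify.net` claim `example.com`), so the rpIdHash is wrong too. No relay trick fixes that, which is the difference from SMS and TOTP codes.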
YubiKey 5 NFC
The most widely used hardware key. Supports FIDO2/WebAuthn and FIDO U2F, plus Yubico OTP, PIV smart card and OpenPGP. The 5 NFC has a USB-A connector and NFC; the otherwise identical 5C NFC has USB-C.
Compatible with most major services: Google, GitHub, Proton, Bitwarden, and more.
Price: around €55–65
Nitrokey 3
Open-source alternative to the YubiKey. The firmware is published, so it can be inspected and updated by the user, which matters to those who distrust closed hardware.
Price: around €29–49
Which one do you choose?
For most users: YubiKey 5 NFC. Wide support, proven reliability, NFC works directly with GrapheneOS.
For those where open-source firmware is a hard requirement: Nitrokey 3.
Always buy two keys — one as primary, one as backup. If you lose the only key, you cannot access your accounts.
Backup codes: the part everyone forgets
Most services that support 2FA hand out one-time backup codes when you enable it. Store these:
- Not only in the app on your phone: if the phone is lost, the codes go with it
- Not in a cloud document: whoever gets into that account gets your codes, and if it is the very account the codes protect, the second factor is gone
- Do: printed and kept in a secure place, or in an encrypted file on an offline medium stored apart from your phone
Which services support hardware keys?
Hardware keys (FIDO2/WebAuthn) are supported by: Google, GitHub, Proton, Bitwarden, Dropbox, and most major international services.
How to start, step by step
- Install Aegis
- Move your most critical accounts to TOTP: email, password manager, cloud storage
- Save backup codes
- Consider a hardware key for accounts that support it
- Remove SMS 2FA where you already have it set up and replace it with TOTP
See also:
- Aegis review — open-source TOTP app for Android
- YubiKey vs Nitrokey review — hardware security keys
- KeePassXC review — password manager with 2FA support