Hardware Security Keys vs Authenticator Apps vs SMS Codes: What to Use and Why

This article breaks down security keys, passkeys, authenticator apps, and SMS codes so you can pick protection that actually holds up under real attacks.

The Question Most People Get Wrong

People often frame this as “hardware security keys vs 2FA vs SMS.” That is technically wrong. 2FA or MFA is the category. Security keys, passkeys, authenticator apps, and SMS codes are different methods inside that category. ACSC defines MFA as using two or more factors, and NIST evaluates those methods by how strongly they resist theft, replay, phishing, and recovery abuse.

Here is the blunt answer: use phishing-resistant authentication first. That means FIDO2 security keys or passkeys. Use an authenticator app when that is not available. Leave SMS as a fallback, not as your main plan. That hierarchy matches current guidance from NCSC, ENISA, ACSC, and NIST.

The Ranking That Actually Matters

The simplest way to think about it is this:

| Method | Phishing resistance | Main weakness | Best use |
| --- | --- | --- | --- |
| FIDO2 security keys / device-bound passkeys | Strongest | Recovery, lost-key handling, fallback mistakes | Email, banking, admin, work, highest-value accounts |
| Synced passkeys | Strong | Cloud sync and recovery design matter | Best everyday default for most people |
| Authenticator apps | Better than SMS, but not phishing-resistant for OTP codes | Real-time phishing, weak recovery setup | Accounts that do not support passkeys or keys |
| SMS codes | Weakest mainstream option | SIM swap, phone-number abuse, message interception risk | Fallback only |

That summary reflects NCSC’s ordering of MFA methods, ENISA’s recommendation to prefer phishing-resistant MFA, ACSC’s guidance that SMS is less secure than stronger options, and NIST’s requirement that AAL2 systems offer a phishing-resistant option.

Important: not every “hardware token” is a real security key. If a device only shows a six-digit code, it behaves like an OTP generator and can still be phished. A FIDO2 security key is different: it uses domain-bound public-key cryptography instead of a shared code.

SMS Codes: Convenient, Common, and Still the Weak Link

SMS survives because it is everywhere. It is easy to understand, easy to roll out, and familiar to users. That convenience is real. The security is not. ACSC says SMS authentication is typically less secure than other MFA forms, and NCSC puts message-based methods at the bottom of its recommended order. ENISA also flags SMS-style OTP as less secure because of SIM-swapping risk.

The real problem is that SMS ties your account security to your phone number, your carrier processes, and any weak recovery path attached to them. That gives attackers more than one place to break in. In the UK, Cifas reported that unauthorised SIM swaps surged by 1,055% in 2024, with nearly 3,000 cases recorded. That does not mean every attacker uses SIM swapping, but it does prove the risk is active, not theoretical.

The direction of travel is clear. In 2025, the UK government announced a move to roll out passkeys across digital services as an alternative to SMS-based verification. That matters because it shows where serious defenders are heading: away from code-by-message, toward phishing-resistant sign-in.

Use SMS only when a service gives you no stronger option. It is still better than password-only login. It just should not be the method you trust most.

Authenticator Apps: A Clear Upgrade, but Not the Finish Line

Authenticator apps improve on SMS because they generate codes locally instead of sending them through a phone network. ACSC explicitly says authenticator apps are more secure than receiving a code by SMS or email. That alone makes them a solid upgrade for ordinary accounts.

But there is a hard limit to what a code can do. NIST states that OTP authenticators are never considered verifier-impersonation resistant because the user can still be tricked into typing the code into a fake site. NCSC says app-based code generators are vulnerable to OTP interception phishing attacks. That is the core problem: a six-digit code does not know which website you are on.

Not all app-based MFA is equal. NCSC ranks challenge-based authenticator apps above plain code generators. A push approval flow with number matching is stronger than a simple TOTP code because it is harder to steal with basic phishing tricks, even though it still does not match FIDO2 for phishing resistance.

So the practical rule is simple: if a site supports passkeys or security keys, use those first. If it does not, use an authenticator app. That is the right middle ground for most people today.

Passkeys: The Strong New Default

Passkeys matter because they change the game. FIDO defines passkeys as phishing-resistant credentials built on public-key cryptography. They can be stored on a phone, laptop, tablet, or security key, and they can be either synced across devices or device-bound to one device.

That design solves the biggest weakness of passwords, SMS codes, and OTP apps: fake sites can trick users into handing over reusable secrets. Passkeys do not work that way. ACSC says passkeys are faster and more secure than passwords and can stop criminals from stealing access by tricking users into logging in to fake websites. FIDO says the same thing in technical terms: the credential is unique to the service and resistant to phishing.
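To make the difference concrete, here is an added illustration (not code from the article or from any FIDO or NIST publication) of why a six-digit code is relayable but a FIDO2 assertion is not. The TOTP half follows RFC 6238 exactly; the WebAuthn half is a constructed simplification in which an HMAC keyed with a per-credential secret stands in for the authenticator's private-key signature, while the signed message (rpIdHash plus a hash of the browser-supplied clientData, which carries the page origin) mirrors what a real relying party checks. Origins, keys and challenge values are constructed sample inputs.

```python
import hashlib
import hmac
import json
import struct

# RFC 6238 TOTP (HMAC-SHA1, 30 s step). Note what is absent: nothing about
# which site the user is on. A code typed into a look-alike page and relayed
# to the real site within the time step is indistinguishable from a genuine one.
def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_site_accepts(secret: bytes, typed_code: str, now: int) -> bool:
    # The genuine site can only compare against the clock; it cannot tell where
    # the user typed the code.
    return hmac.compare_digest(typed_code, totp(secret, now))

# FIDO2/WebAuthn-style assertion. The browser, not the user, writes the page
# origin into clientData, and the authenticator signs rpIdHash || sha256(clientData).
# Constructed simplification: an HMAC with a per-credential key replaces the
# authenticator's private-key signature; the signed content mirrors WebAuthn.
def authenticator_assert(cred_key: bytes, rp_id: str, page_origin: str, challenge: str) -> dict:
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()          # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}

def rp_verify(cred_key: bytes, rp_id: str, expected_origin: str, challenge: str, a: dict) -> bool:
    cd = json.loads(a["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False                       # stale or replayed assertion
    if cd.get("origin") != expected_origin:
        return False                       # domain binding: signed on another site
    if a["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False                       # credential scoped to a different RP ID
    signed = a["auth_data"] + hashlib.sha256(a["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(a["signature"], expected)

if __name__ == "__main__":
    key = b"constructed-credential-key"
    relayed = authenticator_assert(key, "example.com", "https://login.example.net", "c1")
    print("relayed assertion accepted:", rp_verify(key, "example.com", "https://example.com", "c1", relayed))
```

The TOTP relay succeeds because the code carries no origin; the relayed assertion fails because the origin the browser wrote into clientData is not the one the relying party expects, even though the challenge was genuine.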

For most people, synced passkeys are becoming the strongest practical default because they combine phishing resistance with easier cross-device use and recovery. FIDO notes that synced passkeys are available across a user’s devices, while NIST says syncable authenticators can support up to AAL2 when protected properly. That makes them strong enough for a huge share of consumer and business accounts.

There is a trade-off. NIST is explicit that syncable authenticators cannot be used at AAL3 because the private key must be exportable to sync. That does not make synced passkeys weak. It means they are not the top-assurance option for the most sensitive environments.

Hardware Security Keys: Still the Best Option for What Matters Most

A real hardware security key is still the cleanest answer for high-value accounts. NIST says AAL3 requires a phishing-resistant cryptographic authenticator with a non-exportable private key, and syncable authenticators are not allowed there. That is why dedicated FIDO2 security keys still sit at the top end of the stack.

The case for them is not just theoretical. FIDO’s Google case study says that after Google required physical security keys, there had not been a successful phishing attack against its 85,000+ employees. That is not proof that hardware keys stop every possible compromise. It is strong evidence that they dramatically reduce one of the most common and damaging ways accounts get stolen.

ACSC’s passkey guidance makes the consumer case too: a physical FIDO2 security key can provide increased protection for your most important accounts, and it recommends storing a backup passkey on a second FIDO2 security key in case the first is lost, stolen, or damaged. That is the right way to use them. One key for daily life. One key in reserve.

The mistake people make is thinking a security key makes them untouchable. It does not. It shifts the risk away from stolen codes and fake login pages and toward recovery, fallback methods, lost-key handling, and endpoint security after sign-in. ENISA recommends secure fallback methods, and NIST’s guidance on authenticator binding and syncable recovery makes the same point: weak recovery can undercut strong authentication.

What You Should Use for Different Accounts

Email, banking, cloud storage, and primary identity accounts

Use a hardware security key or passkey first, then add a backup key or backup passkey. Remove SMS as a sign-in or recovery method wherever the service allows it. These are the blast-radius accounts: if one falls, the rest often follow. ACSC specifically says to start MFA with important accounts such as user and email accounts, financial services, and accounts holding personal information.

Everyday accounts that support passkeys

Use passkeys. They are fast, phishing-resistant, and easier to live with than password-plus-code setups. This is where passkeys shine. They give most people strong protection without forcing them to buy extra hardware.

Accounts that do not support passkeys or security keys

Use an authenticator app. It is not the best method on the board, but it is still a meaningful step up from SMS. Prefer challenge-based app approvals or number matching where available.

Legacy accounts that only offer SMS

Turn on SMS rather than nothing, but treat the account as lower-trust. Review recovery settings, watch your phone-number security, and move to a better method the moment the service offers one. NCSC says message-based methods are only likely to be appropriate when no other strengthening method is possible.

How to Upgrade Without Locking Yourself Out

Do not change everything at once and hope for the best. Use a clean order:

  1. Start with your email account and primary identity account. If those are weak, the rest do not matter.
  2. Enable a passkey or register two FIDO2 security keys for your highest-value accounts.
  3. Save backup codes and add a secure recovery method before you switch devices. ACSC specifically recommends backup codes and recovery planning for authenticator-based MFA.
  4. Remove SMS anywhere a stronger option exists, especially on important accounts.
  5. Test your backup method on a non-critical account first, so recovery is not a surprise when something breaks. That approach matches NIST’s emphasis on authenticator lifecycle events such as binding, loss, theft, and replacement.

The Bottom Line

If an account matters, stop asking whether any 2FA is enough. Ask whether the method is phishing-resistant, what the recovery path looks like, and whether SMS is still sitting there as a weak backdoor. NIST, ENISA, ACSC, and NCSC all point in the same direction: stronger authentication now means moving away from phishable codes and toward FIDO-based methods.

SMS is the fallback. Authenticator apps are the upgrade. Passkeys are the new default. Hardware security keys are still the best option for your most important accounts. That is the hierarchy that makes sense in 2026, and it is the one worth acting on now.