Two-factor authentication — what it protects, what it doesn't, and the right second factor

What makes this confusing

Two-factor authentication is consistently recommended as a security essential. The recommendation is correct. The explanation usually stops at 'adds a second layer of security' without specifying what threat that layer addresses, what happens when it fails, or how significantly the second factor choice matters. SMS verification, TOTP apps, and hardware keys are all called 'two-factor authentication' — they are not equally resistant to the same attacks.

For password managers specifically, 2FA protects vault access rather than protecting individual accounts. A password manager with strong 2FA means an attacker with your master password still cannot access your vault without the second factor. The quality of the second factor matters more here than on most consumer services — the vault is a target worth bypassing 2FA for.

The threat 2FA addresses is clear: an attacker who has your password but not your physical device. The threat 2FA doesn't address is also clear: an attacker who has your device, or who can intercept the second factor in transit.

What people usually assume

The assumption that SMS 2FA is meaningfully protective overlooks SIM swapping. A SIM swap attack convinces a mobile carrier to transfer a victim's phone number to an attacker's SIM card, giving the attacker control of all SMS-delivered codes. SIM swapping is disproportionately used against high-value targets — cryptocurrency holders, executives, journalists — but it is not exotic. It has been used in mass targeting operations. SMS 2FA is better than no 2FA; it is not a strong second factor.

A second assumption is that TOTP (time-based one-time passwords from an authenticator app) is resistant to phishing. Standard TOTP is not. A phishing site that captures a username, password, and TOTP code has 30 seconds to use all three credentials before the code expires. Adversary-in-the-middle attacks that relay credentials in real time routinely capture and replay TOTP codes within the validity window. TOTP is a meaningful improvement over SMS; it is still phishable.

A third assumption is that all hardware keys provide the same protection. FIDO2/WebAuthn keys with origin binding provide phishing-resistant authentication: the key's cryptographic response is bound to the specific origin (domain) of the legitimate site, making it impossible to replay on a lookalike domain. Older hardware key standards (YubiKey OTP) do not have this property. The phishing resistance of hardware 2FA depends specifically on FIDO2/WebAuthn, not on having a physical key generally.

What's actually true

The hierarchy of second factor strength: No 2FA < SMS OTP < TOTP app < FIDO2/WebAuthn hardware key. Each step up provides meaningful additional protection. The difference between TOTP and hardware keys is specifically phishing resistance — TOTP codes can be relayed by an attacker in real time; hardware key responses cannot be replayed on a different domain. For accounts where phishing is a realistic threat model — email, banking, high-value work systems — hardware keys provide the only second factor that is genuinely phishing-resistant.
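The two properties argued above, that a relayed TOTP code is accepted anywhere within its validity window while a FIDO2/WebAuthn assertion is bound to the origin the browser actually connected to, as an added example that is not part of the original guide. The TOTP function follows RFC 6238; the assertion format is a simplified stand-in (HMAC in place of the ECDSA signature, constructed domain names and seeds), so it illustrates the origin check rather than the full WebAuthn verification procedure.

```python
import hmac, hashlib, json, struct

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step): the code depends only on secret and time."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_server_accepts(secret: bytes, code: str, now: int) -> bool:
    # Nothing in the code names the site it was typed into, so a relayed code is valid anywhere.
    return hmac.compare_digest(code, totp(secret, now))

def authenticator_sign(cred_key: bytes, challenge: bytes, origin: str) -> dict:
    """Stand-in for a FIDO2/WebAuthn assertion. The browser (not the user) fills in the origin
    it is actually connected to; the authenticator signs over it. HMAC stands in for ECDSA."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin}, sort_keys=True).encode()
    return {"client_data": client_data,
            "signature": hmac.new(cred_key, client_data, hashlib.sha256).digest()}

def rp_verify(cred_key: bytes, assertion: dict, challenge: bytes, expected_origin: str) -> bool:
    """Relying-party check: origin and challenge must match, then the signature over them."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != expected_origin or data.get("challenge") != challenge.hex():
        return False
    expected = hmac.new(cred_key, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def demo() -> dict:
    secret, cred_key = b"constructed-totp-seed", b"constructed-credential-key"  # constructed
    t = 1_700_000_010                      # start of a 30 s TOTP window (1_700_000_010 % 30 == 0)
    code = totp(secret, t)                 # the code the victim types into the lookalike page
    legit, phish = "https://vault.example.com", "https://vault-example.com"   # constructed names
    challenge = b"\x01\x02\x03\x04"        # legitimate site's challenge, relayed by the attacker
    genuine = authenticator_sign(cred_key, challenge, legit)
    relayed = authenticator_sign(cred_key, challenge, phish)  # same key and challenge, wrong origin
    return {
        "totp_relayed_within_window": totp_server_accepts(secret, code, t + 12),         # True
        "fido_genuine": rp_verify(cred_key, genuine, challenge, legit),                  # True
        "fido_relayed_from_lookalike": rp_verify(cred_key, relayed, challenge, legit),   # False
    }

if __name__ == "__main__":
    print(demo())
```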

For the password manager vault specifically: 2FA protects against an attacker who has your master password but not your second factor. Given that the vault contains all other credentials, the vault's 2FA deserves the strongest available second factor. All major password managers in this comparison support FIDO2/WebAuthn on paid plans.

The TOTP-in-vault question is related: if your TOTP codes are stored in the same vault as your passwords, both factors become vulnerable to the same vault compromise. For most accounts this trade-off is acceptable. For your most critical accounts — email, master password recovery path — storing TOTP separately from the vault provides genuine additional protection.

Where this leads

If you want to understand the specific trade-off between TOTP stored in your password manager vault and TOTP in a dedicated authenticator app, the TOTP guide covers the circular lock-out risk and the cases where separation matters.

TOTP in vault — the risks and when they matter

If you want hardware key support for your password manager vault — Keeper has the broadest enterprise hardware key support; Bitwarden supports FIDO2/WebAuthn at the lowest price point; all major providers in this comparison support it on paid plans.

Password managers with hardware security key support

Limits of this guide

2FA protects the login credential step. It does not protect against malware running on an already-authenticated device, session token theft after successful login, or social engineering that bypasses authentication entirely. 2FA is a meaningful layer; it does not make the protected account invulnerable.
