What Is Multi-Factor Authentication and Which Type Is Safest?
MFA means a stolen password is no longer enough to break in, but not all MFA is equal. Here we compare SMS codes, authenticator apps, hardware keys, and passkeys, ranked from good to best.

Multi-factor authentication (MFA) is the single most effective thing most people can add to their accounts, because it means a stolen password is no longer enough to break in. But not all MFA is equal. Some types are convenient and hugely better than nothing; others are genuinely phishing-resistant. This guide explains the main types in plain language and ranks them from "good" to "best," so you can prioritise the strongest option on the accounts that matter most.
What MFA actually is
MFA, sometimes called two-step verification (2SV), simply asks for a second proof of identity in addition to your password. The idea is that even if an attacker steals or guesses your password, they still cannot log in without the second factor.
The UK's National Cyber Security Centre (NCSC) is emphatic that getting any second factor on is the priority: "Any 2-step verification is better than not having it at all." So the ranking below should not stop you from turning on the only option a service offers. Some MFA always beats none.
The four common types, ranked
SMS text codes (good)
A code is texted to your phone. It is the most widely offered option and far better than a password alone. The NCSC notes that "text messages are not the most secure type of 2SV, but still offer a huge advantage over not using any 2SV." The weakness: codes can be intercepted (for example, if an attacker takes over your phone number), and a convincing fake login page can trick you into typing the code into it, after which the attacker simply enters it on the real site.
Authenticator apps (better)
Apps like Google Authenticator or Microsoft Authenticator generate a rotating six-digit code on your device. The NCSC highlights that these "eliminate dependency on mobile signals and message delays," and they are not exposed to phone-number hijacking. They are still phishable, though, because you can be tricked into typing the code into a fake site.
Hardware security keys (best, with passkeys)
A physical key (such as a USB or NFC device) proves your identity cryptographically. It is phishing-resistant: it will not authenticate to a fake site, because the check is bound to the real website's identity rather than to a code you could be tricked into typing somewhere else.
Passkeys (best)
Passkeys use the same phishing-resistant cryptography as hardware keys, but are built into your phone, laptop, and password manager and unlocked with your face, fingerprint, or PIN. There is no code to type and nothing to capture, which is why they sit at the top alongside hardware keys.
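To make the gap between the "phishable" tier (SMS and authenticator codes) and the "phishing-resistant" tier (hardware keys and passkeys) concrete, here is an added worked example; it is not taken from the NCSC guidance or from any product named above. It implements the rotating-code scheme authenticator apps use (TOTP, RFC 6238, checked against the RFC's published test vector) and a simplified model of how a passkey binds its response to the website's identity. The relying party accounts.example, the phishing domain evil.example and the credential key are constructed for the example, and an HMAC stands in for the asymmetric signature a real authenticator produces, so it runs with the Python standard library only.

```python
import hashlib
import hmac
import json
import secrets
import struct


# ---- Authenticator-app codes: HOTP (RFC 4226) / TOTP (RFC 6238) ----

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Six-digit (by default) code derived from a shared secret and a counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """The counter is just the current 30-second time window."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current window and one either side to allow clock drift.
    Note what is NOT checked: where the user typed the code. It is a bearer value."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# ---- Passkey / hardware key: origin-bound challenge-response (simplified) ----

RP_ID = "accounts.example"                 # constructed relying-party identifier
EXPECTED_ORIGIN = "https://accounts.example"


def authenticator_sign(cred_key: bytes, rp_id: str, client_data: dict) -> dict:
    """Model of a WebAuthn assertion: the signature covers SHA-256(rpId) and
    SHA-256(clientDataJSON). A real authenticator signs with a private key (ECDSA);
    HMAC-SHA256 stands in here so the example needs only the standard library."""
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    client_data_json = json.dumps(client_data, sort_keys=True).encode()
    to_sign = rp_id_hash + hashlib.sha256(client_data_json).digest()
    return {"rp_id_hash": rp_id_hash,
            "client_data_json": client_data_json,
            "signature": hmac.new(cred_key, to_sign, hashlib.sha256).digest()}


def browser_get_assertion(cred_key: bytes, page_origin: str, challenge: str) -> dict:
    """The browser, not the web page, fills in the origin the user is actually on.
    A fake page cannot change this field, which is what makes the scheme phishing-resistant."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    return authenticator_sign(cred_key, RP_ID, client_data)


def rp_verify(cred_key: bytes, expected_challenge: str, assertion: dict) -> bool:
    """The real site checks origin, challenge and rpId before the signature."""
    client_data = json.loads(assertion["client_data_json"])
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False
    if client_data.get("challenge") != expected_challenge:
        return False
    if assertion["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    to_sign = assertion["rp_id_hash"] + hashlib.sha256(assertion["client_data_json"]).digest()
    expected_sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


# ---- Constructed scenario: the user is on a look-alike site that relays to the real one ----

def relay_demo() -> tuple:
    """Returns (totp_relay_accepted, passkey_relay_accepted)."""
    secret = b"12345678901234567890"          # RFC 6238 test secret (constructed enrolment)
    now = 1111111109                          # a timestamp from the RFC's test table
    code_typed_into_fake_site = totp(secret, now)
    totp_relay_accepted = verify_totp(secret, code_typed_into_fake_site, now)

    cred_key = secrets.token_bytes(32)        # per-site credential created at enrolment
    challenge = secrets.token_urlsafe(32)     # issued by the real site, relayed by the fake one
    assertion = browser_get_assertion(cred_key, "https://evil.example", challenge)
    passkey_relay_accepted = rp_verify(cred_key, challenge, assertion)
    return totp_relay_accepted, passkey_relay_accepted


def legitimate_login() -> bool:
    cred_key = secrets.token_bytes(32)
    challenge = secrets.token_urlsafe(32)
    assertion = browser_get_assertion(cred_key, EXPECTED_ORIGIN, challenge)
    return rp_verify(cred_key, challenge, assertion)


if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(b"12345678901234567890", 59, digits=8))
    print("TOTP accepted after relay, passkey accepted after relay:", relay_demo())
    print("Passkey on the real site:", legitimate_login())
```

The TOTP half accepts the relayed code because the server only checks "is this the right code for this time window"; nothing in the code says where it was typed. The passkey half rejects the relayed assertion because the browser wrote https://evil.example into the signed client data and the real site expects its own origin, so even a perfectly relayed challenge produces a response the site will not accept. Real authenticators add a further check not modelled here: the browser refuses the whole ceremony if the site's domain does not match the credential's rpId.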
Quick comparison
| Type | Strength | Phishing-resistant? | Best for |
|---|---|---|---|
| SMS code | Good | No | Any account that offers nothing better |
| Authenticator app | Better | No | Most everyday accounts |
| Hardware key | Best | Yes | High-value accounts (email, finance, work) |
| Passkey | Best | Yes | Everyday and high-value accounts alike |
How to prioritise
You do not need to migrate everything at once. The NCSC advises focusing on "important" accounts first, "especially email (since compromised email enables password resets on other services)." A sensible order:
- Secure your email with the strongest method it supports.
- Add MFA to banking and finance, ideally a passkey or hardware key.
- Cover everything else with at least an authenticator app.
- Set up a backup method (such as recovery codes) so losing your phone does not lock you out.
Bottom line
Any MFA dramatically beats a password alone, so turn on whatever a service offers. When you have a choice, climb the ladder: SMS is good, authenticator apps are better, and passkeys or hardware keys are best because they cannot be phished. Start with your email, add a backup method, and you will have closed the door that most account takeovers walk through.
Sources and further reading
- NCSC: Setting up two-step verification (2SV) ncsc.gov.uk