The weakest second factor in widespread use is SMS: a six-digit code sent to your phone number, which is vulnerable to SIM swapping, SS7 interception, and real-time relay attacks. Moving off SMS is the single most impactful authentication improvement most people can make. But "moving off SMS" encompasses a range of options with meaningfully different security properties.
How TOTP Authenticator Apps Work
TOTP stands for Time-based One-Time Password, defined in RFC 6238. When you set up an authenticator app (Google Authenticator, Authy, 1Password TOTP, Bitwarden, etc.) on an account, the service gives you a shared secret — typically encoded as a QR code. Both the service and your app now share that secret.
To generate a code, the app combines the shared secret with the current Unix timestamp, truncated to a 30-second window, and runs it through an HMAC-SHA1 function. The service does the same computation on its end and compares. If they match, you're in. Codes expire after 30 seconds, which limits replay attacks.
The TOTP secret is a symmetric shared key. Its security depends on two things: keeping it confidential (if someone extracts the secret encoded in the QR code from your app, or the service leaks it, they can generate valid codes indefinitely), and keeping your device clock synchronized (if it is off by more than 90 seconds, codes stop working).
How Hardware Keys Work (FIDO2/WebAuthn)
Hardware security keys — YubiKey, Google Titan Key, and others — implement the FIDO2 standard, which uses asymmetric cryptography rather than shared secrets. When you register a key with a service, the key generates a new key pair (public and private). The public key is sent to the service. The private key never leaves the hardware device.
To authenticate, the service sends a challenge — a random string, plus the origin (the exact domain you're authenticating to). The key signs the challenge with its private key. The service verifies the signature against the public key it stored. Crucially, the origin is cryptographically included in what gets signed.
A FIDO2 key will not sign a challenge from accounts-google.com.attacker.com. It checks that the origin matches the domain it was registered for. This is what makes hardware keys phishing-resistant: no legitimate-looking fake site can extract a valid credential from your key.
The Phishing Gap
This is the core practical difference between TOTP and hardware keys. TOTP codes are phishable. A realistic fake login page can capture your username, password, and TOTP code, immediately relay them to the real service, and establish a session before your 30-second code expires. This attack is documented in the wild and is straightforward to execute.
Hardware keys are not phishable via this mechanism. The key won't produce a valid signature for a domain it wasn't registered on. An attacker running a fake version of your bank's login page cannot trick your YubiKey into authenticating you to the real bank. The origin check is enforced in the hardware's cryptographic operations, not in the browser or operating system where an attacker might have more influence.
Google ran an internal study beginning in 2017, before broadly deploying hardware keys to employees: zero phishing-related account compromises in the population using hardware keys, compared to continued incidents in the TOTP population. The company published the result publicly. It's the strongest real-world evidence of the gap.
Real-World Tradeoffs
| Property | TOTP App | Hardware Key (FIDO2) |
|---|---|---|
| Phishing resistant | No | Yes |
| SIM swap resistant | Yes | Yes |
| Cost | Free | $25–$70 per key |
| Works without internet | Yes | Yes |
| Works on mobile | Yes | Via NFC or USB-C (key-dependent) |
| Recovery if lost | Re-scan backup QR codes (if saved) | Register a backup key in advance |
| Service support | Near-universal | Broad but not universal |
| Shared secret exposure risk | Secret exists on both sides | Private key never leaves hardware |
Which to Use for What
For most people, the honest recommendation is: use TOTP for everything it covers, and use a hardware key for the accounts where phishing is a plausible threat and compromise would be most damaging.
Email accounts deserve hardware keys. Whoever controls your email controls your password reset flow for everything else. Corporate accounts in high-risk roles (finance, executive, IT admin) deserve hardware keys. Cryptocurrency exchange accounts that can't be reversed deserve hardware keys.
For secondary accounts — streaming services, forums, lower-stakes social media — TOTP is a proportionate and sufficient improvement over SMS. The marginal value of a hardware key decreases as the account's blast radius decreases.
Recovery planning matters for both methods. TOTP users should store their backup QR codes — printed or in a password manager's TOTP field — so that a lost phone doesn't mean locked-out accounts. Hardware key users should register two keys (a primary and a backup) to every important account before relying on either. Both of these steps are frequently skipped and frequently regretted.
Passkeys — a newer standard built on the same FIDO2 cryptography — are worth mentioning. They offer hardware-key-level phishing resistance but are stored in device keystores or password managers rather than dedicated hardware. The security model depends on your device and key manager's security; well-implemented passkeys on a non-compromised device are strong. The recovery story varies by platform and is still maturing.
The bottom line: if you're currently on SMS 2FA for important accounts, switching to TOTP is a meaningful improvement you can do today for free. If you're on TOTP and your primary concern is a targeted phishing attack, a hardware key closes the gap that TOTP leaves open.