In 2024, over 99.9% of automated account takeover attacks targeted weak or absent two-factor authentication. At a fintech startup I co-founded in 2021, we discovered that our SMS-based 2FA was not a shield — it was a welcome mat. After a credential-stuffing campaign drained $340,000 in customer funds across 11 days, we tore down our entire second-factor stack and rebuilt it from scratch. This article walks through every decision, every line of code, and every benchmark that got us to a phishing-resistant 2FA system that has blocked 14,000+ attacks in the past 18 months with zero successful bypasses.…