Two-factor authentication is one of the most effective security improvements available to ordinary users — but it spans an enormous range of actual protection. SMS codes and hardware security keys are both "2FA." They are not remotely equivalent. The idea behind two-factor authentication is simple: require a second proof of identity beyond a password. Even if an attacker steals your password, they cannot log in without the second factor. In practice, the security you get depends almost entirely on which second factor you use — and the gap between the best and worst options is significant. SMS One-Time Codes When a service texts you a six-digit code at login, it's using SMS as a second factor. This is the most widely deployed form of 2FA — and also the most fragile. SMS has three significant attack vectors that do not require compromising your device: SIM swapping — An attacker calls your carrier, impersonates you, and convinces them to transfer your number to a SIM the attacker controls.…