00

Why this matters

Your password is no longer the thing that protects an account. It leaks in a breach, it gets guessed, it gets reused across sites. A second factor is the safety net that catches the moment someone has your password but is not you.

A second factor is a second proof you give on top of the password, something only you should be able to produce. The most common one is a code sent to you by text message. You type your password, a six-digit code arrives by SMS, you enter it, and you are in. It is far better than a password alone, and most people have it switched on somewhere.

The trouble is where that code goes. It goes to your phone number, and a phone number is not as fixed as it feels. Someone can persuade your mobile network to move your number to a SIM card they hold, a trick known as SIM swapping. From that moment your texts, including your login codes, arrive on their phone, and they use them to reset passwords and walk into your accounts.

Two things are true at once. A text code still blocks the everyday attacks, where a stranger has your leaked password and nothing else, so it is worth keeping wherever nothing stronger is on offer. For the handful of accounts that hold your email, your money and your identity, you can do better and move to a second factor that has no phone number to steal and no code to read out. That upgrade is the whole of this guide.

The upgrade

A passkey is a key your own device holds and unlocks with your face or fingerprint. It signs you in to the real site without sending any secret, so there is nothing to phish and nothing to intercept. A hardware key does the same job in a small device you carry.

01

The three kinds of second factor

Three second factors are in common use. They look similar at the login screen, and they are not equal behind it.

                      SMS code                        Authenticator app                 Passkey or security key
tied to               your phone number               an app on one device              a key on your device or in your hand
survives a SIM swap   no                              yes                               yes
can be phished        yes, you can be talked into     yes, you can be tricked into      no, it answers only the real site
                      reading it out                  typing it
works with no signal  needs a network                 yes                               yes
effort to use         read a text, type six digits    open an app, type six digits      a glance or a fingerprint

The bottom rung is the SMS code. NIST, the United States standards body, now lists SMS in its Digital Identity Guidelines (SP 800-63B) as a restricted method: one that organisations must offer an alternative to and plan a move away from, and that they should back with extra checks such as watching for a recent SIM change or number port. It still counts as a second factor. It is the one to replace first.

An authenticator app is the middle rung. The code lives in an app on your device rather than riding on your phone number, so a SIM swap cannot reach it. You can still be lured into typing a live code into a convincing fake page, so it is better, not bulletproof.

A passkey or a hardware key is the top rung, and the gap is large. Each one is bound to the web address it was registered for and refuses to answer a lookalike, so a phishing page gets nothing. The evidence is plain. Google moved its more than 85,000 staff onto security keys in early 2017 and reported in 2018 that not one of them had had an account taken over by phishing since.

02

Where to start

You do not have to convert every account in one sitting. Start where the loss would be worst, and where one account can unlock the rest.

Your email comes first. It is the account that can reset all the others, so whoever holds your inbox holds everything tied to it. Secure your main email before you touch anything else, and the work that follows rests on solid ground.

Money comes second. That means your bank, your card and payment apps, and anywhere your savings or investments sit. These are the accounts a thief turns straight into cash, so they earn a strong second factor early.

Identity comes third. These are the logins other people trust as you: your mobile account, your main social profiles, your shopping accounts with a card saved. Your mobile account belongs here for a particular reason, since locking it down with a strong factor makes the SIM swap itself harder to pull off.

One a day is fine

Doing these in order beats doing them all at once and abandoning it half done. Three accounts in three sittings still leaves you far safer by the weekend.

03

Passkeys, in plain words

A passkey is a FIDO sign-in credential that you use the same way you unlock your phone, with your face, fingerprint or screen lock. There is no code and no password to type.

Under the surface it is a pair of keys. The private half stays sealed on your device and never leaves it. The public half sits with the website. When you sign in, the site sends a challenge, your device signs it with the private key, and the site checks the signature against the public half it already holds. No shared secret passes between you, so there is nothing for a thief to copy in transit or steal from the company later.

Two properties fall out of that design. A passkey cannot be phished, because it is bound to the web address it was created for and your device checks that address before it answers; it will not sign for a lookalike page. And it cannot be caught in a SIM swap, because no phone number is involved at any point.

Passkeys live wherever you keep them. One can sit on your phone, on your laptop, and inside a password manager that syncs it across your devices. A hardware key holds one too, in a device that plugs in or taps. Most people keep a passkey on more than one device so that a single lost phone is never the end of the story.

Your face stays on your device

The fingerprint or face check only unlocks the key locally. That biometric never travels to the website and is never stored by it. The site receives a signed answer from the key, not your fingerprint, so a lost device hands over neither.

04

Turn it on

The same four moves work on almost every large account. The exact menu names differ; the shape does not. Do them once on your email, then repeat on the next account down the list.

1
Find the setting

Open the account's security settings

Sign in to the account on a phone or laptop and open its security or sign-in settings. Look for an entry named Passkeys, Security keys, or Two-step verification. This is where every account keeps the controls you need.

2
Add a passkey

Create a passkey on the device you are using

Choose Add a passkey and confirm with the same face, fingerprint or screen lock you use to open the device. The account now has a passkey, and the next sign-in on this device asks for that instead of a code.

You'll know it worked

Sign out and back in. It should prompt for your face or fingerprint rather than a texted code. That prompt is the passkey doing its job.

3
Add a backup

Put a second key somewhere else

One passkey on one device is a single point of failure. Add a second so a lost or broken device never locks you out. Register a passkey on another device you own, such as a laptop as well as a phone, or add a hardware security key as the backup. A hardware key is the route the hardware vault guide uses, and the same key can serve here.

4
Save the way back

Download the recovery codes

Most accounts offer a set of one-time recovery codes. Download or write them down and keep them offline, away from the computer, with your other important papers. They are the route back in if you lose every device at once, and they take two minutes to save now.

05

Drop SMS without locking yourself out

Once a stronger factor is on and a backup is saved, turn the weak one off where the account lets you. The order matters: add first, remove second.

In the same security settings, look for the SMS or text-message option and remove it as a second factor. Many big accounts now let you sign in with a passkey and drop the phone number entirely. Some still keep SMS as a recovery method you cannot fully delete. That is acceptable as a last resort, as long as your everyday sign-in uses the passkey and your recovery codes are saved.

Then make your mobile number harder to steal in the first place. Ask your network for a port freeze or a number-transfer PIN, an extra check they must clear before moving your number to a new SIM. It is a short call, and it closes the door that a SIM swap walks through.

Add before you remove

Never delete SMS until the replacement is working and the recovery codes are saved. Test the new sign-in once, confirm the codes are somewhere safe, then turn the text codes off. Remove the weak factor last, not first.

06

If something breaks

Symptom: the account offers no passkey option
What to try: Use an authenticator app instead, which still lifts you off SMS. Check back later, as more accounts add passkeys every month.

Symptom: lost the phone with the passkey
What to try: Sign in with your second passkey or your hardware key, then remove the lost device from the account’s security settings.

Symptom: no backup device to hand
What to try: Use the one-time recovery codes from step 4. If those are gone too, the account’s own recovery process is the last route, which is slower by design.

Symptom: it keeps asking for an SMS code
What to try: A recovery method is still set to SMS. Open the security settings, set the passkey as the default, and remove or demote the text option.

Symptom: setting up for a relative
What to try: Sit with them for steps 3 and 4. A backup key and saved recovery codes are what turn a future lost phone into a minor event.

07

Quick reference

Step  Do
1     Open the account’s security or sign-in settings.
2     Add a passkey, confirmed with your face or fingerprint.
3     Add a second passkey or a hardware key as backup.
4     Download the recovery codes and keep them offline.
5     Remove SMS as a second factor where the account allows it.
6     Ask your mobile network for a port freeze or transfer PIN.

08

Common questions

The questions people ask before they decide whether this is worth an afternoon.

Is SMS two-factor better than no second factor at all?

Yes. A text-message code still stops the common attacks, where someone has only your password from a leak and nothing else. Keep it on any account that offers nothing stronger. The weakness is the targeted attack: a determined person can move your number to their own SIM and receive your codes, or trick you into reading one out to them. Where an account offers a passkey or a security key, move to that and leave SMS as a last resort.

What is a passkey, in one sentence?

A passkey is a key your device keeps and unlocks with your face, fingerprint or screen lock, which signs you in to the real site with no code to type and nothing for an attacker to steal.

Do I have to buy a hardware security key?

No. Passkeys are free and use the phone or laptop you already own, and for most people they are enough. A hardware key is a small device you can add as a stronger backup, useful if you want a second factor that lives nowhere but in your pocket. This guide treats it as optional.

What happens if I lose the device with my passkey on it?

You sign in another way and remove the lost device from the account. Most people keep a passkey on more than one device, or a hardware key as backup, or a set of one-time recovery codes saved offline. Set up one of those the same day you add the passkey, and a lost phone is an inconvenience rather than a lockout.

Can I lock myself out by turning off SMS?

Only if you remove it with no other way back in. Before you switch SMS off, add a passkey or an authenticator app and download the account's recovery codes. With a second method in place and the codes saved somewhere safe and offline, dropping SMS removes a weak point without removing your way in.

Is an authenticator app good enough on its own?

It is a clear step up from SMS, because the code is tied to the app on your device rather than to your phone number, so a SIM swap cannot intercept it. It is still possible to be tricked into typing a code into a fake site. A passkey or hardware key removes that last risk, because it answers only the genuine site. An authenticator app is a sound choice wherever passkeys are not offered.

What is SIM swapping?

Someone contacts your mobile network, pretends to be you, and has your number moved to a SIM card they control. From then on your calls and text messages, including any SMS login codes, arrive on their phone. They use that to reset passwords and get into your accounts. It is the main reason SMS codes are the weakest second factor.

Are passkeys just my fingerprint or face?

No. Your fingerprint or face only unlocks the key on your own device, and that biometric never leaves the device or reaches the website. The site sees a signed answer from the key, not your fingerprint. Losing the phone does not hand anyone your face or your accounts, because they still cannot unlock the key.