Two-factor authentication dramatically improves account security, but it doesn't make you immune to phishing. Whether an attacker can get past it depends on which type of 2FA you use and how sophisticated the attack is.
What Standard 2FA Protects Against
Most account takeovers happen because of leaked passwords: from data breaches, credential stuffing, or password reuse. In these cases, 2FA is highly effective. Even if an attacker has your correct password, they still can't log in without your second factor. This is why enabling any form of 2FA is far better than having none.
Real-Time Phishing: The Attack 2FA Doesn't Stop
Adversary-in-the-middle (AiTM) phishing uses a proxy server that sits between you and the real site. You think you're logging into the real website, but you're actually logging into the attacker's server, which forwards your credentials and 2FA code to the real site in real time.
Here's how it works: you receive a convincing phishing email, click the link, and land on a fake login page that looks identical to the real one. You enter your username, password, and 2FA code. The attacker's server immediately uses all three on the real site and establishes a session, then shows you an error or redirects you to cover its tracks.
Tools like Evilginx2 make this attack trivially easy to execute. It's increasingly common against high-value targets: executives, crypto holders, and people with access to valuable systems.
SMS 2FA and Phishing
SMS codes are the most vulnerable to real-time phishing because they typically stay valid for a few minutes, giving the attacker plenty of time to use them. They're also vulnerable to SIM swapping as a separate attack vector. SMS 2FA is better than nothing but provides the weakest protection of any 2FA method.
TOTP Authenticator Apps and Phishing
TOTP codes (from apps like Google Authenticator or Authy) expire in 30 seconds. This makes them harder to use in real-time phishing: the attack has to be automated and instant. However, sophisticated AiTM attacks are exactly that, relaying the code the moment you enter it. TOTP is much better than SMS but is not phishing-resistant in the strict technical sense.
The Only Truly Phishing-Resistant 2FA
Hardware security keys using the FIDO2/WebAuthn standard are the only truly phishing-resistant 2FA method. Here's why: the key cryptographically binds its response to the exact domain of the site you're authenticating with. If you're on a phishing site at fake-google.com instead of google.com, the key detects the mismatch and refuses to authenticate, even if the page looks identical.
This is why security researchers, government agencies, and high-value targets are increasingly using hardware keys. Google reported that after requiring all employees to use hardware keys, account takeovers dropped to zero. Passkeys, the newer standard built into phones and operating systems, work on the same principle.
How to Protect Yourself
Enable 2FA on every account that supports it: any 2FA is far better than none. Be sceptical of unexpected login prompts, emails asking you to verify your account, and any site that asks for your 2FA code outside of the normal login flow. Legitimate services will never ask for your secret key or backup codes.
For your most important accounts (email, crypto, work systems) consider a hardware key or passkey if supported. Check whether you're using the right 2FA method for each account's risk level.
You can verify your TOTP codes are working correctly using a browser-based 2FA generator without your codes ever leaving your device.