Is Your Business Security Wide Open? Every Type of 2-Step Verification Ranked (Worst to Best)

Most people assume that as long as they have "two-factor authentication" (2FA) turned on, they’re safe. They tick the box, get the text message, and get on with their day.

But here is the uncomfortable truth: having the wrong type of 2FA is almost as dangerous as having none at all.

One of our clients actually asked recently: "James, with so many options out there, which ones actually protect me?"

It’s a valid question. Some methods are now so outdated that using them is effectively leaving the door wide open for scammers. So, we have ranked every major type of 2-step verification from "dangerous" to "bulletproof," so you can see exactly where your business stands.

The One Setting You Must Check Today

Before we get into the ranking, here is the most important thing you’ll read today: If your team members are securing their Google Workspace or banking accounts with SMS text messages, you need to stop.

Hackers have outsmarted the mobile network. They don’t need to steal a phone to steal a text message code. If you rely on SMS, you are relying on infrastructure built in the 1990s to protect your business in 2026. Audit your team today. If you see "SMS" listed as their primary verification method, moving them to an Authenticator App or Passkey is your top priority.

The 2FA Hierarchy: From Dangerous to Unbreakable

We’ve ranked these methods based on how easy they are for a determined scammer to bypass.

7. Voice and Text Messages (Dangerous)

This is the "OG" of two-step verification, and frankly, it belongs in a museum, not your security settings.

How it works: You try to log in, and you get a text or a robot call with a six-digit code.

Why it’s dangerous: This is a scammer’s delight. Sophisticated attackers can perform a "Man-in-the-Middle" attack, intercepting the signal between the cell tower and your device to grab the code before you even see it.

Even simpler? They just call you. They pretend to be your bank or IT support, claim there’s fraud on the account, and ask you to "read back the code" that was just sent. If you do, you’ve just handed them the keys.

The Verdict: Only use this if you have absolutely zero other options.

6. Magic Links

You’ve likely seen this with services like Slack or Monzo.

How it works: You enter your email address, and the service emails you a special link. You click it, and you’re in. No password required.

Why it’s risky: It’s incredibly convenient, but it assumes your email account is secure. Your email inbox is the skeleton key to your entire digital life. If a hacker has access to your email—perhaps because of a reused password from years ago—they can request these links, intercept them, and delete the email before you even notice.

The Verdict: Convenient, but it’s only as strong as your email security.

5. Authenticator Apps (The "Minimum Standard")

This is where most businesses should be as a baseline. You’ll know these names: Google Authenticator, Microsoft Authenticator, or Authy.

How it works: You install an app that generates a new six-digit code every 30 seconds. The code is generated on your device using a "secret key," meaning it doesn’t travel over the mobile network.

Why it’s better: It kills "SIM Swap" attacks dead. Even if a hacker steals your phone number, they can’t generate the code without your physical device. However, it’s not perfect. You can still be tricked into typing this code into a fake website (phishing).

The Verdict: Safe, but not bulletproof. Pro-tip: Only download apps from brands you recognise to avoid fake, malicious apps.

4. Push Notifications

Attempts to balance security with laziness.

How it works: You log in, and your phone buzzes with a prompt: "Is this you trying to sign in?" You just hit "Yes" or "No".

The Risk: Hackers use a technique called "MFA Fatigue". They will spam your login at 2:00 AM, hoping you’ll get so annoyed or groggy that you’ll hit "Yes" just to silence the phone.

The Fix: Turn on "Number Matching." The system shows a number on your computer screen (e.g., "45") and asks you to select that number on your phone. This forces you to be awake and looking at the screen, stopping the fatigue attack.

3. Physical Security Keys

You might know these by the brand name YubiKey.

How it works: A physical USB stick that sits on your keyring. To log in, you plug it in or tap it against your phone.

Why it’s strong: It is "Phishing Resistant". If you land on a fake website that looks like Google, the key fundamentally won’t work because it cryptographically checks the website address.

The Verdict: The "Gold Standard" for security, but a hassle if you leave your keys at home.

2. Biometrics

This is where physical reality meets digital security: Face ID, Touch ID, Windows Hello.

How it works: You prove you are who you say you are using your face or fingerprint.

Why it’s strong: Modern systems use 3D depth mapping. A scammer can’t just hold up a photo of you to unlock your account. It binds access to you physically, making remote hacking incredibly difficult.

1. Passkeys (Bulletproof)

This is the future. If you can switch to Passkeys today, do it.

How it works: A Passkey relies on a pair of cryptographic keys. One is public (on the website), and one is private (locked deep inside your device). You never see a password; you just unlock your device with your face or fingerprint to approve the login.

Why it’s the best: It makes phishing mathematically impossible. Just like the physical key, a Passkey will not function on a fake website. It stops password reuse, database leaks, and human error.

How to Enable Passkeys in Google Workspace Today

Since most of you are running your businesses on Google Workspace, here is exactly how to upgrade your security to the "God Tier" right now.

For Business Admins: Before your team members can set this up, you need to allow it.

  1. Go to Security > Authentication > Passwordless.

  2. Check the box for "Allow users to skip passwords at sign-in".

For You and Your Team:

  1. Go to myaccount.google.com.

  2. Click Security on the left-hand menu.

  3. Scroll down to "How you sign in to Google".

  4. Click Passkeys.

  5. Click + Create a passkey.

  6. Select Continue and verify with your face, fingerprint, or screen lock.

Don't forget your backup codes!

When you set up strong security, such as Passkeys or Authenticator Apps, you are effectively closing the back door. But what happens if you lose your phone?

Every time you set up 2FA, the service will offer you Backup Codes (sometimes called Recovery Codes). Do not ignore these. Print them out or save them in a secure, encrypted note (like in 1Password). These are your "break glass in case of emergency" codes.

Summary

If you are still using SMS for your business banking or email, you are taking a risk you don't need to take. Upgrade to an Authenticator App as a minimum, but aim for Passkeys wherever possible.

If you’d like an expert to help you audit your current security setup and implement this for your team, the next step is to book a video call with us using the form below.

James Kimbley
I am the founder of Kimbley IT.
www.kimbley.com