What is FIDO2/WebAuthn and why is it phishing-resistant?

FIDO2 (Fast IDentity Online) is a set of standards for public-key authentication. During login, the hardware key signs a challenge that includes the domain name of the site you are authenticating to. If you are on a phishing site (fake-bank.com) rather than the real bank, the signed challenge will not include the correct domain — the authentication will fail. This cryptographic domain binding is what makes FIDO2 fundamentally resistant to phishing in a way that TOTP and SMS codes are not.

Can a TOTP code be stolen in a real-time phishing attack?

Yes. Real-time phishing attacks (also called adversary-in-the-middle or AiTM attacks) use a proxy site that presents a convincing replica of the target login page. The victim enters their credentials and TOTP code, which is immediately forwarded to the real bank — the attacker logs in with the valid code before it expires. This attack is well-documented and increasingly automated. Hardware FIDO2 keys prevent it because the domain binding means the key will not sign for the phishing domain.

What are the risks of SMS-based two-factor authentication for banking?

SMS OTP is vulnerable to: SIM swap attacks (an attacker convinces your carrier to transfer your number to their SIM), SS7 protocol attacks (interception of SMS at the carrier level), malware that forwards SMS messages, and real-time phishing (the OTP is entered by the victim and forwarded immediately). Multiple major bank account takeovers and crypto exchange hacks have used SIM swap against SMS MFA. The NCSC and NIST both recommend moving away from SMS OTP for high-value accounts.

Which UK and international banks support hardware security keys?

As of 2026, hardware FIDO2 key support among major UK banks is limited — most use app-based OTP or proprietary card readers. Barclays, Halifax, and some business banking platforms support authenticator app TOTP. For investment accounts, Interactive Brokers and Fidelity International support hardware keys. In the US, Fidelity, Schwab, and TD Ameritrade support FIDO2. This is an area of active improvement across the sector following FCA Operational Resilience requirements.

Should I use a backup MFA method and what are the risks?

Yes — always set up a backup method to avoid being locked out if your primary method fails. But backup methods create security trade-offs: a weaker backup method (SMS OTP as backup for a FIDO2 primary) creates a way for an attacker to bypass your strong primary by triggering the backup flow. Where possible, register two hardware keys (one as backup) rather than registering a weaker method as the backup. Store the second hardware key in a physically secure location.

MFA for Financial Accounts: Hardware Keys vs TOTP vs SMS

Multi-factor authentication is widely recommended for financial accounts — but not all MFA provides equivalent protection. A hardware FIDO2 key and an SMS OTP are both "MFA," but they represent vastly different levels of security against the attacks that actually target financial accounts. This guide ranks each method and explains what it protects against.

Why MFA Matters More for Financial Accounts

Your bank, brokerage, and payment accounts are the highest-value targets a criminal can reach. A stolen password alone should never grant entry, which is why multi-factor authentication (MFA) adds a second proof of identity. But not all second factors are equal. The three most common options — hardware security keys, time-based one-time passwords (TOTP), and SMS codes — offer dramatically different levels of protection. Choosing wisely can mean the difference between a blocked intrusion and a drained account.

SMS Codes: Convenient but Weakest

SMS one-time codes are the most widely offered factor because nearly everyone has a phone that receives texts. The convenience is real, but so are the risks. Attackers can hijack your number through SIM-swapping, where they socially engineer your carrier into transferring service to their device. Codes can also be intercepted through SS7 network flaws or phishing pages that relay the code in real time.

Vulnerable to SIM-swap and carrier social engineering
Codes can be phished and replayed instantly
Fails when you have no cellular signal or while traveling abroad
Still far better than no second factor at all

TOTP Apps: A Strong Middle Ground

TOTP generators such as authenticator apps create a fresh six-digit code every 30 seconds, derived from a shared secret stored only on your device. Because nothing travels over the cellular network, SIM-swapping is irrelevant and there is no carrier to deceive. This makes TOTP a significant upgrade over SMS for protecting financial logins.

Works fully offline, with no signal required
Immune to SIM-swap and SS7 interception attacks
Free, fast, and supported by most banks and brokerages
Backups and device migration are easy with a password manager

TOTP has one weakness: a convincing phishing site can still trick you into typing a live code, which the attacker forwards before it expires. Vigilance about where you enter codes remains essential.

Hardware Keys: The Gold Standard

Hardware security keys using the FIDO2 and WebAuthn standards represent the strongest practical defense. The key performs a cryptographic handshake tied to the exact website domain, so a fake login page cannot complete the exchange. This design makes hardware keys effectively phishing-proof — the single biggest advantage for high-value accounts.

Phishing-resistant by design, since authentication is bound to the real domain
No code to type, intercept, or replay
Physical possession is required, defeating remote attackers entirely
Register at least two keys so a lost device never locks you out

Our Recommendation

For accounts holding real money, choose a hardware key wherever the institution supports it, and keep a registered backup key in a safe location. Where keys are not yet accepted, use a TOTP authenticator rather than SMS. Reserve text-message codes only for services that offer nothing else, and disable SMS fallback when a stronger method is active, since attackers will always target the weakest enabled factor.

Titan Passwords helps you store TOTP secrets securely, track which accounts still rely on SMS, and prioritize upgrading your most sensitive financial logins to phishing-resistant protection.

The Attack Landscape for Financial MFA

Two attack types dominate financial account takeovers and determine which MFA methods are truly effective:

Real-time phishing (AiTM): A proxy site captures credentials and TOTP codes as victims enter them, immediately forwarding to the real institution. Any time-based code can be captured this way.
SIM swap: An attacker social-engineers a mobile carrier to transfer your phone number to their SIM, receiving all future SMS OTPs intended for you.

MFA Method Comparison

Method	Phish-resistant	SIM swap-resistant	Malware-resistant	NIST AAL
FIDO2/WebAuthn hardware key	✓ Yes	✓ Yes	✓ Yes	AAL3
Authenticator app (TOTP/HOTP)	✗ No	✓ Yes	Partial	AAL2
Push notification (Authenticator)	✗ No	✓ Yes	Partial	AAL2
SMS OTP	✗ No	✗ No	✗ No	AAL1
Email OTP	✗ No	✗ No	✗ No	AAL1

Practical Implementation

For all financial accounts, implement in this priority order:

Register a FIDO2 hardware key (YubiKey 5 series, Google Titan) as primary MFA where supported
Register a second hardware key as backup — not SMS, not email
Where hardware keys are not supported, use an authenticator app (Aegis on Android, Raivo on iOS) — not Google/Microsoft Authenticator which sync to cloud
Remove SMS OTP from all financial accounts where the institution allows removal
Remove email OTP where the institution allows removal

NCSC guidance: The UK National Cyber Security Centre recommends moving away from SMS OTP for high-value accounts and towards authenticator apps or hardware security keys. The FCA Operational Resilience framework requires financial institutions to implement controls proportionate to the risk of account takeover.

MFA TOTP FIDO2 SMS OTP phishing authentication

For informational purposes only. This does not constitute financial or legal advice. Consult qualified compliance and legal professionals for regulated financial environments.

← How to Secure Your Investment and Brokerage Ac SIM Swap Attacks: How Fraudsters Target Financ →