Questions: Setting Up and Using Two-Factor Authentication
5 questions to test your understanding
Question 1 Multiple Choice
Your friend says: 'I use SMS-based 2FA on my bank account, so I have the same protection as someone using an authenticator app.' Why is this claim incorrect?
A. It is correct — both methods use a second factor, providing identical protection
B. SMS codes are weaker because they travel over a network and can be intercepted via SIM-swapping attacks, while authenticator apps generate codes locally
C. SMS codes are actually stronger because they are tied to a physical phone number registered with the carrier
D. SMS is weaker only for accounts with weak passwords; with a strong password the difference is negligible
Answer: B
SMS codes are transmitted over the phone network, making them vulnerable to SIM-swapping attacks — where an attacker convinces a carrier to transfer your number to their device. Authenticator apps generate codes locally using a shared secret key and never transmit the code over any network, making them much harder to compromise. Hardware security keys are stronger still because they cryptographically verify the specific website being logged into, preventing phishing entirely.
Question 2 Multiple Choice
You are enabling 2FA on your accounts for the first time and can only prioritize one account today. Which should you choose first?
A. Your social media account, because it contains the most personal information
B. Your email account, because it is used to reset passwords for every other account
C. Your bank account, because financial data is the most sensitive
D. Your work account, because compromising it would affect your employer
Answer: B
Email is the master key to all other accounts — almost every online service sends password reset links to your email. If an attacker controls your email, they can trigger password resets and take over all your other accounts regardless of how well those accounts themselves are secured. Protecting email with 2FA first therefore protects every downstream account. Financial accounts are a strong second priority.
Question 3 True / False
An authenticator app is more secure than SMS-based 2FA because the one-time codes are generated locally on your device and never transmitted over a network.
True
False
Answer: True
Authenticator apps (like Google Authenticator or Authy) use a shared secret key to generate time-based codes (TOTP) entirely on your device. The code is never sent anywhere — only you read it and type it in. SMS codes, by contrast, are sent as text messages over the cellular network, where they can be intercepted through SIM-swapping or SS7 protocol vulnerabilities. This fundamental difference in how the code travels (or doesn't) is why authenticator apps are considered a meaningfully higher security tier.
Question 4 True / False
If you lose your phone while 2FA is enabled on your accounts, customer support can easily restore your access within a few minutes.
True
False
Answer: False
Account recovery without backup codes is typically slow, difficult, and sometimes impossible. Services take identity verification seriously precisely because the recovery process could otherwise be exploited to bypass 2FA. Some accounts require extensive documentation; others may not be recoverable at all. This is why saving backup codes at the time of 2FA setup — in a secure, physically separate location — is the critical step that many people skip and later regret.
Question 5 Short Answer
Why should 2FA backup codes be stored somewhere physically separate from your phone, rather than saved in a note or document on the same device?
Model answer: Backup codes exist specifically for the scenario where your phone is unavailable — lost, stolen, or destroyed. If the backup codes are on the same device, they become inaccessible in the exact situation where you need them. Storing them separately (in a password manager, a printed copy in a secure drawer, or an encrypted note on a different device) ensures you can access them when your phone is gone. The whole point of backup codes is to be the recovery path that exists independently of your primary 2FA device.
This question targets the most common 2FA setup mistake. The backup codes are not a convenience feature — they are the emergency exit. Just as a fire escape must be accessible when the main door is blocked, backup codes must be accessible when your phone is unavailable. Physical separation from the phone is the key insight: a screenshot in your phone's photo gallery fails completely if the phone is lost.