Question 1 Multiple Choice
An attacker obtains your password through a data breach and then uses social engineering to convince your phone carrier to transfer your number to a SIM card they control. Which 2FA method would still protect your account from this attack?
A. SMS-based 2FA — your number is registered to your account
B. An authenticator app that generates time-based codes on your phone
C. A hardware security key
D. Both authenticator apps and hardware keys would protect you equally
This describes a SIM-swapping attack: the attacker has effectively stolen your phone number. SMS-based 2FA is defeated entirely, because every code is now delivered to a SIM the attacker controls. An authenticator app's TOTP secret lives on your phone, not on the SIM, so the swap does not expose its codes directly; the danger is that many services let whoever controls the phone number run an SMS-based account recovery that resets or bypasses the app, which is why B is not a safe answer. A hardware security key is immune to SIM swapping because the attacker would need the key in hand. The same recovery caveat applies to it, though: a key only closes the door if SMS is also removed as a recovery method, so disable phone-number recovery once the key is enrolled.
Question 2 Multiple Choice
Which 2FA method is the only one that provides protection if you accidentally enter your credentials on a convincing phishing site?
A. SMS-based 2FA, because the attacker would also need your phone
B. An authenticator app, because the TOTP code expires within 30 seconds
C. A hardware security key, because it authenticates against the website's cryptographic identity and will not work on a fake site
D. Any 2FA method protects against phishing, since the attacker would need both your password and second factor
Hardware security keys authenticate the site as well as you. In FIDO2/WebAuthn the browser, not the web page, tells the key which relying-party ID it is talking to and writes the page's real origin into the signed client data; the credential is scoped to the legitimate domain. On a pixel-perfect copy of your bank hosted elsewhere, the key either has no credential to use or produces an assertion that the real site rejects, even if you typed your credentials into the fake page. SMS and TOTP codes, by contrast, are just numbers you type in: a real-time phishing proxy forwards your password and code to the real site within the 30-second window, and nothing in the code says which site it was typed into. The Explainer explicitly states hardware keys are 'the only method resistant to phishing.'
Question 3 True / False
SMS-based two-factor authentication can be defeated by a SIM-swapping attack, even though it requires something you 'have' (your phone number).
T. True
F. False
Answer: True
SIM swapping exploits the fact that what you 'have' is actually a phone number assigned by your carrier, not an irreplaceable physical object. An attacker who convinces your carrier to transfer your number to their SIM now receives all SMS messages sent to that number, including 2FA codes. This is why the topic singles out SMS as the weakest 2FA form: the 'something you have' is a phone-number assignment, which can be socially engineered away from you rather than having to be physically taken. Authenticator apps and hardware keys are tied to a physical device, so stealing the factor requires physical access to that device.
Question 4 True / False
Two-factor authentication protects your account even if you enter both your password and your 2FA code on a phishing site, because the attacker still doesn't have your physical second factor.
T. True
F. False
Answer: False
This is true ONLY for hardware security keys, the one exception. For SMS and authenticator-app codes, an attacker running a real-time phishing attack can relay your credentials and 2FA code to the real site within the code's validity window. You have handed over both factors on the fake site, and the attacker uses them immediately on the real one before the TOTP code expires. The Explainer explicitly warns: '2FA does not protect against phishing if you enter both your password and your 2FA code on a fake site.' Only hardware keys are architecturally resistant, because the credential is bound to the legitimate site's origin rather than to a code you can be tricked into retyping.
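To make the origin-binding argument in Questions 2 and 4 concrete, here is an added example; it is not part of the original quiz or the Explainer it references. It simulates a real-time relay phishing attack twice: once against TOTP (RFC 6238, implemented with the Python standard library) and once against a simplified WebAuthn ceremony. The authenticator, browser and relying party are toy models written for this example: an HMAC stands in for the key's ECDSA signature, the domains bank.example and bank-example.com are made up, and the attacker's challenge relay is constructed inline. The relayed TOTP code is accepted by the real site; the relayed WebAuthn attempt never yields an assertion the real site will accept.

```python
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

# --- TOTP (RFC 6238: HMAC-SHA1, 30-second step, 6 digits) ---
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def totp_verify(secret: bytes, code: str, t: int, window: int = 1) -> bool:
    """Accept the current step and one step either side, as most servers do."""
    return any(hmac.compare_digest(totp(secret, t + k * 30), code)
               for k in range(-window, window + 1))

def relay_totp_phish(secret: bytes, t: int) -> bool:
    """Victim types the code on the fake site; attacker submits it to the real site 5 s later."""
    victim_code = totp(secret, t)                  # nothing in the code says which site it was typed into
    return totp_verify(secret, victim_code, t + 5) # the real site accepts the relayed code

# --- Simplified WebAuthn: authenticator, browser and relying party (toy models) ---
class Authenticator:
    """One credential per RP ID. HMAC stands in for the key's ECDSA signature (simplification)."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id: str) -> bytes:
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]            # what the RP stores (a public key in real WebAuthn)

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self.creds.get(rp_id)
        if key is None:
            return None                     # credential is scoped to another RP ID: nothing to sign
        # authenticatorData = rpIdHash (32 bytes) | flags (UP set) | signCount (4 bytes)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00" * 4
        return auth_data, hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get(page_origin: str, rp_id: str, challenge: str, authn: Authenticator):
    """The browser, not the page, writes the true origin into clientDataJSON and
    refuses an RP ID that is not a registrable suffix of the page's host."""
    host = urlparse(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        return None                         # a real browser raises SecurityError here
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    result = authn.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    auth_data, sig = result
    return client_data, auth_data, sig

def rp_verify(rp_id: str, expected_origin: str, challenge: str, stored_key: bytes, assertion) -> bool:
    """Relying-party checks from the WebAuthn spec: type, challenge, origin, rpIdHash, signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    expected = hmac.new(stored_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

RP_ID, REAL_ORIGIN = "bank.example", "https://bank.example"   # made-up domains for this example
PHISH_ORIGIN = "https://bank-example.com"

def scenario_legit_login() -> bool:
    authn = Authenticator()
    stored_key = authn.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    return rp_verify(RP_ID, REAL_ORIGIN, challenge, stored_key,
                     browser_get(REAL_ORIGIN, RP_ID, challenge, authn))

def scenario_relay_phish() -> bool:
    """Attacker's proxy fetches a fresh challenge from the real site and feeds it to the victim's
    browser on the phishing page. Whatever RP ID the fake page asks for, no usable assertion results."""
    authn = Authenticator()
    stored_key = authn.register(RP_ID)
    challenge = secrets.token_urlsafe(32)
    for requested_rp_id in (RP_ID, "bank-example.com"):
        assertion = browser_get(PHISH_ORIGIN, requested_rp_id, challenge, authn)
        if rp_verify(RP_ID, REAL_ORIGIN, challenge, stored_key, assertion):
            return True
    return False

if __name__ == "__main__":
    print("TOTP relayed from phishing site accepted:", relay_totp_phish(b"12345678901234567890", 59))
    print("WebAuthn legitimate login accepted:", scenario_legit_login())
    print("WebAuthn assertion relayed from phishing site accepted:", scenario_relay_phish())
```

The TOTP half uses the RFC 6238 test secret, so the code it produces at t=59 can be checked against the published vectors. The WebAuthn half shows the two places a phishing page loses: the browser refuses to let bank-example.com ask for the bank.example RP ID, and if the page asks for its own RP ID the key has no credential for it. In a real deployment the relying party's origin check is what turns a lookalike domain into a hard failure rather than a 30-second race.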
Question 5 Short Answer
Recovery codes are sometimes described as 'equally powerful' to your 2FA device itself. Explain why this is true and what it means for how you should store them.
Think about your answer, then reveal below.
Model answer: Recovery codes bypass the second factor entirely — they are designed to get you into your account when you've lost your 2FA device. This means anyone who obtains a recovery code can access your account with just your password, exactly as if they had your physical second factor. They should therefore be stored with the same security level as your most important password: in a password manager or a physically secure location separate from your phone, not in your email inbox or a note on your phone's lock screen.
The practical implication: recovery codes are not backup trivia; they are a complete credential. Storing them insecurely (e.g., in an email you're already logged into on a compromised device) negates the entire benefit of 2FA. The Explainer notes that losing your 2FA device WITHOUT recovery codes can mean permanent lockout, because services treat the 2FA boundary seriously. The tradeoff is that recovery codes must exist somewhere accessible to you but inaccessible to attackers, and a password manager satisfies both conditions. Most services make each code single-use; if you suspect one has been exposed, regenerate the whole set rather than continuing to rely on the remaining ones.