To be honest, the two options you mentioned are the ones I try to avoid. SMS and email are the least secure methods of 2FA. Both email and SMS are the easiest 2FA methods to intercept or access in one way or another. A lot of hackers have found ways to get codes through those methods.
The core idea is to combine two distinct types of authentication factors:
- Something you know (like a password or PIN)
- Something you have (like a device or token)
- Something you are (biometrics like fingerprints or facial recognition)
In some cases they will require multiple of the above. So the term 2FA or two-factor authentication is generally being replaced by the term MFA or multi-factor authentication, because in some ways it may generally require more than one. Also, there are some things that actually combine two of the above into one, such as a passkey, which includes both something you have (phone, laptop, etc.) as well as something you are or know (fingerprint, Face ID, PIN) all in one. They are technically passwordless because they are using public-private key cryptography. They also don't fall for common phishing attacks because they are domain bound and won't work with a fake site.
Other than passkeys, I prefer authenticator apps. I like the kind of systems where it will send a push to my authenticator app that then lets me approve from my phone, but most use time-based codes. These are much better than SMS or email because both of those have issues with things like not being encrypted, as well as SIM swap issues, among other more complex interception tactics.
In addition to passkeys, authenticator apps, SMS and email, which we already discussed, there are also the following:
- Hardware tokens
- Push notifications
- Biometrics (countless options for this)
- Smart cards or magnetic stripe cards
- Behavioral biometrics (how you type, swipe or move your mouse)
You can sort of count backup passports.
Very soon you will start seeing huge popularity of cryptographic credentials in what is called Decentralized Identity (DID) being used.
I know you're fairly anti-AI, but the truth is AI-powered fraud detection is becoming extremely standard, even if you don't know it's already implemented. With deepfakes and synthetic identities on the rise, AI is being trained to spot subtle inconsistencies in facial movements, voice patterns, and document forgeries. Expect this to become standard in high-security environments.
The next phase in the evolution of security is going to be what is called continuous authentication. Rather than a one-time login, systems will verify you throughout your session, based on device signals, location, behavior, and more. It's like your computer constantly asking, "Are you still you?" without interrupting you.
There are some crazy cool security options coming out around quantum resistance. There are some really interesting ideas about how to implement quantum entanglement in such a way that it will be impossible to hack into or eavesdrop on something without getting caught or it being known that it's happening and steps being taken to immediately do something about it.
Be on the lookout for what they're calling multimodal biometric security, including things that are very difficult to spoof, such as your gait.
Identity proofing platforms are gaining a lot of traction lately. There are actually some really cool options that actually preserve a lot more anonymity and privacy than traditional methods.
I think it's actually going to become a lot less annoying, believe it or not, even though we're going to be switching from "prove who you are once" to something along the lines of "prove who you are continually and invisibly". It's going to be less about passwords and more about patterns. They're moving toward a point where you don't necessarily have to log in to a system at all like we're used to doing right now, and instead it will recognize who you are before you even ask. Soon there will be a generation that will laugh and think it's ridiculous that we used to rely on passwords and memory and other crazy stuff that was so insecure and easy to steal and hack and all of this kind of stuff. Everything we currently accept as normal will fairly soon be seen as totally archaic and crazy. Things are evolving in this industry faster than you think.
In fact, a lot of the above stuff is already possible and proven and tested. Adoption is just always relatively slow. The average person won't really even know about them until things slowly start getting phased out and in by specific key entities. But I can almost guarantee that it will happen for various reasons.
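
The domain binding of passkeys mentioned in the post above, shown as an added example that is not part of the original post: the server-side checks a WebAuthn relying party makes on the origin, challenge and RP ID hash of a login assertion. The site name `bank.example`, the look-alike `bank-login.example` and the helper names are assumptions, the sample data is constructed, and signature verification against the stored public key is a separate step not shown here.

```python
import base64, hashlib, hmac, json

EXPECTED_ORIGIN = "https://bank.example"  # assumed origin of the real site
EXPECTED_RP_ID = "bank.example"           # assumed relying-party ID

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def binding_problems(client_data_json, authenticator_data, expected_challenge):
    """Return the reasons to reject an assertion; [] means it is bound to us."""
    problems = []
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        problems.append("type")
    # The challenge must be the one this server issued for this login attempt.
    sent = b64url_decode(cd.get("challenge", ""))
    if not hmac.compare_digest(sent, expected_challenge):
        problems.append("challenge")
    # The browser, not the page, writes the origin it actually talked to.
    if cd.get("origin") != EXPECTED_ORIGIN:
        problems.append("origin")
    # Authenticator data: 32-byte rpIdHash, 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        return problems + ["authenticator data too short"]
    rp_hash = hashlib.sha256(EXPECTED_RP_ID.encode()).digest()
    if not hmac.compare_digest(authenticator_data[:32], rp_hash):
        problems.append("rpIdHash")
    if not authenticator_data[32] & 0x01:  # bit 0 = user present
        problems.append("user not present")
    return problems

def constructed_assertion(origin, rp_id, challenge, flags=0x05):
    """Constructed sample: what a browser and authenticator produce for a site."""
    cd = json.dumps({
        "type": "webauthn.get",
        "challenge": base64.urlsafe_b64encode(challenge).rstrip(b"=").decode(),
        "origin": origin,
    }).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return cd, auth

if __name__ == "__main__":
    challenge = bytes(range(16))  # constructed; a real server uses random bytes
    real = constructed_assertion("https://bank.example", "bank.example", challenge)
    fake = constructed_assertion("https://bank-login.example", "bank-login.example", challenge)
    print("real site:", binding_problems(*real, challenge))
    print("look-alike site:", binding_problems(*fake, challenge))
```
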