When it comes to online privacy, there’s more to keeping your accounts secure than a password. In addition to hard-to-guess, unique passwords, many services now offer two-factor authentication (2FA).
The idea behind 2FA is that you need two things in order to access your account: “something you know, and something you have.” That means a password you know and a code delivered to you in another form. And generally when we talk about 2FA, we’re talking about verification via SMS. But that’s not the only way to enable 2FA — and it might not be the best.
2FA via SMS
On its face, 2FA via SMS seems like the perfect solution. After you enter your password, your phone receives a text message with a unique code in it. You enter that code and then you have access to your account. Because most people have their phones with them at all times, it’s a relatively easy, simple way to make sure that the person logging into the account is who they say they are.
However, SMS is built on old technology and has a number of potential security weaknesses. In fact, a few years ago the National Institute of Standards and Technology (NIST) declared that SMS 2FA wasn’t secure, due to the popularity of VoIP services. Because it’s so easy to register a phone number now, they argued, there’s too much scope for tampering.
Another way attackers take advantage of SMS 2FA is via SIM swapping. In this scenario, attackers convince a phone carrier that they are the legitimate owner of a phone number and have them assign a new SIM to the number. Once that’s done, all messages and calls go to the hacker’s phone instead of to the actual owner of the phone number.
2FA via authenticator app
Another option for 2FA is an authenticator app. In this case, you download an app to your phone and, when you enable 2FA on a service, scan a QR code that carries a secret seed key. The service keeps that seed on its server, and the app keeps a copy on your phone. From that point on, the app generates a fresh code from the seed every time you log in — and each code is only valid for 30 to 60 seconds.
The advantage of using an authenticator app is that there’s no way a hacker could get hold of a code and use it before it becomes invalid. Also, because the seed is only shared between your phone and the server, there are no intermediaries that could create security gaps or holes. The fewer people and devices involved, after all, the fewer ways codes can get intercepted.
The disadvantages of an authenticator app are that:
- They can only be used by people with smartphones;
- They require you to download an app;
- They allow syncing across devices, which could put you at risk if one of your devices is lost or stolen; and
- Not all accounts accept them as options for 2FA yet. Many of the major tech companies — including Dropbox, Google, Facebook, Amazon, Evernote, and LastPass, to name a few — do accept them, however, and you can expect that number to grow.
So what’s best for 2FA?
Despite the potential security risks of SMS 2FA, any 2FA is better than none. So if an account only offers SMS protection, take it! Just be aware of the possible ways it could be intercepted and pay attention when something seems off. And in the meantime, download an authenticator app and start using it on the services that accept it.