| Feature | Legacy 2FA (TOTP/SMS) | Modern MFA (WebAuthn/Passkey) |
|---------|------------------------|-------------------------------|
| Phishing resistance | ❌ None | ✅ Bound to origin (TLS) |
| Replay attack protection | ❌ Code can be reused | ✅ Cryptographic challenge-response |
| SIM swap risk | ❌ SMS only | ✅ N/A |
| User friction | Medium (type digits) | Low (biometric or PIN) |
| Device binding | ❌ No | ✅ Yes (private key never leaves device) |
RIP TOTP as anti-phishing (2012–2024). Long live WebAuthn/passkeys.