Annie's notes: Two-factor Authentication (2FA) - SuQuoc/ft_transcendence GitHub Wiki

https://www.kaspersky.com/blog/types-of-two-factor-authentication/48446/

Two-factor authentication requires users to present two of the following types of authentication factors:

  • Something they know (traditionally a password)

  • Something they have (such as a phone or hardware token)

  • Something they are (referring to biometrics, such as a fingerprint)

SMS

  • SMS is not end-to-end encrypted: messages travel through the carriers' networks in a form the carriers (and anyone who compromises their signalling infrastructure) can read, so an attacker positioned in the delivery path can intercept or redirect codes (for example by taking over the victim's phone number through SIM swapping).

  • The server must store the pending one-time code securely, but hashing it buys little on its own: a six-digit code has only 10^6 possible values, so an attacker who steals the hash can brute-force it offline almost instantly.

  • Attackers may also steal SMS codes through targeted phishing: the victim is lured to a fake login page, enters the freshly received code, and the attacker relays it to the real service before it expires. Mitigations are to invalidate a code after a short time window, make it single-use, and limit the number of failed verification attempts before the code is discarded.
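The following is an added example, not code from this wiki or from the ft_transcendence project, showing how a server can apply the three mitigations above to an SMS-style code: a short validity window, single use, and a cap on failed attempts. The class and constant names (`OtpStore`, `SERVER_KEY`, `CODE_TTL_SECONDS`, `MAX_ATTEMPTS`) are assumptions made for the illustration; the store is in memory, whereas a real deployment would keep the record in a database or cache with a TTL.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300   # short validity window: an intercepted code is useless after this
MAX_ATTEMPTS = 5         # failed verifications allowed before the code is thrown away

# Hypothetical server-side secret for this example; a real service loads it from a
# secrets manager or the environment, never from source control.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class PendingCode:
    digest: bytes      # keyed hash of the code; the plaintext code is never stored
    expires_at: float  # absolute time after which the code is rejected
    attempts: int = 0  # failed verification attempts so far


def _digest(user_id: str, code: str) -> bytes:
    # HMAC with a server-side key rather than a plain hash: a stolen digest cannot
    # be brute-forced over the 10**6 possible codes without also stealing SERVER_KEY.
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


class OtpStore:
    """Pending one-time codes per user, with expiry, single use and attempt limiting."""

    def __init__(self, clock=time.time):
        self._clock = clock        # injectable clock so expiry can be tested deterministically
        self._pending = {}

    def issue(self, user_id: str) -> str:
        """Create a fresh code for the user and return it for delivery by the SMS gateway."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user_id] = PendingCode(_digest(user_id, code),
                                             self._clock() + CODE_TTL_SECONDS)
        return code  # hand to the SMS sender; never log it

    def verify(self, user_id: str, submitted: str) -> str:
        """Check a submitted code; returns 'ok', 'no_code', 'expired', 'invalid' or 'locked'."""
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_code"
        if self._clock() > entry.expires_at:
            del self._pending[user_id]
            return "expired"
        if hmac.compare_digest(entry.digest, _digest(user_id, submitted)):
            del self._pending[user_id]   # single use: the same code cannot be replayed
            return "ok"
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]   # too many guesses: force a new code to be issued
            return "locked"
        return "invalid"


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("alice")
    print("verify wrong code:", store.verify("alice", "000000" if code != "000000" else "111111"))
    print("verify right code:", store.verify("alice", code))
    print("replay right code:", store.verify("alice", code))
```

With a five-attempt cap an online guesser has at most a 5 in 10^6 chance per issued code, and the five-minute expiry bounds how long an intercepted or phished code stays usable. Binding the digest to the user id means a code issued to one account cannot be replayed against another.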

TOTP

Pre-generated Codes

The service provider generates a list of verification codes and has the user print or write the codes down.

  • Hashing the stored codes, as discussed for SMS, helps less here: because the codes never expire, an attacker who obtains the hashes has unlimited time for an offline brute-force attack. The codes therefore need enough entropy (long codes drawn from a large alphabet) and a slow hash function so that such a search is infeasible, and each code must be invalidated after a single use.
  • On the user's side, the printed codes must be protected by traditional physical security measures, since anyone who can read the sheet holds the second factor.
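As an added example, not taken from the wiki or the ft_transcendence project, the code below generates a set of pre-generated backup codes with enough entropy to withstand the offline brute force described above, stores only slow hashes of them, and consumes each code on first use. The function and constant names (`generate_backup_codes`, `redeem_backup_code`, `entropy_bits`, `PBKDF2_ITERATIONS`) and the choice of a 36-symbol alphabet with 10-character codes are assumptions for this illustration.

```python
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols, easy to type from paper
CODE_LENGTH = 10                                    # 10 symbols -> about 51.7 bits of entropy
CODE_COUNT = 10
PBKDF2_ITERATIONS = 100_000   # slow hash: every offline guess costs the attacker real work


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random code; 6 digits give only ~19.9 bits."""
    return length * math.log2(alphabet_size)


def _hash_code(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class BackupCodeSet:
    salt: bytes
    digests: list   # hashes of the codes that are still unused; a redeemed code is removed


def generate_backup_codes(count: int = CODE_COUNT, length: int = CODE_LENGTH):
    """Return (plaintext codes to show the user exactly once, record to persist server-side)."""
    codes = ["".join(secrets.choice(ALPHABET) for _ in range(length)) for _ in range(count)]
    # One salt per set: verifying a submission then costs a single PBKDF2 run instead of
    # one per stored code (trade-off discussed below).
    salt = secrets.token_bytes(16)
    record = BackupCodeSet(salt, [_hash_code(c, salt) for c in codes])
    return codes, record


def redeem_backup_code(record: BackupCodeSet, submitted: str) -> bool:
    """Consume a code if it matches an unused one; returns True on success."""
    candidate = _hash_code(submitted.strip().lower(), record.salt)   # normalise typed input
    for i, digest in enumerate(record.digests):
        if hmac.compare_digest(candidate, digest):
            del record.digests[i]   # single use: the same printed code cannot be replayed
            return True
    return False


if __name__ == "__main__":
    print(f"6 digits: {entropy_bits(10, 6):.1f} bits, "
          f"{CODE_LENGTH} of {len(ALPHABET)} symbols: {entropy_bits(len(ALPHABET), CODE_LENGTH):.1f} bits")
    codes, record = generate_backup_codes()
    print("codes for the user to print:", codes)
    print("first redeem:", redeem_backup_code(record, codes[0]))
    print("replay:", redeem_backup_code(record, codes[0]))
```

The entropy numbers show why the page's warning matters: a six-digit code space (10^6) falls to an offline attacker instantly whatever the hash, while 2^51 guesses at 100,000 PBKDF2 iterations each is out of reach. Sharing one salt across a user's set lets an attacker who steals the record test each guess against all of that user's codes at once, which costs at most a factor of `CODE_COUNT`; per-code salts remove that but make every login verification `CODE_COUNT` times slower, so either choice is defensible as long as the codes themselves carry enough entropy.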

Push

The user receives a push notification on their smartphone that lets them either “Approve” or “Deny” a login attempt. Push authentication requires Internet access on the phone. Google supports this technique (through its “Google prompt”), and it is also available through commercial applications such as Authy OneTouch and Duo Mobile. Because approval is a single tap, the prompt should show context about the attempt (for example where and when it was made) so the user can make a real decision rather than approving out of habit.

U2F Security Keys