Why 2FA SMS is a Bad Idea in 2026
Summary: This article discusses two-factor authentication (2FA) and its security problems. Although 2FA improves account security by adding a second layer of identity verification, SMS-based 2FA has serious weaknesses: messages can be intercepted or spoofed, and SIM-swap attacks can be carried out through social engineering. Regulators and standards bodies have classified SMS as a restricted authentication method and are moving to safer alternatives such as passkeys, hardware tokens, and software authenticator apps.

2026-4-9 19:0:10 Author: blog.sucuri.net (view original) Views: 8

What is 2FA?

Two-factor authentication (2FA) offers a second layer of security to help protect an account from brute force, phishing, and social engineering attacks.

2FA requires an extra step for a user to prove their identity, which reduces the chance of a bad actor gaining access to their account or data. And since a notification is sent to verify the initial authentication via username and password, it also gives users and businesses the ability to monitor for potential indicators of compromise.

One of the most common methods of 2FA is SMS text messages. The problem is that SMS is not a secure medium. Hackers have several tools in their arsenal that can intercept, phish, and spoof SMS. Despite this security flaw and better options for authentication, SMS-based 2FA is still used by several institutions.

What’s changed in the SMS 2FA threat landscape?

The case against SMS 2FA has gotten dramatically stronger. A few of the most important developments:

  • Salt Typhoon (2024–2025): U.S. agencies disclosed that a People’s Republic of China–affiliated group had compromised at least eight U.S. telecommunications providers, including AT&T, Verizon, and Lumen, accessing call records and, for targeted individuals, the contents of calls and texts. In December 2024, CISA and the FBI publicly urged Americans to stop using unencrypted SMS and to move away from SMS-based MFA in favor of phishing-resistant options.
  • NIST SP 800-63-4 (July 2025): NIST’s updated Digital Identity Guidelines formally classify SMS and PSTN one-time passcodes as a restricted authenticator. Any AAL2 implementation must now offer a phishing-resistant option, and synced passkeys are recognized as AAL2 authenticators.
  • Regulators are phasing SMS OTP out: The UAE Central Bank required licensed financial institutions to eliminate SMS and email OTPs by March 31, 2026, with an immediate liability shift to banks for fraud involving SMS OTPs. India’s Reserve Bank rules effective April 1, 2026 prohibit SMS as the sole authentication method for digital payments. The Philippines’ central bank set a June 2026 deadline for similar changes. In the U.S., the USPTO discontinued SMS authentication on May 1, 2025, and FINRA followed in July 2025.
  • SIM swapping is still profitable: The FBI’s 2024 Internet Crime Report logged 982 SIM-swap complaints and roughly $26 million in direct losses, and the UK’s Cifas reported a 1,055% year-over-year surge in unauthorized SIM swaps.

In other words, the vulnerabilities described below are no longer theoretical, and the regulatory and legal costs of relying on SMS are rising.

How do hackers intercept SMS?

It is a great idea to add 2FA to any application to increase security. Password attacks are becoming more sophisticated, and even complex passwords can be cracked. Requiring further authentication for any login ensures better protection.

But after taking that extra security step, why use an insecure form of communication for that extra verification? After all, SMS messages are based on telephone networks. The first hackers were a bunch of folks who were finding cool ways to get around phone networks. Intercepting SMS is old hat to many hackers.

It’s not just the phone networks; the phone companies themselves are bad at security.

Weak voicemail protection

  • Voicemail systems often rely on just a 4-digit PIN, and many carriers allow remote access, making them vulnerable to phishing attempts.
  • With a bit of personal information, it can be relatively easy for someone to reset or take over a voicemail PIN.
  • SMS messages can be easily spoofed, and since they lack encryption or sender verification, it’s difficult to confirm their true origin.

Spoofing combined with phishing

Spoofing may actually be combined with phishing to gain access. This process allows hackers to falsify a message to appear like it’s coming from a legitimate source. The message will alert the victim that they need to reply with the security code. At the same time, the hacker will trigger a login 2FA request. If the victim replies with that code, the hacker can use it to gain access.

But following the best practices to prevent phishing isn’t enough to make SMS authentication secure. A hacker with basic information about the victim can get a PIN changed. And unfortunately, you can’t control phishing at the phone company.

SIM swapping via social engineering

The same method of social engineering can also be used to swap SIM information for a phone number. A hacker can pretend to be the victim and activate a new phone on the number. Before the victim notices, the hacker will already have breached the 2FA.

While this process may seem convoluted, it is surprisingly effective. For example, back in 2012, CloudFlare was breached using a similar method. Their phone provider, AT&T, was tricked into redirecting their voicemail, and access to their email was gained through a 2FA account recovery process. If it can happen to an industry leader in cybersecurity, it can happen to anyone.

SIM swapping through remote access to carriers

Hackers can also swap SIM information through Remote Desktop Protocol (RDP) access to carrier systems. These attacks still need social engineering to get the RDP software installed. As Joseph Cox reported in Vice in January 2019, hackers had no problem gaining remote access to phone company systems.

There’s also the nation-state tier of the threat. The Salt Typhoon intrusions gave adversaries the ability to read SMS traffic directly off carrier infrastructure for selected targets. You don’t need to be phished, and you don’t need to fall for a SIM-swap call; your text-message “second factor” simply traverses a network that a foreign intelligence service has already compromised. That is exactly the scenario SMS OTP was never designed to withstand.

So, which 2FA method should I use?

To prevent brute force and other attacks targeting password-only authentication, some form of 2FA is needed. The good news is that there are multiple secure alternatives to SMS-based 2FA. Implementing one of these options will help keep your accounts safe from bad actors.

1. Passkeys

Passkeys are the option regulators, platform vendors, and standards bodies are all converging on, and they’re the strongest recommendation in 2026.

A passkey is a cryptographic key pair generated on your device. The private key never leaves the device, and you unlock it with a biometric (Face ID, Touch ID, Windows Hello) or a device PIN. Because the credential is bound to the specific website’s origin, it cannot be phished, replayed on a lookalike domain, or intercepted by a compromised telecom.

Passkeys are also now broadly available, with roughly 15 billion online accounts supporting them, and the FIDO Alliance reports that about 87% of surveyed enterprises have deployed or are actively deploying them. Apple, Google, and Microsoft all ship passkey support natively, and password managers like 1Password and Bitwarden sync passkeys across devices. NIST SP 800-63-4 explicitly recognizes synced passkeys as AAL2 authenticators and device-bound passkeys as suitable for higher-assurance scenarios.

For most users and most services, “turn on passkeys wherever they’re offered” is now the single highest-impact authentication change you can make.

2. Hardware authentication

Hardware authentication relies on a dedicated physical device to grant access. Modern hardware keys such as YubiKey, Google Titan, and Feitian devices speak the FIDO2 / WebAuthn protocol, meaning they sign a challenge scoped to the legitimate site and cannot be tricked into releasing a credential to a phishing page. Along with their password, users will also have to input a random token code generated by the device, or more commonly today, tap the key to complete a cryptographic challenge. Logins will fail without the key. Providers of hardware authentication include Yubico, Google, Feitian, RSA SecurID and Thales SafeNet.

The physical nature of this method does mean devices can be lost or stolen. Most organizations mitigate this by enrolling a backup key and storing it securely. But hardware authentication addresses essentially all of the security issues inherent to SMS-based 2FA.

3. Software authentication

Software authentication is essentially the same principle as hardware authentication. But instead of requiring a physical device, token codes are generated with a mobile application. Popular authenticator apps include Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile, and 1Password. Many of them also support push-based approvals and number-matching prompts, which are stronger than a plain six-digit code.

It may seem counterintuitive to recommend authentication based on a mobile device. But the software is not relying on SMS or the phone network for authentication, eliminating the inherent flaws in SMS-based 2FA. Time-based one-time passwords (TOTP) are generated locally on the device using a shared secret, so an attacker who controls the phone number still cannot produce them.

It’s worth noting that authenticator-app codes are still vulnerable to phishing tactics. A convincing fake login page can harvest a six-digit code in real time. For accounts that matter most, pair or replace TOTP with passkeys or a FIDO2 security key whenever possible.

4. IP-based authentication

This method checks the user’s IP address when logging in. You can block access to specific IP addresses suspected to be malicious, or simply only allow logins from known IP addresses and ranges. IP-based authentication can be used in conjunction with other forms to add an extra layer of protection. In enterprise environments this now usually shows up as a broader “risk-based” or “conditional access” policy that combines IP reputation with device posture, geolocation, and behavioral signals.

Where this leaves SMS 2FA

SMS 2FA is better than no second factor at all, but it is no longer considered secure by NIST, CISA, the FBI, or the FIDO Alliance, and it is actively being removed as an acceptable method for regulated financial services in multiple countries. Phones and text messages simply weren’t designed with security in mind. Relying on SMS for authentication actually causes a larger problem than what it’s meant to solve. But still, SMS remains a commonly offered 2FA method despite these issues.

In short: If a more secure option for 2FA is available, take it.

While stronger 2FA options are recommended, they are not a replacement for a good password strategy (or, better, a move away from passwords entirely using passkeys). Think about it like you would your home: A strong deadbolt on the front is great, but it won’t matter if you leave the key under the mat.


FAQ

Is SMS 2FA better than no 2FA at all?

Marginally, yes. Any second factor beats a password alone. But the gap between SMS and phishing-resistant methods like passkeys is much larger than the gap between no 2FA and SMS.

What is a SIM swap attack?

A criminal convinces your mobile carrier to transfer your phone number to a SIM they control, usually through social engineering. Every SMS code and password-reset link then goes to them instead of you.

Did NIST ban SMS 2FA?

No, but NIST SP 800-63-4 now classifies SMS one-time passcodes as a restricted authenticator. Still allowed, but subject to extra requirements and no longer sufficient on its own for phishing-resistant AAL2.

What is a passkey?

A cryptographic key pair stored on your device that you unlock with a biometric or PIN. There’s no shared secret to phish, and the credential only works on the site it was registered to.


Need a second set of eyes on your website’s security? We help organizations find and fix the gaps before attackers do. From quick audits to full remediation, get in touch to talk through what your site needs.



Source: https://blog.sucuri.net/2026/04/why-2fa-sms-is-a-bad-idea.html