FK94 Security
Security Tip · November 20, 2025 · 5 min read

Why SMS 2FA Is Better Than Nothing (But Not By Much)

SMS-based two-factor authentication is the most common second factor, but it has real weaknesses. Here is when it is acceptable and when you need to upgrade.

When a service offers two-factor authentication via SMS, your instinct might be to enable it and move on. And compared to no 2FA at all, SMS codes are a meaningful improvement. But understanding their weaknesses helps you make better decisions about where SMS is good enough and where it is not.

How SMS 2FA works

When you log in, the service sends a one-time code to your phone number via text message. You enter the code to complete authentication. The assumption is that only you can receive messages sent to that number. Note what is actually being verified: possession of the phone number, not the phone. Whoever can receive texts for your number, by whatever route, can complete the login.

The vulnerabilities

SIM swap attacks

An attacker contacts your mobile carrier, impersonates you (often using personal details gathered from data breaches), and convinces a support agent to move your phone number to a SIM card the attacker controls. Your own phone loses service, and from that moment every SMS code for your accounts is delivered to them. This attack is well documented and has been used to steal cryptocurrency, break into email accounts, and hijack social media profiles.

SIM swaps became a significant enough problem that the FCC adopted new rules in late 2023 requiring carriers to verify a customer's identity more rigorously before processing SIM changes or number transfers. But enforcement and compliance vary, and the rules only raise the bar for the social-engineering step; they do not change the fact that the code travels over a channel you do not control.

SS7 vulnerabilities

Signaling System 7 (SS7) is the protocol carriers use to route calls and text messages between networks worldwide. It was designed on the assumption that every connected network is trustworthy, and it has known flaws that let a party with signaling access reroute or intercept SMS. Exploiting SS7 requires access to telecom infrastructure, but state-level actors and sophisticated criminal groups have demonstrated this capability, and researchers have shown that SMS messages can be intercepted without any interaction with the victim's phone.

Malware and message forwarding

Mobile malware that has been granted SMS permissions can read incoming messages, and some Android banking trojans specifically harvest authentication codes. Separately, carrier features such as call and text forwarding can sometimes be turned on against your account through social engineering, so that codes are silently copied to a number the attacker controls without a SIM swap at all.

When SMS 2FA is acceptable

  • Low-value accounts where the risk of compromise is annoying but not catastrophic (a forum, a shopping site, a streaming service).
  • When it is the only option. Some services only offer SMS-based 2FA. In that case, using it is still better than going without.
  • For users who will not adopt anything more complex. If the choice is between SMS 2FA and no 2FA, always choose SMS.

When you should upgrade

  • Email accounts (especially your primary). Your email is the recovery mechanism for almost everything else.
  • Financial accounts and cryptocurrency. SIM swap attacks specifically target these.
  • Password managers. If your vault is compromised, everything inside it is exposed.
  • Cloud storage with sensitive documents.
  • Any account where you are a high-value target (public figure, executive, journalist, activist).

Better alternatives

  • Authenticator apps (Google Authenticator, Authy, Bitwarden Authenticator): Generate codes locally on your device from a secret shared at enrollment. Nothing is sent over the carrier network, so they are not vulnerable to SIM swaps or SS7 attacks. They are still phishable, however: a fake login page can relay a freshly typed code to the real site in real time.
  • Hardware security keys (YubiKey, Google Titan): Phishing-resistant by design, because the key signs a challenge bound to the site's real origin and will not respond for a lookalike domain. The strongest consumer-grade 2FA available.
  • Passkeys: The newest standard, built on the same FIDO/WebAuthn foundation as hardware keys, so they carry the same phishing resistance while syncing across your devices for convenience. Supported by Google, Apple, Microsoft, and an increasing number of services.

Practical advice

Do not remove SMS 2FA from an account unless you are replacing it with something stronger. The biggest risk is not having any second factor at all. But for your most important accounts, take the time to set up an authenticator app or hardware key. The effort is minimal and the security improvement is substantial.

If you must use SMS for important accounts, contact your carrier and add an account PIN or passphrase, and enable any port-out or number-transfer lock the carrier offers. This makes SIM swap attacks harder (though not impossible, since a determined attacker is still working against a human support agent), and it does nothing against SS7 interception or malware on the phone.

Need help with this?

If this article raised concerns about your own security, or if you need personalized guidance, book a 1:1 session with FK94 Security.
