Why SMS 2FA Isn't Enough Anymore

You enabled two-factor authentication. Great! But if you’re using SMS codes, you’re not as secure as you may think.

SMS Codes: The Problem

Because when you log in somewhere and you get a code via text message, that code travels through your phone carrier’s network. And that network can be tricked.

SIM swapping: basically, this is when an attacker has convinced your phone company to move your number onto of their phone. They call customer support, impersonating you, and claim that they lost their phone. Once your number is on their SIM card, they receive all your text messages-including those security codes.

This is not some far-from-reality hacker movie stuff. SIM swap fraud has grown massively and keeps on rising. Using new eSIM technology, attackers are now able to steal your number in under five minutes.

How It Happens

1. They research you — Your name, birthday, address from social media or data breaches
2. They call your carrier — Pretending to be you, claiming a lost phone
3. Your phone goes dead — Your number moves to their device
4. They reset your passwords — Using SMS codes that now go to them

Some attackers don’t even need to call anyone: They exploit old telecom protocols called SS7 to redirect your messages directly.

Does Any 2FA Help?

Yes! Microsoft found that accounts of any form of MFA are 99.9% less likely to get hacked. The problem is, SMS is the weakest form of MFA. It’s better than nothing, but there are much stronger options.

Better Options

Authenticator Apps (Good)

Instead of receiving codes via text, an app generates codes directly on your phone. The codes never travel over any network-they’re generated right on your device.

Why a separate app? Most of the password managers also provide 2FA codes. Convenient. Yet, if someone gets into your password manager, they get both the passwords and the 2FA codes. Game over. Keeping them in separates means an attacker needs to compromise two apps to get in. Don’t put all your eggs in one basket.

Applications recommended:

• Aegis — Free, open source, Android only. High level of customization, encrypted backups.
• Ente Auth — Free, open-source, works everywhere including desktop and web.

Hardware Security Keys (Better)

A small USB device you plug in when you log in. No codes to type-just tap the key.

The popular options include YubiKey and Google Titan Key. They work with most of the major services: Google, Microsoft, GitHub, and many more.

The key uses cryptography that checks if you are on the real website. If you clicked a phishing link, it won’t work on the fake sites.

Passkeys (Best)

Newest option. Your phone or computer generates a unique cryptographic key for each site. Nothing to remember, nothing to type.

Passkeys are implemented in iOS, Android, Windows, and macOS. More websites support them — Google, Apple, Microsoft, PayPal, and others.

Like hardware keys, it automatically checks whether a website is real. It makes phishing almost impossible.

How to Lock Down Your Accounts

• Call your carrier and request a port freeze or SIM lock
• Setup an authenticator app (Aegis or Ente Auth)
• Move all your accounts depending on SMS onto the app, starting with email and banking
• Store your backup codes somewhere safe, but not your phone
• Get a hardware security key for your most important accounts
• Enable passkeys everywhere they are offered

Backup?

There’s one fear associated with authenticator apps: what if your phone gets lost?

• Aegis allows you to export encrypted backups
• Ente Auth syncs across devices
• Most services provide backup codes at the time of setup of 2FA — keep these in a safe place

Hardware keys? Buy two, keep one as backup.

Bottom Line

One decade ago, SMS codes were fine. Nowadays, they’re a weak point attackers know to take advantage of.

Switching to an authenticator app takes maybe 30 minutes and makes you dramatically safer. Hardware keys and passkeys go even further.