Beyond SMS OTPs: Why It’s Time to Upgrade Your 2FA Security

Vítor Oliveira

Two-factor authentication, or 2FA, adds a layer of security beyond the password. One popular form has been the SMS one-time password (OTP): after you enter your password, the website texts a short code to your phone, and you must enter it to complete the login. The approach became extremely widespread over the past decade because it was easy to deploy and easy for users: virtually everyone has a phone that can receive texts, so companies from banks to social media adopted SMS codes as a convenient second factor. Coinbase, a major cryptocurrency exchange, revealed that about 95% of its users who enabled 2FA chose SMS codes, yet those same users accounted for roughly 95% of the accounts that were taken over, underscoring that SMS was the weakest 2FA method on the platform.

Unfortunately, despite its popularity, SMS-based OTP has serious security limitations. Security experts have warned for years that SMS is an insecure channel for authentication. Let’s break down how SMS OTP 2FA works, why it caught on, and the multiple dangers that have emerged, and then explore safer alternatives and best practices moving forward.

How it works (and why it’s so popular)

SMS OTP 2FA is a form of out-of-band verification. After a user enters their username and password (the first factor, something they know), the system sends a one-time code by text message to the phone number on file (the second factor, something they have: the SIM and handset that receive messages for that number). The user types the code back to prove possession. Codes are usually six to eight digits, tied to a single login attempt, and expire after a short time, hence “one-time password”. This simple mechanism raises the bar over password-only logins because an attacker needs both your password and the code delivered to your number. Note, though, what is actually being proven: control of a phone number, not of a specific device. Every weakness below turns on that distinction.


Why did SMS OTP become so widely adopted? In short: convenience and ubiquity. Implementing SMS 2FA doesn’t require customers to install any new app or buy any device. The text messaging infrastructure is already there. Companies found it inexpensive and straightforward to send texts via SMS gateways, and users were already familiar with receiving verification codes via text (many banks and web services started using SMS for things like transaction alerts or password resets).

Compared to more complex options like hardware tokens, SMS-based 2FA was an easy add-on that massively improved security versus passwords alone. It quickly became a de facto standard for consumer-facing 2FA. Many organizations made SMS the default 2FA option because it lowers user friction: if you have a phone signal, you can receive a login code. The result was rapid adoption across millions of users and services. By 2022, for example, the vast majority of accounts with 2FA on Coinbase were secured via SMS codes.

However, convenient doesn’t always mean secure. SMS was embraced as a pragmatic trade-off: better than nothing, but far from bulletproof. Over time, attackers have discovered and exploited numerous weaknesses in SMS-based authentication.

The security weaknesses

While SMS 2FA is certainly better than no 2FA, it has well-known vulnerabilities that undermine its effectiveness as a security measure. Let’s explore some of the major weaknesses.

SIM swapping

In this increasingly common attack, a criminal takes over your phone number by duping the mobile carrier. Posing as you, often armed with personal details from earlier data breaches, the attacker persuades a carrier representative to move your number to a SIM they control, either by having a replacement SIM issued on your account (a SIM swap) or by porting the number to a different carrier (a port-out). Why is this bad? Either way your handset loses service, and every call and text to your number, 2FA codes included, now arrives on the attacker's device. The attacker has never touched your phone; they have taken over the identifier the service trusts. From that point they can request the SMS OTP for any account tied to the number and use it to log in.

Message interception

Even without a SIM swap, text messages can be intercepted or diverted because of weaknesses in the telephone network itself. SMS was never designed as an authenticated or end-to-end encrypted channel: a message is readable at every carrier node it passes through, and routing between carriers is handled by the decades-old SS7 signaling system, which largely trusts any party connected to it. Researchers and criminals alike have shown that anyone with SS7 access (which isn't as hard to obtain as it sounds) can tell the network that a victim's number is roaming on their own infrastructure and have that number's texts delivered to them. Experts have pointed out for years that the global SS7 network is riddled with flaws that let a determined attacker snoop on or reroute SMS messages.

There have been real incidents of criminals exploiting these weaknesses to intercept 2FA codes: attackers have abused SS7 to capture banking OTPs and empty online bank accounts. Unlike end-to-end encrypted messaging, an SMS is effectively plaintext in the hands of every telecom node it transits; if any one of those nodes is malicious or compromised, the code can be copied without the victim noticing anything.

Social engineering and phishing attacks

Some attackers bypass technical barriers altogether by tricking people into volunteering their OTP codes. Because an SMS code is just a string of digits that the user receives and then types in, it can be phished exactly like a password. One common scam is the fake “security alert” call: the victim receives a call (often with caller ID spoofed to a legitimate company's number) claiming to be from their bank or a service they use. The caller, sometimes an automated voice, says, “To verify your identity, we've sent a code to your phone. Please read it back to us now.” The caller has in fact already entered the victim's stolen password on the real site, which is what triggered the genuine 2FA text. When the victim reads the code back, the attacker types it in and completes the login, typically well within the code's short validity window.

This is not hypothetical; it’s happening in large-scale operations. In 2024, TechCrunch reported on a criminal service called “Estate” that made thousands of automated calls to trick victims into divulging one-time passcodes, which the attackers then used to hijack bank, crypto, and online accounts.

Reliability

Beyond security attacks, SMS OTP can suffer from practical issues: messages may be delayed or fail to arrive due to carrier problems or if the user is out of coverage. It’s also not very user-friendly in some scenarios (for example, if you’re traveling overseas and can’t receive texts on your number). These aren’t attacks per se, but they underscore that SMS is not an ideal 2FA method in terms of robustness.

Real-world examples

These vulnerabilities aren’t just theoretical. Plenty of breaches and hacks “in the wild” have been attributed to the weaknesses of SMS OTP 2FA. Here are a few notable examples that illustrate the risks:

Reddit (2018)

The online platform Reddit suffered a data breach after attackers broke into some employees’ accounts despite those accounts being protected by SMS-based 2FA. How? The intruders were able to intercept the SMS second-factor codes. Reddit later acknowledged the weakness, stating that “SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept”. The company urged users to move to token-based authenticators going forward.

Twitter CEO Hack (2019)

Even high-profile individuals have been victims. In August 2019, Jack Dorsey (Twitter’s CEO at the time) had his personal Twitter account hijacked via a SIM swap scam. Attackers convinced his mobile carrier to port out his number, then used that control to post tweets via SMS from Dorsey’s account. This incident showed that not even the CEO of Twitter was immune to the dangers of SMS-based account controls. In response, Twitter soon after disabled the ability to tweet via text message for most regions.

Michael Terpin (2018)

A prominent crypto investor, Michael Terpin, was robbed of $23.8 million in cryptocurrency after a teenager and his co-conspirators pulled off a SIM swap against him. They took over Terpin's phone number, intercepted the SMS verification codes protecting his accounts (likely including crypto wallets or exchanges), and drained his funds. Terpin's case was one of the early multi-million dollar SIM swap heists and led to lawsuits against the carrier. It highlighted how SMS 2FA can be a single point of failure for protecting valuable assets.

Bank attacks via SS7 (2017–2019)

In Europe, attackers have gone directly after the SMS messages through network exploits. In Germany in 2017, criminals abused SS7 flaws to intercept OTP texts from banks and successfully drained customer accounts. A similar technique was used in the UK in 2019, when Metro Bank admitted hackers had intercepted customers' banking SMS codes by exploiting a telecom vulnerability, likely in SS7. These cases were some of the first public confirmations that determined attackers could remotely snoop on 2FA texts in transit.

“Estate” phishing-as-a-service (2023)

As mentioned earlier, social engineering of OTPs has become organized. Estate was a platform on which cybercriminals could automate the theft of one-time passcodes, scripting voice calls and phishing attempts at scale. In less than a year the operation logged over 93,000 attempted attacks, targeting customers of Amazon, banks such as Bank of America and Chase, PayPal, cryptocurrency exchanges, and more. The service let attackers who had already stolen passwords phish the second factor in bulk, tricking victims into handing over SMS and authenticator-app codes alike.

Each of these examples drives home the same point: if your “something you have” factor is a text message, attackers have many ways of making that message go to them or of fooling you into revealing it. SMS-based 2FA has been bypassed in the real world, causing harm to individuals and organizations. Recognizing this reality, the industry has started shifting to more secure forms of two-factor/multi-factor authentication.

The alternatives

Given the shortcomings of SMS OTP, what should developers, IT managers, and security-conscious users be looking at instead? Fortunately, there are stronger 2FA methods available that do not rely on SMS and are far more resistant to the above attacks.

Mobile authenticator apps

One step up from SMS is an authenticator app such as Google Authenticator, Microsoft Authenticator, Authy, or similar. At enrollment the service shares a secret with the app (usually by QR code). From then on the app generates time-based one-time passwords (TOTP, RFC 6238): each code is an HMAC of that secret and the current 30-second time step, truncated to six digits, so it changes every 30 seconds and the server can recompute it without any message being sent. When logging in, the user opens the app and types the current code. The key security advantage is that the code is derived locally from a secret known only to the device and the service; nothing travels over the telephone network, which removes the mobile carrier from the equation entirely.


To compromise TOTP an attacker needs the seed: by stealing the device, infecting it with malware that extracts the authenticator's secrets, or breaching the server, which must store the same seed in recoverable form (treat it like a key, not like a password hash). That is a far higher hurdle than snooping an SMS. Authenticator apps still rely, however, on the user reading a code and typing it into whatever page is in front of them. A victim on a convincing phishing site will type the current code into it just as readily as an SMS code, and the attacker relays it to the real site inside the 30-second window. So TOTP apps greatly improve over SMS in intercept resistance, but they do not solve real-time phishing. Even so, app-based OTP is widely considered far more secure than SMS OTP and is the minimum upgrade to make if SMS is the only 2FA option currently in use.

Hardware security keys

These are physical devices (USB dongles, NFC or Bluetooth fobs) that provide the second factor cryptographically. Examples include YubiKey devices, Google's Titan key, Feitian keys, and other products compliant with the FIDO U2F and FIDO2 standards. At registration the key generates a key pair for that site and the service stores the public key. At login the service sends a random challenge; you plug in or tap the key and touch it to prove presence, and the key signs the challenge with a private key that never leaves the device. There is no code for you to type: the browser carries the signed challenge-response back to the service.


This is the strongest widely available 2FA method. Hardware keys are phishing-resistant and immune to interception. Since the user never sees a one-time code, there is nothing to relay to an attacker, and because the private key never leaves the hardware, stealing the password alone gains nothing: the login succeeds only when the physical key is present and completes the cryptographic exchange. Crucially, the browser includes the requesting site's origin in the data the key signs, and the key only answers for the domain the credential was registered to, so a response produced on a look-alike phishing page is rejected by the real service. That defeats the real-time man-in-the-middle proxies that still work against SMS and TOTP. It does not defend against malware running on the victim's own machine after login, which can simply ride the authenticated session, so keys complement endpoint security rather than replace it.

The downsides of security keys have historically been usability and deployment – users need to obtain a key and keep it safe, and services need to support the standard (FIDO2/WebAuthn). But support is growing, and prices for keys are relatively low (often $20–$50). Given the security benefits, hardware keys are strongly recommended for high-value accounts or admin users. Even if not every end-user adopts a key, organizations should consider them for employees with privileged access or for users at high risk of targeted attacks.

Passkeys

The newest trend in authentication is passkeys, which are essentially an evolution of the security key concept, but built into your devices and often tied to biometrics. A passkey is a FIDO2/WebAuthn credential (a cryptographic key pair) that gets stored on your phone or computer and is protected by your device lock (fingerprint, face scan, PIN, etc.).

When you log in to a site that supports passkeys, you don’t type a password or an OTP; instead, you verify yourself with your device biometrics, and the device uses the stored private key to sign in. Passkeys are phishing-resistant and secure by design. There is no SMS, no “secret number” that can be intercepted or phished, the authentication is based on a cryptographic exchange between your device and the service, and it’s bound to the legitimate website/app (it won’t work if a phisher tries to use it on a fake domain).


Tech companies are pushing this as a user-friendly replacement for both passwords and OTPs. Apple, Google, and Microsoft have all implemented passkey support in their platforms, allowing passkeys to sync across your devices (for example via iCloud Keychain or Google Password Manager) for backup and convenience. Syncing trades a little of the device-bound guarantee of a hardware key for recoverability: the private key now lives wherever the platform account does, so that account's own security and MFA matter. From a security standpoint, passkeys eliminate SMS interception and SIM swaps entirely, and they remove the phishing risk of typed codes (you can't be tricked into “entering” a passkey; there is nothing to enter).

The main consideration is that services and users need to adopt this new approach. As of 2025, passkeys are rolling out across major websites and apps but are far from universal. It is wise for developers to design for the passkey future now. By building on WebAuthn, you can let users authenticate with a fingerprint or Face ID on their phone as a second factor (or as a passwordless first factor), which is both more secure and usually more convenient than dealing with one-time SMS codes.

Guidance for implementing safer 2FA

If you are responsible for your application’s or organization’s authentication security, you should start planning to migrate away from SMS-based 2FA and toward more secure alternatives. Here are some key practices and recommendations for selecting and deploying safer 2FA methods:

Prefer phishing-resistant MFA methods

Whenever possible, choose authentication options that resist man-in-the-middle relays and social engineering. Physical security keys and FIDO2/WebAuthn passkeys are the gold standard here because the response is bound to the site's origin. Push-approval apps (tap “Approve” on your phone, possibly after a biometric) are convenient and remove the typed code, but a push prompt is not origin-bound: a victim can approve it during a real-time phishing session, and attackers have worn users down with repeated prompts (“MFA fatigue”). Number matching reduces the fatigue problem but does not make push phishing-resistant in the way FIDO is.

High-value accounts (administrators, users with access to sensitive data or funds, etc.) should be required to use these stronger methods. Even for general users, it’s wise to make options like authenticator apps or passkeys the default if you can, rather than SMS.

Offer TOTP apps and encourage their use

If hardware keys or passkeys are too heavy a lift for all users, at least support authenticator apps (TOTP) as an alternative to SMS. Implement standard TOTP (RFC 6238) rather than a home-grown scheme, and get the server side right: generate a random seed per user and store it encrypted, accept only a small clock-skew window (one step either side), reject any code that has already been accepted so a phished or shoulder-surfed code cannot be replayed inside that window, compare codes in constant time, and rate-limit attempts so a six-digit code cannot be brute-forced. Provide a clear path for users to switch to an app like Google Authenticator or Authy. Many users will default to convenience, so nudge them: explain that SMS 2FA is now considered weak and encourage (or even incentivize) the move to an app.

Implement WebAuthn for security keys and passkeys

Modern web and mobile platforms make it easier than ever to support hardware keys and passkeys through the WebAuthn API and the platform frameworks built on it. Allow users to register a security key (USB/NFC/Bluetooth) to their account and use it for 2FA or passwordless login, and enable passkey login so users on iOS, Android, or Chrome can authenticate with their device's biometrics. The server-side (relying party) verification is where the security lives: issue a fresh random challenge per login, and on the response check the challenge, the origin recorded in clientDataJSON, the RP ID hash and user-presence flag in the authenticator data, the signature counter, and finally the signature against the public key stored at registration. Libraries exist that abstract most of the WebAuthn encoding details; use one rather than hand-rolling the parsing, but understand what it checks. Moving in this direction future-proofs your authentication and aligns you with current best practice.

Harden the recovery and fallback processes

One reason SMS 2FA stuck around is as a backup or recovery method (if a user loses their primary 2FA device, they fall back to SMS or a voice call). If you must retain SMS for such scenarios, lock it down: an attacker must not be able to quietly switch a user's 2FA to SMS. Treat changing the registered phone number, removing a stronger factor, or switching the default factor to SMS as high-risk actions: require fresh re-authentication with the strongest factor the user has enrolled, confirm through a second channel such as email, and impose a cooldown during which the old factor still works and the user is notified, so a legitimate owner has time to notice and reverse the change.

Monitor for unusual patterns such as bursts of failed 2FA attempts, or a phone-number change followed shortly by use of the SMS fallback, which are the fingerprints of someone trying to exploit SMS. And make sure your support channels have strict protocols for “account reset” requests: call centers have been talked into removing 2FA or changing numbers by attackers, a form of social engineering closely related to SIM swapping.
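The detections described above, written out as an added example (not code from the original post or from SuperTokens) that runs over a constructed stream of authentication events. The event shape, the thresholds and the sample events are assumptions; the three rules are: a burst of failed OTP entries, a sensitive factor change made without a recent strong re-authentication, and a phone-number change followed by use of the SMS fallback.

```javascript
// Added example (not from the original post or SuperTokens): detections over a
// service's own authentication events to catch abuse of the SMS fallback.
// Event shape, thresholds and the sample events below are constructed.

const FAIL_THRESHOLD = 5;            // this many otp_fail events ...
const FAIL_WINDOW_S = 10 * 60;       // ... within 10 minutes => guessing
const STEP_UP_MAX_AGE_S = 15 * 60;   // strong re-auth must be this recent
const CHAIN_WINDOW_S = 24 * 3600;    // phone change -> SMS fallback within a day

// Changes that must be preceded by a strong re-authentication.
const SENSITIVE = new Set(['phone_changed', 'mfa_downgraded', 'recovery_sms']);

// events: [{ ts: unix seconds, user, type }]
// types used: otp_fail | otp_ok | reauth_strong | phone_changed | mfa_downgraded | recovery_sms
function findSuspicious(events) {
  const alerts = [];
  const byUser = new Map();
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (!byUser.has(e.user)) byUser.set(e.user, []);
    byUser.get(e.user).push(e);
  }

  for (const [user, evs] of byUser) {
    // Rule 1: OTP guessing. Sliding window over failed code entries.
    const fails = evs.filter((e) => e.type === 'otp_fail').map((e) => e.ts);
    for (let lo = 0, hi = 0; hi < fails.length; hi++) {
      while (fails[hi] - fails[lo] > FAIL_WINDOW_S) lo++;
      if (hi - lo + 1 >= FAIL_THRESHOLD) {
        alerts.push({ user, rule: 'otp_bruteforce', at: fails[hi] });
        break;
      }
    }

    // Rule 2: sensitive change without a fresh strong re-auth.
    // Rule 3: phone number changed, then SMS fallback used soon after
    //         (the sequence a SIM-swapper needs to finish a takeover).
    let lastPhoneChange = null;
    for (const e of evs) {
      if (!SENSITIVE.has(e.type)) continue;
      const steppedUp = evs.some(
        (p) => p.type === 'reauth_strong' && p.ts <= e.ts && e.ts - p.ts <= STEP_UP_MAX_AGE_S
      );
      if (!steppedUp) alerts.push({ user, rule: 'unverified_sensitive_change', type: e.type, at: e.ts });
      if (e.type === 'phone_changed') {
        lastPhoneChange = e.ts;
      } else if (lastPhoneChange !== null && e.ts - lastPhoneChange <= CHAIN_WINDOW_S) {
        alerts.push({ user, rule: 'sms_takeover_chain', type: e.type, at: e.ts });
      }
    }
  }
  return alerts;
}

// Constructed sample: alice is being guessed at, bob did a legitimate change
// behind a step-up, carol looks like a SIM-swap takeover, dave is just clumsy.
const T0 = 1700000000;
const SAMPLE_EVENTS = [
  { ts: T0 + 0, user: 'alice', type: 'otp_fail' },
  { ts: T0 + 30, user: 'alice', type: 'otp_fail' },
  { ts: T0 + 60, user: 'alice', type: 'otp_fail' },
  { ts: T0 + 90, user: 'alice', type: 'otp_fail' },
  { ts: T0 + 120, user: 'alice', type: 'otp_fail' },
  { ts: T0 + 1000, user: 'bob', type: 'reauth_strong' },
  { ts: T0 + 1100, user: 'bob', type: 'phone_changed' },
  { ts: T0 + 2000, user: 'carol', type: 'phone_changed' },
  { ts: T0 + 5600, user: 'carol', type: 'recovery_sms' },
  { ts: T0 + 0, user: 'dave', type: 'otp_fail' },
  { ts: T0 + 500, user: 'dave', type: 'otp_fail' },
  { ts: T0 + 1000, user: 'dave', type: 'otp_fail' },
  { ts: T0 + 1500, user: 'dave', type: 'otp_fail' },
  { ts: T0 + 2000, user: 'dave', type: 'otp_fail' },
];

function demo() {
  return findSuspicious(SAMPLE_EVENTS);
}

module.exports = { findSuspicious, demo };
```

Rule 2 is the detective twin of the preventive control in the previous paragraph: if the application enforces step-up correctly, this alert should never fire, which makes it a cheap regression check on the control itself.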

User education and policy

Finally, educate your user base and your IT staff about the risks of SMS 2FA. Many non-technical users still assume that a code texted to their phone is highly secure. They may not realize how common SIM swapping or SMS phishing has become. Provide clear guidance: for example, advise users to contact your support immediately if their phone suddenly loses service (as this could indicate a SIM swap in progress), and train them never to share 2FA codes with anyone, not even “tech support” callers.

Internally, if you manage an organization, consider instituting policies that require stronger MFA for VPNs, email, etc., and phase out SMS. Making users part of the solution through awareness will reduce the chance that they fall for tricks like reading off an SMS code to someone on the phone.

Conclusion

SMS-based one-time passwords were an important stepping stone in the evolution of account security. They added much-needed verification beyond passwords at a time when better tools were not yet widespread. But times have changed. Today, SMS 2FA is widely recognized as insufficient for high-security applications. Its weaknesses, from SIM swaps to interception and phishing, are being actively exploited, as the heists and breaches above show. Recognizing this, standards bodies have adjusted their guidance (NIST's SP 800-63B treats SMS as a restricted authenticator that requires risk justification and a migration plan), and forward-looking companies are dropping SMS in favor of authentication methods that cannot be so easily undermined.

For developers and IT managers, the writing is on the wall: it's time to upgrade your authentication systems. That means offering and encouraging stronger 2FA options such as authenticator apps, security keys, and passkeys, and ultimately moving toward a passwordless, phishing-resistant future. The good news is that these options not only boost security drastically but often improve the user experience (no more waiting for texts or typing codes).

By investing in these modern 2FA methods and discouraging SMS, you’re protecting your users and your organization from the growing threats targeting authentication. In an era of rampant credential theft and account takeover fraud, robust 2FA is a must, and getting rid of the old, vulnerable SMS code is one of the best moves you can make to harden your defenses.