Why I Don’t Use SMS for 2FA (and What I Use Instead)

Two-factor authentication (2FA) adds a vital layer of security to your online accounts, but unfortunately, not all methods are created equal. Many people rely on SMS-based 2FA, assuming it’s a safe choice. Unfortunately, SMS is far from foolproof. Here’s why I’ve stopped using SMS for 2FA and what I use instead…

SIM Swaps Allow Hackers to Steal Your Phone Number

One of the most alarming risks of using SMS for 2FA is SIM swapping, a technique where attackers trick your mobile provider into transferring your phone number to a new SIM card. Once they control your number, they can intercept any SMS messages sent to it.

Here’s how it works: attackers contact your mobile carrier, pretending to be you. Using stolen personal details—such as your address or the last four digits of your Social Security number—they convince the provider to transfer your phone number to their SIM card. Once this transfer is complete, the attacker intercepts text messages sent to your number, including the 2FA codes meant to protect your accounts.

The damage doesn’t stop there. Many of us link our phone numbers to multiple accounts, from email to social media to banking apps. A successful SIM swap can grant an attacker access to multiple accounts linked to your phone number, from email to banking apps. Our earlier guide on what SIM card swapping is and how to protect yourself can help you avoid this increasingly common scam.

SMS Messages Can Be Intercepted

tete_escape/Shutterstock

Even if you avoid SIM swapping, SMS messages themselves are not secure. They travel through networks that can be vulnerable to interception. Hackers can exploit weaknesses in Signaling System No. 7 (SS7), the global telecommunications protocol that allows carriers to route calls and messages. By exploiting SS7, attackers can intercept your SMS messages without needing access to your physical phone.

This isn’t just theoretical; SIM hacking is a well-documented issue. Cybercriminals and even some state-sponsored groups have used SS7 vulnerabilities to spy on communications and steal sensitive information. Because SMS lacks encryption, the message content, including one-time passcodes, is exposed during transmission.

Another way messages can be compromised is through malicious apps or spyware installed on your device. These programs can monitor your incoming SMS messages and forward 2FA codes to attackers without your knowledge.

SMS Is Tied to Your Phone Number

A man trying to enter a phone number on an iPhone
DenPhotos / Shutterstock

Another significant drawback of SMS-based 2FA is its dependence on your phone number. Your ability to receive codes is tied directly to your mobile service. If you’re in an area with poor reception, SMS-based 2FA becomes completely useless, even if you have Wi-Fi. Unlike other authentication methods that can work over an internet connection, SMS requires a stable cellular signal.

This dependency can leave you stranded in situations where you need access to your accounts but can’t receive the codes. Whether traveling in a remote location or simply in a building with poor reception, this limitation makes SMS less reliable than alternatives.

What I Use Instead: Authenticator Apps

Man entering two factor authentication code on smartphone with Google Authenticator logo in front
tete_escape/Shutterstock

Rather than relying on SMS for 2FA, I’ve switched to 2FA authenticator apps. Apps like Google Authenticator, Microsoft Authenticator, and Authy generate time-based one-time passwords (TOTP) directly on your device, offering a much safer and more reliable alternative to SMS.

The first major advantage of authenticator apps is security. Unlike SMS, these apps generate codes locally on your phone, meaning they’re not transmitted over networks that could be intercepted or exploited. They’re also protected by additional layers of security—many apps require a passcode, fingerprint, or face scan to access the codes.

Another reason I prefer authenticator apps is their offline functionality. Since the codes are generated directly on the device, you don’t need a cellular connection to use them. Whether you’re in a remote area with no service or simply indoors with poor reception, you can still access your codes as long as you have your device.

I prefer Authy over other authenticator apps because it offers cloud backups, making it easy to recover my accounts if I lose my phone. At the same time, it secures these backups with encryption, ensuring that only I can access them. Google Authenticator is another popular choice. Both options are free, widely supported, and easy to set up.

Using an authenticator app is straightforward. Once you’ve set it up, usually by scanning a QR code provided by the website during the 2FA setup process, you simply open the app to access a code whenever you log in. The codes refresh every 30 seconds, so even if someone manages to steal one, it becomes useless almost immediately.

Two-factor authentication is essential for keeping your accounts secure, but the method you use matters. While SMS-based 2FA might seem convenient, it’s riddled with vulnerabilities—from SIM swaps to interception methods and even practical issues like poor cellular reception. These risks make SMS an unreliable safeguard for your online security.

Leave a Reply

Your email address will not be published. Required fields are marked *