2FA: why SMS is the worst of the good options

Published on by David Carrero

Turning on a second factor over SMS is one of the best decisions you can make today. It’s also the first one you’ll have to revisit.

Both things are true at once, and that’s where all the trouble starts. The debate usually collapses into two camps that are equally wrong: the people who treat SMS as real security and the people who treat it as theatre. SMS is enormously better than nothing and, at the same time, the weakest of the second factors in common use. There’s no contradiction. There’s a ladder, and SMS is the first rung — a long way above the floor.

What SMS gets right

With no second factor, your account rests on a secret that may have been doing the rounds in somebody else’s dump for years without you knowing. Someone takes that list, tries it on one service after another and, if you reused the password, walks in. Nobody picked you: your row simply came up in a spreadsheet.

SMS breaks that at the root. The moment there’s a second factor, attacking you stops being an automated errand and becomes a job aimed at you. Someone has to know who you are, what number you use and who provides it. For plenty of them it’s not worth the bother: there are easier accounts. So if a service only offers SMS, the answer is yes, no caveats. The caveats come later.

The failure isn’t in your phone

You picture breaking SMS as intercepting signals, cloning a chip or infecting the handset. None of that is necessary. The attack that actually takes accounts down, the one that turns up again and again in public cases, is SIM swapping, and it works in a far more boring way: somebody calls your carrier, says they’ve lost their SIM, answers a few verification questions and asks for a replacement. From that moment on, your texts arrive at their phone.

Notice what didn’t happen there. No encryption was broken. Nobody touched your phone. You did nothing wrong — and you didn’t notice a thing, except that your line suddenly goes quiet, and if you’re asleep that can take a while to register. SIM swapping isn’t a technical attack on you: it’s social engineering against your carrier. The link that gives way is a support agent who is paid to close tickets quickly and who has just been told a perfectly believable story, because losing a SIM is something that happens to people every single day. The cases are extensively documented and the pattern repeats with a monotony that stopped being surprising a long time ago.

The awkward part is that you have no say in it: your security depends on the verification process of a company you didn’t choose for that. And there’s a second flaw, a quieter one: your phone number isn’t a secret. You’ve handed it to your dentist, to the electricity company and to half the contact lists in the country. An identifier you give away on request is being used here as a credential.

The second rung: an app

The next step up is TOTP — the six-digit codes that roll over every thirty seconds in an app like Google’s, Aegis, 1Password or Bitwarden.

The mechanism is elegant: the service and your app share a secret exactly once, when you set it up, and from then on both compute the same code from that secret and the time. Nothing is sent. And that’s the whole difference: if nothing travels, there’s nothing to reroute. No carrier, no number, nobody to call and ask for a replacement. SIM swapping has no way in.

It’s a big jump and it costs five minutes. But it isn’t the end of the road either, because TOTP keeps one very human blind spot: you’re the one who types the code to whoever asks for it. If you’re typing it into a page that looks like your bank but isn’t, the attacker collects it and replays it to the real site in the seconds it has left to live. Your app generates a number; it has no idea where you paste it.

The rung that can’t be talked into it

A hardware key — the FIDO/U2F standard, a USB or NFC key, or your own phone acting as the authenticator — solves exactly that. When you register, it creates a key pair bound to the origin: to that service’s specific domain. When you sign in, the browser tells it which domain the signature is being requested for, and the key signs a challenge with that domain inside it. If the page is a copy hosted somewhere else, the domain doesn’t match and no signature comes out that the real service will accept.

Put another way: the key isn’t smarter than you; it just doesn’t trust your judgement. It doesn’t check the padlock, doesn’t read the URL, doesn’t weigh up whether the email looked legitimate. It compares one string of text against another. It’s the only link in the chain that can’t be won over with a good story — and by now you’ll have noticed that good stories are precisely the problem.

“Restricted” doesn’t mean “banned”

NIST, in SP 800-63B, classifies out-of-band verification over the telephone network — that is, SMS — as restricted. The word is worth pausing on, because the distinction is the entire post. Restricted isn’t banned: it’s a middle category, and a deliberate one. You can carry on using it, but whoever does takes on obligations: assess the risk, tell users that the channel has a known weakness and have a plan to migrate to something better.

It’s a smarter position than an outright ban, and it explains why SMS is still standing. A mediocre mechanism people actually use protects more than an excellent one nobody turns on. If it were banned everywhere tomorrow, a good share of those accounts wouldn’t climb a rung: they’d be left with the password alone, which is the floor.

What to do, in order

  • If a service only offers SMS, turn it on. Today. The first rung is the one that gains you the most height.
  • If it offers TOTP, switch to TOTP and drop SMS as a fallback if it lets you. Your security is that of the weakest method you accept, because the attacker picks the way in.
  • On the things that really matter — email, bank, password manager — use a hardware key. Your entire life’s worth of “I forgot my password” hangs off your inbox.
  • If your carrier offers a PIN or a port-out lock, set it. It doesn’t fix the underlying problem, but it makes the replacement SIM harder for whoever calls.
  • And don’t forget the first factor. 2FA is a second lock, not an amnesty for the first one: a long, unique password straight out of the generator, and if you have doubts about any of the ones you’re already using, run it through the checker.

The conclusion is boring, which is why almost nobody says it: SMS is bad, and you should use it if you have nothing else. Real security is almost never about picking the perfect option. It’s about knowing which is the worst of the good ones, using it for as long as you have to, and never mistaking it for being done.


Sources: NIST SP 800-63B, which classifies out-of-band verification over the public telephone network (SMS or voice) as a restricted method, with the risk assessment, user notification and migration plan obligations that category entails · FIDO/U2F and WebAuthn specifications, and their verification of the origin (domain) at signing time · RFC 6238 (TOTP) · public SIM swapping cases extensively documented in the press and in court proceedings.

← Back to the blog