SMS two-factor authentication (2FA) is the most common method of 2FA. A 2023 survey discovered that nearly 56% of respondents use it. Despite its popularity, SMS 2FA doesn’t offer a high level of security. In fact, it’s one of the least secure 2FA methods, which can expose your device to numerous risks and potentially compromise your mobile identity and sensitive information.
So, why is SMS 2FA not secure? In this guide, we’ll answer the question and discuss the specific reasons why this method of authentication falls short in protecting you. We’ll also discuss ways to enhance your device’s security and minimize the risk of cyberattacks and other threats.
Why Is SMS 2FA Risky? Key Reasons To Consider
In December 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published a guide to best practices for mobile communication. One recommendation was to move away from SMS-based multi-factor authentication (MFA) because of the associated security risks.
Here are a few reasons why SMS 2FA isn’t secure enough:
- Lack of encryption
- Risk of smishing
- Risk of SIM swapping
1. Lack of Encryption
Standard SMS messages aren’t end-to-end encrypted. Once you send an SMS, it travels through your carrier’s system to your recipient’s carrier network and then to the recipient’s device.
As the messages aren’t encrypted, there’s a high risk of interception, and third parties (e.g., hackers, carriers, or authorities) could read their content. In the SMS 2FA context, a third party could see the one-time password (OTP) you get via SMS when trying to log into an app or complete a purchase and use it themselves.
Depending on your settings, hackers could access your mobile banking apps and authorize transactions with the SMS OTP even if they don’t know your passwords.
2. Risk of Smishing
Smishing (or SMS phishing) involves cybercriminals sending fraudulent text messages to individuals to trick them into revealing their personal information and passwords. While smishing isn’t directly connected to SMS 2FA, hackers often use it as a tactic to get users to share their SMS OTPs, which they later leverage to access accounts and apps.
To make the messages believable, hackers use sophisticated tactics, such as:
| Tactic | Explanation |
| --- | --- |
| Creating a sense of urgency | Hackers will try to get you to act immediately (often without too much thinking) by claiming your account will be locked or a transaction won’t be authorized if you don’t send your SMS OTP right away. |
| Posing as your bank or another trusted organization | Hackers often impersonate banks, the IRS, or other reputable institutions to build trust and trick you into divulging sensitive information without a second thought. |
| Including official-looking links | Hackers may include a link and instruct you to enter your SMS OTP there. These fraudulent links resemble official websites, making them difficult to recognize, but they often contain typos or numbers. |
| Using your personal details | Hackers will include your personal information (such as your name) in the message to establish trust. They may also mention your bank, recent online activity, or transactions to make themselves believable. |
3. Risk of SIM Swapping
SIM swapping is a type of fraud that involves hackers taking over your phone number. Here’s how it works:
- Gathering information: Hackers collect information on you through online research, social engineering, or phishing.
- Reaching out to your mobile provider: Leveraging the information they’ve gathered, hackers contact your mobile provider to impersonate you. They try to convince the carrier to transfer your phone number to their SIM card. For example, hackers will often say that “you” have been robbed, lost your phone, or are traveling abroad and need the number to work.
- Taking over your account: Once the carrier ports your number to a new SIM card, hackers have access to all your texts and calls, including SMS 2FA security codes. Depending on your settings, hackers could potentially access all accounts, apps, and cryptocurrency wallets that rely on SMS 2FA, severely jeopardizing your security and privacy.
The key issue with SIM swapping is that the attack is often undetectable until your device loses service and you can’t make or receive calls or messages. By the time that happens, the attack has already been completed, meaning hackers have hijacked your phone number and can use it to:
- Intercept SMS 2FA
- Authorize transactions
- Reset passwords
- Create new accounts
- Trick your family or friends into revealing their personal information for future attacks
Tip: To minimize the risk of SIM swapping, rely on a carrier like Cape. The carrier uses modern cryptography instead of traditional usernames and passwords to authenticate your account, ensuring nobody can impersonate you.
Other Drawbacks of SMS 2FA You Should Be Aware Of
Besides the SMS two-factor authentication security risks, you should be aware that this type of authentication has other downsides, including:
- Device dependency: SMS 2FA is directly connected to your phone number. If your phone battery is empty or you lose your device or leave it at home, you won’t be able to access any account or app you’ve protected with SMS 2FA. Account recovery is frustrating and complex, as it typically involves thorough identity verification. As a result, you may have to wait for days to regain access to your accounts.
- Delays in delivery: If your carrier experiences issues or the network is congested at your location, the SMS 2FA code you need may not come through. Despite knowing your password and having your device with you, you won’t be able to log into your accounts or authorize transactions if such delays occur.
- Network dependency: If you’re in an area with poor or no service, or if cell towers experience technical issues, you won’t be able to use SMS 2FA. This could result in temporary account lockouts, preventing you from accessing important apps or services when you need them.
How To Improve Your Security: 3 SMS 2FA Alternatives
Two-factor authentication isn’t inherently insecure or flawed. In fact, it’s highly recommended to use it, as it adds another security layer to your accounts and minimizes the risk of unauthorized access. The key is to use forms of 2FA that offer higher security, such as:
- Authenticator apps
- Biometric authentication
- Physical security keys
Authenticator Apps
Authenticator apps generate time-based one-time passwords (TOTP) for two-factor or multi-factor authentication. Depending on the app, TOTPs are generated every 30 to 60 seconds and are based on:
- Current time
- Secret key shared between the authenticator app and the app, website, or service you want to access
When you log in, you enter the TOTP, and the service you’re accessing verifies it by computing the same code from the shared secret and the current time, granting you access if the two match. The code is generated on your device, offline, so it doesn’t depend on network connectivity.
There are dozens of authenticator apps, but the most popular options are:
- Google Authenticator
- Microsoft Authenticator
- Ente Auth
Biometric Authentication
Biometric authentication involves verifying your identity using your unique physical characteristics, such as:
- Fingerprints
- Facial recognition
- Iris patterns
The key benefit of biometric authentication lies in its mechanism; unique traits are nearly impossible to forge or steal, so hackers can’t gain unauthorized access to them. As a result, your device and data are more protected.
Another perk is convenience; you carry your traits with you, so you can verify your identity even if you don’t have your device with you.
While biometric authentication offers high security, it shouldn’t be used as your only authentication method. Skilled hackers can carry out sophisticated spoofing attacks or use specialized devices to bypass biometric systems and compromise your biometric security.
The best way to leverage biometric authentication is to combine it with “something you know” (such as a password) or “something you have” (such as a physical security key).
Physical Security Keys
Physical security keys are small hardware devices you can use for two-factor or multi-factor authentication. After entering your username and password, you connect the physical security key via Bluetooth, NFC, or USB to verify your identity and gain access to the account or app in question.
Below are several key benefits of physical security keys:
- They aren’t at risk of phishing or network-level threats
- They work regardless of your network connection
- They don’t require remembering passwords
A potential drawback is that you have to carry them with you. Physical security keys can get lost or stolen, which could lead to problems, security risks, and account lockouts.
Strengthen Your Security With a Privacy-First Mobile Carrier
Whether you’re still using SMS 2FA or have switched to more secure alternatives, it’s crucial not to overlook other security and network-level risks your device could be exposed to. Even with strong authentication methods, you shouldn’t disregard the role of your mobile carrier in securing your device.
Your carrier manages your phone number, and without a proper infrastructure, strict data policies, and robust security options, your personal data could be exposed and exploited by malicious actors.
Most big telcos rely on outdated infrastructure and require a lot of personal information to provide their services, making them a desirable target for malicious actors. These practices have resulted in frequent data breaches and SIM swapping attacks that have jeopardized millions of users.
Cape, a privacy-first mobile carrier, has a different approach to security; it:
- Uses digital signatures instead of usernames and passwords to authenticate user accounts
- Has minimal data collection policies so that your information is never at risk
- Offers robust protection against SIM swapping, as Cape agents can’t port your number to a new SIM on your behalf
- Uses a unique architecture that relies on encryption, accountability, and granular access controls
Powerful authentication combined with Cape offers a high level of defense against network threats and protects your privacy and security.
How Cape Is Reinventing Mobile Security
Cape is a privacy-first mobile carrier that keeps your connection and data safe from network attacks. Our security approach is based on a simple idea: Don’t trust us. Instead of asking you to place blind faith in our systems, we’ve engineered them to protect your data—even from us. We collect the minimum amount of information necessary to provide our service; any data we do collect is deleted. Cape’s SIM swap protection relies on minimal data collection and advanced encryption. We only collect the basic data necessary for providing services, which means you can sign up anonymously to ensure information like your name, address, and SSN never leaves your device. When you do, Cape will use its advanced cryptography to protect your account. Here’s how:
- When you sign up, your device creates a private encryption key
- The key is backed by a unique 24-word phrase that only you can access, and it is what produces your digital signature
- Your account is locked with the private key, which stays on your device at all times
The digital signature is necessary to make significant account changes, such as number port-outs. There’s no human involvement, and nobody can initiate such changes but you, which minimizes the risk of SIM swapping.
Cape offers other robust security features, including:
| Feature | Explanation |
| --- | --- |
| Own mobile core and SIMs | By owning and running our own mobile core and SIMs, we can control exactly how your data is managed and safeguarded. While other carriers are stuck on outdated legacy systems, our cloud-native core lets us deliver the latest security measures from the ground up. |
| Anonymous payments | When you pay for your Cape subscription, we don’t ask for your name or billing address. Any card details you provide are never stored on our systems. They’re tokenized and securely managed by Stripe, ensuring your Cape account cannot be tied back to your payment information. |
| Signaling proxy | Cape’s proprietary signaling proxy detects and blocks suspicious signaling attach requests before they can connect. We also never see or track your precise location. |
| Encrypted voicemail | We encrypt both the contents and metadata of your voicemail with your private key so that no one, not even Cape, can access or forward them. |
Stay Connected and Secure With Cape
When you sign up with Cape, you get an eSIM with:
- Unlimited text and calls
- Unlimited 4G/5G
- Free international roaming for eligible devices and locations
Cape is $99/month. All federal, state, and local taxes are covered in the monthly plan, with no hidden charges or contracts.
You can get started immediately by visiting cape.co/get-cape.
Cape has also partnered with Proton for a unique deal that shields your online activity. Cape subscribers can now get Proton Unlimited or Proton VPN Plus for only $1 for six months.