Why SMS Authentication Isn't Safe Anymore


2FA using SMS is not secure

If you care about protecting your accounts, the chances are that you are already using two-factor authentication (2FA).  Many websites and services support two-factor authentication to provide additional security for their users.  The most common form is a password plus a one-time code.  That code can be generated on your phone by an authenticator app as a time-based one-time password (TOTP), or, far more commonly, generated by the service and sent to your phone via SMS (Short Message Service, aka a "text message").  The intent is that if your password is compromised, the cybercriminals will still need the second factor, the code on your phone, to log into your account.

However, using SMS for two-factor authentication is no longer considered safe.  The National Institute of Standards and Technology (NIST) has published guidance (Special Publication 800-63B) restricting the use of SMS as a strong authentication method.  Google is also moving away from SMS authentication.  So why is it not safe anymore?  What should we use instead?


Before we jump into why SMS authentication is not safe anymore, let’s go over what two-factor authentication is and why everyone should use it if it’s available.

Two-factor authentication (a form of multi-factor authentication) is a method of access control that requires two or more different factors of authentication.  Five factors are commonly listed: something you know, something you are, something you do, something you have, and somewhere you are.  Passwords are a “something you know” factor; fingerprints are a “something you are” factor; the phone that receives a code, or the authenticator app running on it, is meant to be a “something you have” factor.

The reason everyone should use two-factor authentication is that it provides an extra layer of security.  Even if your password is compromised, the cybercriminals still need the second factor, which should be harder to obtain than a password alone (the rest of this article is about the case where it is not).  If you follow basic password hygiene and do not use short, guessable, or common passwords, this extra layer makes it more difficult for cybercriminals to compromise your account.  However, two-factor authentication will not make your accounts bulletproof.  You will still need to follow security measures such as not opening email attachments from an unknown sender or clicking on suspicious links.


In June of 2016, an activist’s Twitter account was compromised.  He posted on Twitter that “By calling Verizon and successfully changing my phone’s SIM, the hacker bypassed two-factor authentication which I have on all my accounts.”  This is called a SIM swap scam.  The SIM swap scam has been around for a while.  According to the U.S. Federal Trade Commission, reported incidents of SIM swap scams have been increasing since 2013, reaching 2,658 in 2016.  It was so prevalent that it prompted New York State to issue a warning.

A SIM swap scam is all about gathering as much information about the victim as possible.  It is not difficult to find someone’s legal name, date of birth, address, and phone numbers these days, since most people provide that information on social media voluntarily.  Once the cybercriminals have enough information, they call the victim’s carrier and ask the service representative to activate a SIM card in their possession on the victim’s number.  The representative asks the scammer security questions, and the scammer answers them with the information they have gathered.  The victim’s handset plays no part in this: its SIM simply stops working, which is often the first sign that something is wrong.  Once the victim’s phone number rings and texts on the scammer’s phone, every account that uses SMS authentication can be compromised, because the “something you have” factor has turned into something the carrier hands out over a phone call.  Asking your carrier for an account PIN or a port-out lock raises the bar, but your number is still only as safe as the carrier’s own customer-service process.

NIST also states in Special Publication 800-63B that “methods that do not prove possession of a specific device, such as voice-over-IP or email, SHALL NOT be used for out-of-band authentication.”  An SMS does not prove possession of a specific device.  The number may terminate at a Voice over IP (VoIP) provider rather than at a SIM, in which case the code lands in a web account that is only as secure as that provider’s websites and systems; anyone who compromises those systems can read the SMS or reroute it.  Does this mean that we are stuck with using a username and a password?


Fortunately, there are other types of authentication that you can use:

  • An authenticator app. You can install an authenticator app such as Google Authenticator or Authy that generates TOTPs. The shared secret is provisioned once (usually by scanning a QR code) and stays on the device; each code is computed locally from that secret and the current time, so no code is ever sent over the phone network.

  • Hardware tokens. These are physical devices, usually a keyfob or a credit-card-sized dongle, that display a numeric code that changes every 30 seconds or at another predetermined interval. Like an authenticator app, the token holds the secret and computes the code itself.

  • Google Prompt (for Google accounts). If you use Google’s services such as Gmail or Google Drive and you don’t want to use an authenticator app, you can use Google Prompt. When you log in from an unfamiliar device, a prompt appears on your phone asking whether you are in fact the one trying to log in, and you approve or deny it there. To use this feature on an iPhone, install the Google app from the App Store.


Just because SMS authentication is no longer considered safe does not mean you should skip two-factor authentication when SMS is the only option a service offers.  There is no reason not to use two-factor authentication, and while SMS authentication is risky, it is still better than a username and password alone.