Security February 28, 2026 · 9 min read

SMS Verification Is Broken (But It Is Not Going Away)

A technical look at why SMS 2FA remains the industry standard despite its well-documented security flaws, and what safer alternatives exist.

Every serious security researcher agrees that SMS-based two-factor authentication is the weakest form of 2FA in widespread use today. The protocol was never designed for authentication, the delivery infrastructure leaks codes through multiple channels, and the attacks against it are well-documented and accessible. Yet billions of accounts still depend on it.

Understanding why SMS verification persists despite its flaws, and what you can do about it personally, requires looking at both the technical problems and the economic reasons that keep the industry locked into this approach.

How SMS authentication actually works

When you enable SMS two-factor authentication on an account, you are telling that service to send a numeric code to your phone number whenever you log in from an unrecognized device. The theory is that only someone holding your physical phone can receive and enter the code, providing a second factor beyond your password.

The problem begins with the fact that SMS was never an authentication protocol. It is a messaging layer from the 1980s, designed for low-priority text communication between mobile subscribers. Adding authentication on top of it means depending on infrastructure that was never built to be a security-critical system.

The four main attack categories

Security researchers generally group SMS 2FA attacks into four categories, each of which has been demonstrated in real-world incidents costing millions of dollars.

1. SIM swap attacks

An attacker contacts your mobile carrier, often using social engineering or bribed employees, and convinces them to transfer your phone number to a SIM card the attacker controls. From that moment, every SMS code sent to your number goes to the attacker instead. Password resets, login attempts, financial transfers: all of them now route through the attacker's device.

SIM swap attacks have compromised cryptocurrency wallets worth tens of millions of dollars, hijacked high-profile social media accounts, and bypassed 2FA on corporate email systems. The attack is detailed further in our dedicated guide on SIM swapping.

2. SS7 protocol exploitation

Signaling System 7 is the international protocol that mobile networks use to route calls and text messages between carriers. Published research since 2014 has demonstrated that attackers with access to SS7 can intercept SMS messages in transit without touching the victim's phone or account.

This is not theoretical. German researchers demonstrated live SMS interception attacks on German banks in 2017, and similar attacks have been used against cryptocurrency holders, activists, and journalists.

3. Phishing and social engineering

The simplest attack requires no technical skill. An attacker sends a message pretending to be from your bank or service provider, asking you to verify a suspicious login by reading back the code you just received. The victim reads the code aloud, and the attacker enters it on the real login page.

This attack works because SMS codes look identical whether they are delivered through a legitimate login or an attacker-initiated one. Users have no way to tell from the code itself what action it authorizes.

4. Mobile malware

Mobile malware designed to intercept SMS has been documented on both Android and iOS, though it is more common on Android due to the platform's looser app installation rules. Once installed, the malware forwards incoming SMS to attackers in real time, rendering 2FA useless on the infected device.

Why companies still use it

If SMS 2FA is this broken, why has it not been replaced? The reasons are mostly economic rather than technical.

Every mobile phone already receives SMS. Implementing SMS verification requires no app, no user training, and no hardware. The support burden is low because users already understand text messages. For a company signing up tens of millions of users, "better than nothing" plus almost universal reach outweighs the security concerns.

The costs of the attacks are also externalized. When a victim loses money to a SIM swap attack, the carrier rarely pays, the service provider rarely pays, and the security researchers who warned about the issue for years have already moved on to new problems. The affected user absorbs the loss.

What to use instead

For accounts that matter, stronger 2FA options exist and should be used instead of SMS whenever possible.

  • Authenticator apps like Google Authenticator, Authy, or 1Password generate time-based codes that never leave your device. No SIM swap, SS7 attack, or SMS interception can reach them.
  • Hardware security keys like YubiKey use public-key cryptography and require physical possession of the key to authenticate. These are the gold standard for high-value accounts.
  • Passkeys (the newer WebAuthn standard) combine hardware-backed security with the convenience of built-in operating system support. They are rapidly replacing traditional passwords for new services.

For accounts where you are forced to use SMS 2FA, minimize the damage: use a separate phone number for security-critical accounts, never use the same number publicly that protects your financial accounts, and enable carrier-level SIM swap protection if your provider offers it.

The role of temporary numbers

For low-stakes signups that require SMS verification, using a temporary phone number is actually a useful security measure. If the service is ever breached or sold to a marketing database, the number is already disposable. You cannot be SIM-swapped on a number you do not own.

This does not replace real 2FA on accounts you care about. But it does reduce the attack surface by keeping your personal number away from services that will inevitably leak or misuse it.
