
2FA is not all equal. Why SMS is your weakest link

Not all second factors protect you equally. SMS codes can be intercepted through SIM swaps and telecom attacks. Here's a ranked breakdown of every 2FA method and which ones actually stop attackers.

April 5, 2026 · 6 min read · By Baris Ayarkan
SMS is better than nothing but it's your weakest option

If the only 2FA an account offers is SMS, use it. But wherever you have a choice, something else is always better. Here's why, and what to use instead.

Why SMS fails as a second factor

SMS 2FA puts your security in the hands of your phone carrier's internal processes, and those processes can be manipulated by an attacker who never touches your device.


SIM swap attacks

An attacker calls your carrier, claims to be you, and convinces support staff to transfer your number to their SIM card. They then receive all your SMS codes and can reset any account linked to that number.


SS7 network interception

The SS7 protocol that routes SMS globally has known vulnerabilities. Nation-state actors and sophisticated attackers can intercept SMS in transit without touching your phone or your carrier.


Real-time phishing

Phishing kits can proxy your credentials in real time. The attacker relays your SMS code to the real site before it expires. SMS codes offer no protection against this attack.

What official guidance says

NIST SP 800-63B has restricted PSTN-based authentication for years. CISA's 2024 Mobile Communications Best Practice Guidance went further with a direct recommendation against SMS as a second factor for authentication.

All 2FA methods, ranked

From strongest to weakest, with honest notes on where each falls short.

#1
Passkeys (FIDO2 / WebAuthn)
Cryptographic credential stored on your device or security key. No code to intercept, no password to steal. Phishing-resistant by design — the credential only works on the exact domain it was registered to. Major platforms (Apple, Google, Microsoft) all support passkeys.
Phishing-resistant · No codes to intercept · Best choice
#2
Hardware security keys (YubiKey, etc.)
Physical device you plug in or tap. Cryptographic authentication, phishing-resistant, immune to SIM swaps and SS7 attacks. The gold standard for high-value accounts. Downside: you need the physical key, and losing it requires recovery codes.
Phishing-resistant · Physical possession required
#3
TOTP authenticator apps (Authy, Google Authenticator, etc.)
Time-based one-time codes generated offline on your device. No carrier involvement, no SMS. Significantly better than SMS. Not fully phishing-resistant (a proxy can relay codes in real time), but stops automated credential-stuffing attacks and SIM swaps.
No carrier risk · Offline generation · Not fully phishing-proof
#4
Email-based codes
A code sent to your email inbox. Better than SMS only if your email itself is well-secured. If your email account is compromised, email 2FA provides no meaningful protection. Use only where better options don't exist.
Depends on email security · Fallback option only
#5
SMS codes
Still better than no 2FA. Stops most automated attacks. But vulnerable to SIM swaps, SS7 interception, and real-time phishing proxies. Use as a last resort when no other option is available — then upgrade when you can.
SIM-swap vulnerable · Phishing-compatible · Better than nothing
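The difference between #3 and #1 in this list comes down to binding. The following is an added example (not code from the article or any product it mentions) using the RFC 6238 test secret and made-up origins: a TOTP verifier accepts any correct code submitted inside its time window, whoever forwards it, while a WebAuthn relying party compares the origin the browser recorded and the hash of the RP ID before it even looks at the signature, so an assertion produced on a look-alike domain is rejected.

```python
"""Constructed demo (not from the article): a relayed TOTP verifies, a
phished WebAuthn assertion does not. Sample secret/origins are made up."""
import base64, hashlib, hmac, json, struct

def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", for_time // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def verify_totp(secret_b32: str, submitted: str, now: int, skew_steps: int = 1) -> bool:
    """Server-side check accepting the current step and its neighbours.
    Nothing binds the code to the site it was typed into, so a proxy that
    forwards it within the window is accepted exactly like the real user."""
    return any(hmac.compare_digest(totp(secret_b32, now + d * 30), submitted)
               for d in range(-skew_steps, skew_steps + 1))

def make_sample_assertion(origin: str, rp_id: str) -> tuple[bytes, bytes]:
    """Constructed stand-in for what a browser/authenticator return on a
    passkey sign-in: clientDataJSON (the browser writes the real origin) and
    authenticatorData (first 32 bytes = SHA-256 of the RP ID)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": "c29tZS1ub25jZQ",
                              "origin": origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"
    return client_data, auth_data

def assertion_is_bound(client_data_json: bytes, authenticator_data: bytes,
                       expected_origin: str, rp_id: str) -> bool:
    """The origin and RP-ID checks a relying party runs before verifying the
    signature (signature verification itself is omitted here). A look-alike
    site cannot pass: the browser refuses to use the bank's RP ID from another
    origin, and an assertion made under the attacker's own RP ID or origin
    fails one of these two comparisons."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get" or client_data.get("origin") != expected_origin:
        return False
    return hmac.compare_digest(authenticator_data[:32],
                               hashlib.sha256(rp_id.encode()).digest())

if __name__ == "__main__":
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # RFC 6238 test secret, base32
    code = totp(secret, 59)                        # "287082"
    print("relayed TOTP accepted:", verify_totp(secret, code, 59 + 20))
    cd, ad = make_sample_assertion("https://bank-login.example", "bank-login.example")
    print("phished passkey accepted:", assertion_is_bound(cd, ad, "https://bank.example", "bank.example"))
```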

Where to start upgrading

You don't need to migrate everything at once. Start where the stakes are highest.

  1. Your email account: this is the master key. Everything else resets through here. Upgrade to a passkey or authenticator app immediately.
  2. Your Apple, Google, or Microsoft account: it controls your phone, backups, and payment info.
  3. Banking and investment accounts: some only offer SMS, but use whatever is the strongest available.
  4. Password manager: if your manager gets compromised, every other account follows.
  5. Work SSO / employer accounts: follow your employer's policy, but advocate for passkeys or hardware keys.
Store backup codes somewhere safe

When you set up any strong 2FA, you'll receive one-time backup codes. Print them or store them in a password manager. Losing your authenticator app without backup codes can lock you out permanently.

Common questions

Is SMS 2FA better than no 2FA at all?

Yes, meaningfully so. SMS 2FA stops the vast majority of automated credential stuffing attacks. The risks (SIM swaps, SS7 interception) require targeted effort. For most people, SMS is still a significant upgrade over passwords alone. But for high-value accounts, upgrade to something better.

What is a SIM swap attack and how does it work?

The attacker calls your carrier and impersonates you, often using personal information from data breaches to convince a support rep to port your number to a new SIM they control. Once they have your number, all SMS codes go to them. They can then reset passwords on any account tied to that number.

Can I use the same authenticator app for all my accounts?

Yes. Authy, Google Authenticator, and similar apps can hold codes for hundreds of accounts. Authy adds cloud backup (convenient but requires trusting Authy's servers). Google Authenticator now supports backup too. Use whichever you'll actually maintain with good recovery options.

Sources

  1. CISA Mobile Communications Best Practice Guidance (December 2024)
  2. NIST SP 800-63B — authentication using the public switched telephone network
  3. CISA MFA guidance page