Why SMS Login Codes Are No Longer Enough
Text-message login codes are still better than passwords alone, but phishing, SIM swaps, and account takeovers are pushing banks, platforms, and public services toward stronger authentication.
For years, the standard advice for protecting an online account was simple: turn on two-factor authentication and receive a code by text message. That advice still has value. A text code is usually stronger than a password by itself, especially for people who reuse passwords or have had credentials exposed in a data breach.
But SMS codes are no longer the strongest everyday protection available. Attackers have learned to phish one-time codes in real time, pressure people into approving logins, and hijack phone numbers through SIM-swap fraud. As more financial, work, government, and health services move online, the weak points in text-message authentication matter more.
CISA, the U.S. Cybersecurity and Infrastructure Security Agency, now encourages phishing-resistant multi-factor authentication where possible. The practical message is not that every person must abandon SMS immediately. It is that anyone protecting important accounts should understand the difference between “some extra protection” and protection designed to survive modern phishing.
The Problem With Text Codes
SMS authentication depends on a phone number. That makes it familiar, but it also creates risk. A phone number can be ported, reassigned, socially engineered from a mobile provider, or intercepted in attacks against telecom systems. The person signing in may believe they control the second factor, while the real control point is the mobile account behind the number.
The FTC has warned consumers about SIM-swap scams, where criminals trick or bribe their way into moving a victim’s number to a device they control. Once that happens, account recovery messages and login codes can go to the attacker instead of the real customer.
There is also a simpler attack: phishing. A fake login page can ask for a username, password, and text code, then immediately pass those details to the real service. Because the code is valid for a short period, speed is enough. The attacker does not need to break encryption or steal the phone; they just need the victim to type the code into the wrong page.
That is why the NIST Digital Identity Guidelines treat phone-network delivery of out-of-band authentication secrets as a restricted method and tell verifiers to consider risk signals such as SIM changes, device swaps, number porting, and abnormal behavior before relying on it.
Better Options Are Becoming Normal
The next step up from SMS is usually an authenticator app. These apps generate short-lived codes on the device instead of receiving them through the phone network. They are not perfect, because a person can still be tricked into typing a valid code into a fake website, but they remove some phone-number risk.
Push-based authentication can be more convenient, but it has its own problem: fatigue. If an attacker has a password, they may repeatedly trigger approval prompts until a tired user taps accept. CISA recommends number matching when phishing-resistant MFA is not available, because it makes blind approvals harder.
The strongest consumer-friendly shift is toward passkeys and hardware security keys. The FIDO Alliance describes passkeys as phishing-resistant because they use public-key cryptography and are tied to the legitimate website or app. In plain language, there is no reusable password or text code for a fake page to steal.
With a passkey, the device proves possession of a private key after the user unlocks it with a screen lock, PIN, fingerprint, or face recognition. The service keeps the matching public key. If a criminal sends a convincing fake link, the passkey should not authenticate to that fake domain because the cryptographic exchange is bound to the real one.
Hardware security keys work on the same broad principle, often with a separate physical key that must be plugged in or tapped. They are especially useful for administrators, journalists, activists, finance staff, developers, and anyone whose accounts could unlock sensitive systems or public-facing platforms.
What This Means for Ordinary Users
The best authentication method is the strongest one a person can actually use consistently. For many people, that means moving important accounts in stages rather than trying to change everything in one weekend.
Start with email. Email is the recovery path for many other accounts, so losing it can lead to a cascade of takeovers. After email, protect banking, mobile money, cloud storage, social media, government portals, password managers, and work accounts. If a service offers passkeys or security keys, use them. If it does not, use an authenticator app. If SMS is the only option, keep it turned on, but treat it as a backup-level control rather than a gold standard.
Account recovery deserves the same attention. A strong passkey does not help much if a criminal can reset the account through an old email address, a weak mobile account, or security questions with answers available from public records. Review recovery emails, backup phone numbers, saved devices, and emergency codes.
People should also harden the mobile account itself. Many carriers allow customers to set an account PIN or port-out lock. That will not stop every SIM-swap attempt, but it can make social engineering harder. The FTC’s SIM-swap guidance also recommends contacting companies through known, legitimate channels when a message asks for account or personal information.
Organizations Should Stop Treating SMS as the Finish Line
For companies, public agencies, schools, and nonprofits, the lesson is sharper. Offering SMS may help users who have no better option, but treating it as the main defense for staff, administrators, payroll systems, cloud dashboards, and citizen data is increasingly difficult to justify.
High-risk roles should move first to phishing-resistant MFA. Administrators, finance teams, communications staff, executive assistants, developers, and anyone who can approve payments or publish official information deserve stronger defaults. Organizations should also remove login fallbacks that quietly weaken the system, such as allowing a security key user to reset access through SMS alone.
Good rollout matters. People need clear prompts, backup options, accessible support, and a recovery process that does not create a new shortcut for attackers. A rushed security rollout can lock out legitimate users or push them toward unsafe workarounds.
The Direction Is Clear
SMS codes are not useless. They remain better than password-only sign-ins, especially on accounts where no stronger option exists. But the direction of travel is clear: authentication is moving away from codes that people can read, copy, forward, or type into the wrong page.
The safer future is one where important accounts ask the right device, the right user, and the right website to prove themselves at the same time. Passkeys and security keys are not magic, but they reduce the easiest path for many common account-takeover attacks.
For users, the practical move is to upgrade the accounts that would hurt most to lose. For organizations, the practical move is to stop calling SMS-based MFA the end of the security project. It is a step, not the destination.