32blog by StudioMitsu

Is SMS 2FA Still Safe? How to Switch to Secure Authentication

Why SMS authentication is no longer safe, how SIM swapping works, and step-by-step instructions to switch to authenticator apps and passkeys.

This article contains affiliate links.

"I have two-factor authentication set up with SMS, so I'm good" — if that's what you think, keep reading.

In December 2024, the FBI and CISA jointly declared SMS authentication "not recommended" and urged users to switch to encrypted authentication methods. With 3.4 billion phishing emails sent daily (APWG, 2024) and SIM swapping attacks surging, SMS-based 2FA has become the weakest link in your security chain.

This article explains why SMS 2FA is dangerous, what to switch to, and exactly how to make the switch on major services.

Upgrade path (diagram): SMS 2FA (interceptable via SIM swap; switch now) → Authenticator app (TOTP, works offline) → even safer → Hardware key (phishing-proof) → end goal → Passkeys (password-free future)

Why SMS Authentication Is No Longer Safe

SMS authentication — entering a 6-digit code sent via text message — was long considered "better than nothing" for two-factor authentication. But since 2025, several factors have pushed its risk to unacceptable levels.

Fundamental problems with SMS:

  • Not encrypted — SMS messages are sent in plaintext. They can be intercepted in transit
  • SIM swapping — Attackers convince your carrier to transfer your phone number to their SIM. Once successful, all SMS codes go to them
  • SS7 protocol vulnerabilities — The inter-carrier network protocol has known vulnerabilities that make SMS interception technically feasible

What authorities are saying:

| Authority | Action |
|---|---|
| FBI / CISA (US) | Explicitly labeled SMS 2FA "not recommended." Advised encrypted alternatives |
| NIST SP 800-63B (US) | Classified SMS as a "restricted authenticator" requiring risk assessment |
| Digital Agency (Japan) | Announced plans to phase out SMS authentication for government business IDs |

Having 2FA enabled is no longer enough. Which method you use is what matters.


How SIM Swapping Attacks Actually Work

SIM swapping is the biggest reason SMS 2FA is dangerous. The attack is simple but devastating.

How it works:

  1. The attacker gathers your personal information (name, date of birth, address) — from dark web purchases, social media, or data breaches
  2. They contact your mobile carrier pretending to be you, claiming a "lost SIM" or "new phone"
  3. If the carrier's identity verification is bypassed, your phone number moves to the attacker's SIM
  4. All SMS verification codes now go to the attacker
  5. They log into your bank accounts, email, and social media

Real-world damage:

  • T-Mobile (US, March 2025) — $33 million arbitration award for SIM swap damages. Largest ever
  • UK (2024) — SIM swap fraud reports increased 1,055% year-over-year (289 → ~3,000 cases)
  • Marks & Spencer (UK, April 2025) — SIM swapping attack forced the company to suspend online ordering

If you're concerned your personal information may already be on the dark web, check now with "How to Check If Your Data Is on the Dark Web." A leaked phone number is the first step toward a SIM swap.


What to Switch To: Your Authentication Options

Three alternatives are safer than SMS authentication.

| Method | Security | Convenience | Cost | Best for |
|---|---|---|---|---|
| Authenticator app (TOTP) | High | High | Free | Best balance for most people |
| Hardware key (FIDO2) | Highest | Medium | $25–50 | Maximum security needs |
| Passkeys | Highest | Highest | Free | Services that support it |

Authenticator apps (TOTP) are the best choice for most people because they:

  • Are free
  • Work offline (no network required)
  • Are immune to SIM swapping
  • Are supported by virtually every service

Hardware keys (like YubiKey) offer complete phishing resistance but cost $25–50 per key. They're ideal for IT administrators or anyone with especially high security needs.

Passkeys are covered in detail later in this article.


Best Authenticator Apps in 2026

Here are the authenticator apps worth trusting in 2026, organized by use case.

| App | Platform | Key feature | Best for |
|---|---|---|---|
| Ente Auth | iOS / Android / Web / Desktop | Open-source, E2E encrypted cloud sync, Cure53 audited | Privacy + cross-device sync |
| Aegis | Android only | Open-source, fully offline, local encrypted backups | Android privacy maximalists |
| 2FAS | iOS / Android | Open-source, clean UI, Apple Watch support | iPhone users wanting simplicity |
| Google Authenticator | iOS / Android | Cloud sync added in 2023. Most widely recognized | Google ecosystem / beginners |
| Microsoft Authenticator | iOS / Android | Tight Microsoft 365 integration | Corporate Microsoft environments |

How to choose:

  • Need cloud sync? — If you lose your phone, you'll want recovery. Ente Auth offers E2E encrypted sync
  • Care about open source? — Ente Auth, Aegis, and 2FAS are all open-source and auditable
  • What about Authy? — In July 2024, Twilio (Authy's parent company) disclosed a breach exposing 33 million phone numbers. The app still works, but the security community increasingly recommends switching to alternatives

How to Switch Away from SMS 2FA on Major Services

The basic process is the same across services. Here's the universal workflow followed by service-specific settings locations.

Universal steps:

  1. Install an authenticator app on your phone
  2. Open the service's security settings
  3. Change 2FA method from "SMS" to "Authenticator app"
  4. Scan the QR code with your authenticator app
  5. Enter the 6-digit code to confirm
  6. Save backup codes (essential for recovery if you lose your device)

Where to find the settings:

| Service | Settings path |
|---|---|
| Google | Google Account → Security → 2-Step Verification → Authenticator app |
| Apple ID | Settings → [Your Name] → Sign-In & Security → Two-Factor Authentication |
| Amazon | Account → Login & Security → Two-Step Verification Settings |
| X (Twitter) | Settings → Security and account access → Security → Two-factor authentication |
| Instagram | Settings → Accounts Center → Password and security → Two-factor authentication |
| Discord | User Settings → My Account → Enable Two-Factor Auth |

If you need to rethink your password management overall, see "Can't Remember Your Passwords? You Don't Have To."


Will Passkeys Replace 2FA?

Passkeys are a newer authentication method that replaces both the password and the separate second factor. They're based on the FIDO2/WebAuthn standard.

How passkeys work:

  • They use public-key cryptography. The private key stays on your device; only the public key goes to the server
  • You authenticate with biometrics (fingerprint, face) or a PIN
  • They don't work on phishing sites (they're bound to the legitimate domain)

Adoption in 2026:

  • Google has rolled out passkeys to over 800 million accounts
  • Apple, Microsoft, Amazon, and other major services support them
  • 63% of organizations rank passkeys as their top authentication investment for 2026

However, passkeys won't fully replace 2FA yet. The reasons:

  • Many services don't support them yet (banks, government services lag behind)
  • Older devices can't use them
  • Service-side implementation is still catching up

The bottom line: use passkeys where available, authenticator apps everywhere else. That's the 2026 best practice.

If you're worried your accounts may already be compromised, check with "How to Verify If Your Password Has Been Breached."

NordVPN Plus and higher plans include Dark Web Monitoring, which alerts you when your email addresses or phone numbers appear on the dark web. This lets you detect the early warning signs of a SIM swap attack.

NordVPN

The world's leading VPN — fast, secure, and easy to use

  • 6,400+ servers across 111 countries
  • NordLynx protocol (WireGuard-based)
  • Threat Protection Pro (ads & malware blocking)

Wrapping Up

SMS 2FA has gone from "better than nothing" to "actively avoid."

  • SMS is unencrypted and defeated by SIM swapping — FBI/CISA officially recommend against it
  • Switch to an authenticator app now — Ente Auth is the top pick (cloud sync + open-source + audited)
  • Always save backup codes — your lifeline when devices fail
  • Use passkeys where supported — the end goal that makes even 2FA unnecessary

The most impactful thing you can do right now is open your security settings and switch from SMS to an authenticator app. It takes less than 10 minutes per service.

Phishing emails are a common entry point for account compromises. For step-by-step response guidance, see "Opened a Phishing Email? What to Do Next." To understand how password reuse enables credential stuffing attacks, see "Why Password Reuse Is Dangerous: How Credential Stuffing Works." If you suspect your phone may be compromised, check "Is Your Phone Hacked? How to Check and What to Do Now."