The vulnerabilities of SMS-based authentication — and what to use instead
SMS text messages were never designed to be a security mechanism. They were built for human communication in the 1980s, long before the threat landscape of today existed. Despite this, SMS one-time passwords became the most widely deployed form of two-factor authentication because of one advantage: everyone already has a phone number.
That convenience comes with serious security trade-offs. This page explains the main attack vectors against SMS-based 2FA, how they work in practice, and why app-based TOTP authentication is a significantly stronger alternative.
A SIM swap attack (also called SIM hijacking or port-out fraud) exploits the legitimate mobile carrier process for transferring a phone number to a new SIM card — typically used when a customer loses their phone. An attacker who knows enough personal information about a victim (name, address, last 4 digits of a bank account, date of birth — all often available through data breaches or social media) can call the victim's carrier, impersonate them, and convince a customer service agent to transfer the number.
Once the attacker controls the victim's phone number, every SMS sent to that number — including 2FA codes — arrives on the attacker's device instead. The victim's own phone immediately loses signal.
SIM swapping is not a theoretical attack. It has been used to steal millions of dollars in cryptocurrency, compromise high-profile social media accounts, and bypass 2FA on banking platforms. Because it exploits human customer service agents rather than technical vulnerabilities, it remains effective even against carriers that have implemented security measures.
SS7 (Signalling System 7) is the set of protocols used by phone networks worldwide to coordinate routing of calls and SMS messages. It was designed in 1975, when trust between telephone networks was assumed — there was no concept of an untrusted actor having access to the network.
Today, researchers and government agencies have demonstrated that an attacker with access to the SS7 network (achievable through purchasing access from a rogue telecom operator, hacking into a carrier, or through intelligence agency capabilities) can intercept SMS messages in transit without the target's phone showing any indication anything is wrong. The victim's phone continues to show normal signal and function normally.
Banking trojans and mobile malware specifically designed to intercept SMS messages have been documented in the wild for over a decade. This family of attacks — sometimes called "mobile overlay" or "SMS stealer" malware — works by requesting SMS read permissions on Android devices. The malware monitors incoming messages and silently forwards any message matching patterns like "your code is" or "verification code" to attacker-controlled servers.
This type of attack is particularly effective because it is fully transparent to the victim. The legitimate SMS arrives and is visible, but a copy has already been exfiltrated. Because the malware operates on the same device that is meant to serve as the "something you have" second factor, the entire premise of two-factor authentication is undermined.
Modern phishing toolkits (such as the open-source Evilginx2 framework) act as a transparent reverse proxy between the victim and the legitimate website. When the victim enters their password and SMS 2FA code into what appears to be the real site, the proxy relays the credentials to the real site in real time, establishes an authenticated session, and captures the session cookies.
This attack completely bypasses SMS 2FA because the attacker relays the code before it expires. The victim successfully completes what appears to be a normal login, unaware that the attacker now holds their authenticated session.
| Attack | SMS 2FA | App-Based TOTP |
|---|---|---|
| SIM Swap | ✘ Fully compromised — attacker receives all SMS | ✓ Not affected — secret is stored in the app, not tied to a phone number |
| SS7 Interception | ✘ Fully compromised — SMS intercepted in transit | ✓ Not affected — no network message to intercept |
| SMS Malware | ✘ Vulnerable — SMS read permission exposes codes | ~ Reduced risk — secret stored in app, not in SMS; malware would need to target the authenticator app specifically |
| Real-Time Phishing Proxy | ✘ Vulnerable | ✘ Also vulnerable — but window is shorter (30s vs minutes) |
| No mobile signal | ✘ SMS not delivered without signal | ✓ TOTP works completely offline |
| International number issues | ✘ International SMS delivery is unreliable | ✓ Works globally, no number required |
German researchers and journalists documented the first widely reported case of SS7 being exploited to bypass mobile banking 2FA, leading to unauthorised bank transfers.
Reddit disclosed that an attacker had bypassed SMS-based 2FA used to protect employee accounts, resulting in access to user data and source code.
The Twitter account of Jack Dorsey, Twitter's own CEO, was hijacked when attackers SIM-swapped his phone number, demonstrating the attack works regardless of the target's level of technical awareness.
Multiple cryptocurrency exchanges reported SIM swap attacks against high-value customers, resulting in total losses estimated in the tens of millions of dollars.
NIST published revised Digital Identity Guidelines, formally classifying SMS OTP as a "restricted" authenticator and recommending migration to app-based or hardware authenticators.
For most consumer applications, SMS 2FA is significantly better than no 2FA at all. It defeats the most common attacks — credential stuffing from data breaches, where an attacker tries username/password pairs bought in bulk — because those attackers don't have access to the victim's phone.
However, for any application handling sensitive data, financial transactions, administrative access, or high-value accounts, app-based TOTP should be the recommended or required second factor. The attacks described above, while not trivially easy, are well-documented, tooled, and actively used by criminals targeting high-value accounts.
Use app-based TOTP (Google Authenticator, Authy, Microsoft Authenticator) as your primary 2FA mechanism. If you must offer SMS as a fallback for accessibility or user adoption reasons, make TOTP the default and clearly communicate its security advantages. AuthenticatorAPI.com makes it straightforward to add TOTP to any application in any language — with no SDK required.