In this article
July 9, 2025
July 9, 2025

Why SMS is not a secure Multi-Factor Authentication (MFA) method

SMS-based multi-factor authentication (MFA) is still common, but it's fundamentally insecure. This article explains why developers should avoid SMS MFA and adopt stronger, phishing-resistant alternatives like TOTP and WebAuthn.

Maria Paktiti
July 9, 2025

Multi-factor authentication (MFA) is one of the most effective defenses against account compromise. However, not all MFA methods are created equal.

SMS-based MFA, while widely adopted, is fundamentally flawed in ways that make it an inadequate choice for securing sensitive systems and data.

Here’s why you should avoid SMS MFA in modern applications, and what better alternatives look like.

1. Vulnerable to SIM swap attacks

One of the most dangerous threats to SMS-based MFA is SIM swapping (also known as SIM hijacking). This attack exploits mobile carriers' customer service practices by convincing them—through social engineering or identity theft—to transfer a victim’s phone number to a new SIM card under the attacker’s control.

Once the attacker controls the victim’s number, they can receive all SMS messages, including one-time passcodes (OTPs) for MFA. At that point, compromising an account becomes trivial, especially if the attacker already has the victim’s username and password (often obtained via phishing or credential stuffing).

If your MFA strategy can be defeated by someone calling T-Mobile support, it’s not a strong strategy.

2. Lack of end-to-end encryption

SMS messages are not end-to-end encrypted. From the moment an OTP is generated and sent, it can be intercepted at various points:

  • In transit over the cellular network.
  • By malware on the user’s device.
  • Or through APIs that SMS aggregators expose to third parties.

This lack of confidentiality makes SMS OTPs vulnerable by design.

If you wouldn’t transmit passwords via SMS, don’t transmit MFA codes that way either.

3. Susceptibe to phishing and Man-in-the-Middle attacks

Attackers often use real-time phishing kits to intercept SMS-based OTPs.

Here’s how it works:

  1. The victim enters credentials on a fake login page.
  2. The attacker immediately triggers a real MFA prompt.
  3. The user receives the real SMS code and enters it on the fake page.
  4. The attacker completes login with the code, often within seconds.

Some advanced phishing tools can automate this process, making SMS OTP interception efficient and scalable.

SMS MFA is not phishing-resistant. And phishing is the #1 cause of breaches.

4. Phone numbers are not stable identifiers

Phone numbers are not permanent identifiers. Users frequently change numbers or lose access to them, and carriers recycle old numbers. If a recycled number is reassigned to a new customer, that person could potentially receive OTPs for services not meant for them, particularly if account recovery processes are weak.

SMS MFA can break recovery flows and introduce edge-case bugs for little security gain.

5. Reliance on mobile carrier infrastructure

SMS MFA depends on the reliability and security of the mobile carrier ecosystem, an environment notorious for its inconsistent security practices, including:

  • Weak identity verification during SIM changes.
  • Lack of audit trails for number reassignments.
  • Exposure to insider threats within telecom organizations.

For organizations that handle sensitive data, trusting such an ecosystem introduces unnecessary risk.

6. Compliance and industry recommendations

Security authorities like NIST (National Institute of Standards and Technology) have deprecated SMS as a secure MFA method since their 2017 revision of Special Publication 800-63. They cite the risks described above and explicitly recommend against using SMS for sensitive or high-assurance scenarios.

Most security-conscious organizations today discourage or disable SMS as a second factor, and many enterprise buyers will question vendors who default to it.

Avoid red flags for security reviewers. Implement stronger options by default.

Better alternatives

Major platforms and security-conscious enterprises are also migrating away from SMS MFA in favor of stronger methods such as:

  • Authenticator apps (e.g., TOTP-based methods like Google Authenticator or Authy). See how you can do this with WorkOS.
  • Push notifications (e.g., via Duo or Okta Verify). These are often used in enterprise settings. They offer better UX and are more secure than SMS or email codes. They are options you can use if you integrate with IdPs via WorkOS SSO.
  • Hardware security keys (e.g., YubiKey, FIDO2/WebAuthn standards). A phishing-resistant option that uses public-key crypto.

At-a-glance: Comparing MFA methods for security and UX

Method Security Phishing-Resistant Requires Mobile Number
SMS MFA Low No Yes
TOTP Good Partial No
Push MFA Good Partial Yes
WebAuthn Excellent Yes No

Build security into your app without reinventing the wheel

While SMS-based MFA may still be better than no MFA at all, it should not be relied on for protecting high-value accounts or applications. Given the rise in SIM swapping, phishing, and other telecom-level threats, organizations should adopt phishing-resistant authentication methods that don’t rely on the mobile network for security.

B2B users and enterprise IT teams are raising the bar on security. If your app relies on SMS MFA, it might not just be insecure—it might be a dealbreaker.

By using WorkOS MFA, you can offer modern, phishing-resistant methods like TOTP with just a few API calls. No need to build the plumbing or handle the edge cases yourself.

We’re hiring

Our global team is growing and we’re hiring all types of roles.

View open roles
About us

WorkOS builds developer tools for quickly adding enterprise features to applications.

Learn more

This site uses cookies to improve your experience. Please accept the use of cookies on this site. You can review our cookie policy here and our privacy policy here. If you choose to refuse, functionality of this site will be limited.