
The End of SMS Codes: Better Security with New MFA Standards
The cybersecurity landscape is constantly shifting, with both threats and protections evolving at a rapid pace. One area seeing significant advancement is multi-factor authentication (MFA)—a crucial defense layer that’s moving well beyond the traditional SMS codes many of us have grown accustomed to.
Why SMS-Based MFA Is Obsolete
As I was researching for my upcoming book chapter on authentication methods, I discovered something concerning: SMS-based authentication—once considered a major security upgrade—is increasingly viewed as inadequate by cybersecurity experts.
SMS messages can be intercepted through SIM swapping attacks. A SIM swapping attack (also known as SIM hijacking or SIM swap fraud) is a form of identity theft where an attacker tricks or bribes a mobile carrier into transferring a victim’s phone number to a SIM card controlled by the attacker. Once successful, the attacker gains access to texts and calls intended for the victim, including two-factor authentication (2FA) codes.
According to recent data from the Federal Trade Commission, SIM swap complaints have increased by over 150% in the past two years. These attacks aren’t just theoretical—they’re happening regularly, with victims often losing access to critical accounts and digital assets.
The New Generation of MFA
Fortunately, more secure alternatives are not only available but becoming increasingly user-friendly. Here are the MFA methods worth considering:
- Authenticator Apps: Software like Google Authenticator, Microsoft Authenticator, and Authy generate time-based one-time passwords (TOTPs) that change every 30 seconds. Unlike SMS, these codes are computed on your device and are never sent to you over the carrier network, which eliminates the interception risk.
Even better: Some password vaults (1Password is one example) now offer built-in TOTP code generation.
- Security Keys: Physical devices like YubiKeys or Google Titan Security Keys provide cryptographic proof of your identity. They’re virtually phishing-proof because they verify both you AND the service you’re connecting to.
- Biometric Authentication: Fingerprints, facial recognition, and even behavioral biometrics are becoming standard on mobile devices and increasingly supported by major services.
- Push Notifications: Services like Duo Security send authentication requests directly to your trusted device through encrypted channels, requiring a simple tap to approve.
What I’ve Learned While Researching Authentication
While working on my book’s authentication chapter, I’ve been testing various MFA methods personally. The learning curve varies—security keys took me about 20 minutes to fully understand and set up, while authenticator apps were intuitive within minutes.
What surprised me most was the stark security difference between these methods. When I examined recent account takeover data, I found that accounts protected by security keys had near-zero successful compromise rates, while SMS-protected accounts remained vulnerable to targeted attacks.
Practical Steps You Can Take Today
Ready to upgrade your authentication methods? Here are two actions you can implement immediately:
- Audit your critical accounts: Identify your most important accounts (email, financial, cloud storage) and check what MFA options they support. Prioritize moving any SMS-based MFA to authenticator apps at minimum.
- Consider investing in a security key: For accounts containing sensitive information or financial data, a physical security key (starting around $25) provides exceptional protection with minimal inconvenience.
The Future of Authentication
Looking ahead, passwordless authentication is gaining momentum. Standards like FIDO2 and WebAuthn are making it possible to eliminate passwords entirely in favor of stronger authentication methods. Major platforms including Google, Microsoft, and Apple have announced plans to expand passwordless options, potentially changing how we all authenticate within the next few years.
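Why a security key "verifies the service you're connecting to", as an added example that is not from this post or from any WebAuthn library: the relying-party checks on the origin, challenge and RP ID hash of a WebAuthn assertion. It is narrowed to those binding checks; verifying the key's signature over the authenticator data and the hash of the client data is omitted. The `example.com` names, the look-alike origin and the function names are assumptions, and the client side is a constructed stand-in for a browser and key.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "example.com"                     # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"   # assumed site origin

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def simulate_client(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for browser + key: the browser, not the page,
    fills in `origin`, and the key hashes the RP ID it was asked to sign for."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    flags, sign_count = 0x01, 1           # UP (user present) bit set
    auth_data = (hashlib.sha256(rp_id.encode()).digest()
                 + bytes([flags]) + sign_count.to_bytes(4, "big"))
    return client_data, auth_data

def binding_failures(client_data: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Return the names of failed checks; an empty list means all passed."""
    failed = []
    fields = json.loads(client_data)
    if fields.get("type") != "webauthn.get":
        failed.append("type")
    sent = str(fields.get("challenge", "")).encode()
    if not hmac.compare_digest(sent, b64url(challenge).encode()):
        failed.append("challenge")        # stale or replayed response
    if fields.get("origin") != EXPECTED_ORIGIN:
        failed.append("origin")           # produced on a different site
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failed.append("rpIdHash")         # key signed for a different RP ID
    if len(auth_data) < 37 or not auth_data[32] & 0x01:
        failed.append("userPresent")
    return failed

if __name__ == "__main__":
    ch = b"\x01" * 32                     # constructed challenge
    print(binding_failures(*simulate_client(EXPECTED_ORIGIN, RP_ID, ch), ch))
    print(binding_failures(*simulate_client("https://login.example.net", "login.example.net", ch), ch))
```

A response produced on a look-alike origin fails the `origin` and `rpIdHash` checks even when the user approves the prompt, which is the property SMS and TOTP codes lack.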
As I continue writing my book, I’m fascinated by how quickly this landscape is evolving. Authentication represents the perfect example of cybersecurity’s central challenge: balancing security with convenience. The good news is that newer MFA methods are managing to improve both simultaneously.
What’s Your Experience?
Have you moved beyond SMS-based authentication? Which methods have you found most user-friendly? Share your experiences in the comments below—I’d love to incorporate diverse perspectives as I finalize this chapter of my cybersecurity book.