Halborn Logo

// Blog


How Safe Is 2FA SMS?


Rob Behnke

September 2nd, 2021

Two Factor Authentication (2FA) for protecting online accounts and sensitive information is fast becoming the norm for increasing one’s overall cybersecurity. Also known as MFA (Multi-Factor Authentication) and two-step verification, 2FA is an extra layer of security to prove that the person accessing an account is the authentic owner. So, in order for a hacker to gain access to your account, they would need to know your username, password, and have your 2FA method – making it less likely that your account could be compromised.

2FA methods come in many forms including authentication emails, specialized authenticator apps, hardware keys, and SMS codes – but not all 2FA methods are created equal in terms of their security. In fact, SMS-based 2FA is known to be a hot target for hackers through a method called SIM swapping (or SIM jacking), where your phone number is migrated to a phone that a hacker controls.

If you’re using text message based codes as a second factor of authentication to access online services, including your bank or crypto accounts, your assets are more likely at risk. So in this article, we’ll discuss the safety of 2FA SMS, explain what SIM swapping is, and what you should do to protect your online accounts.

Why Is SMS-Based 2FA So Unsafe? 

2FA has become such an essential part of online security that even Google will enroll all users automatically into two-step verification. However, of all available multi-factor authentication methods, SMS-based 2FA is the least safe. The National Institute of Standards and Technology once declared that the age of SMS-based 2FA was over, and Kraken, one of the largest cryptocurrency exchanges in the world, has never offered SMS 2FA, citing safety concerns.

But why is SMS 2FA so unsafe? It starts with the fact that it’s a relatively easy process for hackers to socially engineer telecommunication service providers into giving up your confidential information. Here’s an example of how it works:

  1. Obtain Personal Details: First, the hacker obtains information on the targeted victim using leaked information online, social media accounts, and phishing emails among other things.
  1. Port the Number: Once the hacker has targeted the victim’s personal information, they contact their mobile service provider to impersonate them using those details – socially engineering the provider to port the number to a different phone. A common reason given by the hacker (impersonator) is that their phone has been lost.
  1. Access Victim’s Accounts: Once the number is ported over to the hacker’s phone, they now receive all text messages and calls intended for the real user. The hacker can now use SMS 2FA to bypass password protection of any account that uses text-based recovery. From there, it’s just a matter of how much damage the hacker can do before the victim realizes what’s happened.

Some of the more high profile SIM swapping cases include Twitter Founder, and now major Bitcoin supporter, Jack Dorsey being successfully targeted by hackers. There are also a number of documented cases where users have sued mobile carriers over lost crypto assets as a result of the carrier failing to safeguard their accounts. That is why SMS 2FA should be avoided unless absolutely necessary and, even then, you’ll need to do everything you can to safeguard your accounts. Below are suggestions to take your online security a step further.

How to Make 2FA More Safe 

To protect yourself from SIM swapping attacks you can do things like:

  • Set strong passwords
  • Set a passcode for your mobile service
  • Use a unique email address that’s only associated with your mobile service and nothing else
  • Set your online profiles to be more private

However, an even better set of options include avoiding SMS-based 2FA altogether and instead using safer alternatives as outlined below.

Safer Alternatives to 2FA


2FA Mobile Apps

Mobile apps such as Authy, Microsoft Authenticator and Google Authenticator provide you with a code passcode that changes every 30 seconds. What makes authenticator apps much more secure than SMS-based 2FA is that hackers would need actual physical possession of your device in order to breach your account, whereas SIM swapping can happen quite easily from a remote location.

Consider a Hardware Key

If you want an even higher level of security than mobile authenticator apps, consider using a hardware authenticator like a YubiKey, which supports a number of secure protocols. YubiKeys provide a single-use passcode for each login instance, and they also require you to physically touch the key in order to activate it – making it impossible for a hacker to access this 2FA method remotely.

If the fact that you own cryptocurrency is public knowledge, or if you’re part of a project in the crypto space, then having good 2FA security is essential for the safety of your assets.

For more information on how to keep your accounts and sensitive data safe, reach out to our cybersecurity experts at halborn@protonmail.com