Welcome to ITS! Learn more about our strategic partnership with Afineol!

Read the Story
Schedule a Meeting
Services
Services
Cybersecurity
Compliance
Managed IT
Co-Managed IT
AI Consulting
Others
Others
Cloud Computing
VoIP Phone
Data Analytics
Pricing
Pricing
Plans
IT Cost Calculator
Resources
Resources
Learning Center
Tools
Tools
IT Needs Analyzer
IT Cost Calculator
Downtime Calculator
Noise Calculator
Case Studies
Company
Company
About Us
Events
ITS Process
Careers
Trust Center
Industries We Serve
Industries We Serve
Healthcare
Financial Services
Automotive
Manufacturing
Non Profit
Architecture and Design
All Industries
Sales: (855) 204-8823
Client Support: (888) 969-3636
Schedule a Meeting

«  View All Posts

Why You Should Stop Using SMS Two-Factor Authentication [Updated 2023]

July 11th, 2023 | 4 min. read

By Jessa Mikka Convocar

A person checking phone for a text message

Editor's note: This post was originally published on December 7, 2017 and has been revised for clarity and comprehensiveness.

Using two-factor authentication (2FA) to log in to your system is better than using a traditional password alone. But if your 2FA code is sent as a text, it could lead to a costly data breach. 

If you’re currently using SMS for your 2FA, you better reconsider.  

Intelligent Technical Solutions (ITS) has 20+ years of experience helping hundreds of businesses strengthen their cybersecurity. To further understand why SMS isn’t advisable when choosing a 2FA method, we’ll answer the following questions: 

  • What is two-factor authentication? 
  • What are the risks of using SMS two-factor autentication? 
  • What are better alternative methods to two-factor authentication? 

After reading, you’ll know why you shouldn’t use SMS 2FA and find better alternatives to implement in your organization. 

What is Two-Factor Authentication (2FA)? 

two factor authentication text with padlock

There are three recognized types of authentication factors: something you know, something you have, and something you are.  

  • Type 1 or something you know includes passwords, personal identification numbers (PINs), code words, or secret handshakes. It is anything that you alone know and can remember. 
  • Type 2 or something you have is physical objects, such as keys, smartphones, smart cards, USB drives, and other token devices.  
  • Type 3 or something you are includes any part of the human body that can be used for verification. These include fingerprints, palm scanning, facial recognition, retina scans, and voice verification. 

Two-factor authentication combines something you know (a password) with something you have (a phone or token).  

In many 2FA setups, a user enters a password along with a single-use numeric code produced by an authentication app. But in some setups, the second factor consists of a temporary authentication code sent to your phone via SMS text message. And that text message, more often than not, presents a weakness that criminals can exploit. 

Photo + Short Text

What are the risks of using SMS two-factor authentication? 

SMS 2FA may be an easy and convenient authentication method, but the problem is that text messages are usually vulnerable to several attack strategies, such as:  

1. Spoofing/Phishing

Phishing

Without a good mobile defense, hackers can easily intercept and read your messages through spoofing or phishing. This is because SMS messages are not encrypted and rely only on the security of phone networks and companies–which are notoriously easy to access. 

Another way they can get into your messages is by tricking you into installing malware on your device. Once the bad actor has successfully infiltrated your device, it will start looking for your saved credentials and send the information back to the attacker.  

Related: 6 Most Dangerous Types of Phishing Scams to Watch Out for 

2. SIM Swapping

sim-swapping

SIM swapping is a more sophisticated method of attack that gives hackers full control of your phone number.  

This is how it’s usually done: a criminal calls or emails your mobile phone service provider and uses your stolen personal data to impersonate you. The criminal then asks the company to send your text messages to a different device, which gives them access to your one-time login codes. They then use those codes to gain immediate access to your system. 

3. Social Engineering

social-engineering

Hackers also use a couple of social engineering tricks to get into your network. The most common is pretending to be you to your mobile service provider. They obtain your personal information from other online sources to bypass security questions and request a secondary SIM, claiming the old one was lost or stolen. 

When you lose service on your SIM, the hackers will have a free ticket to use your number and request new SMS 2FA at will. 

What are alternatives for two-factor authentication? 

a person using their cellphone

If you don’t want to risk your network getting compromised, then you should start exploring other methods of 2FA. Some of the more advanced and secure 2FA methods are: 

1. Typing biometrics

Typing biometrics is an emerging tool in technology that leverages computational power. The initial enrollment captures your typing pattern and attributes it to you as part of the authentication process. Every time a new authentication is made, the stored hashed pattern is verified against the initial typing pattern, and if the match is successful, you can log in without hassle. 

2. Authenticator Apps

Typically, authenticator apps are installed on a smartphone. They will generate a passcode that you can use for logging in, transaction confirmation, or act as a master key.  

Authenticator applications provide you with two options:  

  • You can either receive a notification that someone is trying to access your account, and you can approve or decline verification, or 
  • You can open the app and see the verification code that updates every thirty seconds and input it into the account you’re accessing.   

3. Physical Keys

While some of the most familiar forms of 2FA are a one-time-use code sent through any virtual means, the most secure version is still a physical security key. Users can simply insert the physical key into the device or computer to access critical business information.  

Typically a physical key is the best option to protect sensitive accounts and data like banking, insurance, and investment information. However, since it’s tangible, it is prone to misplacement. When using this 2FA method, you should be extra mindful of where to keep it to ensure that no unauthorized access can be made.   

Need help implementing two-factor authentication in your network? 

There is no doubt that having two-factor authentication is more secure than relying only on passwords. But you should also acknowledge the risks of using certain types of 2FA to ensure that what you have does not put your network on the line. Instead of using SMS 2FA, there are better alternatives: 

  • Typing biometrics 
  • Authenticator apps 
  • Physical keys 

ITS is your local expert on computer network security. As a managed cybersecurity provider for twenty years, we’ve been helping small and mid-size businesses set up, maintain, and secure their network. Contact us today to get a FREE network assessment 

You can also refer to these articles to learn more about 2FA and multi-factor authentication (MFA): 

Photo + Short Text

Jessa Mikka Convocar

Jess is a Content Writer who commits herself to creating helpful, relevant, and easy-to-digest technical articles. When she isn't writing, she devotes her energy (and money) to collecting K-Pop photo cards, which she likes to call an 'investment.'

Topics:

Cybersecurity

Related Articles

Do You Need SIEM for Your Small Business?

April 29th, 2025|5 min. read

If My Business Gets Hacked, Who's Liable – My Company or the MSP?

April 23rd, 2025|4 min. read

How to Protect Your Business from Fileless Malware

April 1st, 2025|4 min. read

How to Become a Cybersecurity Champion for Your Organization

March 11th, 2025|5 min. read

7 Steps to Build a Safe Online Culture for Your Business

January 30th, 2025|4 min. read

7 Hidden Dangers in Your Firewall and How to Address Them

January 28th, 2025|4 min. read

How Much Does Cybersecurity Cost in Chicago? (2025)

January 7th, 2025|3 min. read

7 Concrete Ways to Avoid Ransomware Attacks [UPDATED]

November 28th, 2024|3 min. read

6 Telltale Signs Your Business Needs a Technology Upgrade

November 14th, 2024|3 min. read

Best Cybersecurity Practices for 2025: Expert Tips

November 12th, 2024|5 min. read

8 Common Bluetooth Risks and How to Mitigate Them

November 7th, 2024|5 min. read

What is Data Inventory? (& 4 Easy Steps to Secure Your Data)

October 31st, 2024|4 min. read

What Happens if ITS Gets Hacked? (A Deep Dive)

October 8th, 2024|3 min. read

5 Problems with Legacy IT Systems in the Public Sector

September 27th, 2024|4 min. read

5 Questions to Ask Your MSP About Incident Response Plans

September 24th, 2024|3 min. read

Why Business Owners Must Lead IT Services & Cybersecurity Decisions

September 19th, 2024|3 min. read

How much does ITS Cybersecurity Cost? [Video]

September 12th, 2024|1 min. read

7 Top Causes of Data Loss (& How You Can Prevent Them)

September 5th, 2024|3 min. read

How to Make Strong Passwords: 12 Tips for 2025 [UPDATED]

August 15th, 2024|4 min. read

Lessons Your Business Can Learn From the CDK Hack

August 13th, 2024|4 min. read

How Often Should You Change Passwords? (& Other Password Guidelines)

August 8th, 2024|4 min. read

Top 10 Data Center Security Best Practices (2024)

July 9th, 2024|3 min. read

Are Biometrics Safer than Passwords for My Business?

July 2nd, 2024|4 min. read

6 Crucial Benefits of Vulnerability Management for Businesses

June 25th, 2024|3 min. read

7 Key Components of a Strong Password Policy

June 18th, 2024|6 min. read