The Need to Replace SMS-Based MFA
In December 2024, the FBI and CISA advised Americans against using SMS codes for multi-factor/two-factor (MFA/2FA) authentication. CISA’s Mobile Communications Best Practice Guidance bluntly recommended: “Do not use SMS as a second factor for authentication. SMS messages are not encrypted–a threat actor with access to a telecommunication provider’s network who intercepts these messages can read them.”
There are many reasons why SMS one-time passwords (OTPs) are a weak authentication factor. They can be defeated by many types of attacks, not all of which require a high level of technical sophistication.
Some scenarios in which SMS can be compromised include:
- SIM swapping attacks, in which attackers convince a phone provider to give them control over their victim’s number, including access to SMS.
- Smishing, or SMS-phishing attacks, trick users into handing over their information, including OTPs, on fraudulent websites.
- Man-in-the-middle (MitM) attacks let hackers exploit the lack of encryption inherent in SMS and read the content of messages in transit or on a malware-infected device.
It is recommended to replace SMS with more resilient authentication methods. Some of these are:
- Hardware Tokens: Devices like YubiKey generate one-time codes and require physical possession to authenticate.
- Mobile App Push Notifications: Applications like Microsoft Authenticator or Duo send push notifications that can require inputting a displayed number from your computer screen.
- Biometric Authentication: Uses fingerprint, facial, or iris recognition for secure access.
- Software Tokens: Applications generate time-based or counter-based codes that sync with the server.
- Smart Cards: Physical cards with embedded chips that provide secure authentication.
- Certificate-Based Authentication: Uses digital certificates installed on devices to verify identity.
Some of these methods, such as mobile app push notifications, may be easier to use than carrying a hardware token or smart card. The University of Tennessee uses Duo as its multifactor authentication application, which allows push notifications and other more secure options.