
SMS 2FA is worse than no 2FA in 2026. Here’s why.

The headline sounds like trolling. It isn’t. The argument is narrow and serious: in 2026, an SMS-protected account often fails worse than a strong-password-only account, because the second factor reshapes user behavior, recovery flows, and threat-model assumptions in ways that expand the attack surface rather than shrink it. The FBI, CISA, NSA, and a growing list of central banks now agree on the destination — getting off SMS — even if they disagree on how loudly to say it. The data backs them up.

This piece walks through the specific failure modes that make SMS 2FA actively dangerous, not just weak. Then it covers what to switch to and why the switch matters more this year than last.

The premise: a second factor that lowers your security

A second factor is supposed to be additive — an attacker who has your password still needs something else. That model breaks when the “something else” is a phone number, because phone numbers are not authenticators. They’re routing addresses controlled by a third party (your carrier) who is paid to be helpful, not paranoid.

When SMS becomes the second factor, three things happen at once. Users feel safer and reuse passwords more. Account recovery flows quietly start trusting the phone number as proof of identity. And the entire authentication chain inherits the security posture of the global telecom network — a network designed in the 1970s with no encryption and no authentication. The result is an account where the password is weaker, the recovery path is shorter, and the second factor is a plaintext message traversing infrastructure that nation-states have already compromised.

A password-only account at least forces the attacker to phish credentials and fight the user’s password manager. An SMS-protected account often gives the attacker a faster path: take the phone number, trigger “forgot password,” receive the reset link by text, done. The “second factor” became the primary factor.

SIM swapping is industrial, not exotic

The FBI’s Internet Crime Complaint Center logged 982 SIM swapping complaints in 2024 with reported losses exceeding $26 million. The UK’s fraud body Cifas reported a 1,055% year-over-year surge in unauthorized SIM swaps. The mechanics are unchanged from a decade ago: an attacker socially engineers a carrier rep, ports the victim’s number to a new SIM, and starts intercepting codes within minutes. The attack is often undetectable until the victim’s device loses service.

What’s changed is the supply chain. People-search sites publish enough personal data — full name, date of birth, address, relatives — to defeat carrier knowledge-based authentication for free. Carrier employees have been bribed and coerced. The January 2024 hijack of the SEC’s X account via SIM swap, which posted a fake Bitcoin ETF approval and briefly moved markets, illustrates the ceiling: if a federal regulator’s account can be taken this way, no consumer account is too obscure.

Salt Typhoon and the nation-state tier

The previous era of SMS 2FA criticism centered on individual SIM swaps. The 2026 picture includes something far worse. Salt Typhoon, a People’s Republic of China state-sponsored group attributed to the Ministry of State Security, breached at least eight domestic U.S. telecom and internet providers and dozens more globally, with intrusions dating to 2022 and ongoing. The U.S. Treasury sanctioned Sichuan Juxinhe Network Technology Co. in January 2025 for direct involvement; the FBI announced a $10 million bounty in April 2025.

The relevant detail for SMS 2FA: Salt Typhoon accessed carriers’ “lawful intercept” systems — the back doors built into U.S. networks under the 1994 Communications Assistance for Law Enforcement Act. According to the FBI, the group obtained records showing where, when, and with whom specific individuals communicated, and in some cases gained access to the contents of phone calls and text messages. The Cybersecurity and Infrastructure Security Agency, NSA, and FBI jointly recommended encrypted alternatives. Senator Mark Warner called it the worst telecom hack in U.S. history.

For an SMS 2FA user, that means your one-time code may transit infrastructure that a foreign intelligence service has read access to. You don’t need to be phished. You don’t need a SIM swap. The “factor” is just floating across a compromised plaintext channel.

Attack surface: five ways an SMS code reaches the wrong person

1. SIM swap (carrier social engineering). The attacker ports the number to their own SIM. Codes route to them until the victim notices loss of service.
2. SS7 (signaling protocol abuse). An adversary with SS7 access reroutes the message at the carrier layer. No SIM swap required.
3. Nation-state (telecom infrastructure breach). Salt Typhoon-class actors read SMS traffic directly off compromised carrier networks.
4. Phishing (real-time relay site). A fake login page captures the password and the code, then replays both within the validity window.
5. Device (malware with SMS read permission). Android trojans and lock-screen previews leak codes without unlocking the device.

Phishing kits already defeat SMS in real time

Even without telecom-layer attacks, the modern phishing kit eats SMS 2FA for breakfast. A user lands on a lookalike login page. They enter their password. The kit relays it to the real site, which sends the SMS code to the user’s phone. The user types the code into the fake page. The kit relays the code. The session is the attacker’s. The whole exchange takes seconds and is fully automated by commodity adversary-in-the-middle toolkits.

This is the failure that passkeys and FIDO2/WebAuthn hardware keys exist to eliminate. A phishing-resistant authenticator binds the cryptographic challenge to the actual domain: the browser will only exercise a credential whose registered relying-party ID matches the site it is on, and the page origin is part of the data the authenticator signs, so the server can verify where the response was produced. If someone lands on a phishing page that mimics a real service, no valid assertion for the real service is ever created. SMS has no such binding. The code is the code, and it’s valid wherever it’s typed.
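The relay described above, as an added example that is not code from the article: a simulated adversary-in-the-middle kit forwards a texted code to the real site and wins, then tries the same relay against an origin-bound assertion and loses. The hostnames are constructed. Two simplifications are assumed: the "SMS" is a random six-digit code the server hands the user, and the authenticator's public-key signature is replaced by an HMAC over the client data with a per-credential key the server also holds, which keeps the structure (signed challenge plus origin) without a crypto library.

```python
"""Simulated AitM relay: a relayable SMS code vs an origin-bound assertion.

Added example, not from the article. Hostnames are constructed. The HMAC
stands in for the authenticator's ECDSA signature; the server-side checks
(challenge consumed once, origin must match) are the real WebAuthn ones.
"""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://bank.example"           # the real site (constructed)
PHISH_ORIGIN = "https://bank-login.example"  # the lookalike page (constructed)


class RelyingParty:
    """Server side of the real site."""

    def __init__(self, origin: str):
        self.origin = origin
        self.sms_codes = {}    # user -> code "sent" to the user's phone
        self.cred_keys = {}    # user -> credential key (stand-in for a public key)
        self.challenges = {}   # user -> outstanding WebAuthn challenge

    def send_sms_code(self, user: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.sms_codes[user] = code
        return code  # in reality this leaves via the carrier network

    def verify_sms_code(self, user: str, code: str) -> bool:
        # The server cannot know where the user typed the code; it is just a code.
        expected = self.sms_codes.pop(user, None)
        return expected is not None and hmac.compare_digest(code, expected)

    def issue_challenge(self, user: str) -> str:
        self.challenges[user] = secrets.token_urlsafe(32)
        return self.challenges[user]

    def verify_assertion(self, user: str, client_data: bytes, sig: bytes) -> bool:
        data = json.loads(client_data)
        # 1. The challenge must be the one we issued, and it is consumed (no replay).
        if data.get("challenge") != self.challenges.pop(user, None):
            return False
        # 2. The origin inside the signed client data must be ours. This is the
        #    phishing resistance: an assertion made on bank-login.example says so
        #    under the signature, and the relay cannot rewrite it.
        if data.get("origin") != self.origin:
            return False
        expected = hmac.new(self.cred_keys[user], client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


class Authenticator:
    """Device side. The browser, not the user, supplies the origin it is on."""

    def __init__(self, key: bytes):
        self.key = key

    def get_assertion(self, challenge: str, browser_origin: str):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        return client_data, hmac.new(self.key, client_data, hashlib.sha256).digest()


def relay_sms_login(rp: RelyingParty, user: str) -> bool:
    """AitM kit: forwarded password triggers a real SMS; victim types the code
    into the phishing page; the kit relays it inside the validity window."""
    code_on_victims_phone = rp.send_sms_code(user)
    typed_into_phish_page = code_on_victims_phone          # user reads it off the phone
    return rp.verify_sms_code(user, typed_into_phish_page)  # relayed by the kit


def relay_webauthn_login(rp: RelyingParty, auth: Authenticator, user: str) -> bool:
    """Same kit, but the second factor is an origin-bound assertion."""
    challenge = rp.issue_challenge(user)                            # kit fetches a real challenge
    client_data, sig = auth.get_assertion(challenge, PHISH_ORIGIN)  # browser is on the phish page
    return rp.verify_assertion(user, client_data, sig)              # kit relays the assertion


def legitimate_webauthn_login(rp: RelyingParty, auth: Authenticator, user: str) -> bool:
    challenge = rp.issue_challenge(user)
    client_data, sig = auth.get_assertion(challenge, RP_ORIGIN)
    return rp.verify_assertion(user, client_data, sig)


def demo() -> dict:
    rp = RelyingParty(RP_ORIGIN)
    key = secrets.token_bytes(32)
    rp.cred_keys["alice"] = key
    auth = Authenticator(key)
    return {
        "sms_relay_succeeds": relay_sms_login(rp, "alice"),
        "webauthn_relay_succeeds": relay_webauthn_login(rp, auth, "alice"),
        "webauthn_legit_succeeds": legitimate_webauthn_login(rp, auth, "alice"),
    }


if __name__ == "__main__":
    print(demo())
```

In a real browser the first refusal happens client-side: the browser will not invoke a credential registered for bank.example while the page is on bank-login.example, so the attacker never even gets a signed blob to forward. The server-side origin check in `verify_assertion` is the backstop that makes the property hold even against a misbehaving client.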

The recovery-path problem

The deepest issue isn’t the SMS code itself. It’s that adding a phone number to an account often causes the account’s recovery policy to silently start trusting the phone number. “Forgot password? We texted a reset link to ********42.” Now the password has been demoted from required factor to optional inconvenience, and the SIM is the only thing standing between an attacker and the account.

This is why “we already have a strong password and don’t need 2FA” can, in some configurations, beat “we have a password plus SMS.” The first model forces the attacker to phish or crack a credential. The second often offers a one-step bypass: own the number, click “forgot password,” done. Even strong authentication can be undermined if account recovery relies on weak security questions, email-only resets, or fallback SMS delivery — attackers often look for the weakest recovery path instead of attacking the main login flow.

Regulators are catching up

The “best practice” critique has hardened into compliance pressure. NIST Special Publication 800-63B has flagged SMS as a restricted authenticator for years. In December 2024, CISA issued mobile communications guidance recommending against SMS-based MFA for high-value targets. The U.S. Patent and Trademark Office discontinued SMS authentication on May 1, 2025, and FINRA followed in July 2025. The UAE Central Bank required licensed financial institutions to eliminate SMS and email OTPs by March 31, 2026, with an immediate liability shift to banks for fraud involving SMS OTPs. India’s Reserve Bank rules effective April 1, 2026 prohibit SMS as the sole authentication method for digital payments. The Philippines’ central bank set a June 2026 deadline for similar changes.

The direction of travel is unambiguous. SMS 2FA is being deprecated by regulators, not just security professionals.

Authenticator comparison: what each method actually defends against

Threat                    | SMS | TOTP App | Hardware Key | Passkey
SIM swap                  |  ✕  |    ✓     |      ✓       |    ✓
SS7 / telecom intercept   |  ✕  |    ✓     |      ✓       |    ✓
Real-time phishing        |  ✕  |    ✕     |      ✓       |    ✓
Device loss / theft       |  ✕  |    ~     |      ✓       |    ~
Recovery-flow abuse       |  ✕  |    ✓     |      ✓       |    ~

✓ resists · ~ partial · ✕ vulnerable

What to use instead

The replacements are mature and free. TOTP authenticator apps — Google Authenticator, 1Password, Microsoft Authenticator, Aegis — generate codes locally on the device with no carrier in the loop, defeating SIM swaps and SS7 attacks. They still fall to real-time phishing.
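What "no carrier in the loop" means in practice, as an added example that is not code from the article or any of the apps named above: the secret moves to the device once, through the enrolment QR code, and every later code is derived from that secret and the clock. The issuer and account names are constructed; the first secret is the RFC 6238 reference secret so the codes can be checked against the RFC's own test vectors. The verifier also shows the two server-side details that matter: a small drift window, and refusing to accept a time step that has already been used.

```python
"""RFC 6238 TOTP: provisioning URI, code generation, drift window, replay check.

Added example, not from the article or any authenticator app. Issuer and
account names are constructed; RFC_SECRET is the RFC 6238 Appendix B secret.
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

STEP = 30    # seconds per code
DIGITS = 6


def new_secret(nbytes: int = 20) -> bytes:
    """Fresh shared secret; 160 bits is what RFC 4226 recommends for HMAC-SHA1."""
    return secrets.token_bytes(nbytes)


def otpauth_uri(secret: bytes, issuer: str, account: str) -> str:
    """The string the server encodes into the enrolment QR code. No phone
    number is involved: the secret reaches the device once, over the QR."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(time / step). Runs on the device."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side. Tolerates one step of clock drift either way and never
    accepts a time step at or before the last one it accepted, so a code
    captured in transit is useless once the victim has used it. (A code
    relayed *before* the victim's own submission still works; that is the
    phishing weakness TOTP shares with SMS.)"""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, unix_time: int) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        base = unix_time // STEP
        # Check the current step first, then the neighbours.
        for delta in (0, *range(-self.window, 0), *range(1, self.window + 1)):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # replay, or older than a step already accepted
            if hmac.compare_digest(code, hotp(self.secret, counter)):
                self.last_counter = counter
                return True
        return False


RFC_SECRET = b"12345678901234567890"  # RFC 6238 Appendix B reference secret


def demo() -> dict:
    v = TotpVerifier(RFC_SECRET)
    now = 1111111109  # RFC 6238 vector: 07081804, so six digits -> 081804
    code = totp(RFC_SECRET, now)
    return {
        "uri": otpauth_uri(RFC_SECRET, "Example Bank", "alice@example.com"),
        "code": code,
        "first_use": v.verify(code, now),                        # accepted
        "replay": v.verify(code, now),                           # same step again: rejected
        "next_step": v.verify(totp(RFC_SECRET, now + 30), now + 30),  # accepted
        "malformed": v.verify("12345", now + 60),                # wrong length: rejected
    }


if __name__ == "__main__":
    for k, val in demo().items():
        print(f"{k}: {val}")
```

The replay check is worth keeping even though it does nothing against a real-time relay: it closes the cheaper attack where a code is skimmed from a lock screen or a log and tried a few seconds later, and it costs one integer per user.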

Hardware security keys implementing FIDO2/WebAuthn — YubiKey, Google Titan, Feitian — defeat phishing by binding the cryptographic exchange to the legitimate domain. They’re the recommended posture for high-risk roles.

Passkeys, the consumer-friendly evolution of FIDO2, replace passwords entirely with device-bound or synced cryptographic credentials. Apple, Google, Microsoft, and the major password managers all support them. Sucuri and other security publications now identify passkeys as the option regulators, platform vendors, and standards bodies are converging on, and the strongest recommendation in 2026.

If switching to one of those is impossible, the harm-reduction move is to remove your phone number from every account that allows it and use the authenticator app or hardware key as the only second factor — including for recovery.

The bottom line

“SMS 2FA is worse than no 2FA” is a sharper claim than “SMS 2FA is weak,” and the sharper version is usually right in the specific case where the SMS configuration also rewires account recovery to trust the number. In those configurations, the second factor isn’t additive — it’s a parallel access path that’s easier to attack than the password. In threat models where the password was already strong and unique, removing SMS can raise the floor, not lower it.

The sane move in 2026 isn’t to rely on SMS more carefully. It’s to remove the phone number from the security perimeter entirely and let the cryptographic factor — a passkey, a hardware key, or at minimum a TOTP app — carry the load. An attacker can’t social-engineer a carrier out of a factor the carrier never held.
