Cybersecurity Threats & Defense

Why Are SMS Authentication Codes No Longer Secure?

SMS multi-factor authentication is now vulnerable to SIM swapping and phishing. Learn why phishing-resistant MFA like FIDO2 and passkeys is the new standard.

By COMNEXIA
#MFA#multi-factor authentication#phishing-resistant MFA#FIDO2#passwordless#passkeys

Multi-factor authentication (MFA) was supposed to be the security control that finally made stolen passwords harmless. For years, the advice was simple: turn on MFA, get a text message with a six-digit code, and you’re protected. That advice is now dangerously out of date. Attackers have learned to defeat SMS-based codes through SIM swapping, phishing, and MFA fatigue attacks — and in 2025 and 2026, these techniques are no longer rare or sophisticated. They are routine.

For more than 35 years, COMNEXIA has helped Atlanta-area businesses keep pace with a shifting threat landscape. This guide explains why text-message authentication has become a weak link, what “phishing-resistant” MFA actually means, and how to move your organization toward authentication methods that attackers genuinely cannot bypass.

What Is Multi-Factor Authentication and Why Does It Matter?

Multi-factor authentication is a security method that requires two or more pieces of evidence to verify your identity before granting access to an account. Those factors fall into three categories: something you know (a password or PIN), something you have (a phone, security key, or token), and something you are (a fingerprint or face scan). The principle is that even if an attacker steals one factor, they still can’t get in without the others.

MFA matters because passwords alone fail constantly. Billions of stolen credentials circulate on the dark web, and people reuse the same passwords across dozens of sites. When a password leaks, MFA is supposed to be the backstop that stops an attacker cold. The Cybersecurity and Infrastructure Security Agency (CISA) has stated that MFA makes you significantly less likely to be hacked — but only when the MFA method itself can’t be easily intercepted. That’s exactly where SMS codes fall apart.

Why Are SMS Authentication Codes No Longer Secure?

SMS authentication codes are no longer secure because the phone network they rely on was never designed for security, and attackers have developed reliable ways to intercept or redirect those codes. A text-message code is only as safe as the phone number it’s sent to — and phone numbers are surprisingly easy to hijack. The National Institute of Standards and Technology (NIST) first warned about the weakness of SMS-based authentication back in 2016, and the threats have only multiplied since.

There are three primary ways attackers defeat SMS-based MFA today:

  • SIM swapping: An attacker convinces (or bribes) a mobile carrier to transfer your phone number to a SIM card they control. Once the swap happens, every text message — including your authentication codes — goes to the attacker’s device. The FBI’s Internet Crime Complaint Center has reported tens of millions of dollars in losses from SIM-swapping attacks, with cryptocurrency accounts and corporate email being frequent targets.
  • Real-time phishing: Modern phishing kits don’t just steal your password — they relay your SMS code to the attacker in real time. You enter the code on a fake login page, the attacker immediately uses it on the real site, and they’re in before the code expires.
  • SS7 network interception: The Signaling System 7 (SS7) protocol that routes text messages between carriers has known vulnerabilities that allow sophisticated attackers to intercept messages without ever touching your phone.

The common thread is that SMS codes are “phishable” — they can be captured, redirected, or relayed by someone who never had physical access to your device. That’s the core problem phishing-resistant MFA is designed to solve.

What Is an MFA Fatigue Attack?

An MFA fatigue attack — also called MFA bombing or push bombing — is when an attacker who already has your password floods your phone with repeated authentication push notifications until you approve one out of confusion or annoyance. This technique gained notoriety in several high-profile corporate breaches in 2022 and remains effective today.

The attack works because push-notification MFA asks you to simply tap “Approve” or “Deny.” If you’re getting bombarded with approval requests at 2 a.m., it’s easy to assume an app is glitching and tap “Approve” just to make it stop. That single tap hands the attacker full access. Some employees have also been socially engineered — an attacker posing as IT support calls and says, “I’m sending you a verification request, please approve it.” Number matching, where you must type a code shown on the login screen into your phone, helps reduce this risk, but it doesn’t eliminate the underlying weakness of approval-based methods.

What Is Phishing-Resistant MFA?

Phishing-resistant MFA is a category of authentication that cannot be intercepted, relayed, or tricked by a fake website, because the authentication is cryptographically bound to the legitimate site you’re actually logging into. The two leading standards are FIDO2/WebAuthn and PKI-based smart cards. CISA and NIST both now explicitly recommend phishing-resistant MFA as the gold standard, especially for privileged accounts and high-value systems.

The magic of phishing-resistant MFA is in how it works behind the scenes. When you register a FIDO2 security key or passkey with a website, your device generates a unique cryptographic key pair. The private key never leaves your device, and the authentication is tied to the exact web domain. If you land on a look-alike phishing site, the authentication simply fails — there’s no code to type, nothing to relay, and nothing for an attacker to steal. This domain binding is what makes the method fundamentally immune to phishing.

What Are FIDO2 and Passkeys?

FIDO2 is an open authentication standard developed by the FIDO Alliance and the World Wide Web Consortium (W3C) that enables passwordless, phishing-resistant login using public-key cryptography. Passkeys are the consumer-friendly implementation of FIDO2 — a way to sign in using your device’s built-in biometrics (Face ID, Touch ID, Windows Hello) or a hardware security key, with no password required at all.

Here’s how the pieces fit together:

  • FIDO2 security keys are physical devices — like a YubiKey — that you insert into a USB port or tap via NFC to authenticate. They’re ideal for high-security environments and shared workstations.
  • Passkeys store the cryptographic credential on your phone, laptop, or in a synced credential manager. You unlock them with your fingerprint or face, and they sync securely across your devices.
  • Both are passwordless and phishing-resistant by design, because the private key never leaves your hardware and the credential only works on the legitimate domain.

Major platforms including Apple, Google, and Microsoft have all adopted passkeys, and adoption is accelerating across banking, healthcare, and enterprise software. For most businesses, this means the infrastructure to go passwordless already exists in the tools you use every day.

How Should Businesses Upgrade Their MFA?

Businesses should upgrade their MFA by prioritizing their most sensitive accounts first, moving away from SMS, and adopting phishing-resistant methods like FIDO2 keys or passkeys wherever they’re supported. The goal isn’t to rip everything out overnight — it’s to systematically eliminate the weakest links while keeping employees productive.

A practical migration path looks like this:

  1. Inventory your accounts and current MFA methods. Identify which systems still rely on SMS and which support stronger options. Privileged and administrator accounts should be at the top of the list.
  2. Eliminate SMS for high-value targets. Email, financial systems, cloud admin consoles, and remote-access tools should move to app-based authenticators with number matching at a minimum, and phishing-resistant keys ideally.
  3. Deploy FIDO2 keys for administrators and executives. These users are the highest-value targets and warrant the strongest protection.
  4. Roll out passkeys for the broader workforce. As your business applications add passkey support, enable it — the user experience is often faster and easier than passwords.
  5. Train your team on MFA fatigue and social engineering. Technology alone isn’t enough; employees need to know never to approve a request they didn’t initiate.

This kind of phased rollout is exactly the type of project our cybersecurity team handles for Atlanta-area businesses every day, integrating modern authentication into your existing cloud and identity systems without disrupting daily operations.

Frequently Asked Questions

Q: Is SMS MFA better than no MFA at all? A: Yes. SMS-based MFA still stops the vast majority of automated, opportunistic attacks that rely on stolen passwords alone. The problem is that it’s weak against targeted attacks like SIM swapping and real-time phishing. If SMS is all a system supports, keep it on — but prioritize moving critical accounts to stronger methods.

Q: What’s the difference between an authenticator app and a passkey? A: An authenticator app generates time-based codes (or push notifications) that you still type or approve, which means they can be phished or relayed. A passkey uses cryptographic keys bound to the legitimate website’s domain, so there’s nothing to type and nothing an attacker can intercept. Passkeys are phishing-resistant; standard authenticator codes are not.

Q: Can passkeys be stolen if someone steals my phone? A: No, not in any practical sense. Passkeys are protected by your device’s biometrics or PIN, and the private key is stored in secure hardware. Without your fingerprint, face, or device passcode, a thief can’t use the passkey — and the credential itself never leaves the secure enclave.

Q: Do we need to buy hardware security keys for everyone? A: Not necessarily. Hardware keys like YubiKeys are excellent for administrators, executives, and high-risk roles. For the general workforce, passkeys using built-in device biometrics provide phishing-resistant security without any extra hardware to purchase or manage.

Q: How do we know which of our systems support phishing-resistant MFA? A: A security assessment is the best starting point. COMNEXIA can audit your environment, identify which applications support FIDO2 and passkeys, flag the systems still relying on SMS, and build a prioritized migration plan tailored to your business.

Strengthen Your Authentication Before Attackers Test It

SMS codes had a good run, but the threat landscape has moved on — and so should your authentication strategy. The good news is that phishing-resistant MFA is more accessible and easier to use than ever, and the move away from passwords often makes life simpler for your team, not harder.

For more than 35 years, COMNEXIA has helped businesses across the Atlanta metro area stay ahead of evolving cyber threats. If you’re not sure where your organization stands, our team can assess your current MFA, identify the weak links, and guide you toward authentication that attackers genuinely can’t beat. Contact COMNEXIA to start the conversation.

Need Expert Technology Guidance?

Don't navigate complex technology decisions alone. Our consulting team provides the strategic guidance you need to make informed technology investments.