When we started to talk about cyber security to SMEs, we used a simple analogy: think of their security as a house. If they leave the door wide open, burglars are going to try their luck.
So what happens after you close the front door? You lock it.
Using SMS for MFA – closing the front door – but leaving it unlocked.
Most businesses know by now that Multi-Factor Authentication (MFA) is an essential step towards better login security, requiring users to provide not just a password but also a second method of verification of their identity.
A password is something that you know, so the additional verification will usually be based on:
- Something you have (like a phone)
- Something you are (like a biometric / fingerprint / facial scan).
One of the most common second verifications in use today is the SMS message, but if you’re using this to protect high-value systems or data, there’s a chance you’re relying on a method that’s already been outsmarted.
Why? Because not all MFA is created equal…

Why is SMS not a secure choice for MFA?
The problem with SMS is that the code you receive is sent over telecom networks that weren’t built for secure communication. They’re unencrypted, exposed, and vulnerable in transit. Like riding a motorbike without a helmet.
If someone takes control of your phone number (usually through a SIM swap or number porting scam), they can intercept those codes easily. And if an attacker is monitoring network traffic using a micro cell tower (which is a bit like a router, but for 4G), they can harvest messages without much resistance.
MFA only works if that second factor is actually yours, and with SMS, it’s surprisingly easy for attackers to make it theirs.
Not long ago, intercepting an SMS message meant specialised equipment and serious effort. But now? Criminals use AI tools to impersonate users, automate social engineering, and run SIM swap attacks at scale.
Yes, it all sounds like something from a spy film – but it’s not fiction. These threats are real, and happening now.
What about using email for MFA?
Email-based MFA presents different challenges compared to SMS, so look out for a future blog post that delves into this particular subject.
The core issues with email as your MFA are:
- It’s only as strong as your email security! Email accounts can be hacked through weak password security, and most emails aren’t encrypted end-to-end, leaving them vulnerable to interception.
- Emails can be prone to phishing attacks, where attackers fake login pages to trick people into handing over login credentials.
- If you’re using SMS as the multi-factor authentication to log in to your email account, you’re facing exactly the same issues as above.

Authenticator apps: stronger, smarter, and should be your new default
Apps like Microsoft Authenticator or Google Authenticator don’t rely on telecom networks. They generate secure codes directly on the device.
Think of them like the old card readers your bank used to send out, those small machines that generated login codes offline. Same principle, just in app form.
Because they’re fully offline and rely on secure algorithms rather than a network signal, they’re immune to interception. Setup is simple: scan a QR code, link via an API key, and you’re good to go. The authenticator app is bound to the physical ID of your mobile device and almost always requires authentication itself to open, so it cannot be easily hijacked or extracted even if your device is stolen.
Why does this matter?
- No risk of interception in transit
- No SIM swap vulnerabilities
- No easy phishing routes
- Better compliance with modern security standards
Switching to app-based MFA isn’t just a technical upgrade; it’s a massive leap in resilience against the next wave of AI-driven attacks.

But what about accessibility?
We need to be realistic. We might be techies ourselves, but not every user has a smartphone.
Some sectors (think government services, large retail banking) will need to keep SMS as a fallback – partly due to accessibility legislation, which ensures access to critical services for everyone without a financial or technical entry barrier, like owning a smartphone.
An SMS can even be sent to a landline for people without mobiles. So, while SMS isn’t ideal, it’s still better than nothing, and for some users, it’s the only viable option.
Our advice?
Make authenticator apps the standard where you can, and keep SMS only as a last resort – something to manage as a risk, not rely on as a safeguard.
Because continuing to rely on SMS MFA is like closing your front door… but not locking it.
Attackers will take the easiest path, and right now that path is SMS.