Why is 2FA via SMS not considered secure? What does an attack look like or require?


I’ve been reviewing some of my security choices after the latest LastPass breaches. I see some password managers discouraging SMS-based 2FA in favor of Authenticator-based 2FA. I’m curious to understand how SMS 2FA gets compromised: what do attackers need to do? How easy is it to compromise?


Because SMS messages can be intercepted or redirected by attackers. This is known as a “man-in-the-middle” attack. There are more secure methods of 2FA that do not rely on SMS, such as authentication apps that generate one-time codes or hardware tokens that produce unique codes when pressed. These methods are more resistant to man-in-the-middle attacks and provide a higher level of security.

The most common method is called SIM card hijacking. Someone can call your phone company and tell them you want to move your phone number to another device. All calls and texts will then be forwarded to a new phone. Another method is SIM cloning, which requires the actual SIM card; I’m not sure how this is done with new eSIMs now.

Social attack vector. “Yes hello, service desk? I am John Smith and my phone died. I could not be without one, so I bought a new one, but can’t log in with it.”

Given the pressure on most service desks, verification of these things tends to be minimal.


Technical attack vector would be the cloning of a SIM.

SMS messages are not encrypted, meaning other people near you can actually just read your SMS too. And that is just the most obvious security flaw.

Someone else can pretty easily get your texts, either by intercepting them over the air or getting the phone company to redirect them. Since nearly any device that can receive text messages can run an authenticator app instead, you should use the app. (SMS 2FA is still better than only having a password, though, so you should still enable it if it’s the only 2FA option.)