Many researchers have advised against using Short Message Service (SMS) for Multi-factor Authentication (MFA) because of its various security vulnerabilities. Even so, many organizations still use it to encourage their users to enhance their security, because SMS MFA is better than no MFA at all. Most users avoid MFA because of its complex registration procedure, which is difficult without IT experience. Users can easily adopt SMS-based MFA, however, because they are already familiar with text messaging and it doesn't require any additional app installation. SMS MFA is still prone to some security issues, which we will discuss in detail in this article. So, let's start:

Issues with SMS Authentication

SMS MFA has several security issues that make its adoption risky for users. They are discussed below:

  • SIM swap: SIM (Subscriber Identity Module) swapping is a very easy and popular attack that has compromised the confidential data of many users. In a SIM swap, the attacker contacts the phone company posing as the legitimate user and, using a social-engineering pretext such as a lost or damaged phone, convinces it to switch the user's service from the previous SIM card to a new one. Once the phone company is convinced, it shifts all phone call and text messaging services, including SMS MFA codes, to the new SIM, which is owned by the attacker.

  • Impersonation: In this attack, the attacker impersonates the legitimate customer and requests that the service be transferred to another carrier, where the attacker sets up the service and receives all the phone calls and text codes of the actual user. This is similar to the SIM swap.

Sometimes attackers also target cell towers and the entire SS7 (Signaling System 7) to extract a particular user's stored private information and misuse it to access that user's valuable accounts.

Why is SMS MFA still better?

One of the top reasons for using SMS MFA is its user-friendly approach. Many users have zero technical knowledge but are well aware of text messaging. That is why they prefer an SMS-based authentication method to registering for a technical app or token-based MFA. Moreover, if you have ordinary customers who hold less-sensitive data, you can encourage them to adopt SMS MFA rather than no MFA at all. However, for your high-level administrators who have access to sensitive data, you should require a stronger authentication factor such as a hardware-based MFA device.


According to Kevin Beaumont, a well-known cybersecurity expert and practitioner, SMS MFA is a significant security technique for protecting your accounts compared with securing them with usernames and passwords alone. SMS MFA has many downsides, but it is a valuable approach for many organizations that want to give their users a quick and easy authentication method to preserve the security of their confidential data. However, you should encourage high-value users to adopt a more secure strategy such as hardware-based MFA.