Why does SMS-based MFA still create account takeover risk?

SMS creates risk because the factor travels through a channel that can be redirected through SIM swapping, message interception, or social engineering. It may block low-effort attacks, but it does not provide strong assurance against an attacker who can compromise the phone number or trick the user into sharing the code. That makes it unsuitable for sensitive or privileged access.

Why This Matters for Security Teams

SMS-based MFA still matters because many environments treat it as a “good enough” step-up control, especially for consumer-facing portals and lower-risk internal tools. The problem is that it protects the login flow, not the identity itself. Once an attacker can redirect a phone number, intercept a text, or coerce a user into reading back a code, the control collapses. That is why SMS remains weaker than phishing-resistant methods in the current guidance from NIST Cybersecurity Framework 2.0 and why NHI programs increasingly treat it as a legacy fallback rather than a primary assurance factor.

The same pattern shows up across identity compromise research. NHI-related incidents often succeed not because attackers break cryptography, but because they exploit lifecycle gaps, weak recovery processes, and over-trusted channels. The Ultimate Guide to NHIs — Why NHI Security Matters Now shows how frequently identity controls fail when recovery and revocation are too easy to subvert, and the Top 10 NHI Issues highlights how weak credential handling turns a single compromise into broad access. In practice, many security teams discover SMS weakness only after account recovery or helpdesk abuse has already been used to bypass stronger controls.

How It Works in Practice

SMS MFA creates a second step, but it does not create a second factor that is hard to redirect. The code is usually short-lived, yet the delivery path is vulnerable to phone-number takeover, SIM swap fraud, SS7 interception, malicious call forwarding, and social engineering against carriers or support desks. Attackers often do not need to defeat the user’s password if they can instead hijack the channel used to deliver the one-time code. That is why SMS is better viewed as an inconvenience control than a strong anti-takeover control.

For sensitive access, stronger practice is to move toward phishing-resistant authenticators and to pair them with risk-based identity workflows. That usually means FIDO2 or passkeys for human users, plus tighter recovery rules, device binding, and alerting for phone-number changes. It also means reducing the blast radius of any one account by tightening RBAC, using PAM for privileged access, and enforcing JIT access where possible. Where identity assurance depends on runtime context, security teams should align decisions with the NIST Cybersecurity Framework 2.0 and assess whether the login channel is actually resilient to takeover.

The same lesson appears in NHI governance: channels, secrets, and recovery paths are often more fragile than the primary credential itself. The Ultimate Guide to NHIs — Key Challenges and Risks and the Microsoft Midnight Blizzard breach illustrate how identity compromise expands when attackers can exploit weak validation paths rather than the credential itself. Stronger MFA controls tend to break down when helpdesk procedures, recovery phone numbers, and legacy SMS fallback remain enabled for high-value accounts, because those paths become the easiest route around the stronger factor.

Common Variations and Edge Cases

Tighter MFA often increases user friction and recovery overhead, requiring organisations to balance stronger assurance against support load and access-loss risk. That tradeoff is real, especially in customer service, remote work, and regulated workflows where not every user can immediately adopt a hardware key or passkey.

Best practice is evolving, but current guidance suggests treating SMS as acceptable only in constrained scenarios, such as low-risk consumer enrollment or temporary fallback during migration. It should not be the default for administrators, finance, developers, or anyone with access to sensitive data. Some organisations keep SMS as an emergency recovery method, but that choice needs compensating controls: rate limits, out-of-band verification, device re-binding, helpdesk hardening, and aggressive monitoring for number-change events. Where high assurance is required, the strongest approach is to remove SMS from privileged flows entirely and reserve it only for narrowly governed exception handling.
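The two controls above, tier-based removal of SMS from privileged flows and monitoring for number-change events, can be expressed as a small policy gate and a detector. This is an added example, not code from the article; the tier names, factor names, event shape, and the 24-hour window are assumptions, and the log events are constructed.

```python
"""Added example: reject SMS as a factor for privileged access tiers and flag
SMS OTP successes that closely follow a phone-number change (assumed schema)."""
from datetime import datetime, timedelta

# Assumed access tiers. Only the "low" tier may fall back to SMS; privileged
# access requires a phishing-resistant authenticator.
PHISHING_RESISTANT = {"fido2", "passkey"}
ALLOWED_FACTORS = {
    "privileged": PHISHING_RESISTANT,
    "standard": PHISHING_RESISTANT | {"totp"},
    "low": PHISHING_RESISTANT | {"totp", "sms"},
}


def factor_allowed(tier: str, factor: str) -> bool:
    """Return True if the factor meets the tier's assurance requirement.
    Unknown tiers fail closed to the phishing-resistant set."""
    return factor in ALLOWED_FACTORS.get(tier, PHISHING_RESISTANT)


# Constructed sample identity-provider events: (timestamp, user, event, factor)
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "phone_number_changed", None),
    ("2024-05-01T09:12:00", "alice", "mfa_success", "sms"),
    ("2024-05-01T10:00:00", "bob", "mfa_success", "sms"),
    ("2024-05-02T08:00:00", "carol", "phone_number_changed", None),
    ("2024-05-04T08:00:00", "carol", "mfa_success", "sms"),
]


def sms_after_number_change(events, window_hours: int = 24):
    """Return (user, timestamp) pairs where an SMS OTP succeeded within
    window_hours after that user's most recent phone-number change."""
    last_change = {}
    flagged = []
    for ts, user, event, factor in sorted(events):
        t = datetime.fromisoformat(ts)
        if event == "phone_number_changed":
            last_change[user] = t
        elif event == "mfa_success" and factor == "sms":
            changed = last_change.get(user)
            if changed and t - changed <= timedelta(hours=window_hours):
                flagged.append((user, ts))
    return flagged
```

Running the detector over the sample events flags only alice, whose SMS login came twelve minutes after her number changed; carol's two-day gap falls outside the window.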

There are also edge cases where SMS feels “good enough” because the target user population is small or the app has limited impact. Even then, that judgment should be explicit and time-bound. The GitLocker GitHub extortion campaign shows how attackers exploit weak identity protections to pivot into higher-value systems, while OWASP NHI Top 10 reinforces that identity controls must be assessed by their failure mode, not their convenience. The practical rule is simple: if account takeover would matter, SMS should not be the control you trust.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
NIST CSF 2.0                     PR.AC-7               Authentication strength and MFA resilience are central to account takeover prevention.
NIST SP 800-63                   AAL2                  SMS is weaker than phishing-resistant authenticators under digital identity assurance guidance.
OWASP Non-Human Identity Top 10  NHI-03                Weak credential and recovery handling drives takeover risk across identity systems.

Replace SMS for sensitive access with phishing-resistant authentication and hardened recovery paths.