Why do SMS-based authentication codes still create security risk?

SMS remains vulnerable to SIM swapping, interception, and social engineering, which means the second factor can be redirected to the attacker. That makes it weaker than hardware-backed or device-bound methods. For any access with meaningful business impact, SMS should be treated as a temporary bridge, not a durable control.

Why This Matters for Security Teams

SMS codes still look familiar and low-friction, which is exactly why they remain embedded in login flows long after better options exist. The problem is that SMS authenticates a phone number, not a device-bound cryptographic factor, so the assurance collapses when a number is ported, duplicated, intercepted, or socially engineered. That makes SMS a weak control for accounts that can alter money movement, identity systems, or production access.

Security teams also need to treat SMS in the broader context of identity risk rather than as a standalone convenience feature. NIST Cybersecurity Framework 2.0 emphasizes that identity controls should support real operational risk reduction, not just checkbox authentication, and NHIMG’s Top 10 NHI Issues highlights how weak credential practices become attack paths once they are reused, overexposed, or insufficiently governed. The same lesson applies to human access when a second factor can be redirected by an attacker.

In practice, many security teams encounter SMS compromise only after a takeover has already succeeded, rather than through intentional testing of the authentication path.

How It Works in Practice

SMS-based authentication introduces risk at several layers. Attackers can conduct SIM swapping, exploit carrier support processes, abuse number recycling, or intercept messages through device compromise and message forwarding. Social engineering also remains effective because many help desks still rely on phone-number possession as informal proof of identity. Once the code is received by the attacker, the second factor no longer distinguishes the legitimate user from the impersonator.

Current guidance suggests replacing SMS with hardware-backed or device-bound methods wherever the access has meaningful impact. That usually means authenticator apps with phishing-resistant protections, passkeys, or FIDO2 hardware keys, depending on the environment. For regulated or high-risk systems, the better pattern is a layered design: password plus phishing-resistant second factor, strong recovery controls, and conditional access based on device posture and session risk. The NIST Cybersecurity Framework 2.0 is useful here because it pushes teams to align identity assurance with business risk, not just user convenience.

  • Use SMS only as a transition path, not the final authentication standard.
  • Prefer phishing-resistant authenticators for administrator and finance workflows.
  • Harden account recovery, since recovery paths often become the real bypass.
  • Monitor telco-related changes, such as SIM or number port events, as identity risk signals.
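The last bullet, treating SIM or number-port events as identity risk signals, is easiest to see as detection logic. The following is an added example, not code from the original article or from NHIMG: it correlates a small constructed feed of carrier events with constructed authentication log lines and flags successful SMS-OTP logins that land within a short window after a SIM change or port-out on the same number. The event names (`sim_change`, `port_out`), the log line format and the 72-hour window are assumptions chosen for illustration.

```python
"""Flag SMS-OTP logins that closely follow a SIM change or number-port event.

Added example (not from the article). The telco feed format and the auth log
format are hypothetical; both inputs are constructed sample data embedded inline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample carrier events: phone number, event type, UTC timestamp.
TELCO_EVENTS = [
    {"phone": "+15550100", "event": "sim_change", "ts": "2024-05-01T09:12:00"},
    {"phone": "+15550200", "event": "port_out",   "ts": "2024-04-20T14:00:00"},
]

# Constructed sample authentication log lines (hypothetical key=value format).
AUTH_LOG = [
    "2024-05-01T09:40:00 user=alice phone=+15550100 factor=sms_otp result=success",
    "2024-05-01T10:05:00 user=bob   phone=+15550300 factor=sms_otp result=success",
    "2024-05-02T08:00:00 user=carol phone=+15550200 factor=sms_otp result=success",
    "2024-05-01T09:50:00 user=alice phone=+15550100 factor=fido2  result=success",
]

# Assumed window: an SMS login this soon after a SIM/port event deserves review.
SUSPICIOUS_WINDOW = timedelta(hours=72)


@dataclass
class Finding:
    user: str
    phone: str
    telco_event: str
    gap: timedelta      # time between the telco event and the SMS login
    severity: str


def parse_auth_line(line):
    """Parse one 'timestamp key=value ...' log line into a dict."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    fields["ts"] = datetime.fromisoformat(parts[0])
    return fields


def index_telco_events(telco_events):
    """Group carrier events by phone number, parsing their timestamps."""
    by_phone = {}
    for ev in telco_events:
        by_phone.setdefault(ev["phone"], []).append(
            (ev["event"], datetime.fromisoformat(ev["ts"])))
    return by_phone


def find_suspicious_sms_logins(auth_log, telco_events, window=SUSPICIOUS_WINDOW):
    """Return a Finding for each successful SMS-OTP login that occurs within
    `window` after a SIM change or port event on the same phone number.
    Non-SMS factors (e.g. FIDO2) are ignored: they do not depend on the number."""
    by_phone = index_telco_events(telco_events)
    findings = []
    for line in auth_log:
        rec = parse_auth_line(line)
        if rec["factor"] != "sms_otp" or rec["result"] != "success":
            continue
        for event, ev_ts in by_phone.get(rec["phone"], []):
            gap = rec["ts"] - ev_ts
            if timedelta(0) <= gap <= window:
                severity = "high" if gap <= timedelta(hours=24) else "medium"
                findings.append(Finding(rec["user"], rec["phone"], event, gap, severity))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sms_logins(AUTH_LOG, TELCO_EVENTS):
        print(f"{f.severity.upper()}: {f.user} used SMS OTP {f.gap} after {f.telco_event} on {f.phone}")
```

On the sample data only alice's SMS login is flagged (28 minutes after a SIM change); carol's number was ported weeks earlier and falls outside the window, and alice's later FIDO2 login is ignored because it does not depend on the phone number. In a real deployment the carrier feed would come from a number-status lookup or port notification service, and a high-severity finding would typically trigger a forced step-up or a recovery review rather than just an alert.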

NHIMG research shows the scale of the governance problem around weak identity controls, with The State of Non-Human Identity Security reporting that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, a reminder that identity assurance gaps rarely stay confined to one factor or one system. These controls tend to break down when recovery processes, legacy MFA support, and help-desk exceptions are still tied to SMS because the attacker targets the weakest operational path, not the strongest control.

Common Variations and Edge Cases

Tighter authentication often increases friction, so organisations have to balance user support cost against the reduction in account-takeover risk. That tradeoff is real in consumer apps, contact centres, and geographically distributed workforces where device enrollment may be uneven or mobile coverage may be unreliable.

There is no universal standard for this yet, but best practice is evolving toward context-aware authentication: allow lower-risk SMS in limited, temporary cases, then step up to stronger methods for admin access, financial approvals, or sensitive data. SMS can still have a role in account recovery or first-time enrollment in constrained environments, but only when paired with robust identity proofing and a migration plan to stronger factors. The Ultimate Guide to NHIs — Why NHI Security Matters Now and Ultimate Guide to NHIs — Key Challenges and Risks both reinforce a broader lesson: identity controls fail when they are convenient but not resilient.

For teams with hybrid estates, the edge case is legacy systems that cannot support modern authenticators. In those environments, compensating controls such as short session lifetimes, step-up authentication, device binding where possible, and tighter monitoring become essential. The risk is highest when SMS becomes the default exception for privileged users or high-value transactions.
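The context-aware pattern described in the two paragraphs above (step up for admin and financial access, tolerate SMS only as a limited and temporary exception, and apply compensating controls such as short sessions for legacy systems) can be written down as a small policy function. The following is an added example, not code from the article: the tier names, the authenticator strength ranking, the session lifetimes and the `SMS_SUNSET` date are all assumptions chosen to illustrate the design.

```python
"""Context-aware second-factor policy.

Added example (not from the article). Tier names, strength ranking, session
lifetimes and the SMS sunset date are assumptions for illustration.
"""
from datetime import date

# Relative authenticator strength (higher is stronger); labels are assumptions.
STRENGTH = {"password": 0, "sms_otp": 1, "totp_app": 2, "passkey": 3, "fido2_key": 3}
PHISHING_RESISTANT = {"passkey", "fido2_key"}

# Minimum second factor per access-impact tier (assumed tiers).
REQUIRED = {"low": "sms_otp", "standard": "totp_app", "admin": "passkey", "finance": "passkey"}
# Tiers where no legacy exception is ever granted.
PRIVILEGED = {"admin", "finance"}

# Hypothetical organisation-wide date after which SMS is no longer accepted,
# even under a legacy exception: the "migration plan" made explicit.
SMS_SUNSET = date(2025, 12, 31)


def decide(request, today):
    """Evaluate one authentication attempt and return a decision dict.

    `request` carries: "impact" (tier), "factor" (second factor presented),
    optional "recent_sim_change" (bool risk signal for the phone on file) and
    optional "legacy_app" (bool: target cannot use modern authenticators).
    """
    tier, factor = request["impact"], request["factor"]
    required = REQUIRED[tier]

    # A redirected number defeats SMS entirely: do not accept it, route to recovery.
    if factor == "sms_otp" and request.get("recent_sim_change", False):
        return {"action": "deny",
                "reason": "SMS factor untrusted after SIM change; use out-of-band recovery"}

    # Privileged tiers always need a phishing-resistant factor; no exceptions.
    if tier in PRIVILEGED and factor not in PHISHING_RESISTANT:
        return {"action": "step_up", "require": required,
                "reason": "privileged tier requires a phishing-resistant factor"}

    # Factor meets the tier requirement: allow, with a longer session for stronger factors.
    if STRENGTH[factor] >= STRENGTH[required]:
        return {"action": "allow",
                "session_minutes": 480 if factor in PHISHING_RESISTANT else 60,
                "monitor": False, "reason": "factor meets tier requirement"}

    # Legacy exception: a weaker second factor is tolerated only outside privileged
    # tiers, only until the sunset date, and only with compensating controls
    # (short session, flagged for tighter monitoring).
    if (request.get("legacy_app", False)
            and STRENGTH[factor] >= STRENGTH["sms_otp"]
            and today <= SMS_SUNSET):
        return {"action": "allow", "session_minutes": 15, "monitor": True,
                "reason": f"legacy exception, expires {SMS_SUNSET.isoformat()}"}

    return {"action": "step_up", "require": required,
            "reason": "factor weaker than tier requirement"}


if __name__ == "__main__":
    today = date(2025, 6, 1)
    for req in [
        {"impact": "finance", "factor": "sms_otp"},
        {"impact": "standard", "factor": "sms_otp", "recent_sim_change": True},
        {"impact": "standard", "factor": "sms_otp", "legacy_app": True},
        {"impact": "admin", "factor": "fido2_key"},
    ]:
        print(req, "->", decide(req, today))
```

The ordering of the checks is the point: the SIM-change signal is evaluated before anything else, the privileged tiers are excluded from the legacy path before it is considered, and the exception carries its own expiry so that "temporary" is enforced by the policy rather than by a ticket somebody has to remember.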

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-7 | Identity verification and authenticators must match access risk. |
| NIST SP 800-63 | AAL2 | SMS is generally weaker than phishing-resistant authenticators at assurance level 2+. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Weak credential handling maps to identity compromise and takeover paths. |

Treat SMS recovery and fallback paths as credential risks requiring hardening and review.