TL;DR: SMS-based MFA remains widely used, but it is exposed to SIM swapping, phishing, weak carrier identity checks, and code interception across the cellular path, according to WorkOS. For identity teams, the issue is not whether MFA exists but whether the factor is phishing-resistant enough for high-value access.
At a glance
What this is: This article argues that SMS-based MFA is fundamentally insecure and should be replaced with stronger, phishing-resistant authentication methods such as TOTP and WebAuthn.
Why it matters: It matters because IAM teams need to separate “has MFA” from “has resilient MFA” when protecting human accounts, delegated access, and sensitive enterprise workflows.
👉 Read WorkOS's analysis of why SMS is not a secure MFA method
Context
SMS MFA creates a false sense of assurance because it relies on a phone number and a carrier channel that the organisation does not control end to end. In practice, that means account recovery, step-up access, and privileged sign-in can all be undermined by social engineering or telecom-side weaknesses.
For IAM programmes, the real question is not whether a second factor exists but whether it is resistant to phishing, interception, and recovery abuse. That same standard now matters across human identity, delegated admin access, and any workflow where access to sensitive systems depends on a single one-time code.
Key questions
Q: What is the difference between SMS MFA and phishing-resistant MFA?
A: SMS MFA sends a one-time code over a channel that can be intercepted, relayed, or reassigned through SIM swap. Phishing-resistant MFA, such as WebAuthn, binds the login to a cryptographic proof on a trusted device, which is far harder to replay. For sensitive systems, the difference is assurance, not convenience.
Q: When should organisations stop using SMS for authentication?
A: Organisations should stop using SMS as soon as an account can affect customer data, internal systems, privileged operations, or regulated workflows. SMS may still be acceptable as a temporary fallback for low-risk access, but it should not be the default second factor where phishing, recovery abuse, or SIM swap would matter.
Q: How do security teams reduce SIM swap risk in MFA flows?
A: They reduce SIM swap risk by removing phone numbers from the trust path, tightening help-desk recovery, and moving high-risk users to phishing-resistant authenticators. The key is to ensure that no single carrier event can grant access to an account or reset stronger factors.
Q: Who is accountable when SMS MFA fails and an account is taken over?
A: Accountability sits with the organisation that chose the assurance model, not with the attacker or the carrier alone. If the business relies on SMS for sensitive access, security, IAM, and application owners all share responsibility for the risk acceptance and the recovery design.
Technical breakdown
Why SMS one-time codes are easy to intercept
SMS OTPs travel through an ecosystem that was never designed to provide strong cryptographic assurance. The code can be intercepted in transit, exposed through malicious device software, or captured through third-party SMS aggregation APIs. Unlike a public-key factor, the trust boundary sits outside the application and outside the enterprise identity stack. That makes the factor vulnerable even when usernames and passwords are otherwise well protected. The weakness is structural, not merely operational, because the security model depends on an uncontrolled transport channel rather than proof of possession tied to a device or key.
Practical implication: Do not treat SMS as a high-assurance factor for access to sensitive applications or administrative workflows.
How SIM swap attacks defeat MFA assurance
SIM swapping works by transferring a victim’s phone number to an attacker-controlled SIM card through carrier support processes or social engineering. Once the number is reassigned, the attacker receives the OTPs and can complete account takeover if they already hold valid credentials. This is not a failure of code length or delivery speed. It is a failure of identity binding, because the factor is anchored to a mutable phone number rather than a durable cryptographic credential. The control therefore collapses when the telecom provider’s recovery process is easier to manipulate than the application’s own access policy.
Practical implication: Treat phone-number-based recovery and step-up access as an attack surface, not as a secure verification method.
Why phishing kits pair so well with SMS MFA
Real-time phishing kits can relay login credentials and capture the SMS code as the user enters it, often within seconds. The attacker uses a fake login page to harvest the password, triggers a real MFA prompt, and reuses the code before it expires. Because SMS is not phishing-resistant, the factor validates the session without proving that the user is interacting with the legitimate service. In identity terms, the attacker is not breaking the MFA flow so much as replaying it through a more convincing interface. That makes SMS especially weak in credential-stuffing and adversary-in-the-middle scenarios.
Practical implication: Prioritise phishing-resistant factors for any workflow where credential theft or adversary-in-the-middle attacks are plausible.
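An added example in Go (not code from WorkOS or the NHIMG page) showing why a relayed WebAuthn assertion fails where a relayed SMS code succeeds: the browser, not the user, writes the origin it is actually on into the signed clientDataJSON, so a signature produced on a relay page carries that page's origin and the relying party rejects it. The origins, challenge and authenticatorData placeholder are constructed; credential registration, the rpIdHash, flags and signature counter are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the clientDataJSON fields that give WebAuthn its origin binding.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is a simplified WebAuthn assertion; AuthData stands in for the real authenticatorData.
type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }

// signedMessage is what the authenticator signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Sign models the authenticator; the browser records the origin of the page that actually called WebAuthn.
func Sign(priv *ecdsa.PrivateKey, challenge, origin string) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	authData := []byte("constructed-authenticator-data") // constructed placeholder
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return Assertion{authData, cd, sig}, err
}

// Verify models the relying party: its issued challenge and its own origin must match before the signature counts.
func Verify(pub *ecdsa.PublicKey, a Assertion, challenge, rpOrigin string) bool {
	var cd clientData
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != challenge || cd.Origin != rpOrigin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig)
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp, challenge := "https://login.example.test", "constructed-challenge-1"
	genuine, _ := Sign(priv, challenge, rp)
	relayed, _ := Sign(priv, challenge, "https://login.example-relay.test") // origin a phished user's browser saw
	fmt.Println("genuine:", Verify(&priv.PublicKey, genuine, challenge, rp), "relayed:", Verify(&priv.PublicKey, relayed, challenge, rp))
}
```

An SMS code has no equivalent field: the verifier cannot tell which page the user typed it into, which is the structural gap the section describes.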
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Schneider Electric credentials breach — exposed credentials gave attackers access to Schneider Electric Jira, exfiltrating 40GB.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SMS MFA is a legacy assurance pattern, not a modern identity control. The article shows that the factor is bound to a telephone network, a customer-support process, and a short-lived code rather than to a cryptographic proof of possession. That makes it suitable only as a low-friction fallback, not as a control for accounts where compromise has operational or regulatory impact. Practitioners should classify SMS as a convenience factor with limited assurance value, not as a durable authentication control.
Phone-number-based authentication creates recovery risk that IAM teams still under-model. Mobile number reassignment, carrier support escalation, and recycled numbers turn account recovery into an identity trust problem outside the application boundary. This is not just an MFA weakness; it is a lifecycle and recovery design flaw that crosses human identity governance and access assurance. Teams that rely on SMS for recovery are inheriting carrier-side identity proofing decisions they cannot audit directly. Practitioners should revisit recovery paths before they revisit login pages.
Phishing resistance, not factor count, is the more useful security standard. A second factor only matters if it cannot be replayed, intercepted, or socially engineered through an adjacent channel. That is why WebAuthn and hardware-backed authenticators change the identity assurance model more than another app prompt or another text message ever will. The implication for IAM programmes is clear: measure whether the factor binds the session to a trusted device, not whether it merely adds a second prompt.
High-assurance access should be designed around resistant authenticators, not around channel familiarity. SMS persists because it is operationally familiar, not because it is trustworthy. That creates a governance gap where the control looks mature on paper but remains fragile under real attack paths. Practitioners should treat this as an assurance migration problem, not a feature preference.
SMS MFA exposes the broader problem of outsourced identity trust. The control depends on a telecom ecosystem, not just an enterprise policy engine. Once identity assurance extends into external support desks and number portability, the organisation loses visibility into the exact point where trust can be subverted. Security teams should re-evaluate any authentication pattern that cannot be validated inside their own control plane.
From our research:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.
- That same remediation gap argues for broader assurance hardening, which is explored in Analysis of Claude Code Security.
What this signals
Phishing resistance is becoming the real baseline for access assurance. As organisations move beyond simple password protection, any factor that can be replayed through a browser, a carrier, or a help desk should be treated as transitional rather than dependable. That means MFA programmes need to be measured by channel resilience, not by enrollment rate.
SMS MFA also exposes a governance blind spot in recovery design. When number portability or carrier support can override the identity proofing model, account recovery becomes the weakest part of the stack. The practical signal for teams is to inspect every path that can bypass stronger authenticators, including reset workflows and support escalation.
With 27 days to remediate a leaked secret on average, organisations cannot afford equally slow authentication decisions. A modern identity programme should treat SMS as a temporary compatibility layer while it moves high-risk access toward device-bound authenticators and tighter lifecycle controls.
For practitioners
- Replace SMS with phishing-resistant MFA for sensitive access: Use WebAuthn or hardware-backed authenticators for privileged users, administrators, and any application that protects high-value data. Reserve SMS only for low-risk fallback scenarios where the blast radius is limited and recovery paths are tightly controlled.
- Remove phone-number recovery as a primary assurance path: Review account recovery, device reset, and help-desk verification workflows so they do not rely on text-message delivery or recycled numbers as proof of identity. The recovery path should require stronger proof than the login path it can override.
- Measure authentication by replay resistance: Audit whether each factor can survive phishing, adversary-in-the-middle relays, SIM swap, and code interception. If the factor can be replayed in real time, it does not meet a high-assurance standard for protected systems.
Key takeaways
- SMS MFA fails because it depends on an insecure delivery and recovery ecosystem, not because its codes are too short or expire too slowly.
- The article’s core evidence is that SMS can be defeated by SIM swap, phishing, interception, and recycled numbers, which breaks the assurance model for sensitive access.
- Practitioners should replace SMS with phishing-resistant authenticators and redesign recovery so a carrier event cannot become an account takeover event.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | | The article argues against SMS as a secure authenticator for sensitive access. |
| NIST CSF 2.0 | PR.AA-1 | Authentication assurance depends on choosing and enforcing secure authenticators. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Continuous verification is weakened when the factor can be replayed or socially engineered. |
Review MFA policies and remove SMS from protected workflows that need stronger identity assurance.
Key terms
- Phishing-resistant authentication: An authentication method that cannot be easily captured and replayed by an attacker through a fake login page or real-time relay. In practice, this usually means cryptographic, device-bound proof such as WebAuthn rather than codes that can be typed or forwarded.
- SIM swap: A takeover technique in which an attacker convinces a mobile carrier to move a victim’s phone number to a SIM card the attacker controls. Once successful, the attacker can receive SMS messages and intercept one-time codes, turning the phone number into a compromise path rather than a factor.
- Identity assurance: The level of confidence that the person or system presenting credentials is the rightful subject. Strong assurance depends on the factor, the recovery path, and the binding between the authenticator and the account, not just the presence of a second prompt.
Deepen your knowledge
SMS MFA risk and phishing-resistant authentication are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If your programme still depends on phone-number trust, this is a practical place to start.
This post draws on content published by WorkOS: Why SMS is not a secure Multi-Factor Authentication (MFA) method. Read the original.
Published by the NHIMG editorial team on 2025-07-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org