
SMS MFA and phishing resistance: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: SMS-based MFA remains widely used, but it is exposed to SIM swapping, phishing, weak carrier identity checks, and code interception across the cellular path, according to WorkOS. For identity teams, the issue is not whether MFA exists but whether the factor is phishing-resistant enough for high-value access.

NHIMG editorial — based on content published by WorkOS: Why SMS is not a secure Multi-Factor Authentication (MFA) method

Questions worth separating out

Q: What is the difference between SMS MFA and phishing-resistant MFA?

A: SMS MFA sends a one-time code over a channel that can be intercepted, relayed, or reassigned through SIM swap.

Q: When should organisations stop using SMS for authentication?

A: Organisations should stop using SMS as soon as an account can affect customer data, internal systems, privileged operations, or regulated workflows.

Q: How do security teams reduce SIM swap risk in MFA flows?

A: They reduce SIM swap risk by removing phone numbers from the trust path, tightening help-desk recovery, and moving high-risk users to phishing-resistant authenticators.

Practitioner guidance

  • Replace SMS with phishing-resistant MFA for sensitive access: use WebAuthn or hardware-backed authenticators for privileged users, administrators, and any application that protects high-value data.
  • Remove phone-number recovery as a primary assurance path: review account recovery, device reset, and help-desk verification workflows so they do not rely on text-message delivery or recycled numbers as proof of identity.
  • Measure authentication by replay resistance: audit whether each factor can survive phishing, adversary-in-the-middle relays, SIM swap, and code interception.

What's in the full article

WorkOS's full article covers the implementation detail this post intentionally leaves for the source:

  • A side-by-side comparison of SMS, TOTP, push, and WebAuthn from a developer implementation perspective
  • Practical guidance for adding modern MFA methods through WorkOS SSO and MFA integrations
  • A concise breakdown of why carrier-level trust and phishing replay make SMS a poor fit for sensitive applications
  • Specific examples of how teams can phase out SMS without rebuilding the authentication stack from scratch

👉 Read WorkOS's analysis of why SMS is not a secure MFA method →
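The "replay resistance" audit from the practitioner guidance above, as an added example that is not from the WorkOS article or this post: a toy relying party that accepts an SMS code purely on string match but checks a WebAuthn-style assertion's origin, challenge and rpIdHash binding, so a code captured through an adversary-in-the-middle relay passes while the relayed or replayed assertion is rejected. The relying-party name, the lookalike origin and the OTP are constructed, and an HMAC with a per-credential key stands in for the authenticator's private-key signature.

```python
import hashlib, hmac, json, secrets

RP_ORIGIN = "https://login.example.com"  # constructed relying party
RP_ID = "login.example.com"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()

def verify_sms_code(expected: str, submitted: str) -> bool:
    # SMS OTP: the server can only check that the digits match; nothing in the
    # code says which site the user typed it into, so a relayed code passes.
    return hmac.compare_digest(expected, submitted)

def authenticator_sign(cred_key: bytes, origin: str, challenge: str) -> dict:
    # What the browser and authenticator produce on the page the user is on.
    # Assumption: HMAC stands in for the authenticator's private-key signature;
    # the data it binds (origin, challenge, rpIdHash) is the same as in WebAuthn.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = RP_ID_HASH + b"\x01"  # rpIdHash || flags (user present)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": hmac.new(cred_key, signed, "sha256").digest()}

def verify_assertion(cred_key: bytes, expected_challenge: str, a: dict) -> tuple:
    # Relying-party side: the bindings are checked before the signature, so a
    # relayed (wrong origin) or replayed (stale challenge) assertion is rejected.
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if a["authenticatorData"][:32] != RP_ID_HASH:
        return False, "rpIdHash mismatch"
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    if not hmac.compare_digest(hmac.new(cred_key, signed, "sha256").digest(), a["signature"]):
        return False, "bad signature"
    return True, "ok"

def audit() -> dict:
    # Constructed adversary-in-the-middle scenario: a lookalike origin relays what the
    # victim produces to the real service inside the same login session. A real browser
    # would refuse the WebAuthn ceremony on evil.test; even if it did not, the RP rejects it.
    phish = "https://login.example.com.evil.test"
    key, challenge, code = secrets.token_bytes(32), secrets.token_urlsafe(32), "483920"
    genuine = authenticator_sign(key, RP_ORIGIN, challenge)
    return {
        "sms_relayed": verify_sms_code(code, code),  # the relayed code is accepted
        "webauthn_genuine": verify_assertion(key, challenge, genuine),
        "webauthn_relayed": verify_assertion(key, challenge, authenticator_sign(key, phish, challenge)),
        "webauthn_replayed": verify_assertion(key, secrets.token_urlsafe(32), genuine),
    }
```

Run `audit()` to see the four verdicts; the same origin and challenge checks are what a real WebAuthn relying-party library performs before it ever looks at the signature.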




(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804

SMS MFA is a legacy assurance pattern, not a modern identity control. The article shows that the factor is bound to a telephone network, a customer-support process, and a short-lived code rather than to a cryptographic proof of possession. That makes it suitable only as a low-friction fallback, not as a control for accounts where compromise has operational or regulatory impact. Practitioners should classify SMS as a convenience factor with limited assurance value, not as a durable authentication control.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases.

A question worth separating out:

Q: Who is accountable when SMS MFA fails and an account is taken over?

A: Accountability sits with the organisation that chose the assurance model, not with the attacker or the carrier alone. If the business relies on SMS for sensitive access, security, IAM, and application owners all share responsibility for the risk acceptance and the recovery design.

👉 Read our full editorial: SMS MFA is a weak control for high-assurance identity


