
Two-factor authentication explained: what works, what does not, and how to set it up safely

The recommended default: use an authenticator app on your phone, not SMS codes. Hardware security keys offer even stronger protection, while passkeys represent the future. But SMS-based two-factor authentication, despite its ubiquity, is dangerously vulnerable to attack.

by Ian Lyall

Your phone number has become a master key to your digital life. Bank accounts, email, social media, cryptocurrency wallets: all increasingly rely on a six-digit code sent via text message to prove you are who you claim to be. Yet this system, SMS-based two-factor authentication, is fundamentally broken.

The evidence is stark. In 2024, the FBI recorded nearly $26 million in losses from SIM swap attacks in the United States alone, where criminals hijack phone numbers to intercept authentication codes. In the UK, Cifas reported a staggering 1,055 per cent surge in unauthorised SIM swaps, from 289 incidents in 2023 to almost 3,000 in 2024. These are not sophisticated hacks requiring advanced technical skills. They are social engineering attacks that exploit the weakest link: customer service representatives at mobile carriers.

The question is not whether to use two-factor authentication—you absolutely should—but which method to choose. Get it wrong and you may be creating a false sense of security whilst leaving the door wide open.

The hierarchy of protection

Not all two-factor authentication is created equal. Security experts now rank methods on a spectrum from dangerously weak to virtually unbreakable.

At the bottom sits SMS-based authentication. Despite being the most widely deployed method, it suffers from multiple critical vulnerabilities. The National Institute of Standards and Technology has discouraged SMS-based authentication for years, considering it insecure and easily exploitable. Even NIST's own guidelines, whilst acknowledging that "any MFA is better than no MFA," make clear that SMS should be a last resort.

The core problem is simple: your phone number is not secure. It can be hijacked through SIM swapping, where attackers convince mobile carriers to transfer your number to a device they control. It can be intercepted through vulnerabilities in the global telephone network. And the codes themselves can be phished—tricked out of users through fake login pages or social engineering.

Moving up the security ladder, authenticator apps represent a substantial improvement. Applications like Google Authenticator, Microsoft Authenticator, or Authy generate time-based codes locally on your device. These codes are not transmitted over networks, cannot be intercepted by hijacking your phone number, and are significantly more resistant to phishing. For most people, this is the sweet spot between security and convenience.
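To make concrete why these codes never touch the phone network, here is the TOTP algorithm (RFC 6238) that authenticator apps implement, as an added example that is not part of the original article. The secret and timestamps are the RFC 6238 reference vectors; the `verify` function is the server-side counterpart and shows how narrow the acceptance window is.

```python
"""TOTP (RFC 6238), the scheme authenticator apps use: each code is derived
from a shared secret and the current 30-second step, so nothing is sent over
the phone network. Added example, not the article's code; the secret and
timestamps are the RFC 6238 reference vectors."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238 reference secret (ASCII "12345678901234567890"). A real enrolment
# QR code carries a random secret, base32-encoded, in an otpauth:// URI.
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238: HOTP with the counter set to the number of steps since epoch.
    Phone and server compute the same value independently."""
    secret = base64.b32decode(secret_b32, casefold=True)
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)


def verify(secret_b32: str, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Server-side check: accept the current step plus `skew` steps either side
    for clock drift, comparing in constant time. Outside that window a captured
    code is worthless, which is why relay phishing has to act within seconds."""
    for k in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret_b32, at + k * step, step), code):
            return True
    return False


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET_B32, t))
```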

Hardware security keys occupy the next tier. Physical devices like YubiKeys or Google Titan Keys provide what security professionals call "phishing-resistant" authentication. They use cryptographic protocols that verify not just your identity but also the legitimacy of the website you are logging into. An attacker with a fake login page cannot steal your credentials because the key will refuse to authenticate to the wrong domain. The Cybersecurity and Infrastructure Security Agency notes that "FIDO authentication uses the strongest form of MFA and is effective against MFA bypass techniques."

At the top of the hierarchy sit passkeys, the newest and potentially most transformative technology. Built on the same FIDO2 standard as hardware keys but integrated directly into your devices, passkeys eliminate passwords entirely. They are phishing-resistant, cannot be intercepted, and offer a user experience that is often simpler than traditional passwords. Major platforms, including Apple, Google, and Microsoft, have begun rolling out passkey support, though adoption remains in early stages.

How attacks defeat weak authentication

Understanding why SMS fails requires examining how attacks actually work. The most common method is the SIM swap. Attackers gather personal information about their target (date of birth, address, last four digits of a national insurance number) from data breaches, social media, or phishing. Armed with this information, they contact the victim's mobile carrier, impersonate the victim, and convince a customer service representative to transfer the phone number to a new SIM card.

A 2020 Princeton University study found an 80 per cent success rate for fraudulent SIM swap attempts on the first try when testing major US carriers. Once the swap is complete, the victim's phone displays "No Service" and every SMS authentication code flows to the attacker's device. From there, account takeover is trivial.

The financial consequences can be catastrophic. In March 2025, T-Mobile was ordered to pay $33 million in arbitration after a single SIM swap allowed thieves to drain a customer's cryptocurrency wallet. The victim had "extra security" enabled on the account, but attackers bypassed it by persuading a call centre agent to issue a remote eSIM activation code.

Even when SIM swapping is not involved, SMS codes remain vulnerable. Phishing toolkits now exist that can capture SMS codes in real time. A user visits a fake login page, enters their password and the SMS code they just received, and the attacker immediately relays both to the legitimate site before the code expires. The authentication succeeds, and the attacker is in.

More sophisticated attacks exploit vulnerabilities in the global telephone network itself. The SS7 protocol, which routes calls and messages between carriers, contains flaws that allow skilled adversaries to intercept SMS messages remotely. In February 2024, the FBI and CISA issued a joint warning about Chinese state-sponsored hackers targeting commercial telecommunications networks and exploiting these vulnerabilities to intercept authentication messages.

The ranking: security versus convenience

If we were to construct a table ranking authentication methods, it would look something like this:

SMS codes sit at the bottom: high convenience, very low security. They work on any phone, require no additional apps or hardware, and are familiar to users. But they are vulnerable to SIM swapping, network interception, phishing, and malware that reads text messages.

Email-based codes fare only slightly better. They avoid the SIM swap problem but remain highly phishable and depend on the security of your email account, which is often itself protected by SMS.

Authenticator apps occupy the middle ground: high convenience, high security. They require downloading an application but are widely supported, generate codes offline, and are immune to SIM swapping. The codes can still be phished if a user is tricked into entering them on a fake site, but this requires more sophisticated attacks.

Hardware security keys represent the highest security available to consumers—medium convenience, very high security. They require purchasing a physical device (typically £20-50) and carrying it with you, but they are virtually immune to both phishing and remote attacks. The key must be physically present and will only authenticate to the correct website domain.
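The domain check described here and in the hierarchy section above is called origin binding in WebAuthn. The following is an added example, not code from the article or from any FIDO library: it models the relying party's verification steps, with an HMAC standing in for the key's ECDSA signature and hypothetical `RP_ID`/`RP_ORIGIN` values.

```python
"""Origin binding, the property that makes FIDO keys phishing-resistant. The
browser (never the user) writes the page's real origin into the signed client
data, and the relying party refuses any assertion not made on its own origin.
Added example, not from the article or any FIDO library: HMAC stands in for
the key's ECDSA signature, and RP_ID / RP_ORIGIN are hypothetical."""
import hashlib
import hmac
import json
import secrets

RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()


def authenticator_sign(cred_key: bytes, challenge: str, page_origin: str):
    """Browser + key on the page the user is actually on: build clientDataJSON,
    then sign authenticatorData || SHA-256(clientDataJSON)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data = RP_ID_HASH + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash|flags|counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, to_sign, hashlib.sha256).digest()   # ECDSA stand-in
    return client_data, auth_data, sig


def rp_verify(cred_key: bytes, expected_challenge: str, client_data: bytes,
              auth_data: bytes, sig: bytes) -> bool:
    """Relying-party checks in WebAuthn order: type, challenge, origin, rpIdHash,
    signature. A relayed assertion from a look-alike page fails at origin; one
    with the origin field rewritten after signing fails at the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(str(cd.get("challenge", "")), expected_challenge):
        return False
    if cd.get("origin") != RP_ORIGIN:
        return False
    if auth_data[:32] != RP_ID_HASH:
        return False
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(cred_key, to_sign, hashlib.sha256).digest(), sig)


def login_attempt(page_origin: str) -> bool:
    """Round trip: RP issues a fresh challenge, the key signs on `page_origin`,
    the RP verifies whatever comes back, directly or via a relay."""
    cred_key = secrets.token_bytes(32)            # per-credential key, constructed
    challenge = secrets.token_urlsafe(32)
    return rp_verify(cred_key, challenge, *authenticator_sign(cred_key, challenge, page_origin))
```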

Passkeys promise to combine high security with high convenience, but their effectiveness depends on implementation. When properly configured, they offer hardware-key-level security with the convenience of biometric authentication on your existing devices. The critical caveat: if SMS fallback recovery is enabled, the security collapses to the weakest link.

The account recovery trap

Even accounts that do not use SMS for primary authentication often remain vulnerable through account recovery mechanisms. Many platforms use phone numbers as a fallback when users forget passwords or lose access to their authenticator apps.

This creates a dangerous backdoor. An attacker who successfully executes a SIM swap may not be able to log in directly, but they can trigger a password reset, receive the recovery code via SMS, and gain full control. From there, they can disable stronger authentication methods and lock out the legitimate owner.

The solution is to remove phone numbers from account recovery wherever possible. Use backup codes (long strings of characters provided when you first enable two-factor authentication), store them securely offline, and designate a recovery email address that is itself protected by strong authentication. Some services allow you to designate trusted contacts who can help you regain access. Never rely solely on SMS for recovery.

Practical setup guidance

For most people, the path forward is clear: enable authenticator app-based two-factor authentication on every account that supports it, starting with the most critical.

Begin with your primary email account. This is the linchpin of your digital identity, as it controls password resets for nearly everything else. Download an authenticator app (Google Authenticator, Microsoft Authenticator, and Authy are all reputable options). Navigate to your email provider's security settings, find the two-factor authentication section, and select "authenticator app" rather than SMS. The service will display a QR code; scan it with your authenticator app, and codes will begin generating.

Critically, save the backup codes the service provides. These are your lifeline if you lose your phone. Print them, write them down, or store them in a password manager—but do not leave them in a file on the same device.

Repeat this process for banking, cryptocurrency exchanges if you use them, social media, and any service containing sensitive personal information. For accounts holding significant financial assets, consider upgrading to a hardware security key.

Setting up a hardware key is straightforward. Purchase a key from a reputable manufacturer (YubiKey and Google Titan are the most established). Navigate to your account's security settings, select "security key" as an authentication method, and follow the prompts to register the key. Most services will ask you to insert the key and tap a button or touch a sensor. Register at least two keys—one for daily use and one stored securely as a backup.

For mobile carriers, enable every available protection. All major UK and US carriers now offer number locks or port-out protection, though these are not enabled by default. Log in to your account, navigate to security settings, and activate SIM protection, number lock, and any similar features. Set a strong account PIN that is not based on easily guessable information.

The recovery plan

Despite best efforts, things go wrong. Phones are lost, hardware keys are misplaced, and accounts are sometimes compromised. Having a recovery plan is as important as the authentication itself.

First, maintain backup codes for every account with two-factor authentication enabled. Store these in multiple secure locations: a password manager, a physical safe, or with a trusted family member. Never store them in the same place as your primary authentication method.

Second, register multiple authentication methods where possible. If you use an authenticator app, also register a hardware key. If you use a hardware key, register two. This redundancy ensures that losing one method does not lock you out entirely.

Third, monitor for warning signs of compromise. If your phone suddenly displays "No Service" when coverage should be fine, contact your carrier immediately. If you receive password reset emails you did not request, assume your account is under attack and secure it immediately. If you see login alerts from unfamiliar locations, change your password and review active sessions.

Fourth, know how to contact support through secure channels. If you are locked out, attackers may try to impersonate you to customer service. Establish in advance how you will prove your identity: through government-issued ID, in-person verification, or pre-established security questions that are not based on publicly available information.

What regulators are doing (and not doing)

The regulatory response to SMS authentication vulnerabilities has been glacial. In late 2023, the US Federal Communications Commission adopted new rules requiring wireless providers to use secure authentication methods, provide immediate notifications of SIM changes, and offer account locks to customers.

The compliance deadline was July 2024. Then carriers requested more time. The FCC waived the deadline for all rules, with no new enforcement date announced. This regulatory delay is not merely procedural—it is an active security vulnerability. Criminals are aware that mandatory protections are coming and are racing to exploit current weaknesses before carriers are forced to fix them.

In the UK, regulation has focused more on fraud reporting and victim compensation than on preventing attacks at the source. Cifas's dramatic statistics have prompted calls for action, but concrete requirements for carriers remain limited.

The result is that consumer protection depends largely on voluntary measures by carriers and individual vigilance by users. This is an inadequate response to a systemic problem.

The path forward

The technology to secure authentication properly already exists. Authenticator apps have been mature and widely available for over a decade. Hardware security keys have proven their effectiveness in enterprise environments. Passkeys are now supported by major platforms and offer a glimpse of a future without passwords.

What is lacking is not capability but adoption. Too many services still default to SMS authentication because it is familiar and requires no user education. Too many users stick with SMS because they do not understand the risks or find alternatives intimidating. And too many carriers have failed to implement basic protections against SIM swapping because there has been insufficient regulatory pressure to do so.


The solution requires action at multiple levels. Regulators must enforce meaningful security requirements on carriers and set minimum standards for authentication on services handling sensitive data. Platforms must make stronger authentication methods the default and phase out SMS except as a last resort. And individuals must take responsibility for their own security by migrating to authenticator apps or hardware keys.

The stakes are too high to continue relying on a system we know to be broken. Your phone number is not a secure credential. Treat it accordingly.
