SMS Is Not 2FA

SMS is not a second factor

A second factor must come from a different category. SMS codes only prove reachability of a phone number, not possession of a device.

It’s okay if you use SMS today. Let’s make it safer—and accurate in terms of factors.

Two factors ≠ two channels

Different factor means different category (knowledge, possession, inherence), not just a different delivery medium.

What possession requires

A device‑bound secret and live challenge–response. SMS has neither.

Reachability ≠ possession

Numbers can be ported, mirrored, or forwarded. Delivery doesn’t prove which device you have.

What 2FA is—and isn’t

2FA means two different categories: something you know, something you have, or something you are. Any two distinct categories qualify. The problem we’re addressing is the false claim that SMS is a possession factor. A real possession factor must:

  • Hold a device‑bound secret (private key or TOTP seed) that never leaves the device.
  • Prove live possession with a cryptographic challenge–response, so a captured answer can’t be replayed.
  • Resist rerouting—possession can’t be forwarded to another endpoint.

Why SMS fails as possession

  • Phone numbers are addresses, not authenticators.
  • No device‑bound secret; codes are created remotely.
  • Delivery can be ported, mirrored, or forwarded.
  • No cryptographic proof of which device received the code.

Why SMS isn’t a second factor

SMS is a postcard to your number. If someone redirects your mail, they get your code. That’s not proof of possession—just delivery.
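To make the postcard analogy concrete, here is an added example (not code from the original page) that simulates both flows side by side: an SMS code created on the server and texted to a number whose routing an attacker has changed, versus a secret that lives on the device and answers a fresh challenge. The phone number, usernames and keys are constructed, and an HMAC stands in for the signature a real authenticator would produce.

```python
"""Added example, not from the original page: a constructed simulation of the
difference between an SMS code (delivered to a number that can be rerouted)
and a device-bound secret answering a fresh challenge. All names, numbers and
keys are made up; HMAC stands in for the signature a real authenticator makes."""
import hashlib
import hmac
import secrets


class Telco:
    """The phone network. A number is an address; routing decides who gets the text."""

    def __init__(self, routing):
        self.routing = dict(routing)  # number -> inbox list of whoever currently holds it

    def text(self, number, body):
        self.routing[number].append(body)

    def reroute(self, number, new_inbox):
        # SIM swap, port-out and forwarding all look the same from here.
        self.routing[number] = new_inbox


class SmsServer:
    """The code is created here, remotely; nothing on the user's device is consulted."""

    def __init__(self):
        self.pending = {}

    def send_code(self, user, number, telco):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = code
        telco.text(number, code)

    def verify(self, user, code):
        expected = self.pending.pop(user, None)
        return expected is not None and hmac.compare_digest(expected, code)


class Device:
    """Holds a secret that never leaves the device."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def enrol(self):
        # Assumption: symmetric enrolment for brevity; a passkey would hand over a public key.
        return self._key

    def answer(self, challenge):
        return hmac.new(self._key, challenge, hashlib.sha256).digest()


class ChallengeServer:
    def __init__(self):
        self.keys, self.pending = {}, {}

    def register(self, user, material):
        self.keys[user] = material

    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)  # fresh per attempt: no replay
        return self.pending[user]

    def verify(self, user, response):
        c = self.pending.pop(user, None)
        if c is None:
            return False
        expected = hmac.new(self.keys[user], c, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def sms_after_reroute():
    """Returns (victim_received_code, attacker_logged_in) after the number is moved."""
    victim_inbox, attacker_inbox = [], []
    telco = Telco({"+15555550100": victim_inbox})  # constructed number
    server = SmsServer()
    telco.reroute("+15555550100", attacker_inbox)
    server.send_code("alice", "+15555550100", telco)
    # Delivery proved only that whoever holds the number saw the text.
    return bool(victim_inbox), server.verify("alice", attacker_inbox[-1])


def challenge_after_reroute():
    """Returns (attacker_logged_in, owner_logged_in, replay_accepted)."""
    device, server = Device(), ChallengeServer()
    server.register("alice", device.enrol())
    c1 = server.challenge("alice")  # attacker sees c1 on the wire but lacks the key
    guess = hmac.new(secrets.token_bytes(32), c1, hashlib.sha256).digest()
    attacker_ok = server.verify("alice", guess)
    c2 = server.challenge("alice")
    owner_answer = device.answer(c2)  # attacker records this too
    owner_ok = server.verify("alice", owner_answer)
    server.challenge("alice")  # next attempt gets a new challenge...
    replay_ok = server.verify("alice", owner_answer)  # ...so the recorded answer is useless
    return attacker_ok, owner_ok, replay_ok
```

Rerouting the channel hands the attacker everything the SMS server ever sends, so the login succeeds; rerouting the challenge-response channel hands them only a nonce, which is worthless without the key, and even the owner's recorded answer fails against the next challenge.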

Property                 True possession                              SMS code
Device‑bound secret      ✔︎ Private key / TOTP seed on your device     ✘ Code generated remotely; no secret on device
Challenge–response       ✔︎ Cryptographic proof of possession          ✘ Whoever sees the code can use it
Reroutable/forwardable   ✔︎ No (tied to the device)                    ✘ Yes (porting/mirroring/forwarding)
Transport security       ✔︎ Local generation / secure channel          ✘ Often unencrypted across telecom paths

Evidence in the real world

Beyond SIM swaps and SS7 issues, researchers found that traffic relayed over satellite links, including SMS, was broadcast unencrypted and could be received by anyone with the right equipment. If texts can be picked out of a satellite downlink, they’re not a trustworthy possession proof.

Source: University of California, San Diego and the University of Maryland, College Park (Oct 2025).


Common ways SMS breaks

  • SIM Swapping: attacker convinces carrier to move your number to their SIM.
  • Number Port‑out: your texts are routed to another carrier/device.
  • Mirrored Endpoints: laptops/tablets receive the same texts.
  • SS7 Interception: telecom signaling allows rerouting/reading messages.

Use factors that truly differ

Authenticator apps (TOTP)

Store a secret on your device and generate codes locally. Works offline. Examples: Aegis, 1Password, Authy, Google Authenticator.

  • True possession factor (device‑stored secret)
  • Can be phished; for phishing resistance use passkeys

Passkeys / Security keys (FIDO2/WebAuthn)

Use a private key held by the authenticator (a hardware security key or the platform’s secure element) to sign a server challenge that is bound to the site’s origin. Phishing‑resistant, because a signature produced for a look‑alike site does not verify at the real one, and bound to your device.

  • Fast login with biometrics
  • Best protection against account takeovers
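The difference between the two options above, as an added example that is not code from the original page: a TOTP code computed locally from the device's seed per RFC 6238 (checked against the RFC's published test vector), then a constructed phishing relay. The TOTP code carries no origin, so a code typed into a look-alike page works on the real site within the same 30 s step; a signed challenge that includes the origin the browser actually visited does not. The HMAC standing in for the signature and the hostnames bank.example and bank-login.example are illustrative assumptions; real WebAuthn signs authenticator data plus a hash of client data carrying the origin, and scopes the credential to an RP ID.

```python
"""Added example, not from the original page: RFC 6238 TOTP computed locally from a
device-held seed, then a constructed phishing relay. The TOTP code relays fine; an
origin-bound signed challenge does not. The HMAC 'signature' and the hostnames are
illustrative assumptions; real WebAuthn signs authenticator data plus a hash of client
data that carries the origin, and scopes credentials to an RP ID."""
import hashlib
import hmac
import secrets
import struct
import time


def totp(seed: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 (HMAC-SHA1, 30 s steps by default) from a seed stored on the device."""
    counter = for_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


RFC_TEST_SEED = b"12345678901234567890"  # the RFC 6238 test-vector seed, shared at enrolment


def totp_relayed_to_real_site(now=None):
    """Victim types the code into a look-alike page; the attacker forwards it within the step."""
    now = int(time.time()) if now is None else now
    typed_on_phish = totp(RFC_TEST_SEED, now)
    # The real site cannot tell who typed it: the code carries no origin and no device identity.
    return hmac.compare_digest(totp(RFC_TEST_SEED, now), typed_on_phish)


class Authenticator:
    """Private key never leaves; what it signs includes the origin the browser actually saw."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def enrol(self):
        return self._key  # assumption: symmetric enrolment; a passkey exports a public key

    def sign(self, origin: str, challenge: bytes) -> bytes:
        return hmac.new(self._key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()


def passkey_login_from(browser_origin: str, rp_origin: str = "bank.example") -> bool:
    """Simulate the real site's check of an assertion produced on `browser_origin`."""
    auth = Authenticator()
    rp_key = auth.enrol()
    challenge = secrets.token_bytes(32)  # real site's challenge, relayed verbatim by the phish
    assertion = auth.sign(browser_origin, challenge)
    expected = hmac.new(rp_key, rp_origin.encode() + b"|" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)
```

`totp(RFC_TEST_SEED, 59)` reproduces the RFC 6238 vector (287082 at six digits, 94287082 at eight), which is the check to run against any TOTP implementation before trusting it. `passkey_login_from("bank.example")` succeeds while `passkey_login_from("bank-login.example")` fails, because the browser, not the attacker's page, decides which origin goes into the signed data.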

Questions & objections

“SMS works fine for me.”

It works—until someone else receives your texts. Possession must be proven on your device, not inferred from delivery.

“But SMS is better than nothing.”

Label it accurately: it’s an extra step of the knowledge factor, not a possession factor.

“Our carrier added extra checks.”

Good—but a routable number still isn’t a device‑bound authenticator.

“Is TOTP perfect?”

No factor is perfect. TOTP is possession but can be phished; passkeys add phishing resistance.