SMS Codes and 2FA: The Security Blanket That's Full of Holes
SMS and authenticator codes beat a lone password, but they're still phishable, SIM-swappable, and vulnerable to push fatigue. Here's where the 2FA blanket has holes, and why passkeys replace the password instead of patching it.
There's a particular smugness that settles over you the day you turn on two-factor authentication. I remember it well. I'd flipped on SMS codes for every account I cared about, felt the warm glow of a responsible adult, and basically considered myself uninvited from the entire category of people who get hacked. That feeling lasted right up until I learned what a SIM swap was, at which point the warm glow curdled into something closer to indigestion. The codes weren't useless. They were just a much thinner blanket than I'd been pulling over myself, and the parts of me sticking out from underneath were exactly the parts an attacker wanted.
I want to be fair to 2FA before I start kicking it, because the backlash sometimes overshoots. A second factor is a genuine, meaningful upgrade over a password alone. If your only defense is a password and that password leaks in one of the breaches that land every week, an attacker walks straight in. Add a second factor and that same leaked password suddenly isn't enough by itself. That's real protection, and it has stopped an enormous amount of low-effort credential-stuffing crime. So when I tell you SMS codes are full of holes, I'm not telling you to switch them off and go back to a password and a prayer. I'm telling you the blanket has holes, and you should know exactly where they are before you trust your warmth to it.
The text-message code is the leakiest one
SMS was never designed to be a security channel. It's a 1980s messaging protocol we bolted authentication onto because everyone already had a phone number, and convenience has a way of becoming infrastructure before anyone checks whether it's safe. The most direct hole is the SIM swap. An attacker calls your carrier, does a passable impression of you with some personal details they bought or guessed, and convinces a support rep to move your number to a SIM card they control. Now every code your bank texts you lands on the attacker's phone instead of yours. You'll know something's wrong when your own phone abruptly loses signal, which is a delightful way to discover you're being robbed, in real time, with no way to call for help on the device that just got stolen out from under you.
And SIM swaps aren't even the only door. Text messages can be intercepted through weaknesses in the SS7 signaling network that carriers use to route them, which sounds exotic but has been demonstrably abused to drain bank accounts. Codes can also just be phished the ordinary way, and that brings us to the hole that affects every code-based system, not only SMS.
Authenticator apps are better, and still phishable
The standard advice, and it's decent advice as far as it goes, is to ditch SMS for an authenticator app that generates time-based codes, the rolling six digits that change every thirty seconds. This is a real improvement. TOTP codes never travel over the carrier network, so SIM swaps and signaling interception stop mattering. The seed lives on your device. Nobody can call your phone company and reroute it. If you're on SMS today, moving to an authenticator app is a genuinely good afternoon's work.
But here's the uncomfortable bit, and it's the same uncomfortable bit that haunts every code: a TOTP code is still just a secret you read off a screen and type into a box, and a box can lie about who it belongs to. A phishing page asks for your code, you read your authenticator and type the six digits, and the modern phishing kit forwards them to the real site within the thirty-second window before they expire. The fact that the code is short-lived doesn't save you, because the attacker isn't saving it for later, they're relaying it live while you watch. Your authenticator app did its job perfectly. It generated a valid code. It just had no way of knowing that the page asking for it was a fraud, because typing a number into a form is an act of pure faith, and faith is precisely what phishing exploits.
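To make the relay concrete, here is an added example in Python, not code from the page or from Paswad: an RFC 6238 TOTP generator, the verifier a real site would run, and a simulation of the phishing kit forwarding a captured code. The seed is the RFC's own Appendix B test seed so the output can be checked against the published vectors; the one-step clock-skew tolerance, the replay rule and the timings are assumptions about the server's policy.

```python
import hashlib
import hmac
import struct

# Constructed seed: the RFC 6238 Appendix B test seed (ASCII "12345678901234567890"),
# chosen so the codes below can be checked against the RFC's own vectors.
SEED = b"12345678901234567890"
STEP = 30
DIGITS = 6


def totp(seed: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the counter floor(t / STEP)."""
    counter = unix_time // STEP
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """What the real site runs (assumed policy): tolerate one step of clock skew
    either way, and never accept a step at or below the last accepted one, so a
    code cannot be replayed once used."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.last_step = -1

    def verify(self, code: str, now: int) -> bool:
        for drift in (-1, 0, 1):
            step = now // STEP + drift
            if step <= self.last_step:
                continue
            if hmac.compare_digest(totp(self.seed, step * STEP), code):
                self.last_step = step
                return True
        return False


def relay_attack(seed: bytes, victim_types_at: int, relay_delay: int) -> bool:
    """The victim reads a fresh code from the app and types it into the fake page
    at victim_types_at; the phishing kit forwards it to the real site relay_delay
    seconds later. Returns whether the real site accepted it."""
    real_site = TotpVerifier(seed)
    captured = totp(seed, victim_types_at)     # the fake page now holds a valid code
    return real_site.verify(captured, victim_types_at + relay_delay)
```

relay_attack(SEED, 1000, 5) comes back True and relay_attack(SEED, 1000, 90) comes back False: the code's short life stops a stale replay, but a kit that forwards within the window sails through, and nothing in the verifier can tell a relayed code from one the real user typed.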
Push fatigue: when "approve" becomes a reflex
Then there's the supposedly smarter version, the push notification. Instead of typing a code you just tap "approve" on your phone. Nicer, until you meet the prompt-bombing attack. An attacker who already has your password just tries to log in over and over, firing a push notification at your phone each time. At 2am, on the fourth buzz, half-asleep and assuming it's some app being needy, plenty of people tap approve just to make the buzzing stop. That's it. That's the whole attack. It has worked against large, sophisticated companies whose employees absolutely knew better, because the attack doesn't target knowledge, it targets the worn-down reflex of a tired human who wants the notification to go away. I've tapped "approve" on things at 2am that I could not describe to you the next morning. We all have. The push prompt outsources a security decision to your most exhausted, least vigilant self.
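Prompt bombing is loud in the logs even when it succeeds, so here is a detection rule run over constructed sample lines, as an added example in Python that is not from the page or from any MFA vendor. The log format, the field and result names, the hostnames, and the threshold of three unapproved pushes in ten minutes are all assumptions; map them onto whatever your provider actually emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a made-up key=value format. Real MFA products each
# log push outcomes differently; map your own fields onto (time, user, result).
SAMPLE_LOG = """\
2024-03-02T02:01:10Z user=alice result=push_timeout ip=203.0.113.9
2024-03-02T02:01:55Z user=alice result=push_denied ip=203.0.113.9
2024-03-02T02:02:40Z user=alice result=push_timeout ip=203.0.113.9
2024-03-02T02:03:30Z user=alice result=push_timeout ip=203.0.113.9
2024-03-02T02:04:12Z user=alice result=push_approved ip=203.0.113.9
2024-03-02T09:15:00Z user=bob result=push_approved ip=198.51.100.4
2024-03-02T09:16:30Z user=carol result=push_denied ip=198.51.100.7
2024-03-02T14:10:00Z user=carol result=push_approved ip=198.51.100.7
"""

THRESHOLD = 3                    # unapproved pushes for one user ...
WINDOW = timedelta(minutes=10)   # ... inside this window = prompt bombing (assumed tuning)
UNAPPROVED = {"push_denied", "push_timeout"}


def parse(log: str):
    """Return (timestamp, user, result) tuples in time order."""
    events = []
    for line in log.splitlines():
        ts, *pairs = line.split()
        fields = dict(pair.split("=", 1) for pair in pairs)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), fields["user"], fields["result"]))
    return sorted(events)


def prompt_bombing(log: str) -> dict:
    """Per user, open a window at each unapproved push and flag the user once
    THRESHOLD unapproved pushes fall inside it. An approval inside that same
    window is the worst case: the victim gave in, and that session needs
    revoking, not just an alert."""
    by_user = defaultdict(list)
    for ts, user, result in parse(log):
        by_user[user].append((ts, result))
    findings = {}
    for user, events in by_user.items():
        for i, (start, result) in enumerate(events):
            if result not in UNAPPROVED:
                continue                      # a window starts at an unapproved push
            window = [r for ts, r in events[i:] if ts - start <= WINDOW]
            unapproved = sum(r in UNAPPROVED for r in window)
            if unapproved >= THRESHOLD:
                findings[user] = {"unapproved": unapproved,
                                  "approved_in_window": "push_approved" in window}
                break
    return findings
```

Against the sample, alice is flagged with four unapproved pushes and an approval inside the window at 02:04, which is exactly the 2am tap described above and the case that should trigger session revocation rather than a ticket; carol's single denial hours before a normal approval is not flagged. Alerting on the unapproved run alone, before any approval, is the point: the attack is visible while it is still failing.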
Why passkeys aren't "better 2FA", they're a different shape
Here's the reframe that finally made it click for me, and it's the reason I stopped thinking of passkeys as a fancier second factor. Every flavour of 2FA we've discussed shares one design assumption: you've got a password, and we're bolting an extra check on top of it to compensate for the fact that passwords are weak. SMS, TOTP, push, they're all patches over the same wound. The password is still there, still phishable, still leakable, still the thing the attacker is ultimately trying to pair with a stolen code. Two-factor is the security equivalent of a second deadbolt on a door made of cardboard.
Passkeys don't add a factor. They replace the password entirely with something that can't be typed, can't be read off a screen, and can't be relayed to a fake site. A passkey logs you in by having your device sign a one-time challenge with a private key the website never receives (a synced passkey is copied, encrypted, between your own devices, but the site only ever holds the public half), and that signature is cryptographically tied to the real website's domain: the browser will only offer the credential to the domain it was registered for, and the signed response records the origin of the page that asked. There's no code to forward, because there's no code. There's no secret to phish, because nothing transferable ever leaves your device. There's no push prompt to fatigue you into approving, because the act of authenticating is a domain-checked cryptographic signature, not a yes-or-no buzz at 2am. On a lookalike site, your browser simply has no matching credential to offer, and it doesn't ask your tired self for permission to override. This is the whole bet behind Paswad: not a stronger lock on the cardboard door, but a different door.
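The shape of that exchange, as an added example in Python that is not Paswad's code or anything from the page: a toy authenticator, a browser, and a relying party doing the WebAuthn-style checks (type, challenge, origin, rpIdHash, signature). The key pair is textbook RSA built from two known Mersenne primes so the example needs no library (a real authenticator uses ECDSA or Ed25519, and this key is not usable for anything); bank.example and the lookalike bank-example.com are constructed names, challenges are hex rather than the spec's base64url, and RP ID matching is simplified to an exact host comparison.

```python
import hashlib
import json
import os


def toy_rsa_keypair():
    """Toy RSA standing in for a real authenticator's ECDSA/Ed25519 key; Mersenne
    prime factors keep it library-free. Illustration only, not a usable key."""
    p, q, e = (1 << 127) - 1, (1 << 521) - 1, 65537
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))


def sign(priv: int, n: int, msg: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), priv, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(msg).digest(), "big")


class Authenticator:
    """The device: holds the private key and one credential per RP ID (domain)."""

    def __init__(self):
        self.pub, self._priv = toy_rsa_keypair()
        self.rp_ids = set()

    def register(self, rp_id: str):
        self.rp_ids.add(rp_id)
        return self.pub                          # only the public key goes to the site

    def get_assertion(self, rp_id: str, client_data: bytes):
        if rp_id not in self.rp_ids:
            return None                          # no credential for this domain: nothing to sign
        # authenticatorData = sha256(rpId) || flags (user present) || signature counter
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        sig = sign(self._priv, self.pub[0], auth_data + hashlib.sha256(client_data).digest())
        return auth_data, client_data, sig


def client_data_json(origin: str, challenge: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


def browser_get(origin: str, requested_rp_id: str, challenge: str, auth: Authenticator):
    """The client: refuses an RP ID that is not the page's own (exact host match here;
    real browsers also allow a registrable parent domain) and records the true origin."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if requested_rp_id != host:
        return None                              # SecurityError: RP ID invalid for this origin
    return auth.get_assertion(requested_rp_id, client_data_json(origin, challenge))


class RelyingParty:
    """The real site: single-use challenges, then type, challenge, origin, rpIdHash, signature."""

    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.pub, self.pending = rp_id, origin, None, set()

    def begin(self) -> str:
        challenge = os.urandom(32).hex()
        self.pending.add(challenge)
        return challenge

    def finish(self, assertion) -> bool:
        if assertion is None:
            return False
        auth_data, client_data, sig = assertion
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self.pending:
            return False
        if cd.get("origin") != self.origin:      # domain binding: a relayed response dies here
            return False
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        if not verify(self.pub, auth_data + hashlib.sha256(client_data).digest(), sig):
            return False
        self.pending.discard(cd["challenge"])    # a captured assertion cannot be replayed
        return True


def setup():
    rp, auth = RelyingParty("bank.example", "https://bank.example"), Authenticator()
    rp.pub = auth.register(rp.rp_id)
    return rp, auth


def legitimate_login() -> bool:
    rp, auth = setup()
    return rp.finish(browser_get("https://bank.example", "bank.example", rp.begin(), auth))


def phishing_relay():
    """Adversary-in-the-middle from a lookalike page (constructed hostname) holding a
    real challenge fetched from the bank. Returns whether the bank accepted: asking for
    the bank's RP ID (browser refuses), asking for the lookalike's own RP ID (no
    credential), and a hypothetical broken client that signs anyway (origin check)."""
    rp, auth = setup()
    phish, challenge = "https://bank-example.com", rp.begin()
    wrong_rp = rp.finish(browser_get(phish, "bank.example", challenge, auth))
    own_rp = rp.finish(browser_get(phish, "bank-example.com", challenge, auth))
    broken_client = rp.finish(auth.get_assertion("bank.example", client_data_json(phish, challenge)))
    return wrong_rp, own_rp, broken_client
```

legitimate_login() returns True and phishing_relay() returns (False, False, False). The first two failures happen before anything is signed: the browser won't hand a foreign RP ID to the authenticator, and the authenticator has no credential for the lookalike's own domain. The third case is the server-side backstop: even a client that signed for the real RP ID from the wrong page would be caught, because the origin it signed over is the phishing one, and the attacker cannot forge a response with the right origin without the private key.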
So no, I'm not telling you to rip out your authenticator app tonight and panic. If you're still on SMS, move to an app, today, it's a real upgrade. If push fatigue scares you, good, it should, and number-matching prompts help. But understand the ceiling you're living under. Every code-based system, no matter how slick, eventually asks a human to type or tap a secret into a screen, and humans can be fooled about which screen they're looking at. Passkeys are the first widely available login that takes that decision away from your exhausted judgment and hands it to math. After years of bolting more locks onto the password, the honest answer turned out to be replacing the password, and most of the holes in the blanket close on their own once there's no code left to steal.
FAQ
Is SMS two-factor authentication better than no second factor at all?
Yes, clearly. A password-only account falls the moment that password leaks in a breach, and SMS 2FA stops the simplest credential-stuffing attacks cold. It's the weakest second factor, not a useless one. If SMS is all a service offers, keep it on, but switch to an authenticator app or passkey wherever you can.
What is a SIM swap and how does it beat SMS codes?
A SIM swap is when an attacker convinces your mobile carrier to move your phone number to a SIM card they control, usually by impersonating you to support. Once they own your number, every SMS code your accounts send arrives on their phone instead of yours. Your own phone losing signal is often the first sign it's happened.
Are authenticator app codes safe from phishing?
They're safe from SIM swaps and network interception, since the codes never travel over the carrier network. But they're still phishable: a fake login page can collect your six-digit code and relay it to the real site within its short validity window. Any system where you type a secret into a box can be tricked about which box you're filling.
How is a passkey different from 2FA?
2FA bolts an extra check on top of a password that stays in place. A passkey replaces the password entirely with a private key the website never receives; your device uses it to sign a one-time challenge that is bound to the site's domain. There's no code to forward, no secret to phish, and no approval prompt to fatigue you into tapping, so most of the classic 2FA attacks simply don't apply.