The Security Downside of SMS-based Multi Factor Authentication (MFA)

MFA is not always secure.

Multifactor authentication (MFA) is widely regarded as an effective technique for confirming that a user is legitimate before granting access. It is a security mechanism that requires the user to present at least two independent proofs of identity, not just a valid set of credentials.

In practice this means that the user first supplies a correct username and password, and then supplies a second proof such as a verification code or a physical object that only the legitimate user can possess.

Some forms of MFA are themselves vulnerable and may fail to serve their intended purpose of admitting only authorized users. One such form is verification by text message.

SMS and MFA

SMS is one of the most widely used channels for MFA. Industry leaders like Google and Microsoft routinely send verification codes to the phone numbers linked to user accounts, and a user who submits the correct code is granted access.

Many users, however, are unaware of the serious security risks of SMS-based MFA. For example, Voxox, a leading communications company based in San Diego, left a database holding more than ten million messages without password protection. The unprotected database was exposed, and anyone could read, in real time, messages containing two-factor verification codes for Google, Microsoft and Huawei IDs[1]. Imagine a malicious individual with access to such a database.

SIM Swap Attacks

SMS-based MFA is also weak because a SIM swap attack is easy to execute. It requires no technical expertise; anyone holding the right personal details can carry it out. In a country like the U.S., the social security number of the targeted SIM holder can be enough to request a SIM swap with a single phone call to the carrier. The new SIM then receives the authentication codes, giving the attacker direct access to every account protected by that phone number.

Network Security Flaws

The SS7 network that most carriers use to route calls and text messages has numerous security flaws that are easy to exploit. Once an SS7 network is breached, an attacker can intercept any message sent to or from your device. SS7 portals, for instance, can allow an attacker to forward all intercepted messages to online devices before rerouting them to their original destinations. It is therefore possible to intercept and use a verification code before its rightful owner ever sees it.

Forensic expert Jonathan Zdziarski argues that text messages are not the best MFA approach. As he put it, “mobile phone as a means of authentication can be socially engineered out of your control”[2]. This and other vulnerabilities have led the National Institute of Standards and Technology (NIST) to discourage companies from using MFA based on text messages. Rather than SMS, NIST and leading organizations advocate more secure alternatives: dedicated MFA apps such as RSA SecurID and Google Authenticator, and dedicated hardware tokens such as dongles.


[1] https://techcrunch.com/2018/11/15/millions-sms-text-messages-leaked-two-factor-codes/

[2] https://medium.com/@powerb91/text-message-based-two-factor-authentication-is-a-weak-form-of-security-choose-a-more-robust-64fbb89e52f7