Why You Should Stop Using SMS 2FA Codes On Your Smartphone

Posted by Zak Doffman, Contributor | 7 hours ago


“The password era is ending,” says Microsoft, confirming its intent to push a billion-plus users to delete them altogether. For years, users have been pushed to add two-factor authentication (2FA) codes to those passwords. But those should be ended as well. They’re not secure, and a new warning should see you stop using them now.

According to Lighthouse Reports, “Google, Amazon, Meta and thousands of other companies leave customers vulnerable over one-time codes to save time and money.” The report highlights one third-party SMS 2FA service provider, but it could have focused on other companies doing the same.

“Across the world, phone networks carry billions of passwords and login codes on a daily basis,” the team warns. “For most people they are a necessary annoyance, until they are breached with damaging consequences.” Unfortunately, companies “don’t send login codes to their customers directly… they rely on a sprawling and opaque network of contractors and subcontractors” to send them instead.

This means “any of these middleman companies can see everything transmitted. The codes that come saying ‘Do not share with anyone’ might in fact already have been shared with more or less anyone.” That’s why America’s cyber defense agency warned Americans to stop using SMS 2FA after Chinese hackers compromised U.S. networks.

Ironically, as bad as SMS 2FA might be, it’s still better than nothing. But when it comes to 2FA, most users actually do use nothing. Google has just warned that when asked about “security practices used for personal online protection,” while 60% of U.S. consumers “use strong, unique passwords… less than 50% enable 2FA.”

Google, Microsoft and others are now leaving users in no doubt about what they must do: use passkeys instead of passwords or 2FA of any sort. And if passkeys are not available, then use an authenticator app that is linked to your smartphone.

Passkeys and authenticator codes can’t be intercepted, and passkeys can’t even be shared, even if you want to or, more likely, are tricked into doing so. Passkey adoption is still modest and that needs to change. This year we have seen a raft of password and 2FA bypass and interception warnings. The time to act is now.

It seems incredible that in 2025 authentication adoption rates are still so low. 2FA usage grew from 33% to 45% between 2017 and 2023, but remains stuck at less than 50% even today, even as big tech makes it mandatory on many accounts. Stop using SMS 2FA codes and add passkeys to all eligible accounts. Where passkeys are not available, use authenticator apps. If you persist with passwords only, prepare to be breached.



Forbes