Two-factor — and why SMS codes are the weak link
25 Jun 2026 · 3 min read · Comments
This article contains affiliate links. If you buy through them, we may earn a commission — at no extra cost to you.
Two-factor authentication is one of the most effective security upgrades you can make. But not all two-factor is the same — and the most common version, the one most services default to, has a specific, well-documented vulnerability that most people don't know about.
Two-factor authentication works by requiring something you know (your password) and something you have (typically a code). Even if someone steals your password, they can't log in without the second factor. It's genuinely good. The question is what "something you have" means.
The problem with SMS codes
SMS codes are sent to your phone number. Your phone number is controlled by your carrier. And carriers can be manipulated — sometimes through social engineering, sometimes through outright bribery of employees — into transferring your number to a SIM card the attacker controls. This is called a SIM swap.
Once your number is transferred, every SMS code sent to "your" phone goes to the attacker's device. Your password plus any SMS-based two-factor is now theirs. High-value targets — people with significant cryptocurrency, executives, journalists — are regularly compromised this way.
What to use instead
An authenticator app generates time-based codes on your device. They're not transmitted over the phone network — no SIM swap can intercept them. Apps like Google Authenticator or Authy work this way. NordPass also includes a built-in authenticator, which means your 2FA codes and passwords live in the same secure vault.
- Switch SMS 2FA to an authenticator app wherever the service allows it
- Prioritise accounts with the most at stake: email, banking, primary social
- NordPass generates and stores your TOTP codes alongside your passwords
- Passkeys, where offered — are better still: no code to phish at all
Two-factor is worth having even in its weakest form. SMS 2FA is vastly better than no 2FA. But if you're going to use it, it takes about two minutes per account to upgrade from SMS to an authenticator app — and the gap in protection is significant.
Frequently asked questions
What is credential stuffing?+
Credential stuffing is when attackers take email and password combinations exposed in one breach and automatically try them against other services. If you reuse passwords, a breach at one site gives attackers access to every account with the same credentials.
Is it safe to store all your passwords in one place?+
Yes, when using a reputable password manager. The encrypted vault is far more secure than reused or weak passwords. Password managers like NordPass use zero-knowledge architecture — meaning even the company cannot see your stored passwords.
What is two-factor authentication and should I use it?+
Two-factor authentication (2FA) requires a second verification step beyond your password — typically a code from an app. Use an authenticator app (Google Authenticator, Authy) rather than SMS codes, which are vulnerable to SIM-swap attacks.
