Why SMS-Based 2FA Is Better Than Nothing but Worse Than an App

Some people skip two-factor authentication entirely because they heard SMS codes are insecure. That is like refusing to wear a seatbelt because it will not help in a plane crash. SMS 2FA blocks the vast majority of automated attacks, phishing bots, and credential-stuffing attempts.

But SMS has real weaknesses: SIM-swapping attacks let criminals intercept your codes by convincing your carrier to transfer your number. An authenticator app like Google Authenticator, Authy, or a hardware key avoids this entirely because the codes never leave your device. Use SMS 2FA when it is the only option, but upgrade to an app everywhere you can.