That SMS code isn’t actually protecting you.
SMS two-factor authentication is better than nothing, but not by much, and the gap between “SMS 2FA” and a properly secured account is bigger than most people realise.
The main problem is SIM swapping. It’s not a hacking technique in the technical sense; it’s social engineering aimed at your phone carrier. An attacker calls your carrier, pretends to be you, claims the phone was lost or damaged, and asks them to move your number to a new SIM. Once that goes through, every SMS code sent to your number goes to the attacker instead. The carrier, in most cases, verifies identity with information that’s either publicly available or already sitting in a data breach somewhere. It’s a low-skill attack with a high success rate against high-value targets.
There’s also the SS7 problem. SS7 is the decades-old signalling protocol that mobile networks use to route calls and messages between carriers. Researchers have shown publicly since 2014 that it can be abused to intercept SMS in transit, with no SIM swap needed. The fix requires carriers to replace ageing infrastructure they have little financial incentive to replace.
None of this means your Gmail is about to get raided. SMS 2FA still blocks most opportunistic attacks. But if your email, bank, or crypto account is valuable enough to be targeted specifically, SMS is the weak link. The fix is straightforward: switch to an authenticator app. It generates codes locally on your device from a shared secret and the current time, so there is no network involved, nothing to intercept, and no carrier to social-engineer. Proton Pass has a built-in TOTP authenticator if you’re already using it for passwords. Otherwise, any reputable offline authenticator app does the job. One caveat worth knowing: an app code can still be phished by a fake login page that relays it in real time, so for the highest-value accounts a hardware security key is the next step up. That is a separate project, though; getting off SMS comes first.
Start with your email account; it’s the master key to everything else. If someone gets into your email via a SIM swap, they can reset the password on every other account. Swap SMS 2FA for an authenticator app there first, then work outward. While you’re in the settings, check the account-recovery options too: if your phone number is still listed as a way to reset the password, a SIM swap bypasses the authenticator app entirely, so remove it or replace it with recovery codes stored somewhere safe.
One account switched over is better than zero. Start with email. The rest follows.
— FirstLocal Studio