For a long time, turning on Multi-Factor Authentication (MFA) has been one of the best ways to protect accounts and devices. And to be clear, MFA is still a must.
But the way people attack accounts has changed. That means some older MFA methods are starting to show their age.
The most common MFA option is a 4- or 6-digit code sent by text message (SMS). It’s familiar, it’s easy, and it’s definitely better than “password only.” The problem is that criminals have gotten really good at getting around SMS codes. If your business handles sensitive data (or just wants to avoid a preventable headache), SMS-based MFA is no longer the level of protection you want.
It’s time to move to phishing-resistant MFA, which is the next step up in account security.
Why SMS codes are easier to beat than most people realize
Text messaging was never designed to be a secure authentication tool. It relies on cellular networks, and those networks have weaknesses that attackers can take advantage of.
In some cases, criminals can intercept or redirect SMS messages by abusing telecom systems and protocols (including SS7, which helps carriers route calls and texts). The scary part is that this can happen without anyone touching your phone.
And even if the text message itself is not intercepted, SMS codes are still easy to phish.
If someone gets tricked into typing their username, password, and text code into a fake login page, the attacker can grab all of it immediately and use it right away on the real site. That’s game over in real time.
Understanding SIM swapping attacks
One of the biggest risks with SMS MFA is SIM swapping.
A SIM swap is when a criminal contacts your phone carrier, pretends to be you, and claims they lost their phone. Then they convince the carrier to move your phone number to a new SIM card that the criminal controls.
If it works, your phone may suddenly lose service, and the attacker starts receiving your calls and texts, including MFA codes. From there, they can often reset passwords and take over accounts, even if they did not know your password to begin with.
This is not always a “super hacker” situation. A lot of SIM swaps succeed because someone at a carrier help desk got socially engineered.
Why phishing-resistant MFA is the new gold standard
Phishing-resistant MFA is designed to block the common “fake login page” trick. Instead of relying on a code that a user can type into the wrong place, phishing-resistant methods use cryptography that only works with the real website or service you are trying to sign into.
One of the most common standards behind this is FIDO2. It uses passkeys (built on public key cryptography) that bind a credential on a specific device to a specific website. If a user clicks a phishing link, the authentication will not work, because the site does not match the one the credential was created for.
In simple terms, it’s like having a key that only fits one lock. A fake lock does not get the key.
Hardware security keys
One of the strongest options is a hardware security key.
These are small physical devices (often USB or tap-to-auth keys) that you plug in or tap when you log in. Instead of typing a code, you confirm the login with the key, and it completes a secure handshake with the service.
There is no code to steal, and an attacker cannot “remote” their way into your key. To use it, they would need the physical device.
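To show why that handshake cannot be replayed against a look-alike site, here is an added example in Go (not code from this post or from any FIDO2 product). A simulated authenticator signs a login challenge for a credential scoped to the constructed site bank.example, and the site's verifier accepts the assertion only if the origin the browser recorded and the rpId hash match what the credential was registered for. The authenticatorData is reduced to just its rpId hash and the challenge is a fixed placeholder; both are simplifications of the real WebAuthn structures.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// assertion is what the authenticator hands back for the site to verify.
type assertion struct {
	RPIDHash   [32]byte // start of authenticatorData: SHA-256 of the rpId the key is scoped to
	ClientJSON []byte   // clientDataJSON; the browser, not the web page, fills in "origin"
	Sig        []byte   // ECDSA over authenticatorData || SHA-256(clientDataJSON)
}
// sign plays the authenticator (security key or passkey) answering one login challenge.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string) assertion {
	cj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cj)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	return assertion{RPIDHash: rpHash, ClientJSON: cj, Sig: sig}
}
// verify plays the real site: origin and rpId must match the registration before the signature counts.
func verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, a assertion) bool {
	var cd map[string]string
	if json.Unmarshal(a.ClientJSON, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["challenge"] != challenge || cd["origin"] != origin {
		return false // a look-alike page's origin lands here and is rejected
	}
	if a.RPIDHash != sha256.Sum256([]byte(rpID)) {
		return false
	}
	cdHash := sha256.Sum256(a.ClientJSON)
	msg := sha256.Sum256(append(a.RPIDHash[:], cdHash[:]...))
	return ecdsa.VerifyASN1(pub, msg[:], a.Sig)
}
// attempt registers a credential for bank.example, then tries to sign in from origin.
func attempt(origin string) bool {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := "constructed-challenge" // real sites send fresh random bytes per login
	a := sign(priv, "bank.example", origin, challenge)
	return verify(&priv.PublicKey, "bank.example", "https://bank.example", challenge, a)
}
func main() {
	fmt.Println("real site accepted:", attempt("https://bank.example"))            // true
	fmt.Println("look-alike site accepted:", attempt("https://bank-example.test")) // false
}
```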
Authenticator apps (and how to use them the right way)
If hardware keys are not realistic for your team, authenticator apps are a big upgrade from SMS.
Apps like Microsoft Authenticator and Google Authenticator generate codes on your phone locally. That means there is no text message traveling over a cellular network, so SIM swapping and text interception stop being the easy win they are with SMS.
One note here: basic “Approve sign-in?” push notifications can be abused. Attackers will sometimes spam a user with repeated approval prompts, hoping the person hits approve just to make it stop. This is often called MFA fatigue.
A safer approach is “number matching,” where the login screen shows a number and your authenticator app asks you to enter that same number before it approves the sign-in. It’s a simple step that makes accidental approvals much less likely.
Passkeys: where authentication is heading
Passwords get stolen constantly. Because of that, more systems are moving toward passkeys.
Passkeys are stored on your device and protected by something you already use, like Face ID, a fingerprint, or a device PIN. They are phishing-resistant by design, and they can sync across your ecosystem (for example, through iCloud Keychain or Google Password Manager).
Passkeys also reduce IT headaches, because there are fewer password resets, fewer lockouts, and less password management overall. Better security, less friction.
Security and usability can both win
Moving away from text codes can feel like a change for some users, because SMS has been “the default” for years.
The key is communication. When people understand how SIM swaps and phishing really work, they are usually more open to the switch, especially when they realize it is protecting their paychecks, their clients, and their personal accounts too.
A phased rollout can make sense for the broader team, but phishing-resistant MFA should be required for high-risk accounts right away, especially admins and executives. Privileged accounts should not be protected by SMS.
The cost of doing nothing
Sticking with legacy MFA can create a false sense of security. It might check a compliance box, but it can still leave you exposed to account takeover, breaches, and expensive recovery work.
Upgrading authentication is one of the highest ROI security moves you can make. Hardware keys and modern authentication tools cost far less than incident response, downtime, and reputation damage.
If you’re ready to move beyond passwords and text codes, we can help you roll out a secure setup that protects your data without making your team miserable. Reach out and we’ll map out the best option for your business.
