A carrier employee in 2025 got social-engineered into porting a phone number in under 10 minutes. The attacker walked straight into the victim's bank account using the intercepted SMS code. If that story makes you want to turn off 2FA entirely, you have diagnosed the wrong problem.
SIM swapping is a real attack. Telecom customer service is an embarrassingly weak link, and the carriers have spent years treating account security as someone else's problem. But the conclusion is not "2FA is cooked." The conclusion is "SMS is a terrible channel for delivering authentication codes and always was."
The Actual Threat Model
SMS 2FA works by betting that an attacker cannot intercept a text message sent to your phone. SIM swapping breaks that bet by moving your number onto the attacker's SIM before the message ever arrives. That attack chain does not touch TOTP (time-based one-time password) apps at all. Authy, Google Authenticator, 1Password's built-in TOTP, Bitwarden's authenticator: none of these involve your carrier. The shared secret lives on your device, and each code is an HMAC over the current 30-second time step, so there is nothing in transit for a swapped SIM to catch. The one caveat is the plumbing around the app: if the authenticator's cloud backup or the service's own account-recovery flow can be unlocked with a phone number, the SIM swap comes back in through that door, so check those settings too.
Hardware keys go further. A YubiKey or Google Titan key requires physical possession and speaks WebAuthn, which is phishing-resistant by design: the browser, not the web page, writes the origin it is talking to into the data the key signs, so a credential exercised on a lookalike domain produces a signature the real site rejects. You cannot socially engineer a Tier 1 carrier rep into cloning one. Per Splashtop's 2026 security analysis, MFA fatigue attacks are growing via AI automation and voice cloning, but those attacks target approval-based push notifications, where a user can be worn down into tapping Approve; a hardware key has no remote Approve button. The attack surface keeps shrinking the farther you get from SMS.
There is a fair version of the skeptic's argument: most people will not switch to a YubiKey. The friction is real. App-based TOTP is still a setup process that plenty of non-technical users abandon halfway through. If your threat model includes your parents or your company's least security-aware contractor, SMS 2FA might be better than nothing even knowing the SIM swap risk, because the attacks it still stops (credential stuffing, a password leaked in a breach) are far more common than a targeted SIM swap. I will grant that. But the answer to usability friction is better onboarding and product design, not removing the security layer entirely.
What Builders Should Actually Ship
If you are building authentication for an app right now, the decision tree is short. Do not use SMS as your primary 2FA channel, and do not let it hide in your password-reset or account-recovery flow either: an SMS-based reset bypasses whatever second factor you ship. Delivery reliability is a second strike against message-based codes: tightening DMARC policies at the big email providers cut Mailgun's delivery rates by 27.5% in 2025-2026, and SMS has its own carrier-side delivery problems layered on top of the security ones. Implement TOTP support and offer passkeys where your stack supports them. Libraries like otplib in Node or pyotp in Python make TOTP integration a morning's work, not a sprint; the parts that take care are storing the shared secret encrypted at rest, rate-limiting verification, and refusing a code that has already been accepted.
For hardware key support, the WebAuthn spec is stable and browser support is solid. The webauthn4j library for Java and py_webauthn for Python (Duo Labs' project) have real production mileage. This is not experimental infrastructure. Whichever library you use, do the origin, RP ID, challenge and signature-counter checks on the server; a client that merely claims the assertion checked out is exactly what a phishing proxy would send.
Attackers are not waiting, either: current threat analysis puts the exploitation window for new vulnerabilities at hours rather than weeks by 2026. A stolen or phished password is still the cheapest way in, and a properly implemented TOTP or hardware key setup takes that path away. Teams that pull 2FA because "SIM swapping is easy" are removing a door lock because the window latch is broken.
Fix the window latch. Keep the lock.