>
ADVERTORIAL

Two-factor — and why SMS codes are the weak link

25 Jun 2026 · 3 min read · Comments

This article contains affiliate links. If you buy through them, we may earn a commission — at no extra cost to you.

Two-factor authentication is one of the most effective security upgrades you can make. But not all two-factor is the same — and the most common version, the one most services default to, has a specific, well-documented vulnerability that most people don't know about.

Two-factor authentication works by requiring something you know (your password) and something you have (typically a code). Even if someone steals your password, they can't log in without the second factor. It's genuinely good. The question is what "something you have" means.

The problem with SMS codes

SMS codes are sent to your phone number. Your phone number is controlled by your carrier. And carriers can be manipulated — sometimes through social engineering, sometimes through outright bribery of employees — into transferring your number to a SIM card the attacker controls. This is called a SIM swap.

Once your number is transferred, every SMS code sent to "your" phone goes to the attacker's device. Your password plus any SMS-based two-factor is now theirs. High-value targets — people with significant cryptocurrency, executives, journalists — are regularly compromised this way.

Two-factor methods — relative strength
Method
Strength
Vulnerable to
SMS code
Weak
SIM swap, SS7 attacks, phishing
Authenticator app (TOTP)
Good
Real-time phishing (if attacker acts fast)
Hardware key (passkey)
Strong
Physical theft of the key

What to use instead

An authenticator app generates time-based codes on your device. They're not transmitted over the phone network — no SIM swap can intercept them. Apps like Google Authenticator or Authy work this way. NordPass also includes a built-in authenticator, which means your 2FA codes and passwords live in the same secure vault.

Two-factor is worth having even in its weakest form. SMS 2FA is vastly better than no 2FA. But if you're going to use it, it takes about two minutes per account to upgrade from SMS to an authenticator app — and the gap in protection is significant.

Frequently asked questions

What is credential stuffing?+

Credential stuffing is when attackers take email and password combinations exposed in one breach and automatically try them against other services. If you reuse passwords, a breach at one site gives attackers access to every account with the same credentials.

Is it safe to store all your passwords in one place?+

Yes, when using a reputable password manager. The encrypted vault is far more secure than reused or weak passwords. Password managers like NordPass use zero-knowledge architecture — meaning even the company cannot see your stored passwords.

What is two-factor authentication and should I use it?+

Two-factor authentication (2FA) requires a second verification step beyond your password — typically a code from an app. Use an authenticator app (Google Authenticator, Authy) rather than SMS codes, which are vulnerable to SIM-swap attacks.

Passwords and 2FA codes in one secure vault
NordPass stores your passwords and generates your authenticator codes. One app, one master password, everything synced across your devices.
⭐ 4.5/5 · millions of passwords protected
Try NordPass →

Sam Feldman
Sam Feldman
"A good banner has no fixed form and has no inherent meaning."
Austin, TX · https://sams.blog/weekly
RELATED READING
The password catastrophe nobody thinks about
You reuse one password. The hackers are counting on it.
Password managers, explained for normal people
You’re About to Get the Exact Security Setup I Built for My Own Parents — the One That Actually Works

Most people have one layer of protection. They’re missing three.

  • The 3-layer setup I’d never skip — stripped to what matters.
  • Who’s really watching you — your browser, your provider, and the “free” tools selling your data. How to shut them out.
  • A 30-second leak check — most people’s passwords are already out there. See if yours are, and what to do.
  • Pull your info back, data brokers are selling your address and number right now. Here’s how to get removed.

20 minutes, start to finish — then it runs in the background. Enter your email and I’ll send it over.

Something went wrong — please try again.
You're in — check your inbox shortly.
100% confidential. Unsubscribe anytime.