Why SMS-based MFA is not enough.
SMS codes are better than no MFA — and worse than you think. SIM swapping quietly bypasses them, especially for high-value targets.
SMS codes were the MFA gateway drug — they got millions of people onto a second factor, and that's real progress. But SMS is also the weakest form of MFA, and for high-value accounts at small and mid-sized businesses, it's getting bypassed regularly through SIM swapping.
How SIM swapping actually works
An attacker gathers enough information about you to impersonate you in a call to your mobile carrier. They claim your phone was stolen and they need your number moved to a new SIM. The carrier, under social pressure, complies. Your phone loses signal. The attacker's phone now receives your SMS codes. They already have your password from a breach. Within minutes, your email, banking, and payroll are exposed.
Real examples from real businesses
“A small-business owner in Morris County had his carrier number ported on a Saturday morning.”
Red flag: He'd been locked out of his own phone by lunch. His bank login had SMS MFA. $38K gone by Monday. Only the bank's fraud team got most of it back.
“A VP of Finance at a 30-person firm had her personal number SIM-swapped after a minor data breach at an unrelated retailer.”
Red flag: The attacker used the SMS code to reset her personal Microsoft account, which was the recovery email for her work Gmail. Cascading compromise.
What to use instead
- Authenticator apps (Microsoft Authenticator, Duo, Authy) — codes generated on your device, nothing sent via SMS.
- Push-based MFA with number matching — you confirm a number shown on your laptop inside the app.
- Hardware security keys (YubiKey, Google Titan) — the strongest option, phishing-resistant by design.
- If a service only supports SMS, pressure them to support app-based MFA and use a dedicated, private number for that account.
High-value users need hardware keys.
Business owners, finance leads, and IT admins should carry a YubiKey. We can set up and roll them out across your team.
1. Audit your accounts — anywhere you're using SMS for MFA, switch to an authenticator app if possible.
2. For email, banking, payroll, and your domain registrar, use a hardware security key.
3. Add a PIN or passcode to your mobile carrier account to prevent port-out fraud.
4. Don't use your mobile number as a recovery method for your most sensitive accounts.
5. Review recovery options on every critical account — many accept weaker methods than you think.
Want help securing your business?
Schedule a quick security review with our team. 15 minutes, no sales pressure — walk away knowing exactly where your gaps are.