If your firm’s idea of multi-factor authentication is “we get a text message with a code,” you don’t really have MFA. You have something that feels like MFA, and that feeling is worth less than you think.
NIST deprecated SMS as a second factor back in 2016 in their Digital Identity Guidelines. The federal government has been saying for ten years that text messages aren’t strong enough. Ten years. And most small firms still use SMS because it was what their IT guy set up in 2018 and nobody went back and fixed it.
The reason SMS is weak isn’t the math. The codes themselves are fine. The problem is how the code gets to you.
SIM swapping is absurdly easy
A SIM swap is when an attacker convinces your mobile carrier to move your phone number to a new SIM card. The new SIM is in the attacker’s phone. Your phone stops working, their phone starts receiving your calls and texts, and any MFA codes sent to your number now go to them.
It sounds like an exotic attack. It’s actually a commodity. The FBI’s IC3 has been publishing warnings about SIM swapping since 2022, documenting hundreds of millions in losses. Most of those losses run through accounts protected by SMS two-factor.
How does the attacker get your carrier to swap your SIM? Usually they just call customer service and social-engineer the rep. Sometimes they bribe an insider at a retail store. Sometimes they use leaked customer data from carrier breaches to answer the security questions. Reuters has covered cases where employees at major U.S. carriers were paid a few thousand dollars to perform swaps. The whole thing takes an attacker about an hour, start to finish.
Once the number is moved, the attacker goes to your bank’s login page, enters your password (usually stolen from a data breach you forgot about), triggers the “text me a code” option, and the code arrives in their hand. They log in. They move the money. They use the same technique to reset your email password, your cloud storage, your social accounts. The whole identity cascade happens in twenty minutes.
SMS also fails in more boring ways. SIM swapping is the dramatic version. The everyday version is that an attacker who has already compromised your password triggers an SMS code while you’re in the middle of a phishing attempt, and you type the code into the fake site thinking it’s the real one. That’s how Reddit described their 2023 breach: an employee was phished into handing over both password and SMS code to attackers running a proxy server between them and the real login page.
What you should actually use
An authenticator app. Microsoft Authenticator, Google Authenticator, Authy, Duo, pick one. It generates codes on the device itself. The codes don’t travel over the cellular network. A SIM swap does nothing to you. An attacker who compromises your carrier can’t touch the app.
Even better is a physical security key like a YubiKey. It plugs into your laptop or taps your phone, and it won’t authenticate to a fake login page because the key verifies the actual site before it responds. Security keys make phishing nearly impossible on accounts that use them. Google famously stopped having employee phishing breaches after they moved their whole workforce to security keys.
Best of all are passkeys, the newer version of this technology built into every modern phone and computer. No password, no code, just your device authenticating you. Microsoft, Google, and Apple all support them now, and Microsoft 365 handles them natively.
For a law firm or CPA practice, the realistic path is authenticator apps for everyone, security keys for administrators and partners, and move toward passkeys as your software supports them. None of this is expensive. The apps are free. A YubiKey is about $50 and lasts for years.
The one hard part is turning SMS off once you’ve done the upgrade. People get attached to texts. They know how texts work. They understand them. But keeping SMS enabled as a “backup” defeats the entire point. An attacker who compromises your number doesn’t care that you also have an authenticator app. They’ll just use the SMS option, because it’s still there.
If SMS is available, SMS will be used, and not by the person you want using it. Turn it off. The CISA guidance on phishing-resistant MFA makes this distinction explicitly: phishing-resistant MFA means hardware keys or passkeys. Anything else is the middle tier, and SMS doesn’t even make the middle tier.
This applies to your bank, your email, your Microsoft 365, your practice management system, anything that matters. If the second factor is a text message, you’re one bribed retail store employee away from watching your accounts empty out in real time. The technology to prevent it has been widely available for almost a decade. The upgrade is a Tuesday morning project, not a capital expense. The only thing that keeps firms from doing it is that SMS has felt fine so far.
Felt fine isn’t a security control.
