
Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is a method that strengthens account security by requiring a second authentication factor in addition to a password. The basic principle combines two or more of three factors: "knowledge" (password), "possession" (smartphone), and "biometrics" (fingerprint/face). SMS codes sent to phone numbers are the most widely used "possession" factor.

SMS authentication is straightforward. After the password is entered at login, a 4-6 digit confirmation code is sent via SMS to the registered phone number. Entering this code proves "possession of the device with that phone number." Banks, social media, email services, and e-commerce sites nearly all support SMS authentication; its popularity is driven by the convenience of requiring no additional apps or hardware.

However, SMS authentication has serious vulnerabilities. SIM swap attacks can hijack phone numbers, redirecting SMS codes to attackers. Interception of SMS via vulnerabilities in SS7 (the phone network signaling protocol) is also technically possible. Furthermore, smishing can direct victims to fake login pages where the SMS code they enter is relayed to the real site in real time, a man-in-the-middle attack. NIST (National Institute of Standards and Technology) designated SMS authentication as "deprecated" as early as 2016, recommending migration to safer alternatives.

Safer authentication methods include the following. Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) generate time-based one-time passwords (TOTP) on-device, eliminating the SMS interception risk. Hardware keys (YubiKey, Titan Security Key) are physical USB/NFC devices with the highest phishing resistance. Passkeys (FIDO2) combine biometrics with cryptographic keys, eliminating passwords entirely. Even when only SMS authentication is available, enabling it is safer than having no 2FA at all. For a comparison of authentication methods, see the articles on two-factor authentication and phone number risks.
