SMS codes are better than nothing, but they're also the weakest widely-used 2FA method. Here's what to switch to instead.
SMS-based two-factor authentication became the default because it's universally accessible — everyone has a phone number, no app or hardware required. That accessibility came at a real cost: SMS is vulnerable to SIM swapping, network interception, and real-time phishing in ways that newer methods simply aren't.
None of this means SMS 2FA is worthless — it's still meaningfully better than no second factor at all. But for accounts that actually matter, stronger options exist today that take only marginally more effort to set up.
Three upgrades from SMS, each with a different effort-to-security tradeoff.
| Method | Phishing Resistant? | Setup Effort | Best For |
|---|---|---|---|
| Authenticator App (TOTP) | Partially | Low | Most accounts, easy upgrade from SMS |
| Hardware Security Key | Yes, strongly | Moderate | High-value accounts (email, financial, work) |
| Passkeys | Yes, strongly | Low once supported | Newer accounts/services with support |
The table tells you the resistance level. This is how each one actually behaves day to day.
Most people only need to act on their top few accounts to get most of the benefit.
Three specific risks, and what actually mitigates each one.
| Risk | How It Affects SMS | Mitigated By |
|---|---|---|
| SIM swapping | Attacker ports your number to their device | Authenticator app, hardware key, passkey |
| Network interception | SMS can be intercepted on some networks | Any non-network-based method |
| Phishing | Codes can be relayed to an attacker in real time | Hardware key, passkeys (phishing-resistant by design) |
For a quick, broad upgrade from SMS — switch to an authenticator app today on every account that supports it. For your highest-value accounts — a hardware security key, ideally two registered as backups. Where supported — passkeys are the most seamless long-term direction.
The biggest single improvement most people can make is simply moving their primary email off SMS — everything else tends to flow from that one account.
View Our Full Security RankingsFor most casual threats it's fine, but against a targeted attack (SIM swapping, real-time phishing), it's meaningfully weaker than app-based or hardware-based methods — the gap matters most for high-value accounts specifically.
Most apps support backup and recovery through cloud sync or exported backup codes set up in advance — without this, losing the device can genuinely lock you out, which is why setting up a recovery method ahead of time matters.
Yes — passkeys are phishing-resistant by design and can't be reused across sites the way a leaked password can, eliminating an entire category of common attacks.
No — reserve hardware keys for your highest-value accounts. An authenticator app is a sufficient, much lower-effort upgrade for the majority of lower-stakes accounts.
A lost key alone typically isn't enough to access your accounts, since it works alongside your password or PIN. That said, losing one is still a reason to consider revoking it from your accounts and registering a replacement.
Where possible, disable it if a stronger primary method is set up — leaving SMS active as a fallback re-introduces the same weaknesses you upgraded away from.
This depends on your device ecosystem — Apple, Google, and Microsoft each have their own passkey syncing systems, and cross-ecosystem syncing (e.g., Apple to Windows) is still inconsistent in 2026.
This guide covers the framework — our category page covers current device and platform support across every 2FA method we've reviewed.