SMS 2FA Insecurity

This cluster focuses on criticisms of SMS-based two-factor authentication (2FA) due to vulnerabilities like SIM swapping and SS7 attacks, with recommendations for secure alternatives such as TOTP or hardware keys.

📉 Falling 0.2x Security

4,983

Comments

Years Active

Top Authors

#2680

Topic ID

Activity Over Time

2009

2010

2011

2012

103

2013

2014

131

2015

2016

228

2017

318

2018

307

2019

467

2020

408

2021

692

2022

697

2023

578

2024

535

2025

275

2026

Top Contributors

lxgr (46) exabrial (44) UncleMeat (25) lotsofpulp (22) bigiain (21)

Keywords

e.g IT US TOTP OTP SMS arstechnica.com HN SIM U2F sms 2fa totp secure phone sim authentication password otp mobile

Sample Comments

vmception • Jun 16, 2020 • View on HN

Why are you using SMS 2FA?

_Algernon_ • Aug 6, 2022 • View on HN

You shouldn't be using sms as 2fa anyways. It's barely better than no 2fa at all. Use an authenticator app.

exabrial • Apr 7, 2020 • View on HN

Please stop supporting sms for 2FA. It's not better than nothing, it's worse than nothing. Given the extent of technology workers on hacker news please work to remove this antipattern from your products.

ivanjermakov • Aug 8, 2025 • View on HN

Related: SMS 2FA is not secure https://news.ycombinator.com/item?id=27447206

sand500 • Oct 5, 2022 • View on HN

SMS 2FA is not secure. Lots of HN posts about it:https://hn.algolia.com/?q=sms+2fa

sammy2255 • Sep 12, 2023 • View on HN

Ironically SMS 2fa is less safer than just using a password

sha666sum • Oct 17, 2019 • View on HN

SMS 2FA is better than nothing if, and only if, you don't allow password resetting by owning the SMS.

tapoxi • Feb 26, 2021 • View on HN

Don't use SMS as 2FA, it's insecure. TOTP is a much better solution.

stephenr • Aug 1, 2017 • View on HN

I think you need to re-visit your SMS support decision. SMS for 2FA is not secure, at all.

ThePowerOfFuet • Jun 26, 2021 • View on HN

Why are you using SMS 2FA anyway?