
For years, two-factor authentication was the security advice that actually stuck. Enable it everywhere. Use it on your email, your bank, your social accounts. It's one of the most repeated pieces of digital security advice out there – and it was genuinely good advice. The problem is that the threat landscape has quietly moved faster than the advice has.

Two-factor authentication still matters. But the version most people are using – an SMS code texted to your phone – is now a known attack surface, not a reliable defense. And even stronger forms of 2FA are being bypassed by techniques that are becoming increasingly common and accessible to attackers.
Here's what's actually happening, and what a more honest version of the advice looks like in 2025.
The core idea behind two-factor authentication is sound: instead of securing an account with just something you know (your password), you add something you have (your phone, a hardware key) or something you are (a biometric). Even if an attacker steals your password, they can't get in without the second factor.
For most of the 2010s, this worked well enough. The attackers most people needed to worry about were running credential stuffing campaigns – taking leaked username/password combinations from data breaches and trying them at scale across the web. Against that threat, any form of 2FA was a meaningful barrier. If an attacker had your password but not your phone, they were stopped.
That's still true for unsophisticated attacks. The issue is that sophisticated attacks have become a lot more common, and several of them are specifically designed to defeat 2FA.
SMS-based 2FA is the version most people use, and it's also the weakest form available. The vulnerabilities aren't theoretical – they've been exploited repeatedly against real targets.
SIM swapping is the most widely reported attack vector. It works by convincing (or bribing) a mobile carrier's customer support staff to transfer a victim's phone number to a SIM card controlled by the attacker. Once the number is moved, all SMS messages – including authentication codes – route to the attacker's device. The victim's phone simply loses signal. High-profile SIM swap victims have included cryptocurrency executives, Twitter employees, and journalists. The attacks succeed because carrier identity-verification processes are inconsistent and are routinely defeated by social engineering; often there is no technical barrier to get past at all.
SS7 vulnerabilities are the deeper infrastructure problem. SS7 (Signaling System No. 7) is the protocol that underpins global phone network interconnection – the technology that makes it possible to receive a call or text when you're abroad. It was designed in 1975 for a closed network of trusted carriers, with essentially no authentication between nodes, and the fundamental architecture has never been replaced despite decades of known exploitation. Researchers have demonstrated that with access to the SS7 network – which is available to telecom operators globally, some of whom have looser security practices than others – SMS messages can be intercepted without the target noticing anything is wrong.
For most people, a full SS7 attack isn't a realistic threat: it requires access to carrier signaling infrastructure. SIM swapping is a realistic one for anyone an attacker singles out individually, cryptocurrency holders especially. Either way, a code sent to your phone via SMS is not a secure second factor against an attacker motivated enough to go after you specifically.
The more widespread threat right now isn't carrier-level attacks – it's adversary-in-the-middle (AiTM) phishing, and it's become genuinely alarming in its effectiveness and accessibility.
Traditional phishing steals your password. AiTM phishing steals your password and your authenticated session at the same time. Here's how it works: you receive a phishing link that leads to a page that looks exactly like a legitimate login page but is actually a reverse proxy sitting between you and the real site. When you enter your credentials, the proxy forwards them to the real site in real time. The real site responds by asking for your second factor, and the proxy shows you that prompt. You get a code, whether via SMS or an authenticator app, type it in, and the proxy forwards that too. You might see an error or get redirected to the real site and assume something minor went wrong. Meanwhile, the attacker holds the session cookie the real site issued at the end of that login, and that cookie lets them act as you without authenticating again until the session expires or is revoked.
Toolkits for running AiTM attacks – most notably Evilginx and Modlishka – are freely available and documented online. They're used by penetration testers but also by actual attackers, and they work against time-based one-time password (TOTP) authenticator apps just as effectively as SMS. A TOTP code is only valid for a 30-second window, but that is far longer than an automated proxy needs to pass it through.
Microsoft's security team reported in 2022 that a single AiTM phishing campaign targeted over 10,000 organizations, bypassing Microsoft 365 multi-factor authentication at scale. This isn't an edge case.
Authenticator apps – Google Authenticator, Authy, Microsoft Authenticator – are a meaningful step up from SMS. They're not vulnerable to SIM swapping or SS7 attacks because the code is generated locally on your device from a shared secret, not transmitted over the phone network. (If the app syncs its secrets to a cloud account, that account becomes part of the attack surface, so protect it accordingly.) Against most threats, they're significantly better.
But as the AiTM phishing problem illustrates, authenticator app codes can still be stolen in real time by a proxy forwarding your input to the legitimate site. The code is valid long enough to be intercepted and used. This doesn't mean authenticator apps are useless – they absolutely raise the bar compared to SMS – but it does mean they're not a complete solution against a targeted attacker.
There's also the account recovery problem. Many services that support authenticator apps also offer SMS-based recovery as a fallback "in case you lose access to your authenticator." That fallback reintroduces exactly the vulnerability you tried to eliminate. An attacker who can SIM swap your number can trigger the recovery flow, receive the recovery code via SMS, and regain account access regardless of your authenticator app setup.
The attacks described above share a common property: they all involve stealing or intercepting a code that you type or transmit. The solution, logically, is to use an authentication method where there's no code to steal.
Hardware security keys (physical devices like YubiKey or Google Titan Security Key, built on the FIDO2/WebAuthn standard) work via cryptographic challenge-response. When you authenticate, the browser tells the key which site's credential to use based on the domain you are actually on, and the key signs the site's challenge together with that origin. A phishing proxy cannot reuse this signature: a key registered with the real Google holds no credential for a lookalike domain, so a convincing fake of Google never gets a valid response at all, and any signature the attacker did obtain would name the wrong origin and be rejected. This is called phishing-resistant authentication, and it's the most robust form available to consumers today.
Passkeys are the software equivalent now being rolled out by Apple, Google, Microsoft, and major services. They use the same FIDO2 cryptographic architecture as hardware keys, stored on your device (or synced across your devices through your platform account's keychain) and protected by biometric verification or your device PIN. Like hardware keys, passkeys are domain-bound – a passkey for your Google account won't be used on a phishing page impersonating Google, because the browser checks the actual domain before the passkey ever signs anything. Google reported that passkey adoption drove significant improvements in both security and login success rates in early rollouts, and Apple's passkeys implementation is now available across iOS and macOS.
The shift to passkeys isn't complete yet. Many services don't support them, and some implementations are better than others. But the direction is clear, and for services that support passkeys or FIDO2 hardware keys, the real-time phishing attacks that plague SMS and TOTP 2FA simply don't apply: the proxy has nothing it can relay. One caveat worth stating plainly: a session cookie stolen by malware on your device after a legitimate login is a separate problem that no login method fixes. What phishing-resistant authentication closes is the AiTM route to obtaining one.
Not all second factors are created equal, and it's worth being clear about the ranking.
SMS codes are the weakest form of 2FA – better than nothing, but vulnerable to SIM swapping, SS7 interception, and real-time phishing proxies. If a service only offers SMS 2FA, use it, but treat it as a partial defense rather than a reliable one.
TOTP authenticator apps are better. They eliminate carrier-level vulnerabilities, and against most attackers they're effective. They're still vulnerable to AiTM phishing proxies and to services with SMS-based fallback recovery.
Passkeys and FIDO2 hardware keys are the current best available option for consumer-level authentication. They're phishing-resistant by design, there's no code to steal or intercept, and they work faster and more smoothly than typing a 6-digit code. The main limitation is adoption – not every service supports them yet.
For accounts that matter most – email, banking, primary social accounts, password manager – check whether passkeys are available and enable them if so. Google, Apple, Microsoft, GitHub, and a growing list of services now support passkey login. For accounts that don't support passkeys, move to an authenticator app and remove SMS as a fallback recovery option where possible.
For the highest-risk accounts, a FIDO2 hardware key like a YubiKey is worth the $50–$70 investment. Buy two and register both, so that losing one doesn't lock you out. Journalists, activists, executives, and anyone who might be a targeted individual should treat hardware keys as a baseline, not an advanced option.
SMS 2FA is still worth using on accounts where it's the only option. Most people are never individually targeted for a SIM swap. But knowing the limitations means you won't be caught assuming you're more protected than you are.
Is SMS 2FA better than nothing? Yes, meaningfully so – against credential stuffing and most opportunistic attacks, even SMS 2FA stops the majority of unauthorized access attempts. The issue is that it doesn't protect against motivated, targeted attackers. Use it where it's the only option, but upgrade where you can.
What's the easiest way to start using passkeys? Google and Apple both have passkey support built into their platforms. On an iPhone or Android device, many major services will prompt you to create a passkey at login or in account security settings. The setup takes about 30 seconds and you authenticate using Face ID, fingerprint, or your device PIN going forward.
Do password managers support passkeys? Increasingly yes. 1Password, Dashlane, and Bitwarden have all added passkey support. This lets you sync passkeys across devices, which solves the problem of losing access when you change phones. The vault then becomes the thing to protect, so secure it with a strong master password and the most phishing-resistant second factor it supports.
If passkeys are so good, why isn't everyone using them? Service adoption is still catching up. Many websites and apps haven't implemented passkey support yet, particularly smaller services and older enterprise platforms. The infrastructure is moving faster than expected, but full adoption across the web will take several more years.
What is a FIDO2 hardware key and do I need one? A FIDO2 key is a small USB or NFC device (like a YubiKey) that stores cryptographic credentials and handles authentication locally. You tap it or insert it when logging in. Most people don't need one – passkeys on a phone provide comparable protection for everyday use. But if you're in a high-risk category (journalist, executive, activist, crypto holder), a hardware key adds a layer of physical protection that a phone-stored passkey doesn't.
The advice to "enable two-factor authentication" hasn't become wrong – it's become incomplete. The version of 2FA that most people are running is fighting yesterday's attacks. The good news is that the upgrade path is clearer and more accessible than it's ever been: passkeys are free, built into devices most people already own, and genuinely better in almost every measurable way. The inconvenient truth is that the work of switching isn't automatic – you have to go update your accounts. That's still the bottleneck it's always been.
Microsoft Security Blog – AiTM Phishing Campaign Targeting 10,000+ Organizations: https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud
CISA – More Than a Password: Multi-Factor Authentication Guide: https://www.cisa.gov/mfa
FIDO Alliance – Passkeys Overview: https://fidoalliance.org/passkeys
Google Security Blog – Passkeys Adoption and Security Metrics: https://security.googleblog.com/2023/10/an-update-on-passkeys-at-google.html
Krebs on Security – SIM Swapping Attacks Explained: https://krebsonsecurity.com/2021/03/can-we-stop-pretending-sms-is-secure-now
EFF – Two-Factor Authentication: How It Works and Its Limits: https://ssd.eff.org/module/two-factor-authentication