Why It’s Time to Move Beyond SMS MFA: Modern Authentication Demands Modern Defenses

For years, SMS-based multi-factor authentication has been the default choice for organizations trying to add a second layer of protection to their login processes. It was familiar, universally accessible, and easy for users to adopt. But in today’s threat landscape, convenience has become a liability. Attackers have evolved far beyond guessing passwords or scraping leaked credentials; they are now targeting the weaknesses of the very systems we put in place to protect our identities.

And nowhere is that more evident than in the unraveling reliability of SMS MFA.

The Crumbling Foundation of SMS MFA

SIM swapping has become one of the most damaging and widely reported attack vectors in recent years. In early 2025 alone, researchers documented a 38% spike in successful SIM swap attacks, with average losses exceeding $11,000 per victim. Attackers don’t need advanced tools; they just need personal information and persuasive social engineering skills. With a convincing story and a bit of pressure on a mobile carrier support representative, a criminal can reroute a victim’s number to their own SIM card. Once that happens, every SMS message, including MFA codes, flows directly into the attacker’s hands.

But social engineering is only one piece of the problem. Beneath the surface lies a more troubling reality: The underlying telecommunications infrastructure simply wasn’t designed to withstand modern threat actors. SS7 and Diameter, the signaling protocols that route calls and SMS messages worldwide, still rely on trust models created decades ago. Skilled adversaries can exploit weaknesses in these protocols to intercept messages in transit, often without leaving a trace. Your user receives their SMS code as usual; they just don’t realize someone else received it first.

Layer onto this the increasing sophistication of smishing campaigns, where attackers replicate legitimate brands and trick users into handing over MFA codes on fraudulent sites. The problem is no longer theoretical. It’s systemic. SMS wasn’t built for security, and the cracks are showing.

One of the most striking real-world examples came from an incident in which a recycled phone number enabled someone to access an Amazon account without the original password. That’s how fragile SMS-based identity truly is: Control the phone number, and you control the identity tied to it.

The Bluetooth MFA Detour: Better, but Not Good Enough

As awareness of SMS vulnerabilities has grown, some vendors have turned to Bluetooth-based proximity verification as an alternative. At first glance, the idea seems promising: If your phone is physically near your computer, you must be the one trying to log in. But Bluetooth brings a different class of security concerns, ones that aren’t immediately obvious to end users.

Bluetooth Low Energy (BLE), the backbone of most proximity features, is convenient but notoriously challenging to secure. Academic researchers have demonstrated BLE spoofing attacks (BLESA) that allow adversaries to impersonate paired devices during reconnection. These attacks break the very assumption proximity-based MFA depends on: that the device near you is authentic and trustworthy. These vulnerabilities have been observed across major operating systems, including Linux, Android, and iOS.

And BLE’s weaknesses don’t stop at spoofing. Signals can be replayed, relayed across distances, or intercepted with relatively inexpensive equipment. Even consumer-grade trackers like AirTags and SmartTags have been shown to fall victim to signal manipulation, eavesdropping, and firmware tampering, a reminder that Bluetooth’s attack surface is wide.

None of this means proximity verification is useless; far from it. Solutions like Duo’s Proximity Verification add valuable phishing resistance and domain validation, dramatically reducing the risk of approving malicious requests. But at the end of the day, Bluetooth is still a radio protocol with inherent limitations. It moves the security needle forward, but not far enough.

The Case for Authenticator Apps: Stronger, Simpler, Safer

If SMS is too vulnerable and Bluetooth is too inconsistent, then where should organizations go next? Increasingly, security professionals agree: Authenticator apps using TOTP (Time-Based One-Time Passwords) represent the most practical, resilient step forward.

The strength of authenticator apps lies in their cryptographic foundation. Every 30 seconds, they generate a new code based on a shared secret and the current time: no cellular network, no radio protocol, no transmission path for attackers to intercept. The shared secret resides only on the device, protected by hardware encryption and biometrics. And unlike SMS or push notifications, authenticator apps work fully offline, eliminating entire categories of attack.

Industry experts, from CISA to the FBI to major identity providers, have repeatedly emphasized the importance of moving away from SMS. This guidance has become even more urgent following recent telecommunications breaches and widespread MFA bypass incidents. Stronger authentication isn’t optional anymore; it’s foundational.

Beyond raw security, authenticator apps strike a surprisingly good balance between protection and usability. They’re fast, predictable, widely supported, and free. Most users already know how to scan a QR code and enter a six-digit number. For organizations, the shift is often smoother than expected, especially compared to deploying hardware keys or rolling out new Bluetooth dependencies.
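To make the "shared secret plus current time" construction concrete, here is an added example (not code from the original article or from any vendor it mentions): a minimal RFC 6238 TOTP implementation in Python. It shows the 30-second, six-digit code generation described above, the otpauth URI that an authenticator app reads from the enrollment QR code, and the two server-side checks a verifier needs that the article does not spell out: a small tolerance window for clock drift and rejection of a code that has already been used. The account name, issuer, and demo secret (the RFC 6238 test key) are constructed placeholders, not real credentials.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

TIME_STEP = 30   # seconds per code, as described in the article
DIGITS = 6       # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                   # low nibble of last byte selects a 4-byte window
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time=None, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the clock divided into 30-second steps. No network involved."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, int(unix_time) // step, digits)


def new_secret() -> bytes:
    """Fresh 160-bit shared secret (the size RFC 4226 recommends) from the OS CSPRNG."""
    return secrets.token_bytes(20)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI in the Key URI format that authenticator apps decode from the enrollment QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return (f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


class TotpVerifier:
    """Server-side check: tolerates +/- `window` steps of clock drift and refuses replayed or stale codes."""

    def __init__(self, secret: bytes, window: int = 1, step: int = TIME_STEP, digits: int = DIGITS):
        self.secret = secret
        self.window = window
        self.step = step
        self.digits = digits
        self.last_counter = -1      # highest time-step counter already accepted for this user

    def verify(self, candidate: str, unix_time=None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        candidate = candidate.strip().encode("ascii", "replace")   # non-digit input simply will not match
        counter = int(unix_time) // self.step
        for delta in range(-self.window, self.window + 1):
            c = counter + delta
            if c <= self.last_counter:          # that step was already consumed: replay or stale code
                continue
            expected = hotp(self.secret, c, self.digits).encode("ascii")
            if hmac.compare_digest(expected, candidate):   # constant-time comparison
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector key), not a real credential.
    demo_secret = b"12345678901234567890"
    print(provisioning_uri(demo_secret, "alice@example.com", "ExampleCorp"))  # hypothetical account and issuer
    now = int(time.time())
    code = totp(demo_secret, now)
    verifier = TotpVerifier(demo_secret)
    print("code:", code, "accepted:", verifier.verify(code, now), "replayed:", verifier.verify(code, now))
```

The verifier keeps the highest accepted counter per user so that a code captured by a smishing page cannot be submitted a second time within its validity window, and the drift window is deliberately small (one step either side) because widening it is exactly what extends an intercepted code's useful life. In a real deployment the secret and `last_counter` would be stored server-side per user; here they live in the object for the sake of a stand-alone example.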

What CIOs and CTOs Should Be Doing Right Now

If you lead technology or security strategy, the takeaway is clear: Authentication is evolving, and your organization must evolve with it. Attackers have already moved upstream from passwords to MFA. That means your defenses must move upstream too.

Here’s what you can do immediately to reduce risk and strengthen your identity security posture:

  • Start by eliminating SMS MFA wherever possible. Phase it out for all high-privilege accounts first: administrators, executives, IT staff, and finance teams, then expand organization-wide.
  • Shift your users to authenticator apps as the new default. They offer the best combination of strong security, low friction, and minimal operational overhead.
  • Implement phishing-resistant authentication for your most critical workflows. This includes FIDO2 security keys, passkeys, and platform-based authenticators such as Windows Hello and iOS Secure Enclave.
  • Reinforce identity workflows around resets and recovery. The strongest MFA is only as secure as the process that resets it. Introduce identity proofing, Temporary Access Passes, and conditional access restrictions.
  • Educate your workforce consistently. Your users are part of your identity ecosystem. Help them understand why authentication is changing, what to expect, and how it protects both them and the organization.
  • Most importantly, treat identity security as a strategic priority, not an IT feature. Identity now sits at the center of access, compliance, zero trust, insider threat mitigation, and cyber resilience. The organizations that manage it well will be the ones prepared for the next generation of threats.
Chris Hippensteel | New Resources Consulting