In today’s digital world, many of us protect our online accounts using two-step verification. This process, known as multi-factor authentication (MFA), usually requires a password and an extra code, often sent via SMS, to log in. It adds an extra layer of protection, but there’s a growing concern: receiving these codes through text messages might not be as secure as we think.
Why Text Messages Aren’t the Safest Option
When you get a code on your phone, you might assume it’s sent directly by the company you’re logging into—whether it’s your bank, email, or social media. In reality, these codes are often delivered by external service providers hired by big tech firms. Some of these third-party firms have been connected to surveillance operations and data breaches, raising serious concerns about privacy and security.
Worse, these companies operate with little public transparency. Several investigative reports have highlighted how this lack of oversight puts user information at risk. Additionally, government agencies such as the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have warned people not to rely on SMS for authentication. Text messages are not encrypted, which means hackers who gain access to a telecom network can intercept them easily.
What Should You Do Instead?
Don’t ditch multi-factor authentication altogether. It’s still a critical defense against account hijacking. But you should consider switching to a more secure method—such as using an authenticator app.
How Authenticator Apps Work
Authenticator apps are programs installed on your smartphone or computer. They generate temporary codes for your accounts that refresh every 30 seconds. Because these codes live inside your device and aren’t sent over the internet or phone networks, they’re far more difficult for criminals to intercept.
Apps like Google Authenticator, Microsoft Authenticator, LastPass, and even Apple’s built-in password tools provide this functionality. Most major platforms now allow you to connect an authenticator app instead of relying on SMS.
Want Even Better Protection? Try Passkeys
If you want the most secure login method available today, look into passkeys. These are a newer, password-free login option developed by a group of leading tech companies. Instead of typing in a password or code, you unlock your account using your face, fingerprint, or device PIN.
Here’s how it works: your device stores a private key, while the website keeps the matching public key. Only when these two keys match—and you prove your identity through a biometric scan — are you allowed to log in. Because there are no codes or passwords involved, there’s nothing for hackers to steal or intercept.
Passkeys are also backed up to your cloud account, so if you lose your device, you can still regain access securely.
Multi-factor authentication is essential—but how you receive your codes matters. Avoid text messages when possible. Opt for an authenticator app, or better yet, move to passkeys where available. Taking this step could be the difference between keeping your data safe or leaving it vulnerable.