Are SMS-based logins a good idea?

Is using SMS for logins, account recovery, or password resets a good idea?


Using SMS codes for logins and password resets exposes customers to SIM-swapping and man-in-the-middle attacks. Companies that continue to offer SMS to verify consumers are ethically challenged and don't defend customers against targeted attacks.

If you use SMS codes for 2FA, it must only be offered when other more secure 2FA options exist, and SMS should never ever be used as an account recovery fallback.
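The two rules above can be checked mechanically against an authentication policy. The following is an added example, not code from this page's author: the policy layout, the flow names, and the set of methods treated as "more secure" than SMS (TOTP, WebAuthn, passkeys) are assumptions made for illustration.

```python
# Added example: audit an authentication policy against the two SMS rules.
# Flow names, method names and the policy layout are illustrative assumptions.

STRONGER_THAN_SMS = {"totp", "webauthn", "passkey"}  # assumed "more secure" options
RECOVERY_FLOWS = {"account_recovery", "password_reset"}


def audit_policy(policy):
    """Return a list of (flow, finding) tuples; an empty list means compliant.

    policy maps a flow name to the verification methods that flow accepts,
    e.g. {"login_2fa": ["sms", "totp"], "password_reset": ["email_link"]}.
    """
    findings = []
    for flow, methods in policy.items():
        offered = {m.strip().lower() for m in methods}
        if "sms" not in offered:
            continue
        if flow in RECOVERY_FLOWS:
            # SMS must never be a recovery or reset path: a SIM swap would
            # then bypass whatever stronger factor protects the login itself.
            findings.append((flow, "SMS offered as a recovery fallback"))
        elif not offered & STRONGER_THAN_SMS:
            # SMS 2FA is only acceptable when a stronger option is also offered.
            findings.append((flow, "SMS offered with no stronger 2FA option"))
    return findings


# Constructed sample policies (not taken from any real service).
SMS_ONLY = {"login_2fa": ["SMS"], "password_reset": ["sms", "email_link"]}
STRONG_LOGIN_WEAK_RECOVERY = {"login_2fa": ["sms", "webauthn"],
                              "account_recovery": ["sms"]}
COMPLIANT = {"login_2fa": ["sms", "totp"], "password_reset": ["email_link"]}

if __name__ == "__main__":
    for name, policy in [("SMS_ONLY", SMS_ONLY),
                         ("STRONG_LOGIN_WEAK_RECOVERY", STRONG_LOGIN_WEAK_RECOVERY),
                         ("COMPLIANT", COMPLIANT)]:
        print(name, audit_policy(policy) or "ok")
```

The second sample is the case worth noticing: the login offers WebAuthn, yet the policy still fails because recovery falls back to SMS.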

Year after year, criminals writ large demonstrate that they know SMS one-time codes are a weak link. They hurt customers by attacking that weak link. Don't hurt your customers! SMS is not cool anymore. Pass it on!

Here are a few high-profile SIM-swap attacks. And here is a blog post explaining in more detail.