Multi-factor authentication was supposed to solve the password problem. And it did — for a while. But the version of MFA most businesses rely on today, a six-digit code sent to your phone via text message, has a significant and well-documented weakness that attackers are actively exploiting. Your MFA level up is overdue, and the gap between “we have MFA” and “we have effective MFA” is wider than most organizations realize.
SMS-based codes are better than no second factor at all. But they were never designed to be a security control. They ride on a cellular infrastructure built decades ago, and that infrastructure has real vulnerabilities. Understanding why SMS falls short — and what to use instead — is one of the most practical security investments you can make right now.
MFA Level Up: Why SMS Is No Longer Enough
SMS authentication has three fundamental problems that phishing-resistant alternatives eliminate entirely.
The first is SS7 vulnerabilities. SS7 is the signaling protocol that connects mobile networks globally, and it has known security flaws that allow attackers with the right access to intercept text messages in transit. This isn’t theoretical — the EFF and security researchers have documented active exploitation of SS7 weaknesses for years.
The second is SIM swapping. This attack doesn’t require any technical skill. An attacker calls your mobile carrier, claims to be you, says they lost their phone, and asks to transfer your number to a new SIM. If the support agent complies — and social engineering makes this more likely than you’d expect — your number moves to the attacker’s device. Every SMS sent to your number, including MFA codes, now goes to them. Your phone goes silent, your accounts get reset, and by the time you figure out what happened, the damage is done.
The third is real-time phishing relay. Sophisticated phishing sites now act as a proxy between you and the legitimate login page. You enter your credentials and SMS code on what looks like a real site. The attacker captures everything in real time and logs into the actual service before your code expires. Your SMS code provided no protection at all.
What Phishing-Resistant MFA Actually Means
Phishing-resistant MFA works differently at a technical level. Rather than generating a code that a user types in — which can be captured and replayed — it uses cryptographic protocols that bind the authentication to the specific domain being accessed.
The leading standard is FIDO2, which uses public key cryptography. When you register a FIDO2 authenticator with a service, a unique key pair is created and linked to that specific domain. When you log in, the authenticator signs a challenge from that domain. If an attacker tricks you into visiting a fake login page, the domain doesn’t match — the authenticator won’t complete the handshake, and the attacker gets nothing. It’s not a user training problem. It’s cryptographically impossible to phish.
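To make the domain binding concrete, here is an added example in Go that is not from the original article: a simplified WebAuthn-style exchange in which a relying party (the constructed domain bank.example) verifies an assertion and rejects one relayed through a lookalike origin. The Authenticator and ClientData types, the origins and the challenge strings are all constructed for the demonstration; the browser-side rule that the rpId must match the page origin is left out, so the rejection shown is the server's own origin check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator holds one key pair per relying-party ID (rpId); private keys never leave it.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }
// ClientData is assembled by the browser, not the page: the server's challenge plus the origin actually loaded.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Register creates a credential scoped to rpId and hands only the public key to the site.
func (a *Authenticator) Register(rpId string) *ecdsa.PublicKey {
	if a.creds == nil { a.creds = map[string]*ecdsa.PrivateKey{} }
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.creds[rpId] = k
	return &k.PublicKey
}
// signedMessage is what the authenticator signs: authData || sha256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// Assert mimics a WebAuthn assertion; authData carries sha256(rpId). A lookalike domain has no credential and gets nothing.
func (a *Authenticator) Assert(rpId string, cd ClientData) ([]byte, []byte, []byte, bool) {
	k, found := a.creds[rpId]
	if !found { return nil, nil, nil, false }
	h := sha256.Sum256([]byte(rpId))
	cdJSON, _ := json.Marshal(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, k, signedMessage(h[:], cdJSON))
	return h[:], cdJSON, sig, err == nil
}
// Verify is the relying party's check: a relayed assertion fails because the browser on the phishing page recorded the phishing origin.
func Verify(pub *ecdsa.PublicKey, rpId, origin, challenge string, authData, cdJSON, sig []byte) bool {
	var cd ClientData
	want := sha256.Sum256([]byte(rpId))
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Origin != origin || cd.Challenge != challenge || string(authData) != string(want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(authData, cdJSON), sig)
}
```

The same check also defeats replay: an assertion signed over one challenge fails verification against any later challenge, which is why there is nothing for a proxy site to capture and reuse.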
Hardware Security Keys
Hardware security keys are the gold standard for phishing-resistant authentication. These are small physical devices — most look like a USB drive — that you plug into your computer or tap against your phone to authenticate. The key performs a cryptographic handshake with the service. There are no codes to type, no codes to intercept, and no way to relay the authentication to a fake site.
For administrator accounts, finance staff, executives, and anyone with elevated access, hardware keys should be the mandatory standard. The cost per device is low. The protection they provide is as close to complete as authentication technology currently gets. If an attacker wants to compromise an account protected by a hardware key, they need to physically steal the key — which is a very different problem than phishing from the other side of the world.
Authenticator Apps with Number Matching
If hardware keys aren’t immediately practical across your entire organization, a modern authenticator app with number matching enabled is a substantial upgrade over SMS. Apps like Microsoft Authenticator and Google Authenticator generate codes locally on the device — no cellular network involved, no SIM swap risk.
The critical detail is number matching. Basic push notification approvals are vulnerable to MFA fatigue attacks, where an attacker with stolen credentials floods a user’s phone with approval requests until the user taps approve just to make it stop. Number matching requires the user to enter a specific number displayed on the login screen into the app, confirming they are looking at the screen that triggered the prompt rather than approving reflexively. This closes the MFA fatigue vulnerability.
Passkeys: The Direction Everything Is Heading
Passkeys represent the convergence of strong security and practical usability. A passkey is a digital credential stored on your device and protected by biometrics — your fingerprint or Face ID. It’s based on the same FIDO2 cryptographic standard as hardware keys, which means it’s phishing-resistant by design.
What makes passkeys compelling for business adoption is the user experience. There are no passwords to manage, no codes to type, and no hardware to carry separately. Passkeys sync across ecosystems — iCloud Keychain for Apple devices, Google Password Manager for Android — so users aren’t locked to a single device. For IT teams, they eliminate the password reset burden. For users, they’re faster and easier than any other authentication method.
Major platforms including Microsoft, Google, Apple, and most enterprise SaaS tools now support passkeys. If your organization isn’t planning a passkey adoption roadmap, it’s worth starting that conversation.
How to Roll Out Your MFA Upgrade
A successful MFA level up doesn’t happen all at once, and forcing a disruptive rollout creates workarounds that undermine the whole effort. A phased approach works better.
Start with your highest-risk accounts: administrators, finance, payroll, HR, and executive leadership. These are the accounts attackers target most, and protecting them first delivers the most immediate risk reduction. Require phishing-resistant MFA — hardware keys or passkeys — for all privileged access with no exceptions.
Then expand to the general user population with authenticator apps and number matching, removing SMS as an available option rather than just an alternative. If SMS is still on the menu, most users will choose it. Remove the choice.
Pay particular attention to your account recovery process. MFA is only as strong as the controls around resetting it. If an attacker can bypass your MFA by calling the helpdesk and claiming a lost device, your authentication upgrade didn’t fully solve the problem. Treat MFA resets with the same verification rigor you’d apply to a wire transfer approval.
Finally, audit for bypass routes before declaring the rollout complete. Legacy authentication protocols, service accounts, and conditional access gaps are where the exceptions live — and exceptions are where breaches start.
The Real Cost of Staying on SMS
SMS MFA may satisfy a checkbox on a compliance questionnaire. It doesn’t provide meaningful protection against the attacks that are actually targeting businesses today. The cost of hardware keys or authenticator app management is a fraction of the cost of a single incident response engagement — and a negligible fraction of the cost of a data breach.
If your organization is ready to upgrade its authentication posture but isn’t sure where to start, we can help. Our Cyber Shield security assessment gives you a clear picture of your current authentication state, identifies your highest-risk accounts, and builds a practical roadmap your team can execute. Get your Cyber Shield assessment and find out exactly where you stand.
Frequently Asked Questions
What is an MFA level up? An MFA level up means replacing older, weaker authentication methods — particularly SMS codes — with phishing-resistant alternatives like hardware security keys, FIDO2-based authenticator apps with number matching, or passkeys. The goal is to eliminate authentication methods that can be bypassed through SIM swapping, SS7 exploitation, or real-time phishing relay attacks.
Is SMS MFA better than no MFA at all? Yes — SMS MFA does block a large proportion of automated credential-stuffing attacks. But it provides no protection against targeted attacks using SIM swapping or real-time phishing relay. For any account containing sensitive data or elevated access, SMS should be treated as a temporary stopgap, not a long-term solution.
What is a SIM swap attack? A SIM swap is a social engineering attack where a criminal contacts your mobile carrier, impersonates you, and convinces support staff to transfer your phone number to a SIM card they control. Once successful, they receive all calls and SMS messages sent to your number — including MFA codes — and can use them to reset credentials and access your accounts.
What makes FIDO2 and passkeys phishing-resistant? FIDO2-based authentication uses cryptographic key pairs tied to specific domains. When you authenticate, your device signs a challenge from that exact domain. A phishing site on a different domain receives nothing — the authentication simply won’t complete. There are no codes that can be captured and replayed, making the attack vector that SMS codes are vulnerable to completely ineffective.
Do hardware security keys work for remote or hybrid teams? Yes. Hardware keys work over USB or NFC and are fully compatible with remote work environments. Most enterprise identity platforms including Microsoft Entra ID and Okta have well-documented support for hardware security key deployment. Physical key distribution does require planning, but many organizations handle it through standard IT provisioning processes.
Where should we start with an MFA upgrade? Start with your highest-risk accounts: administrators, finance, payroll, executives, and anyone with access to sensitive systems or data. Require phishing-resistant MFA for those accounts immediately, with no SMS fallback. Then expand to the broader user population using authenticator apps with number matching before phasing out SMS entirely.