The short answer
Two-factor authentication is one of the most effective things you can do to protect an account, and any second factor beats a password alone. But not all second factors are equal. A code texted to your phone is the weakest of the common options — worth keeping if it is all an account offers, worth upgrading the moment something stronger is available.
Why a text-message code is the weak link
An SMS code is tied to your phone number, not your phone. And a phone number can be moved away from you: an attacker who convinces (or bribes) a carrier to port your number, or to move it onto a new SIM, starts receiving your codes without ever holding your device. That is the SIM-swap attack, and it is the reason a determined attacker treats SMS as a speed bump rather than a wall.
The mechanics of a SIM swap — how the port happens and what to do if your number is hijacked — are their own subject. If your codes suddenly stopped arriving or your phone lost service unexpectedly, read SIM-swap attack recovery. This guide answers the broader question: which second factor to choose in the first place.
What NIST actually says
The federal standard worth knowing is NIST's SP 800-63B. It classifies SMS and voice one-time codes as a “RESTRICTED” authenticator: still permitted, but carrying risk a provider has to weigh and disclose. Note the exact word — restricted, not banned. You will sometimes read “NIST banned SMS 2FA”; that is not what the guidelines say. The honest reading is that SMS is acceptable when nothing better exists, and you should prefer a stronger factor when you can.
The ladder: move up when you can
- SMS or voice code — better than a password alone. Keep it as a fallback.
- Authenticator app — time-based codes generated on your device, with nothing sent over the phone network to intercept. A large step up from SMS.
- Passkey or hardware security key — bound to the real website, so it cannot be phished or replayed. CISA calls this class “phishing-resistant” MFA, and it is the strongest option for the accounts that matter most (email, bank, password manager).
Add the strongest factor each account supports — especially your email, since it is the reset key to everything else. If an account was already taken over, work the full lock-down in how to secure any account after it has been hacked, and if an attacker keeps getting back in, account compromise recovery can help.
Sources
- Cybersecurity & Infrastructure Security Agency (CISA), Implementing Phishing-Resistant MFA (fact sheet). https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
- Cybersecurity & Infrastructure Security Agency (CISA), Turn On Multifactor Authentication (Secure Our World). https://www.cisa.gov/secure-our-world/turn-mfa
- National Institute of Standards and Technology (NIST), SP 800-63B Rev. 4 — Digital Identity Guidelines: Authentication. https://pages.nist.gov/800-63-4/sp800-63b.html
- FIDO Alliance, Passkeys — passwordless sign-in. https://fidoalliance.org/passkeys/