Why We Don't Support SMS MFA (And Why You Shouldn't Either)

SMS-based multi-factor authentication has serious security vulnerabilities that make it unsuitable for enterprise applications.

October 26, 2025
By TitaniumVault Team

Multi-factor authentication (MFA) is crucial for securing modern applications. However, not all MFA methods are created equal. Here's why TitaniumVault deliberately doesn't support SMS-based MFA, and why you should consider avoiding it too.

The Security Problems with SMS MFA

While SMS MFA is better than no MFA at all, it has several critical vulnerabilities that make it unsuitable for enterprise-grade security:

1. SIM Swapping Attacks

Attackers can convince mobile carriers to transfer your phone number to a SIM card they control. Once they have your number, they can intercept SMS codes and bypass your “second factor.” This attack has been used to compromise high-profile accounts, including cryptocurrency exchanges and social media accounts.

2. SS7 Protocol Vulnerabilities

The Signaling System 7 (SS7) protocol, which underlies much of the world's mobile phone infrastructure, has known vulnerabilities that allow attackers to intercept SMS messages. State-sponsored actors and sophisticated cybercriminals can exploit these flaws to read SMS codes in real time.

3. Phishing and Social Engineering

SMS codes can be socially engineered from users through phishing attacks. Attackers often create fake login pages and prompt users to enter both their password and the SMS code, effectively defeating the MFA protection.

Better Alternatives: TOTP and WebAuthn

TitaniumVault supports two robust alternatives that provide significantly better security:

TOTP (Time-based One-Time Passwords)

Apps like Google Authenticator, Authy, and 1Password generate time-based codes locally on the user's device. These codes:

  • Don't rely on cellular networks or SMS infrastructure
  • Can't be intercepted through SIM swapping or SS7 attacks
  • Work offline, making them more reliable
  • Are standardized (RFC 6238) and widely supported

WebAuthn / FIDO2 (Hardware Security Keys)

Hardware security keys like YubiKey represent the gold standard for MFA:

  • Phishing-resistant by design
  • Based on public-key cryptography
  • No secrets transmitted over the network
  • Resistant to all known MFA attacks
  • Backed by major tech companies and security organizations

Industry Recommendations

Major security organizations have moved away from recommending SMS for MFA:

  • NIST deprecated SMS-based MFA in their Digital Identity Guidelines
  • The FIDO Alliance promotes hardware-based authentication
  • Microsoft, Google, and other tech giants encourage moving beyond SMS

Making the Transition

If your application currently uses SMS MFA, here's how to transition:

  1. Add support for TOTP authenticator apps alongside SMS
  2. Encourage users to switch through in-app messaging and email campaigns
  3. Implement WebAuthn for users who want the highest security
  4. Eventually deprecate SMS MFA with plenty of advance notice
  5. Provide backup codes as a recovery mechanism

Conclusion

Security is about making informed trade-offs. While SMS MFA is better than passwords alone, modern applications should implement stronger alternatives. At TitaniumVault, we've made the decision to support only TOTP and WebAuthn, ensuring our customers have access to robust, phishing-resistant authentication methods.

Interested in implementing strong MFA for your application? Try TitaniumVault free for 14 days or view our pricing.
