
FBI Warns SMS Authentication Is Not Safe

Following the Salt Typhoon breach, the FBI warns that SMS authentication is dangerously outdated. This systemic vulnerability demands urgent action to adopt encrypted, modern alternatives.

In 2019, I wrote The Most Important Number, warning about the vulnerability of phone numbers and SMS-based authentication. The headline at the time was that then-CEO of Twitter Jack Dorsey had his account compromised through a SIM swap attack. Now, in December 2024, those warnings have proven prescient following what's being called "the worst hack in our nation's history."

Linked report: "Feds Warn SMS Authentication Is Unsafe After ‘Worst Hack in Our Nation’s History’" (subhead: Even the U.S. government is telling Americans to use encrypted apps.)

According to the FBI, the Chinese government-aligned operation dubbed "Salt Typhoon" has achieved what security researchers long feared: deep infiltration of telecommunications infrastructure, allowing widespread interception of unencrypted SMS messages and calls. This breach has forced even the FBI – historically resistant to end-to-end encryption – to reverse course and actively recommend encrypted communications.

The Warning Signs Were There

In my 2019 article, I detailed how SMS-based two-factor authentication (2FA) created a false sense of security. The fundamental flaws haven't changed in over a decade: an SMS travels in the clear across carrier networks and is delivered to whoever currently controls the phone number, so it is exposed both to interception and to SIM swapping attacks. More recently, in my guide to digital security, I emphasized that SMS-based one-time passcodes (OTPs) are the least secure form of multi-factor authentication.

SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them.
~ guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA)

From Individual Attacks to Infrastructure Breach

What's changed since earlier SMS-based attacks isn't the underlying vulnerability – it's the scale of exploitation. While previous attacks targeted individuals through SIM swapping, Salt Typhoon demonstrates how these weaknesses can be exploited at an infrastructure level. CISA has now explicitly warned against using SMS for authentication, stating that "SMS messages are not encrypted—a threat actor with access to a telecommunication provider's network who intercepts these messages can read them."

Moving Beyond SMS

While individual users must take steps to protect themselves, the greater responsibility lies with companies and organizations that continue to rely on SMS for authentication and customer communication. The Salt Typhoon operation has demonstrated that SMS vulnerability isn't just a consumer issue – it's a systemic risk that requires a coordinated response from the business community.

Companies must recognize that every SMS authentication code they send creates another opportunity for interception. Every password reset link delivered via text message is a potential security breach. Banks, social media platforms, and other service providers need to move away from SMS not just as a security measure, but as a matter of corporate responsibility.

Here are the secure alternatives that both individuals and organizations should be adopting:

Software Authenticator Apps

These apps generate one-time codes from a secret shared with the service at enrollment and the current time (the TOTP standard, RFC 6238), so they work offline without cellular service and are unaffected by SIM swapping or SMS interception. They're free, widely supported by major services, and easy to implement for both users and companies. Their remaining weakness is real-time phishing: a code typed into a lookalike site can be relayed to the real one within its short validity window, which is why the two options below are stronger still.

Hardware Security Keys

Physical USB or NFC keys (FIDO2/WebAuthn) provide the highest level of security through public-key cryptography: the private key never leaves the device, and the browser binds every signature to the origin of the site that requested it, so a signature obtained by a lookalike site is useless at the real one. That makes them immune to phishing and to remote theft of the credential, ideal for high-value accounts and enterprise environments, and they are widely supported by operating systems and services.

Passkeys

Passkeys are the same FIDO2/WebAuthn credentials stored on a phone or computer (and, on most platforms, synced through the user's platform account) rather than on a separate key, unlocked with the device's biometrics or PIN. The biometric never leaves the device; the service only ever sees a signature, so passkeys carry the same phishing resistance as hardware keys. Built into modern operating systems, they eliminate the need for SMS while providing a superior user experience.

The Path Forward

While the security community has long advocated against SMS authentication, the Salt Typhoon operation has forced a broader reckoning with this vulnerability. If there's a silver lining to this massive breach, it's that it has finally pushed organizations like CISA and the FBI to take a strong public stance against SMS-based authentication.

For individuals and organizations alike, the message is clear: the time to move beyond SMS authentication is now. The threats we once theorized about have become reality, and the infrastructure we relied on has proven more vulnerable than many imagined. As I wrote in 2019, your phone number is "more important than a credit card number, and yet more exposed than one." That warning has never been more relevant than it is today.

For individuals and families, start by upgrading the authentication methods on your critical accounts today. For businesses, the time has come to treat SMS authentication as a legacy system that must be retired. The technology exists to move beyond SMS – what we need now is the will to implement it.

For more guidance on securing your online accounts, see my recent article on essential digital security steps.


Additional Resources

  1. CISA: Guidance for Families – Official guidance from CISA on protecting sensitive information
  2. Two-Factor Auth Directory – A comprehensive list of websites and their supported 2FA methods
  3. Apple's Guide to Passkeys – Understanding passkeys in the Apple ecosystem
  4. Google's Authentication Tools – Tool to review and improve your account security
  5. Have I Been Pwned? – Check if your accounts have been compromised in data breaches