On January 9, 2024, the official U.S. Securities and Exchange Commission account on X (formerly Twitter) announced that the SEC had approved Bitcoin ETFs. Bitcoin's price jumped, then fell sharply, within minutes. The announcement was fake. Attackers had SIM-swapped the phone number linked to the SEC's account, used that number to reset the account password, and posted on the SEC's behalf. The actual approval came the next day.

The SEC is not a small business. It has a legal team, a security team, and a public-facing communications infrastructure. None of that mattered. Someone called a carrier, said the right things to the right low-level employee, and within hours they controlled a number that unlocked one of the most market-sensitive social media accounts in the world.

If the method is straightforward enough to use on a federal financial regulator, it will be used on your business. The question isn’t whether SMS two-factor authentication is a good idea anymore — the research has settled that. The question is what you replace it with, and how to actually do it without breaking everything or losing your staff.


Why SMS MFA Is Already Dead

Text message authentication has two separate and serious problems. They’re worth understanding briefly, because the solution only makes sense once you know what you’re actually defending against.

The SS7 problem is structural. SS7 (Signaling System No. 7) is the protocol that routes calls and text messages between phone carriers globally. It was designed in 1975 on the assumption that only trusted telecom operators would ever have access to the signaling network. That assumption stopped being true decades ago. Today, anyone who can obtain access to an SS7 gateway — a rogue carrier, a state intelligence service, or a cybercriminal who paid $5,000 for a packaged exploit toolkit (documented on dark web markets as recently as May 2025) — can silently intercept text messages destined for any phone number in the world.

The attack is invisible to the victim. A fraudulent “location update” message tells the carrier network that the subscriber has roamed to a new area. SMS messages reroute to attacker-controlled infrastructure. The victim’s phone shows normal service or a brief flicker. The OTP arrives at the attacker. In 2017, this technique was used to drain German bank accounts after credentials were stolen separately — attackers intercepted the SMS 2FA codes needed to authorize wire transfers. In 2019, Metro Bank UK confirmed a similar attack on customer accounts.

The SIM-swap problem doesn’t require any technical access at all. An attacker calls your carrier, claims to be you, and asks them to transfer your number to a new SIM card. Using information assembled from data breaches and social media, they convince a carrier employee. From that moment, your phone number belongs to them — and so does every SMS code that number receives.

The FBI’s Internet Crime Complaint Center tracked 982 SIM-swap complaints in 2024 totaling roughly $26 million in losses. The average loss per victim was over $26,000. Across the UK, Cifas reported a 1,055 percent increase in unauthorized SIM swaps year-over-year. In June 2025, attackers used SIM swaps to compromise OKX exchange user accounts and generate unauthorized withdrawal permissions.

The regulatory community has reached the same conclusion. On May 30, 2025, NIST finalized SP 800-63B-4, its Digital Identity Guidelines on authentication. SMS OTP is formally classified as a RESTRICTED authenticator. That label has a specific meaning: organizations that continue using it must offer an alternative that is not restricted, inform users of the risk, assess and accept that risk in writing, and maintain a migration plan. CISA's mobile communications guidance of December 2024, issued after the Salt Typhoon intrusions into U.S. telecommunications carriers, states plainly: “Do not use SMS as a second factor for authentication.”


What Actually Replaces It

Not all MFA is created equal. The upgrade path has three distinct tiers.

TOTP authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) are the immediate improvement most businesses should make first. Instead of a code sent over the phone network, the app generates a time-based code from a shared secret stored on your device, so there is no SS7 intercept and no SIM-swap exposure. It costs nothing and works with most services that support MFA.

The limitation is that a TOTP code is still a human-readable string. A sophisticated attacker can run what’s called an adversary-in-the-middle attack: they build a convincing fake login page, you enter your credentials and TOTP code in real time, they instantly relay those to the real site and hijack your authenticated session. Tools that automate this are freely available. TOTP is significantly better than SMS. It is not phishing-resistant.

Passkeys are the consumer-friendly version of the technology that closes the phishing gap. When you register a passkey with a website, your device generates a cryptographic key pair. The private key stays on your device — it never leaves it. When you log in, your device signs a challenge from the website using the private key, and the website verifies the signature with the public key it stored during registration. You authenticate with a fingerprint, face scan, or PIN. No password. No code to type.

The critical security property is that every passkey is bound to the domain of the site that registered it (its relying-party ID), and the browser only offers the passkey to pages on that domain. If an attacker builds a fake login page at login.micros0ft.com, your passkey for login.microsoft.com simply will not be presented there, and even a forged attempt would fail signature verification, because the page's origin is part of what gets signed. The authentication attempt fails at the protocol level, not because a human noticed something wrong. There is no code to intercept, relay, or trick you into entering.

In 2025, passkeys are supported on every major platform. Apple syncs them across iPhone, iPad, and Mac via iCloud Keychain. Google Password Manager syncs them across Android and Chrome. Microsoft supports them through Windows Hello and the Authenticator app. You can also use your phone as the authenticator for a laptop by scanning a QR code; a Bluetooth proximity check ensures the two devices are physically near each other, so a remote attacker cannot complete the hand-off.

Hardware FIDO2 security keys (YubiKey, Google Titan) are the gold standard. They implement the same FIDO2/WebAuthn protocol as passkeys, but the private key is generated and kept inside a dedicated secure element that is designed never to export it. Even if an attacker steals your computer, the key material stays on the device on your keychain. They connect over USB (USB-A or USB-C depending on the model) and NFC, which covers phones and NFC-capable laptops.

The 2022 0ktapus phishing campaign, which compromised over 130 organizations, shows the real-world difference. Cloudflare was targeted: at least three employees entered their credentials on the attackers' lookalike login page, but because Cloudflare requires hardware FIDO2 keys the attackers could not complete a single login. Twilio, hit by the same campaign, was breached. One organization lost nothing. Others lost sessions to a real-time phishing kit that relays codes and approval prompts, which is exactly what TOTP and push notifications cannot withstand.


Deeper Dive: How Origin Binding Works

For readers who want the technical layer: when a site calls the WebAuthn API, the browser builds a small JSON record (the client data) containing the server's random challenge and the page's origin (scheme, hostname and port), then hands the authenticator the hash of that record together with the relying-party ID (the site's registrable domain). The authenticator signs over both. Before any of that happens, the browser checks that the credential's relying-party ID matches the page origin, so a lookalike domain is never offered the passkey at all. If a phishing proxy somehow obtained an assertion anyway, the origin inside the signed client data would name the phishing site, and the proxy cannot edit it without invalidating the signature. There is no string to intercept and replay. This is why FIDO2 defeats tools like Evilginx2 that successfully proxy TOTP and push-based MFA: those tools relay a human-readable code or an approval; FIDO2 produces a signature tied to a specific domain and a single challenge that cannot be reused elsewhere. The spec distinction: WebAuthn is the browser-side W3C API; CTAP2 is the protocol between the client (browser or OS) and an external authenticator such as a security key or a phone; FIDO2 is the umbrella framework covering both.
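To make the origin binding described in this section and in the passkey paragraphs above concrete, here is an added Go example (not code from the original article, and a deliberately reduced model rather than a full WebAuthn implementation). It plays all three parties: an authenticator that signs over the relying-party ID and the client data, a browser that refuses to present a credential on the wrong origin, and a relying party that verifies an assertion. It then replays a genuine login and three phishing variants. The hostnames, function names and the exact-host RP ID match are this example's own assumptions; real browsers accept any registrable suffix of the host as the RP ID.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData mirrors WebAuthn's CollectedClientData; the browser fills in origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type assertion struct {
	AuthData       []byte // SHA-256(rpID) || flags || 32-bit signature counter
	ClientDataJSON []byte
	Signature      []byte // ES256 over authData || SHA-256(clientDataJSON)
}

// signedDigest is the ES256 input: SHA-256 of authData || SHA-256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// authenticatorSign models the authenticator alone: it never sees the page, it
// is handed rpID and the client data by the browser, and it signs over both.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, counter uint32) *assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := binary.BigEndian.AppendUint32(append(rpHash[:], 0x01 /* flags: user present */), counter)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	if err != nil {
		panic(err)
	}
	return &assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}
}

// browserGet models the check the browser runs before the authenticator is asked:
// the credential's RP ID must match the page origin (real browsers accept any
// registrable suffix of the host; this example uses an exact host match).
func browserGet(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, counter uint32) (*assertion, error) {
	if strings.TrimPrefix(origin, "https://") != rpID {
		return nil, fmt.Errorf("browser refuses: RP ID %q is not valid for origin %q", rpID, origin)
	}
	return authenticatorSign(priv, rpID, origin, challenge, counter), nil
}

// verifyAssertion is the relying-party side, reduced to the checks that give
// origin binding: ceremony type, challenge, origin, rpIdHash, then signature.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin string, challenge []byte, a *assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("wrong ceremony type or stale challenge")
	}
	if cd.Origin != origin {
		return fmt.Errorf("origin mismatch: assertion was made for %q", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// runScenarios registers one passkey for login.example.com (constructed names)
// and replays four logins, returning the relying party's verdict for each.
func runScenarios() map[string]error {
	const rpID, real, fake = "login.example.com", "https://login.example.com", "https://login.examp1e.com"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // done once, at registration
	challenge := make([]byte, 32)
	rand.Read(challenge) // fresh per login attempt
	out := map[string]error{}
	a, _ := browserGet(priv, rpID, real, challenge, 1) // 1. genuine login on the real site
	out["genuine"] = verifyAssertion(&priv.PublicKey, rpID, real, challenge, a)
	_, out["lookalike"] = browserGet(priv, rpID, fake, challenge, 2) // 2. browser never offers the passkey
	relayed := authenticatorSign(priv, rpID, fake, challenge, 3) // 3. signed at the fake origin, relayed by the proxy
	out["relayed"] = verifyAssertion(&priv.PublicKey, rpID, real, challenge, relayed)
	relayed.ClientDataJSON = bytes.Replace(relayed.ClientDataJSON, []byte(fake), []byte(real), 1) // 4. proxy edits origin
	out["rewritten"] = verifyAssertion(&priv.PublicKey, rpID, real, challenge, relayed)
	return out
}

func main() { fmt.Println(runScenarios()) }
```

Only the genuine scenario verifies. The lookalike fails inside the browser before the key is even touched; a relayed assertion fails on the origin field; and a proxy that patches the origin field to the real one breaks the signature, because that field sits inside the hashed client data. Compare this with the TOTP verifier, which has no origin to check at all.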


How the Options Stack Up

| Method | Phishing-resistant | Cost per user | UX friction | Feasibility for SMB |
|---|---|---|---|---|
| SMS OTP | No | Free | Low | High, but NIST RESTRICTED; active threat |
| TOTP app | No | Free | Medium | High; best interim step |
| Passkeys | Yes | Free | Low (biometric) | High on modern devices |
| FIDO2 hardware key | Yes | $30–$58 per key | Medium | Medium; best for high-risk accounts |

The cost column is the most important one for small businesses. Passkeys require no hardware purchase and work on phones and laptops your staff already own. For most SMBs, passkeys on email and cloud accounts plus TOTP on everything else is a reachable starting point this week.

Hardware keys make sense at the account level, not the user level — every admin account, every financial login, and every domain registrar account should have a hardware key regardless of business size.


Which Is Right for Your Business

Solo / freelancer / 1–5 person shop

Enable passkeys on every account that supports them: Microsoft account, Google account, banking, domain registrar, social media. Add TOTP as a fallback where passkeys aren’t yet supported. Delete SMS as an option wherever the service lets you. Cost: $0. Time: one focused afternoon.

5–20 person business

Roll out passkeys across Microsoft 365 or Google Workspace for all staff. Purchase two FIDO2 hardware keys for each admin and privileged account — one for daily use, one backup stored securely. The YubiKey 5C NFC ($58) is the best single key for most environments: USB-C for modern laptops, NFC for iPhones and Android. Google Titan USB-C/NFC is a solid $35 option. Deploy TOTP as the minimum standard for all other accounts while passkey support catches up. Budget: roughly $150–$300 for hardware coverage of privileged accounts.

One licensing note if you’re on Microsoft 365: enabling FIDO2 keys for your users is free on any Entra ID tier. Enforcing phishing-resistant MFA as a policy requirement via Conditional Access requires Entra ID P1, which comes with Microsoft 365 Business Premium ($26/user/month). Business Basic and Business Standard users can allow the better methods but cannot mandate them through policy without upgrading. Google Workspace can enforce hardware key or passkey requirements across all staff on any tier — no premium license needed.

20–100 person business

Create a written MFA policy before you touch settings. Establish which accounts require hardware keys (all admin, privileged, finance, HR, and executive accounts — full stop), which require passkeys, and which are acceptable with TOTP as interim. Document it for your audit trail.

If your business handles controlled unclassified information under a DoD contract, CMMC Level 2 practice IA.L2-3.5.3 requires multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. FIDO2 hardware keys, ideally FIPS 140-validated models, are the strongest way to meet it and the easiest to evidence to an assessor. CMMC Phase 2, which brings Level 2 assessment requirements into contracts, begins November 10, 2026.

If your business is a HIPAA covered entity, a December 2024 HHS proposed rule — currently targeted for final publication in May 2026 — would make MFA explicitly mandatory for all systems accessing electronic protected health information. The proposed rule removes the “addressable” classification entirely.


The Action Plan

Step 1: Audit. Open your password manager or, if you don’t have one, a spreadsheet. List every account that currently uses SMS MFA. Start with the highest-impact accounts: business email, banking, payroll, domain registrar, DNS host, cloud storage, and any admin consoles. These are the accounts whose compromise ends your business or costs you real money in hours.

Step 2: Prioritize. Work in three tiers. First tier (this week): email, banking, payroll, domain registrar. Second tier (this month): business software, CRM, HR tools, accounting. Third tier (ongoing): everything else. Don’t try to do it all at once — you’ll stall and do nothing.

Step 3: Enable passkeys first. For each high-priority account, go to security settings, look for passkey or security key options, and register your device. Log out and verify that passkey login works before doing anything else. Then remove SMS as an MFA option if the service allows it, and check that SMS is not still lurking as an account-recovery method, since a password reset by text defeats the stronger factor. Google and Microsoft now prompt users to create passkeys at sign-in; lean into this.

Step 4: Add hardware keys to privileged accounts. Order two keys per admin or high-risk role. Register both to each account. When one key is your daily driver, the other is your emergency backup — keep it in a different physical location from the primary. Document the recovery process: if a key is lost, how does your staff regain access without creating a bypass that defeats the entire point?

Step 5: Handle the exceptions deliberately. Some services only support SMS. Document them explicitly. For high-value accounts stuck with SMS-only options (some older financial institutions, certain government portals), use a dedicated number that is not your main business line and is not a SIM that travels. Google Voice numbers are not SIM-based and are harder to swap, provided the Google account that owns the number is itself locked down with a passkey or hardware key; otherwise you have only moved the weak point. Push the vendor for better MFA support; vote with your business at renewal time.

For staff who resist change: passkeys are faster than SMS, not slower. No waiting for a text. Fingerprint, done. Frame it correctly and most resistance evaporates.


FAQ

My bank only supports SMS. What do I do?

You can’t force the vendor’s hand today. For now: use a Google Voice number (not SIM-based, harder to swap) rather than your primary business line, and don’t use that number for anything else. Flag the account as high-risk in your audit, accept the residual risk formally, and evaluate switching to a financial institution with better authentication at your next contract renewal. Push the bank through their support channel — they track this feedback.

What if an employee loses their hardware key?

This is why you always register two. Primary key stays on the employee’s keychain. Backup key lives in a secured office location, a safe, or with IT. When a key is lost: verify the employee’s identity through a separate out-of-band method (video call, in-person), temporarily provision access, and re-register new keys. The weakness in any MFA system is always the recovery process — make sure yours doesn’t create a social-engineering-friendly backdoor.

Does this satisfy CMMC or HIPAA?

CMMC Level 2 practice IA.L2-3.5.3 requires MFA for local and network access to privileged accounts and for network access to non-privileged accounts. FIDO2 hardware keys meet it cleanly (FIPS 140-validated models if your contract or customer asks for validated cryptography). SMS OTP, as a NIST RESTRICTED authenticator, is hard to defend in an assessment. HIPAA currently treats MFA as an addressable safeguard under the Security Rule; in practice, auditors expect it for remote access and admin accounts. A proposed HHS rule published in December 2024 would make it explicitly mandatory; expect a final rule targeting May 2026.

Are passkeys the same as a password manager?

No. A password manager stores your passwords and fills them in. A passkey replaces the password entirely: the server holds only a public key, so there is no shared secret for it to leak, for you to forget, or for a phishing page to capture. The private key stays on your device. Passkeys and password managers are complementary: 1Password, Bitwarden, and Dashlane can all store and use passkeys alongside traditional passwords.

My team uses Microsoft Authenticator for push notifications. Isn’t that good enough?

Push notification MFA is better than SMS — there’s no SS7 intercept risk. But push notifications are not phishing-resistant. Evilginx-style attacks can proxy your session in real time: you approve a legitimate-looking push prompt while the attacker uses that approval to authenticate to the real service. Microsoft Authenticator now supports passkeys and FIDO2 credentials in addition to push and TOTP — check whether your version and configuration actually uses the phishing-resistant mode, not just the push notification mode.


Key Sources

  • NIST SP 800-63B-4, Digital Identity Guidelines: Authentication and Authenticator Management, May 30, 2025 — csrc.nist.gov
  • CISA, Implementing Phishing-Resistant MFA (fact sheet) — cisa.gov
  • CISA, Mobile Communications Best Practice Guidance, December 2024 — cisa.gov
  • FBI IC3 2024 Annual Report — SIM swap statistics
  • HHS OCR HIPAA Security Rule NPRM, Federal Register 2024-30983, January 2025
  • CMMC Assessment Guide Level 2 — dodcio.defense.gov
  • Yubico YubiKey 5 Series — yubico.com
  • Google Titan Security Key — store.google.com