
Why is SMS-based 2-factor authentication not as secure as app-based 2-factor authentication?


2-factor authentication (2FA) is widely used across platforms to verify that the person accessing an account, using an e-wallet or validating a transaction is who they claim to be. It makes it easy to confirm that the authorised account holder is the one performing important actions such as transferring funds or purchasing items online.

How does 2-factor authentication work?

Suppose you need to book movie tickets online. After selecting the seats, you are redirected to the payment portal and asked to enter your card details. But submitting the correct account details doesn't necessarily mean that it is you who booked the tickets; it could be a fraudster who has acquired the required account details.

To confirm that it is indeed you, you are sent an OTP (one-time password), valid for a specific time period, via SMS or an authentication app like Google Authenticator, using the mobile number you registered when you set up the account. When you are prompted to submit the OTP on the portal, it must match the OTP sent to the registered number, or else the transaction is rejected.
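How the app-based form of this check works, as an added example that is not part of the original article: an authenticator app such as Google Authenticator computes the OTP on the device from a shared secret and the current time (TOTP, RFC 6238), and the server repeats the computation to compare, so no code is sent over SMS. The sample secret, the 30-second step, the one-step drift window and the `last_used` replay guard are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for (assumed; the RFC 6238 default)
DIGITS = 6   # code length (assumed)

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: float) -> str:
    """RFC 6238: HOTP where the counter is the number of STEPs since the epoch."""
    return hotp(secret, int(now) // STEP)

def verify(secret: bytes, submitted: str, now: float, last_used: int = -1, drift: int = 1):
    """Server-side check. Returns the matched counter, or None on rejection.

    Tolerates +/- `drift` steps of clock skew, compares in constant time and
    skips any counter <= last_used so an observed code cannot be reused.
    """
    current = int(now) // STEP
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return counter
    return None

if __name__ == "__main__":
    # Constructed sample secret, shared once between phone and server at enrolment.
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")
    now = time.time()
    code = totp(secret, now)            # computed on the phone, never transmitted by SMS
    used = verify(secret, code, now)    # recomputed on the server
    print("code", code, "accepted:", used is not None)
    print("same code replayed:", verify(secret, code, now, last_used=used) is not None)
    print("same code 2 minutes later:", verify(secret, code, now + 120) is not None)
```
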

Major organisations like Google, Facebook and almost all banks, e-wallets, and various kinds of payment portals are using 2FA to increase the security of their customer accounts.


SMS-based 2FA

Why is SMS 2-factor authentication not as secure as app-based 2FA?

When you receive the OTP via SMS, it is SMS 2-factor authentication. This has been the traditional means by which organisations have authenticated their users.

But recently, Reddit got hacked and all of the data before 2007 was deleted. On further investigation, it was found that this happened because all of their employees used SMS 2FA for all of their authentication purposes.

Since text messages can be easily hacked into, using them for authentication can no longer be deemed safe, and we should resort to other methods.

Google accounts and various cryptocurrency wallets have been hacked because attackers were able to breach the system by intercepting the texts that contained the OTP used for authentication.

This is because almost all mobile telecom networks use SS7 (Signalling System No. 7) to manage calls and texts. This leaves all mobile networks vulnerable to hackers who swoop in and get access to crucial data transferred via SMS.


An alternative to SMS 2FA is app-based 2FA. This guarantees that your data is not being intercepted via SMS. Some app-based authenticators you could go for are:

Stay safe!


Featured image by Sarah Pflug

Parinita Haldar
