Despite the growth of authenticator apps and passkeys, SMS remains the world's most widely used method of two-factor authentication (2FA). From banking and e-commerce to government services and social media platforms, the humble text message continues to be the default security layer for billions of online accounts worldwide.
Why SMS 2FA Dominates
The reasons are practical rather than technical:
- Universal reach: Every mobile phone can receive SMS — no smartphone, no app, no internet connection required
- Zero setup: Users don't need to download an authenticator app, scan QR codes, or configure anything. They just receive a code and type it in
- Familiarity: People understand text messages. There's no learning curve, no confusion, and no support tickets
- Immediate delivery: SMS OTPs (one-time passwords) are typically delivered within 5-10 seconds
For businesses, SMS 2FA also eliminates the biggest barrier to security adoption: user friction. If security is too difficult, users disable it. SMS makes it simple enough that people actually use it.
The Numbers Behind SMS 2FA
- Over 80% of organisations use SMS as their primary 2FA method (Duo Security)
- SMS OTP volumes grew 30% in the UK between 2022 and 2024 (Ofcom)
- Accounts with any form of 2FA are 99.9% less likely to be compromised than those without (Microsoft)
The Security Debate
Security researchers have raised valid concerns about SMS 2FA vulnerabilities:
- SIM swapping: Attackers convince mobile networks to transfer a victim's number to a new SIM
- SS7 interception: Exploiting legacy telephony protocols to intercept messages
- Social engineering: Tricking users into sharing OTP codes
However, these attacks are targeted and sophisticated — they're used against high-value individuals, not mass consumer accounts. For the vast majority of use cases, SMS 2FA provides a dramatic improvement over password-only authentication.
SMS 2FA vs Authenticator Apps
Authenticator apps (Google Authenticator, Microsoft Authenticator) are technically more secure because codes are generated locally and can't be intercepted in transit. But they have significant adoption challenges:
- Require a smartphone with a specific app installed
- Lost or replaced phones mean lost access (recovery is painful)
- Non-technical users find setup confusing
- Some demographics (older users, less tech-savvy) won't use them
The best approach is to offer SMS 2FA as the default with authenticator apps as an option for users who want stronger security.
Implementing SMS 2FA with Faretext
Faretext's SMS API makes implementing OTP verification straightforward. A typical flow:
- Your application generates a random code and calls the Faretext API to send it via SMS
- The user receives the code within seconds
- The user enters the code into your application
- Your application verifies the code and grants access
Our direct carrier connections ensure OTPs are delivered quickly and reliably — critical for time-sensitive security codes that typically expire within 5-10 minutes.
Best Practices for SMS OTP
- Keep codes short: 6 digits is the standard — long enough to be secure, short enough to type easily
- Set expiry times: OTPs should expire within 5-10 minutes
- Rate limit requests: Prevent bots from triggering excessive OTP sends (this also protects against artificially inflated traffic)
- Use a recognisable sender ID: Recipients should immediately know who sent the code
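The flow and best practices above, sketched as an added example (this is not Faretext's code). `send_sms` is a hypothetical callable standing in for whatever SMS API call your application makes, and the send limit, rate-limit window and attempt cap are assumed values the page does not specify.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # length recommended on this page
CODE_TTL = 5 * 60        # seconds; the page recommends expiry within 5-10 minutes
MAX_SENDS = 3            # assumed: OTP sends allowed per number per window
SEND_WINDOW = 15 * 60    # assumed rate-limit window, in seconds
MAX_ATTEMPTS = 5         # assumed cap on guesses per issued code


class OtpService:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms   # hypothetical callable(phone, text)
        self._clock = clock
        self._pending = {}          # phone -> [salt, digest, expires_at, attempts_left]
        self._sends = {}            # phone -> timestamps of recent sends

    def _digest(self, salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def request_code(self, phone):
        now = self._clock()
        recent = [t for t in self._sends.get(phone, []) if now - t < SEND_WINDOW]
        if len(recent) >= MAX_SENDS:
            self._sends[phone] = recent
            return False            # rate limited: no SMS is sent or billed
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG, keeps leading zeros
        salt = secrets.token_bytes(16)
        self._pending[phone] = [salt, self._digest(salt, code), now + CODE_TTL, MAX_ATTEMPTS]
        self._sends[phone] = recent + [now]
        self._send_sms(phone, f"Your verification code is {code}")
        return True

    def verify_code(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() >= expires_at or attempts_left <= 0:
            del self._pending[phone]    # expired or guessed too often: user must request a new code
            return False
        entry[3] -= 1                   # count the guess before comparing
        ok = hmac.compare_digest(digest, self._digest(salt, submitted))
        if ok:
            del self._pending[phone]    # single use: a code cannot be replayed
        return ok
```

In production the two dictionaries would live in a shared store with its own expiry, and the rate limit would usually also be keyed on client IP or account, not only on the phone number.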
Connect with Faretext to discuss implementing SMS 2FA for your platform.
Sources: Duo Security — Trusted Access Report · Microsoft Security Blog · Ofcom — Telecoms Research