Two-factor authentication has become a baseline security requirement for businesses of every size. And despite periodic headlines suggesting SMS-based 2FA is outdated, it remains the most widely deployed second factor in the world — and for good reasons.
The adoption numbers
According to Statista's 2024 cybersecurity survey data, over 80% of organisations worldwide use SMS as a two-factor authentication method. While authenticator apps and hardware keys are growing, they remain significantly behind SMS in adoption. In the consumer space, SMS OTP is even more dominant — it is the verification method most people encounter when logging into banking apps, e-commerce accounts, and social media platforms.
What NIST actually says
There is a persistent misconception that the US National Institute of Standards and Technology (NIST) has deprecated SMS for 2FA. This is not accurate. In their Special Publication 800-63B (Digital Identity Guidelines), NIST flagged SMS as a "restricted" authenticator for the highest assurance levels, meaning it should not be the sole factor for the most sensitive government systems. However, NIST explicitly acknowledges that SMS 2FA is acceptable for most use cases and vastly preferable to password-only authentication.
The relevant NIST guidance states that out-of-band authentication using SMS is permitted when the verifier considers the risks acceptable — which it is for the overwhelming majority of commercial applications.
Comparing the alternatives
Authenticator apps (Google Authenticator, Microsoft Authenticator) generate time-based one-time passwords on the user's device. They are more resistant to SIM-swapping attacks than SMS but require the user to have a smartphone, to have installed the specific app, and to know how to use it. For tech-savvy users this is straightforward; for the broader population, it introduces friction that reduces adoption.
Hardware security keys (YubiKey, Titan) provide the strongest 2FA protection and are phishing-resistant. However, they cost money, can be lost, and require physical possession at the point of login. They are appropriate for high-value accounts but impractical as a universal consumer solution.
Passkeys and biometrics represent the newest approach, using device-based cryptographic keys tied to biometric verification. This is a promising direction, but adoption is still in early stages and requires compatible devices and platforms.
Why universal reach wins
The fundamental advantage of SMS 2FA is that it works for everyone. Every mobile phone can receive an SMS. No app installation. No hardware purchase. No technical knowledge required. For businesses serving diverse customer bases — including older users, less tech-savvy users, and those with basic handsets — SMS is often the only 2FA method that achieves near-universal adoption.
Google's security research demonstrated that adding SMS 2FA stops 100% of automated bot attacks and 96% of bulk phishing attacks. While authenticator apps and security keys score marginally higher against targeted attacks, SMS provides a massive security improvement over passwords alone.
Implementing SMS 2FA
Businesses implementing SMS-based two-factor authentication need a reliable, fast delivery infrastructure. OTP codes typically have a 60-90 second validity window, making delivery speed critical. Key requirements include:
- Direct carrier connections — Tier 1 routes ensure codes arrive in seconds, not minutes
- High availability — your SMS API must be available 24/7 with failover capabilities
- International coverage — if your users are global, you need reliable international SMS delivery
- Fraud monitoring — detection of AIT (artificially inflated traffic) prevents fraudsters from exploiting your 2FA system to generate artificial traffic
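One way to approach the fraud-monitoring requirement, as an added example (not code from this article or from any vendor's API): AIT, artificially inflated traffic, typically shows up as many OTP sends to one number range with almost no completed verifications. The event format, thresholds and phone numbers below are assumptions constructed for illustration.

```python
from collections import defaultdict


def flag_suspect_prefixes(events, prefix_len=8, min_sends=5, max_conversion=0.2):
    """Flag number ranges that request many OTPs but rarely complete verification.

    events: iterable of (event, msisdn), event being "send" or "verify_ok".
    Returns {prefix: (sends, verified, conversion)} for flagged prefixes.
    """
    sends = defaultdict(int)
    verified = defaultdict(int)
    for event, msisdn in events:
        prefix = msisdn[:prefix_len]
        if event == "send":
            sends[prefix] += 1
        elif event == "verify_ok":
            verified[prefix] += 1

    flagged = {}
    for prefix, n in sends.items():
        if n < min_sends:
            continue  # too little traffic to judge this range
        conversion = verified[prefix] / n
        if conversion <= max_conversion:
            flagged[prefix] = (n, verified[prefix], round(conversion, 2))
    return flagged


def build_sample_events():
    """Constructed sample log: one normal range and one pumped range."""
    events = []
    # Normal users: 6 sends, 5 of them followed by a successful verification.
    for i in range(6):
        number = f"+4477009000{i:02d}"
        events.append(("send", number))
        if i != 3:
            events.append(("verify_ok", number))
    # Pumped range: 12 sequential numbers, no code is ever entered.
    for i in range(12):
        events.append(("send", f"+9990001234{i:02d}"))
    return events


if __name__ == "__main__":
    print(flag_suspect_prefixes(build_sample_events()))
```

Flagged prefixes are candidates for rate limiting or blocking at the send step, before the message is billed.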
The pragmatic approach
The most effective security strategy is layered. Offer SMS 2FA as the default, and provide authenticator apps or hardware keys as options for users who want stronger protection. This ensures maximum adoption while giving security-conscious users the tools they prefer. An imperfect 2FA method that everyone uses is infinitely more secure than a perfect method that nobody adopts.
Faretext's SMS API delivers OTP codes via direct Tier 1 carrier connections with 97-99% delivery rates. Get started with 25 free credits to test 2FA delivery.
Frequently asked questions
Is SMS 2FA still secure in 2025?
Yes, for the vast majority of use cases. SMS 2FA blocks 100% of automated attacks and 96% of phishing attempts. While not the strongest option for extremely high-value targets, it provides a massive security improvement over passwords alone and achieves far higher adoption than alternatives.
What is SIM swapping and how does it affect SMS 2FA?
SIM swapping is when an attacker convinces a mobile carrier to transfer a victim's phone number to a new SIM. This is a targeted attack requiring social engineering, making it rare but serious for high-value accounts. For most businesses and consumers, the risk is minimal compared to the security benefit of having 2FA enabled.
How fast do OTP codes need to be delivered?
Most OTP codes expire within 60-90 seconds, so delivery within 5-10 seconds is essential. This is why direct Tier 1 carrier connections matter — aggregated or grey routes may introduce delays that cause codes to expire before arrival.
Sources: NIST SP 800-63B — Digital Identity Guidelines, Statista — Multi-Factor Authentication Worldwide, Google Security Blog — How Effective Is Basic Account Hygiene