
SMS-Based MFA (2011 to Dying)

The most cited example of cybersecurity inertia. NIST deprecated SMS MFA in 2017. It took SIM-swap attacks on Coinbase and Twitter founders to force action.

Born 2011 · Still dying · Status: dying

Certificate of Death

Name of decedent

SMS-Based MFA

Born
2011
Died
Age
15+

Cause of death

SIM-swap attacks on high-profile accounts forced regulatory action

Survived by

TOTP apps, push notifications, passkeys, hardware security keys

Invented by

Popularized by Google 2-Step Verification, February 2011

Status: Dying · Final breath: 2027

Filed by D. Gupta · guptadeepak.com

The hook

NIST Special Publication 800-63B deprecated SMS as an MFA channel in 2017. Eight years later, US banks still require it.

Thesis. SMS MFA survived not because it works, but because the cost of replacing it falls on companies while the cost of breach falls on users.

The story

The origin

Google launched 2-Step Verification in February 2011. SMS was the obvious channel: everyone has a phone, the carriers already deliver text messages, no app install required. The first 10 years of mainstream MFA were built on a primitive nobody designed for security.

The peak

By 2018 SMS MFA was the standard 'we take security seriously' feature. Banks, social platforms, exchanges. Every signup flow that added MFA added SMS first because it was the easiest factor to ship.

The first crack

NIST SP 800-63B in 2017 deprecated SMS as out-of-band authentication. The technical community already knew SS7 attacks and SIM swaps were trivial; the regulatory acknowledgment was the news.

The breach pattern

Twitter founder Jack Dorsey was SIM-swapped in August 2019. Coinbase suffered a $400M social-engineering loss in 2024 with SMS in the attack chain. Public, named, expensive. The pattern got harder to ignore.

The slow death

TOTP apps and push-based MFA already dominate new deployments. SMS persists in legacy systems and regulated industries where switching costs are real and regulators move slowly. Final breath projected 2027.

Key data points

  • Google 2-Step Verification launch: February 2011
  • NIST SP 800-63B deprecation: 2017
  • Jack Dorsey SIM-swap incident: August 2019
  • Coinbase 2024 social-engineering loss: $400M
  • Estimated cost of SMS MFA at scale: $0.05 to $0.20 per message

Contrarian angle

SMS MFA is not being killed by attackers. It is being killed by the SMS providers raising prices faster than companies can budget for them.


FAQ

Is SMS MFA still better than no MFA?

Yes, barely. It blocks unsophisticated credential-stuffing attacks. It does not block phishing kits, SIM-swap attacks, or SS7 interception. Treat it as a floor, not a ceiling.

Are TOTP apps actually phishing-resistant?

No. TOTP codes can be phished in real time on a fake login page. They are better than SMS for SIM-swap protection, but they are not phishing-resistant. Only WebAuthn-class factors are.
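An added illustration, not from the original post, of why a relying party accepts a relayed TOTP code but rejects a relayed WebAuthn-style assertion: the TOTP side is RFC 6238 as written; the WebAuthn side is simplified, with an HMAC standing in for the authenticator's signature and all origins, keys and challenges constructed for the demo.

```python
import hashlib
import hmac
import json
import struct

SECRET = b"constructed-shared-totp-seed"      # constructed: shared by server and authenticator app
CRED_KEY = b"constructed-authenticator-key"   # constructed: stand-in for the credential's private key
RP_ORIGIN = "https://bank.example"            # constructed: the real relying party's origin


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HMAC-SHA1 over the 30-second counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def server_checks_totp(submitted: str, t: int) -> bool:
    # The server sees only a six-digit bearer value; nothing in it records where it was typed.
    return hmac.compare_digest(submitted, totp(SECRET, t))


def authenticator_sign(challenge: bytes, origin_seen: str) -> dict:
    # WebAuthn-style: the signed client data carries the origin the browser is actually on.
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin_seen},
                             sort_keys=True).encode()
    sig = hmac.new(CRED_KEY, client_data, hashlib.sha256).hexdigest()  # simplification of the signature
    return {"client_data": client_data, "sig": sig}


def rp_verifies_assertion(assertion: dict, challenge: bytes) -> bool:
    data = json.loads(assertion["client_data"])
    # Origin and challenge are checked before the signature, so a look-alike origin fails here.
    if data["origin"] != RP_ORIGIN or data["challenge"] != challenge.hex():
        return False
    expected = hmac.new(CRED_KEY, assertion["client_data"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["sig"], expected)


def compare_factors_under_relay(t: int) -> dict:
    """Model a victim who completes both factors on a look-alike origin that forwards the result."""
    lookalike = "https://bank-example.com"   # constructed phishing origin
    challenge = b"\x01\x02\x03\x04"          # constructed challenge issued by the real RP
    code_from_victim = totp(SECRET, t)                              # read from the app, typed on the fake page
    assertion_from_victim = authenticator_sign(challenge, lookalike)  # browser signs the origin it is on
    return {
        "totp_accepted": server_checks_totp(code_from_victim, t),           # True: bearer value, no binding
        "webauthn_accepted": rp_verifies_assertion(assertion_from_victim, challenge),  # False: origin mismatch
    }
```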

Why didn't NIST's deprecation kill SMS MFA immediately?

NIST guidance is advisory for the private sector. Federal contractors comply faster than banks. Banks comply when state regulators mandate change, which happens 5 to 7 years behind NIST.
