For years the standard advice has been to turn on two factor authentication, and that advice is genuinely good. Adding a second step beyond your password is one of the best things you can do to protect an account. But there is a wrinkle that most people never hear about. The most common form of that second step, a code texted to your phone, is also the weakest one on the list. It is far better than nothing, and if a text code is all an account offers you, you should absolutely use it. Still, treating an SMS code as ironclad is a mistake, because the way phone numbers work leaves a door open that a determined attacker can walk right through.

The main weakness has a name, and it is called SIM swapping. Your phone number is not welded to your physical phone. It lives with your mobile carrier, and it can be moved to a new SIM card or device, which is exactly what happens when you legitimately upgrade phones. An attacker who wants into your accounts can call your carrier, pretend to be you, and talk a support rep into moving your number to a SIM card they control. They pull this off using personal details about you that are often for sale online or scraped from old data breaches. The moment your number lands on their device, every text meant for you, including your security codes, arrives on their screen instead of yours.

Once an attacker controls your number, the login code stops protecting you and starts helping them. They go to your bank or your email, type in your username, and click the option to reset the password. The service dutifully sends a verification code by text, and that code now arrives on the attacker's phone rather than yours. With your number in their hands, they can often clear the very hurdle that was supposed to keep them locked out. This is exactly why high value targets, like people holding large amounts of crypto, have been drained despite having two factor turned on. The second factor was real, but it was tied to something that could be stolen without ever touching your actual phone.

SIM swapping is the headline risk, but it is not the only one worth knowing. Text messages travel over an old phone network system that was never designed with strong security in mind, and codes can in some cases be intercepted along the way. More common than any of that, though, is plain old phishing. A fake login page can ask for your password and then, in real time, ask for the SMS code you just received, passing both to the real site while you believe you are simply logging in. Because you are the one typing the code into a convincing copy, no carrier flaw or network trick is even required. The text based system quietly trains you to type whatever code arrives, and attackers count on that reflex.

The good news is that stronger options already exist, and most of them are free to use. An authenticator app, like the ones offered by several major companies, generates a rotating code right on your device without sending anything over the phone network. Because that code never travels as a text, stealing your phone number does nothing to help an attacker get in. Even stronger are physical security keys, small devices that plug in or tap against your phone to confirm you are really at the genuine website. Passkeys, a newer approach built into modern phones and computers, work on the same idea and resist phishing by design. Any one of these closes the exact gap that a plain SMS code leaves wide open.

You do not have to overhaul your entire digital life in one afternoon, but a few targeted moves matter a great deal. Start with your most important accounts, which usually means your primary email, your bank, and anything holding money or crypto. Switch those from text codes to an authenticator app or a security key wherever the option is offered. Separately, call your mobile carrier and ask them to add a port freeze or a unique PIN to your account, which makes an unauthorized SIM swap much harder to pull off. Be stingy about handing out your primary phone number, and consider a separate number for services that force you to use SMS. Small friction on your side becomes a real wall on theirs.

None of this is a reason to turn off two factor, and that is the point worth landing on. SMS codes are much safer than a password standing alone, and for many everyday accounts they are perfectly fine. The mistake is assuming a text code carries the same strength everywhere, including on the accounts that could wreck your month if they fell into the wrong hands. Match the level of protection to what is actually at stake. Use an app or a key on the accounts that matter most, lock down your phone number with your carrier, and stay skeptical of any page pushing you to type in a code. The second factor was always meant to be a hurdle, so make it one an attacker cannot clear from a stolen phone number.