Both are better than nothing
Let’s get this out of the way: if you’re choosing between SMS-based 2FA and no 2FA at all, turn on SMS. A weak second factor beats no second factor. But if you have the choice between SMS and a TOTP authenticator app, the authenticator is the better option. Here’s why.
How SMS 2FA works
When you log into an account with SMS-based 2FA, the service sends a text message containing a short numeric code to your phone number. You type the code into the login form, and if it matches, you’re authenticated.
Simple. Widely supported. Almost everyone has a phone that receives texts.
The problem is that SMS was designed for communication, not security. Text messages pass through your carrier’s network, and there are several points along that path where things can go wrong.
How TOTP works
TOTP generates codes on your device using a shared secret and the current time. If you want the full explanation, there’s a separate post on how TOTP works. The short version: your authenticator app and the server both have a copy of the same secret key. They both know what time it is. So they independently produce the same 6-digit code every 30 seconds. No network needed.
Where SMS falls short
SIM swapping
This is the biggest problem. A SIM swap attack happens when someone convinces your phone carrier to transfer your number to a new SIM card. The attacker calls customer support, impersonates you (using personal info from data breaches, social media, or social engineering), and asks to activate your number on their device.
Once they control your number, they receive your SMS codes. They can then log into any account where you use SMS-based 2FA.
SIM swapping isn’t theoretical. It’s been used to steal cryptocurrency, break into corporate accounts, and target journalists and activists. The FBI’s Internet Crime Complaint Center received over 2,000 SIM swapping complaints in a single year.
SS7 vulnerabilities
SS7 is a set of protocols that phone networks use to route calls and texts. It was designed in the 1970s, when the only entities on the network were trusted telecom companies. Security wasn’t a priority.
Researchers have demonstrated that attackers with access to the SS7 network can intercept text messages without the victim knowing. This kind of attack requires some technical sophistication and network access, so it’s not something a random script kiddie pulls off. But nation-state actors and well-funded criminal groups have used it.
Network dependency
SMS requires cellular service. No signal, no code. If you’re traveling internationally, in a basement, or somewhere with spotty coverage, you might not be able to log in.
TOTP works offline. The code is generated locally on your device. You could be in airplane mode, on a submarine, wherever. As long as your device’s clock is roughly correct, the codes work.
Delivery delays
Texts sometimes arrive late. Carrier congestion, network issues, or international routing can delay an SMS by seconds or even minutes. If the code expires before you receive it, you have to request a new one. Annoying, and occasionally a real problem when you need to log in quickly.
TOTP codes are available instantly. You open the app, and the code is there.
Where SMS has an edge
Convenience. You don’t need to install an app. You don’t need to scan QR codes. You don’t need to understand what a “secret key” is. The service texts you a code, and you type it in. For people who aren’t comfortable managing an authenticator app, SMS is easier to set up and use.
There’s also the backup question. If you lose your phone, you can get a new SIM with your same number from your carrier. Recovering access to an authenticator app can be harder if you didn’t set up backups.
The security gap, in plain terms
The core difference: TOTP codes never travel over a network. They’re generated on your device and typed into a login form. That’s it. There’s no message to intercept, no carrier to social-engineer, no protocol vulnerability to exploit.
SMS codes travel through infrastructure you don’t control: your carrier’s network, SS7 routing, cell towers. Every hop is a potential point of interception.
NIST (the U.S. National Institute of Standards and Technology) flagged SMS as a “restricted” authenticator back in 2016, recommending that services move toward app-based or hardware-based methods. That recommendation hasn’t changed.
Practical comparison
| | SMS | TOTP |
|---|---|---|
| Needs cellular service | Yes | No |
| Vulnerable to SIM swapping | Yes | No |
| Vulnerable to SS7 interception | Yes | No |
| Setup difficulty | Low | Low-medium |
| Code delivery | Sometimes delayed | Instant |
| Works offline | No | Yes |
| Open standard | No | Yes (RFC 6238) |
The bottom line
If a service offers TOTP as an option, use it. The setup takes a minute, and you get a meaningfully more secure second factor. If SMS is the only option available, use it anyway. Any second factor reduces your risk compared to a password alone.
For a free, browser-based TOTP generator you can try right now, check out 2fa.zip.