Why is SMS 2 Factor authentication not secure?
Firstly, I would say that there is nothing wrong with 2FA itself; the problem is using 2FA over SMS, which is a typical kind of "mis-configuration".
Secondly, 2FA via SMS is easy to set up and requires no app download or reader, only a mobile phone with a SIM card.
Anyway, NIST, USA has recommended that 1-time SMS is no longer secure to.
SMS Vulnerabilities
- Intercepting SMS codes
- Spoof SMS verification
- Phone account hijacking
Alternative secure authentication options
- OTP method - one-time password
- FIDO U2F (leading option for 2FA) - similar to a smart card with PKI.
- Push Authentication - faster than typing a password
- Multi-Factor Authentication (MFA) - best solution