Two-Factor Authentication

TOTP vs. SMS Authentication: Why Time-Based Codes Win

11 min read Updated Feb 13, 2026

Compare TOTP and SMS two-factor authentication methods. Learn why time-based one-time passwords are more secure than SMS codes, and how to migrate from text-based 2FA.

Table of Contents

When you enable two-factor authentication on an account, you are often presented with a choice: receive a code via text message (SMS) or use an authenticator app that generates time-based one-time passwords (TOTP). Both add a second layer of security beyond your password, but they are not equivalent. TOTP is more secure, more reliable, and increasingly the recommended standard. This article explains exactly why and helps you migrate away from SMS-based 2FA.

How SMS Authentication Works

SMS-based two-factor authentication is straightforward. When you log in with your password, the service sends a numeric code (typically six digits) to the phone number on your account. You type the code into the login prompt to complete authentication.

The simplicity of SMS 2FA is both its greatest strength and its fundamental weakness. The code travels through the public telephone network – a system designed for voice communication decades before security was a primary concern. That transmission path introduces multiple points of vulnerability.

The SMS Delivery Chain

When a service sends you an SMS verification code, the message passes through several systems:

  1. The service’s application server generates a code and sends it to an SMS gateway provider (Twilio, Vonage, or similar).
  2. The gateway forwards the message to the originating carrier’s SMS center (SMSC).
  3. The SMSC routes the message through the SS7 signaling network to the recipient’s carrier.
  4. The recipient’s carrier delivers the message to the phone associated with the target number.

Each link in this chain is a potential interception point. The code exists in plaintext at every stage. It passes through third-party infrastructure that neither you nor the service directly controls.

How TOTP Authentication Works

TOTP eliminates the transmission problem entirely. During setup, the service and your authenticator app exchange a shared secret – usually by scanning a QR code. From that point on, both sides independently compute the same code using the shared secret and the current time.

The technical details of how TOTP works are defined in RFC 6238. The algorithm combines the shared secret with the current Unix timestamp (divided into 30-second intervals), runs it through HMAC-SHA1 (or SHA-256/SHA-512), and extracts a six- or eight-digit numeric code. Because both the server and your device know the secret and the time, they generate matching codes without any network communication.

This means the verification code never leaves your device. There is nothing to intercept in transit, no carrier to compromise, and no third-party message relay to attack.

SMS Vulnerabilities: Why Text Messages Are Not Secure

The weaknesses of SMS authentication are not theoretical. They are actively exploited by attackers ranging from opportunistic criminals to state-sponsored groups.

SIM Swapping

SIM swapping is the most common attack against SMS-based 2FA. The attacker contacts your mobile carrier – by phone, online, or in person – and convinces them to transfer your phone number to a new SIM card. Once the swap is complete, all SMS messages and calls to your number go to the attacker’s device.

SIM swapping has become industrialized. Attackers bribe carrier employees, use social engineering scripts refined over thousands of attempts, and exploit online account management portals. In some cases, insiders at mobile carriers are paid to perform swaps directly. The FBI’s Internet Crime Complaint Center reported that SIM swapping losses exceeded $68 million in 2021 alone, and the numbers have continued to rise.

High-profile SIM swap victims include Twitter CEO Jack Dorsey (whose Twitter account was hijacked in 2019), cryptocurrency investors who have lost millions, and journalists and activists targeted by government-linked groups. The attack is effective because the carrier’s customer service processes are not designed to resist determined social engineering.

SS7 Protocol Vulnerabilities

The Signaling System 7 (SS7) protocol suite governs how telephone carriers exchange information – call routing, SMS delivery, roaming, and billing. Designed in the 1970s when only a handful of trusted telephone companies had access, SS7 has no authentication or encryption. Any entity with access to the SS7 network can request that SMS messages be rerouted.

Access to SS7 is not as restricted as carriers would like. Surveillance companies sell SS7 access as a service. Researchers have demonstrated interception of SMS messages using SS7 vulnerabilities at security conferences. In 2017, German banks reported that attackers used SS7 exploits to intercept SMS verification codes and drain customer accounts.

While SS7-based attacks require more sophistication than SIM swapping, they are harder to detect and can be performed remotely against targets anywhere in the world.

Real-Time Phishing and Adversary-in-the-Middle Attacks

Modern phishing kits like EvilGinx and Modlishka act as reverse proxies. The victim visits a fake login page that looks identical to the real one. When they enter their password, the phishing server forwards it to the real service. The real service sends an SMS code, the victim enters it on the fake page, and the phishing server relays it to the real service – all in real time.

This attack works against both SMS and TOTP codes because the attacker captures and uses the code within its validity window. However, TOTP’s 30-second window is narrower than SMS codes (which often remain valid for 5-10 minutes), giving attackers less room for error.

The only 2FA method that fully defeats adversary-in-the-middle phishing is hardware security keys using FIDO2/WebAuthn, which cryptographically verify the domain.

SMS Delivery Failures

Beyond security, SMS has reliability problems. Messages can be delayed by carrier congestion, fail to deliver across international boundaries, or arrive out of order. Users traveling internationally may not receive SMS at all if roaming is disabled or if their carrier does not have agreements with local networks.

TOTP codes are generated locally and work offline, on airplanes, in areas with no cell coverage, and across any country. The only requirement is that your device’s clock is reasonably accurate.

TOTP Advantages in Detail

No Network Dependency

TOTP codes are computed locally using the shared secret stored in your authenticator app. You do not need cellular service, Wi-Fi, or any network connection to generate a code. This makes TOTP reliable in situations where SMS is impractical – traveling abroad, working in areas with poor cell coverage, or using a tablet that does not have a phone number.

No Third-Party Transmission

The SMS delivery chain involves your carrier, the recipient’s carrier, SMS gateway providers, and the SS7 network. Each intermediary is a potential point of failure or compromise. TOTP involves only two parties: your device and the service’s server. The shared secret is exchanged once during setup, and after that, no further communication is needed.

Shorter Validity Window

SMS codes typically remain valid for 5-10 minutes. TOTP codes change every 30 seconds, and most implementations accept only the current code and perhaps one adjacent code (to account for clock drift). This tighter window means an attacker who somehow obtains a TOTP code has far less time to use it.

No Phone Number Required

TOTP does not require a phone number. You can use an authenticator app on any device – a phone, a tablet, a desktop computer, or even a password manager that supports TOTP. This is significant for privacy (you do not need to give services your phone number) and for flexibility (you are not tied to a specific carrier or number).

Resistance to Social Engineering

SIM swapping works because carrier customer service representatives can be socially engineered. There is no equivalent attack against TOTP. An attacker cannot call anyone to transfer your authenticator app to their device. The only way to compromise TOTP is to obtain the shared secret itself – which is stored encrypted in your authenticator app or password manager, not at a carrier susceptible to social engineering.

When SMS Is Still Acceptable

Despite its weaknesses, SMS 2FA is dramatically better than no 2FA. If a service only offers SMS as a second factor, enable it. The vast majority of attacks are automated credential-stuffing bots that will move on to easier targets when they encounter any form of 2FA.

SMS is also acceptable as a backup 2FA method when a stronger primary method is configured. Many services allow you to enroll both an authenticator app and a phone number, with SMS serving as a fallback if you lose access to your authenticator.

The risk calculation changes for high-value targets. If you hold significant cryptocurrency, are a public figure, work in sensitive industries, or are likely to be individually targeted, SMS 2FA is insufficient. Use TOTP at minimum, and consider hardware security keys for your most critical accounts.

The Industry Is Moving Away From SMS

The shift from SMS to stronger authentication methods is accelerating. NIST (the National Institute of Standards and Technology) first flagged SMS as a “restricted” authenticator in Special Publication 800-63B in 2017, citing its known vulnerabilities. While NIST stopped short of banning SMS, the designation signaled to the industry that SMS-based verification is being phased out as a recommended practice.

Major services have followed this direction. Google has pushed users toward Google Authenticator and hardware keys. Microsoft encourages the Microsoft Authenticator app over SMS. Twitter (now X) removed SMS 2FA from free accounts in 2023. Banks in the European Union, under the PSD2 directive, have largely moved to app-based authentication for strong customer authentication.

The trend is clear: SMS 2FA is a transitional technology. Services are not removing SMS support overnight, but new implementations increasingly default to TOTP or push-based authentication, and security-conscious organizations are actively migrating away from SMS.

Migrating From SMS to TOTP

Switching from SMS to TOTP is straightforward for most services. The general process:

Step 1: Choose an Authenticator

You need a TOTP-capable app. Options include standalone authenticator apps (Google Authenticator, Microsoft Authenticator, Authy) and password managers with built-in TOTP support (PanicVault, KeePassXC, Bitwarden). For a detailed comparison, see our guide to the best authenticator apps.

Using a password manager as your authenticator has a practical advantage: your TOTP secrets are backed up alongside your passwords in the same encrypted database. If you use PanicVault, your TOTP secrets are stored in a KeePass-format database protected by the same encryption architecture as your passwords, and they travel with your database across all your Apple devices.

Step 2: Update Each Account

For each account where you have SMS 2FA enabled:

  1. Go to the account’s security or 2FA settings.
  2. Look for an option to add an authenticator app or change your 2FA method.
  3. The service will display a QR code or a text-based secret key.
  4. Scan the QR code with your authenticator app (or enter the secret manually).
  5. Enter the verification code your app generates to confirm setup.
  6. If the service asks, choose whether to keep SMS as a backup or remove it entirely.

Step 3: Save Backup Codes

Most services provide a set of one-time backup codes when you configure 2FA. Store these in your password manager or in a secure offline location. Backup codes are your recovery path if you lose access to your authenticator device.

Step 4: Back Up Your Authenticator Secrets

This step is critical and frequently overlooked. If your authenticator device is lost, stolen, or broken, you need to be able to restore your TOTP secrets. With standalone apps like Google Authenticator, this means exporting and securely storing your secrets. With a password manager, your regular database backup covers TOTP secrets automatically.

Prioritize Migration for Critical Accounts

If migrating all accounts at once feels overwhelming, prioritize:

  1. Email accounts – Your email is the master key to most of your other accounts via password reset.
  2. Financial accounts – Banks, investment platforms, cryptocurrency exchanges.
  3. Cloud storage and productivity – Google Workspace, iCloud, Microsoft 365.
  4. Social media – Especially accounts with large followings or business use.
  5. Developer and infrastructure accounts – GitHub, AWS, domain registrars.

TOTP Limitations to Be Aware Of

TOTP is not perfect. Being honest about its limitations helps you make informed decisions.

Phishing is still possible. A real-time phishing relay can capture and use a TOTP code within its 30-second window. TOTP significantly raises the bar compared to SMS, but it is not phishing-proof. Hardware security keys with WebAuthn remain the only fully phishing-resistant option.

Shared secret compromise. If an attacker obtains the shared secret (from the server’s database, from your authenticator app’s storage, or during the initial setup), they can generate valid codes indefinitely. This is why the server-side storage of TOTP secrets matters, and why storing your secrets in an encrypted database (like a KeePass vault) is important.

Clock synchronization. TOTP depends on both parties having synchronized clocks. Most devices sync via NTP and this is rarely an issue, but a device with a significantly wrong clock will generate incorrect codes. Server implementations usually accept codes from adjacent time steps to accommodate minor drift.

Recovery complexity. Losing access to your TOTP secrets without backup codes means going through account recovery processes, which can be slow and frustrating. Proper backup practices – storing secrets in your password manager, saving backup codes, and keeping recovery options current – mitigate this risk.

The Verdict

TOTP is superior to SMS for two-factor authentication by every meaningful security metric. It eliminates the entire class of carrier-based attacks (SIM swapping, SS7 interception), works without network connectivity, requires no phone number, and provides a tighter validity window.

SMS 2FA still has value as a widely available baseline that stops automated attacks. If a service only offers SMS, use it. But for any account where you have a choice, TOTP is the clear winner. And for your most critical accounts, pair TOTP with hardware security keys for the strongest available protection.

The migration from SMS to TOTP is a one-time effort that pays ongoing security dividends. Pick an authenticator, update your accounts, back up your secrets, and move on knowing your second factor is no longer dependent on the security of the public telephone network.

Related Articles

More on The Complete Guide to Two-Factor Authentication

Continue exploring this topic with these related guides.

Google Authenticator vs. Password Manager TOTP: Which Should You Use?

Compare Google Authenticator to built-in TOTP in password managers. Feature-by-feature analysis of backup, sync, encryption, and UX to help you choose the right 2FA method.

10 min read

Hardware Security Keys vs. TOTP Apps: Which Is More Secure?

Compare hardware security keys like YubiKey and Google Titan with TOTP authenticator apps. Analyze phishing resistance, usability, cost, and which 2FA method fits your security needs.

9 min read

How SIM Swapping Bypasses SMS 2FA

Learn how SIM swapping attacks work, why SMS-based two-factor authentication is vulnerable, real-world cases, carrier protections, and how to defend your accounts with TOTP.

10 min read

How to Back Up Your TOTP Codes

Complete guide to backing up TOTP secrets and authenticator codes. Encrypted backups, password manager storage, QR code archiving, and recovery planning.

11 min read

How to Move Your 2FA Codes to a Password Manager

Step-by-step guide for migrating TOTP codes from standalone authenticator apps to a password manager. Covers export methods, re-enrollment, verification, and avoiding lockouts.

11 min read

How to Set Up 2FA on Every Major Service

Step-by-step guide to enabling two-factor authentication on Google, Apple, Microsoft, Amazon, social media, banking, and email services.

10 min read

Protect Your Passwords with PanicVault

A secure, offline-first password manager using the open KeePass format. Your passwords, your file, your control.

Download on the App Store