Google Alerts Users: SMS Codes Are Vulnerable, Switch to Passkeys or Authenticator Apps
Google has issued an urgent security warning, emphasizing that SMS-based verification codes are increasingly susceptible to hijacking by cybercriminals. The company highlighted a surge in infostealer attacks and stressed that users must update their authentication methods to remain secure.
In its latest advisory, Google reported an 84% increase in infostealer attacks globally over the past year, a trend fueled by hackers targeting entire user profiles—including session cookies, tokens, and browsing histories—rather than just passwords. This shift allows attackers to impersonate victims without cracking encryption.
SMS Verification: A Weak Link
For years, two-factor authentication (2FA) using text messages has been considered a key line of defense. However, sophisticated SIM-swapping schemes, telecom-level interceptions, and phishing campaigns have made SMS codes increasingly insecure. Google warns that attackers can redirect numbers, trick users into revealing one-time passwords (OTPs), or intercept unencrypted messages.
The National Security Agency (NSA) has similarly warned against relying on SMS for authentication, noting that it is “fairly simple to redirect SMS messaging and defeat the ‘what you have’ factor.” U.S. cyber agencies also advise avoiding text-based 2FA, as attackers with access to telecom networks can read these messages in transit.
Despite these warnings, billions of accounts—from email to banking to social media—continue to rely on SMS as a primary security layer.
Stronger Alternatives: Passkeys and Authenticator Apps
Experts emphasize that abandoning multi-factor authentication is not the solution; the focus should be on modernizing 2FA. Tech giants including Google, Apple, and Microsoft now encourage the use of passkeys, a cryptographic standard stored securely on users’ devices that replaces traditional passwords.
App-based authenticators, which generate time-sensitive codes that cannot be intercepted by telecom networks, are also strongly recommended. Security specialists warn that leaving SMS as a fallback option undermines stronger protections. As one researcher explained: “If an account can still be unlocked with a password and an SMS, that account is still vulnerable.”
Leading password managers and cybersecurity firms now advise users to disable SMS-based 2FA entirely when stronger options are active.
A Five-Step Security Audit
To reduce exposure in an era of increasingly sophisticated attacks, Google recommends the following security measures for all major accounts:
- Use a strong, unique password or passphrase managed by a password manager.
- Enable a non-SMS authentication method, such as a dedicated authenticator app.
- Disable SMS-based 2FA if stronger options are already enabled.
- Add a passkey wherever the platform supports it.
- Run regular security and privacy checkups available within account settings.
While these steps may seem demanding, security experts emphasize that outdated protections are no longer sufficient. The message from Google and U.S. cyber agencies is clear: modern threats require updated defenses, and users must take proactive measures to protect their accounts.