Key takeaways

  • SMS codes travel over networks you don't control and can be intercepted or redirected.
  • SIM swapping lets an attacker receive your texts without ever touching your phone.
  • An authenticator app generates codes offline, so there's nothing to intercept.
  • Any 2FA beats none — but move high-value accounts off SMS where you can.

Two-factor authentication (2FA) adds a second step to logging in: something you know (your password) plus something you have (a code). The idea is rock solid. The problem with SMS isn't the concept — it's the delivery. Text messages were never designed to carry secrets, and several weaknesses follow from that.

1. SIM swapping

Your phone number isn't really tied to your phone — it's tied to a record at your carrier. In a SIM swap, an attacker convinces (or bribes, or socially engineers) the carrier to move your number to a SIM they control. Once they do, your texts — including 2FA codes — arrive on their device. You may not even notice until your own phone loses signal. This is the single most common way SMS 2FA is defeated, and it has drained countless bank and crypto accounts.

2. Network interception (SS7)

The global telephone signalling system, SS7, has known flaws that let well-resourced attackers reroute or read text messages remotely. You don't have to do anything wrong for this to happen — the weakness is in the network itself, far outside your control.

3. Phishing and lock-screen leaks

SMS codes are just as easy to phish as passwords — a fake login page simply asks for the texted code too. And because texts often preview on your lock screen, anyone glancing at your phone can read a code without unlocking it.


Don't panic and disable SMS everywhere. If a service only offers SMS 2FA, it's still far better than a password alone. The goal is to upgrade to an authenticator app wherever the option exists — especially for email, banking and anything financial.

Why an authenticator app is safer

An app like Moat uses TOTP (time-based one-time passwords): it generates each code from a secret stored on your device, combined with the current time. Two things change everything:

That removes the entire class of carrier- and network-based attacks in one move. App-based codes can still be phished in real time (so always check the domain you're on), but they close the doors that SMS leaves wide open.

The short version

Ranked from weakest to strongest, your everyday options look like this: password only → SMS code → authenticator app → passkey / hardware key. Most people get the biggest single jump in security by moving from SMS to an authenticator app — and it takes about a minute per account.