SMS two-factor authentication used to be the default upgrade: type your password, wait for a text, enter the six-digit code. It was easy to understand, easy to ship, and better than password-only login. But SMS is no longer the end point for account security. Major platforms are pushing users toward passkeys, verified email, authenticator apps, and security keys because phone-number-based recovery has become a common account-takeover path.

That does not mean every user can abandon SMS everywhere today. Many services still offer it. Some services still require it. The practical goal is to move high-value accounts away from SMS where better options exist and to store recovery material in a way that does not create a new weakness.

Quick answer

Use passkeys or hardware security keys first for important accounts. Use authenticator-app TOTP when passkeys are unavailable. Treat SMS as a fallback, not a preferred factor. Store recovery codes in an encrypted vault with the account details they protect.

Why SMS 2FA is losing favor

SMS depends on the phone number ecosystem. That ecosystem was built for communication, not high-assurance authentication. Attackers can target carrier support, SIM swap processes, number porting, voicemail, message forwarding, malware, phishing pages, and social engineering to get or replay codes.

The risk is not theoretical. Microsoft's current support guidance says it is phasing out SMS as a method of authentication and account recovery for personal Microsoft accounts, pointing users toward passkeys and verified email. The FTC also tells consumers that text or email passcodes are the least secure common two-factor method and recommends authenticator apps or security keys when available.

For users, the message is clear: SMS is a useful safety net, but it should not be the strongest protection on accounts that control money, email, cloud files, domains, payroll, healthcare, or identity.

Option 1: passkeys

Passkeys are usually the best everyday replacement when a service supports them well. They are phishing-resistant because the credential is bound to the legitimate website or app. You do not type a one-time code into a page that may be fake. You approve a cryptographic sign-in with a local device PIN, biometric check, or security-key action.

Use passkeys for:

  • Primary email accounts.
  • Cloud storage and device accounts.
  • Banking, payment, tax, and payroll accounts when supported.
  • Password manager and secure vault accounts.
  • Phone carrier and domain registrar accounts.
  • Developer, admin, and business-critical SaaS accounts.

Passkeys still need recovery planning. Register a second authenticator where possible, know which provider stores each passkey, and keep backup methods current.

Option 2: hardware security keys

Hardware security keys can be excellent for high-risk users and high-value accounts. They provide strong phishing resistance and are easier to separate from the phone number layer. The tradeoff is logistics: you need a spare key, a safe place to keep it, and a documented process for replacing a lost key.

If an account supports hardware keys, consider registering at least two. Keep one available and one stored safely. Record which keys are registered and what the recovery process requires.

Option 3: authenticator-app TOTP

TOTP is the familiar six-digit authenticator code that changes every 30 seconds. It is stronger than SMS because the code is generated locally from a secret already stored on your device or vault. It does not rely on your carrier delivering a text message.

But TOTP is not phishing-resistant. If you type the password and the TOTP code into a real-time phishing site, an attacker may relay both to the real service. TOTP also creates recovery work: if you lose the device that holds the TOTP secret, you need backup codes or another recovery method.

Use TOTP when passkeys or hardware keys are unavailable, and store the backup codes carefully.

Option 4: recovery codes

Recovery codes are often overlooked because they are shown only during setup. That is a mistake. A recovery code may bypass your normal second factor when your phone is lost. NIST describes these as look-up secrets and notes that they are not phishing-resistant.

Recovery codes should be treated like emergency keys:

  • Store them in an encrypted account record.
  • Record the date they were generated.
  • Regenerate them after a suspected exposure.
  • Do not save them only inside the account they recover.
  • Do not keep them as screenshots in a synced photo library.

Krypt's answer: store the recovery layer safely

Krypt is a zero-knowledge password manager and secure vault for the account details that often get scattered after a 2FA upgrade. Passwords, TOTP context, recovery codes, support notes, sensitive files, and device-replacement instructions can live together in local-first encrypted storage.

That matters because moving away from SMS is not just a toggle. It is an account migration. You need to know which accounts still use SMS, which now use passkeys, which use TOTP, where the backup codes are, and what happens when your phone changes.

Use Krypt to track:

  • Which accounts still have SMS enabled.
  • Which accounts have passkeys or hardware keys registered.
  • Which accounts use TOTP.
  • Backup codes and generation dates.
  • Phone carrier PINs and account recovery notes.
  • Recovery email and trusted-device details.

A migration plan for normal users

  1. Start with your email account because password resets usually flow through email.
  2. Upgrade your phone carrier account with a strong password, account PIN, and non-SMS options if available.
  3. Turn on passkeys for cloud, banking, payment, and domain accounts where supported.
  4. Move remaining important accounts from SMS to authenticator-app TOTP where passkeys are not available.
  5. Save recovery codes in an encrypted vault record for each account.
  6. Remove old screenshots of QR codes and backup codes after regenerating codes where needed.
  7. Review recovery methods after every phone replacement, SIM change, or device reset.

Do not try to upgrade every account in one sitting. Fix the accounts that can reset everything else first.

FAQ

Is SMS still better than no 2FA?

Usually yes. SMS is weaker than passkeys, hardware keys, and authenticator apps, but password-only login is often worse. Use SMS as a fallback when it is the only available option, then upgrade when the service supports stronger methods.

Should I delete my phone number from every account?

Not blindly. Some services use phone numbers for recovery, fraud alerts, or regulatory contact. Review each account and understand what removing the number changes before you do it.

Where should I store my authenticator QR code?

Do not keep plaintext QR screenshots. If you need to preserve setup context, store it in an encrypted vault record and make sure your backup and Recovery Kit are current.

Technical references

For platform movement away from SMS, see Microsoft's SMS phase-out guidance. For standards language on look-up secrets and out-of-band authentication, read NIST SP 800-63B. For consumer advice, see the FTC's account protection guidance and CISA's MFA page.

Use Krypt to move passwords, TOTP context, and recovery codes out of screenshots and into encrypted vault records.