#704: The SMS Paradox: Why 2FA’s Weakest Link Still Persists

Why do we still rely on 1980s tech to secure our bank accounts? Explore the dangerous paradox of SMS-based two-factor authentication.

Episode Details
Duration: 30:09
Pipeline: V4
TTS Engine: LLM

AI-Generated Content: This podcast is created using AI personas. Please verify any important information independently.

In the modern digital landscape, our inboxes have become "graveyards" of six-digit confirmation codes. Despite the arrival of sophisticated facial recognition and hardware security keys, the tech industry remains tethered to Short Message Service (SMS) for two-factor authentication (2FA). This creates a fascinating but dangerous paradox: we are using a protocol developed in the 1980s to secure the high-tech infrastructure of the 2020s.

The Problem of the Lowest Common Denominator

The primary reason SMS persists is its universality. For global giants like Google or Meta, security must work for everyone, from a user with the latest flagship smartphone to someone using a decade-old feature phone in a rural village. SMS is the only "universal translator" that doesn't require a data plan, an app store, or a high-speed connection. It only needs a basic cellular signal.

However, this accessibility comes at a steep price. From a business perspective, "friction" is the enemy of adoption. While security engineers might prefer hardware keys, product managers know that forcing users to buy a $50 device or manage complex recovery phrases leads to abandoned accounts. SMS offers "zero friction" because users already know how to receive and read a text message.

Technical and Human Vulnerabilities

The security flaws of SMS are well-documented. Because it is not end-to-end encrypted, an SMS is more like a postcard than a sealed letter. It travels through cellular networks in plain text, making it vulnerable to interception via Signaling System Number 7 (SS7). SS7 is a legacy protocol from the 1970s that governs how phone networks communicate; its inherent lack of authentication allows sophisticated attackers to "trick" the network into rerouting messages to their own devices.

Beyond technical exploits, there is the human element: SIM swapping. Through social engineering, attackers can convince a carrier’s customer service representative to port a victim's phone number to a new SIM card. Once the attacker controls the number, they can intercept 2FA codes and gain total access to banking and email accounts.

The Cost of Security

If these risks are so prevalent, why do financial institutions still use SMS? The answer lies in legacy infrastructure and support costs. Updating 40-year-old banking cores to support modern standards like WebAuthn is an immense financial undertaking. Furthermore, if a user loses access to an authenticator app, it triggers a costly customer support interaction. Companies often calculate that the cost of occasional fraud is lower than the operational expense of managing thousands of locked-out users.

A Life-Saving Bridge

The discussion of SMS is not purely about security failures; in some contexts, its simplicity is a necessity. In Israel, the ultra-Orthodox community often uses "kosher phones"—devices with no internet, cameras, or apps. For this population, SMS and cell broadcasts are the only way to receive life-saving emergency alerts during conflicts. In this specific cultural niche, the "primitive" nature of SMS is its greatest strength, ensuring that tens of thousands of people can be reached in seconds without needing a smartphone.

The Fallback Trap

As the industry moves toward "passkeys"—cryptographic keys stored on devices that are resistant to phishing—a new problem emerges: the fallback trap. Even when users adopt the most secure methods available, the recovery process often defaults back to an SMS code. Until the industry can solve the problem of account recovery without relying on a phone number, the "digital landfill" of six-digit codes is likely to remain a permanent fixture of our digital lives.
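The fallback trap described above is really a weakest-link property: an attacker can choose whichever login factor or recovery channel the service will accept, so the effective assurance of an account is the minimum across every path, not the strength of the best one. The following Python model is an added editorial example (not code from the show or from any vendor) that makes that arithmetic explicit. The assurance ranking it uses (interceptable channel < device-bound secret < phishing-resistant credential) is an assumption chosen for illustration, not a standard's table, and the accounts it evaluates are constructed.

```python
"""Weakest-link assessment of an account's login and recovery paths.

Added illustrative example: the ranking below is an assumption for the
demo, not a published standard. Accounts are constructed sample data.
"""
from dataclasses import dataclass, field
from enum import Enum


class Method(str, Enum):
    SMS_OTP = "sms_otp"          # code over a carrier-controlled number
    EMAIL_LINK = "email_link"    # reset link to a mailbox
    TOTP_APP = "totp_app"        # seed stored on the device, no network
    PASSKEY = "passkey"          # FIDO credential bound to the origin
    HARDWARE_KEY = "hardware_key"  # external FIDO authenticator


# Assumed assurance levels: 1 = interceptable/portable channel,
# 2 = device-bound secret, 3 = phishing-resistant credential.
ASSURANCE = {
    Method.SMS_OTP: 1,
    Method.EMAIL_LINK: 1,
    Method.TOTP_APP: 2,
    Method.PASSKEY: 3,
    Method.HARDWARE_KEY: 3,
}


@dataclass
class Account:
    login_factors: list                      # second factors accepted at login
    recovery_channels: list = field(default_factory=list)  # "forgot password" paths


@dataclass
class Assessment:
    effective_level: int   # min over every path the service will accept
    weakest_path: str      # "login" or "recovery"
    weakest_method: Method
    findings: list         # human-readable notes, e.g. a detected fallback trap


def weakest(methods):
    """The attacker picks the weakest method the service still accepts."""
    return min(methods, key=lambda m: ASSURANCE[m])


def assess(account: Account) -> Assessment:
    """Compute the effective assurance of an account as its weakest link."""
    if not account.login_factors:
        raise ValueError("account has no second factor configured")

    weakest_method = weakest(account.login_factors)
    weakest_path = "login"
    level = ASSURANCE[weakest_method]

    # Recovery only matters if it is weaker than the weakest login factor.
    if account.recovery_channels:
        rec = weakest(account.recovery_channels)
        if ASSURANCE[rec] < level:
            weakest_method, weakest_path, level = rec, "recovery", ASSURANCE[rec]

    findings = []
    strongest = max(
        account.login_factors + account.recovery_channels,
        key=lambda m: ASSURANCE[m],
    )
    if ASSURANCE[strongest] > level:
        # The classic trap: a strong factor undercut by a weaker accepted path.
        findings.append(
            f"fallback trap: {strongest.value} is undercut by "
            f"{weakest_method.value} on the {weakest_path} path"
        )
    if weakest_method in (Method.SMS_OTP, Method.EMAIL_LINK):
        findings.append(
            f"disable {weakest_method.value} on the {weakest_path} path "
            "if the service permits it; otherwise treat the account as "
            "protected only to that level"
        )
    return Assessment(level, weakest_path, weakest_method, findings)


if __name__ == "__main__":
    # Constructed sample: passkey login, but SMS still accepted for recovery.
    trapped = Account([Method.PASSKEY], [Method.SMS_OTP])
    result = assess(trapped)
    print(result.effective_level, result.weakest_path, result.weakest_method.value)
    for note in result.findings:
        print("-", note)
```

Running the sample prints an effective level of 1 on the recovery path, which is the point of the section: the passkey did not raise the account's assurance at all, because the reset flow still accepts a text message. The same function can be run over a list of accounts to find every one whose strongest factor is being undercut by a weaker accepted path.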


Episode #704: The SMS Paradox: Why 2FA’s Weakest Link Still Persists

Daniel's Prompt
Daniel
"Why is SMS still used for two-factor authentication, especially by firms that otherwise have good cybersecurity? Between the reliability issues when traveling or changing phone numbers and the lack of encryption, it seems like a poor choice for security. While it serves a unique role in Israel for emergency alerts to the ultra-Orthodox community who don't use smartphones, why is it still such a persistent standard elsewhere?"
Corn
So, Herman, I was looking through my messages the other day, trying to find a specific confirmation code for a login—you know the drill—and I realized my inbox is basically a graveyard of six-digit numbers. It is just page after page of these expiring codes from banks, social media, even my grocery delivery app. It felt like looking at a digital landfill.
Herman
Herman Poppleberry here, and I know exactly what you mean. It is like a digital fossil record of every time we have tried to prove we are who we say we are. It is actually a bit overwhelming when you look at it all at once. You see the timestamps and realize just how much of our lives is mediated by these tiny, ephemeral strings of digits.
Corn
It really is. And it got me thinking about today's prompt from Daniel, which is about why on earth we are still using short message service, or S-M-S, for two-factor authentication. Daniel points out that even firms with otherwise stellar cybersecurity—we are talking top-tier tech giants and global financial institutions—still rely on it, despite the reliability issues when you are traveling or changing numbers, and the glaring lack of encryption.
Herman
It is a fascinating paradox, right? We are in February of twenty-twenty-six. We have sophisticated facial recognition that maps thousands of invisible dots on your face, we have hardware security keys that are practically unhackable, and we have passkeys becoming the industry standard. And yet, the backbone of digital security for millions of people is a protocol developed in the nineteen-eighties. It is like using a Victorian-era padlock to secure a high-tech server room.
Corn
Exactly. And Daniel also mentioned the unique role it plays here in Israel, specifically for emergency alerts to the ultra-Orthodox community who might not use smartphones. So, I want to dig into that cultural nuance later, but first, let's talk about the standard itself. Why is S-M-S so persistent? If it is objectively less secure than an authenticator app or a physical key, why hasn't it been phased out? Why are we still getting these texts in twenty-twenty-six?
Herman
Well, the short answer is the "lowest common denominator" problem. If you are a massive company, say a global bank or a service like Google or Meta, you need a security method that works for everyone. And when I say everyone, I mean the person with the latest titanium smartphone in San Francisco and the person with a ten-year-old feature phone in a rural village in a developing nation. S-M-S is the only thing that is truly universal. It doesn't require data, it doesn't require an app store, and it doesn't require a high-speed internet connection. It just needs a cellular signal.
Corn
But isn't that a bit of a "security through convenience" trap? I mean, just because everyone has it doesn't mean it is the right tool for the job. We don't use screen doors for bank vaults just because screen doors are easy to open.
Herman
Oh, absolutely. It is a massive compromise. But from a business perspective, friction is the ultimate enemy. If a bank tells a customer they have to download a specific app, manage a recovery phrase, or buy a fifty-dollar hardware key just to check their balance, a huge percentage of those customers are going to get frustrated and give up. S-M-S requires zero setup from the user. You already have a phone number, you already know how to read a text. For a product manager, that "zero friction" is a siren song that is very hard to resist, even if the security engineers are screaming in the background.
Corn
I get the friction argument, but let's talk about the actual security risks. Daniel mentioned the lack of encryption. When I get a code via text, that message is traveling through the cellular network in plain text, right? It is not like my iMessages or my WhatsApp chats.
Herman
Correct. It is not end-to-end encrypted. It is more like a postcard than a sealed letter. It passes through the systems of your mobile carrier, and potentially other carriers if the message is being routed internationally. Each of those points is a potential intercept. And that leads us to the big boogeyman of S-M-S security: Signaling System Number Seven, or S-S-seven.
Corn
I have heard that name come up in security circles. That is the protocol that handles how different phone networks talk to each other, right? It is like the behind-the-scenes switchboard of the global phone system.
Herman
Exactly. And here is the kicker: S-S-seven was designed in the nineteen-seventies, long before anyone was worried about hackers intercepting text messages or state-sponsored actors spoofing identities. It was built on a foundation of trust between a few large national carriers. It is full of vulnerabilities that allow attackers to essentially "trick" the network. If a sophisticated attacker gets access to the S-S-seven network—which they can do by bribing a small carrier or finding a vulnerable entry point—they can essentially redirect calls and messages intended for your number to their own device. They don't even need your physical phone. They just tell the network, "Hey, Corn's number is actually over here now," and the network believes them.
Corn
That is terrifying. It makes the whole "something you have" part of two-factor authentication feel like a lie. I don't "have" my number; the network just thinks I do. And then there is the more common one we hear about, which is S-I-M swapping. That feels more like a human problem than a technical one.
Herman
Yes, and S-I-M swapping is actually more of a social engineering problem. An attacker calls your phone company, pretends to be you—maybe they found your mother's maiden name and your birthdate on a leaked database—and they convince a customer service representative to port your number over to a new S-I-M card that the attacker controls. Once they have your number, they can trigger "forgot password" requests for your email, your bank, your everything. All those two-factor codes go straight to the attacker's phone. We saw a massive wave of this in twenty-twenty-four and twenty-twenty-five, where even high-profile tech executives were getting their accounts drained.
Corn
It feels like such a huge vulnerability for something as critical as banking. I mean, we have seen cases where people have lost their entire life savings because of a S-I-M swap. So, if firms know this, why are they still pushing S-M-S? Is it just about the support calls?
Herman
A huge part of it is legacy infrastructure. Updating a massive banking core that was written in C-O-B-O-L forty years ago to support something like Web-Authn or passkeys is a monumental, multi-million dollar task. But also, think about the support costs. If a user loses their phone and they were using an authenticator app without a cloud backup, they are locked out. That leads to a very expensive, thirty-minute phone call to customer support where a human has to verify their identity. If they are using S-M-S, they just go to the store, get a new phone, put in their S-I-M, and they are back in business. Companies often choose the path of least resistance for their support teams, even if it means a slightly higher risk for the user. They have calculated that the cost of occasional fraud is lower than the cost of a massive increase in support tickets.
Corn
That is a cynical but probably accurate take. But what about Daniel's point about reliability? I have definitely been in situations where I am traveling, I have a local S-I-M card in, and I can't log into a service because it wants to send a code to my home number which isn't active. It is incredibly frustrating to be locked out of your own money because you crossed a border.
Herman
It is a major pain point. And it is even worse if you are in an area with poor cellular reception but great Wi-Fi. An authenticator app works offline or over Wi-Fi because it is just a mathematical algorithm running on your phone. But S-M-S needs that cellular handshake. In twenty-twenty-six, with the world being as mobile as it is, you would think we would have moved past this. But the "universal" nature of S-M-S keeps it on life support.
Corn
You would think so. Now, let's pivot to the Israel-specific context Daniel mentioned. He talked about how S-M-S serves a unique role for the ultra-Orthodox community here. For those who aren't familiar, can you explain what a "kosher phone" is? Because it is a very specific piece of technology.
Herman
Sure. Within certain ultra-Orthodox, or Haredi, communities, there is a strong desire to limit exposure to the internet and unfiltered content for religious and cultural reasons. So, they use what are called "kosher phones." These are usually basic feature phones—think old-school Nokia bricks—where the internet browser, the camera, and even standard messaging apps are disabled at the hardware or firmware level. They are strictly for voice calls and, in many cases, very basic S-M-S. They are even marked with a specific seal of approval from a rabbinical committee.
Corn
Right, so for this community, a smartphone app for two-factor authentication or a modern emergency alert app is physically impossible to use. They don't have an app store. They don't even have a data plan.
Herman
Exactly. And this became a huge issue for public safety. Israel has a very sophisticated emergency alert system called "Red Alert" or "Tzeva Adom." Most people have an app on their smartphone that blares an alarm the second a rocket is detected headed for their area. But if you are using a kosher phone, you don't have apps. During the conflicts we have seen over the last few years, this created a dangerous information gap.
Corn
So the solution was to use the cellular broadcast system and S-M-S?
Herman
Yes. The Home Front Command worked to ensure that these emergency alerts could be pushed through as high-priority S-M-S messages or even automated voice calls to these devices. They also use "Cell Broadcast," which is a different protocol that sends a message to every phone connected to a specific tower, regardless of the number. In that specific context, S-M-S isn't just a convenience; it is a life-saving bridge to a community that has intentionally opted out of the smartphone ecosystem. It is the only way to reach tens of thousands of people in seconds.
Corn
That is a really important nuance. It shows that while S-M-S might be "primitive" from a security standpoint, its simplicity is also its strength in terms of accessibility. It is a technology that doesn't care how smart your phone is. It is the "universal translator" of the digital age.
Herman
Precisely. But that brings us back to the question: can we have both? Can we have the accessibility of S-M-S for those who need it, while moving the rest of the world toward more secure standards? Because right now, it feels like the "legacy" option is holding everyone back.
Corn
Well, that is where things like passkeys come in, right? We have talked about this before, but it feels like in twenty-twenty-six, we are finally seeing a real push to replace passwords and two-factor authentication with something more integrated.
Herman
We are. Passkeys are based on the F-I-D-O two standards, and they essentially turn your device itself into the security key. Instead of a code being sent to you, your phone or computer uses a cryptographic key pair to prove your identity. It is much more secure because the "secret" never leaves your device, and it is inherently resistant to phishing. An attacker can't trick you into typing a passkey into a fake website because the browser itself handles the handshake and will only talk to the legitimate domain.
Corn
But even with passkeys, don't you often need a fallback? And isn't that fallback usually... S-M-S?
Herman
You hit the nail on the head. That is the "trap" Daniel is talking about. Even if you use the most secure method available, if the service allows you to reset your access via an S-M-S code, then your security is only as strong as that S-M-S link. It is the weakest link in the chain. It is like having a high-security biometric lock on your front door, but leaving a spare key under a plastic rock in the garden.
Corn
So, why don't companies let us disable S-M-S recovery entirely? I know some services like Google or certain high-security crypto exchanges allow it, but for my local bank, it is not even an option. I have to have a phone number on file.
Herman
It goes back to that fear of the "locked out" user. Companies are terrified of a customer losing their physical security key or their phone and having no way to get back into their account. They see S-M-S as the ultimate "safety net" because most people will eventually get their phone number back from the carrier, even if they lose their device. From a liability standpoint, they would rather you get hacked because of a S-I-M swap—which they can blame on the carrier—than have you lose access to your money because you lost a YubiKey, which they would have to explain to you.
Corn
It is a trade-off between absolute security and absolute recoverability. And most firms are choosing recoverability because it is better for their bottom line and their support metrics.
Herman
Exactly. But I think we are starting to see a shift. The National Institute of Standards and Technology, or N-I-S-T, in the United States actually recommended against using S-M-S for two-factor authentication as far back as twenty-sixteen. They didn't outright ban it, but they labeled it "deprecated," which is a fancy way of saying "use this only if you have no other choice." And in twenty-twenty-four, we saw new regulations in the European Union that started putting more pressure on banks to move toward "strong customer authentication" that isn't easily intercepted.
Corn
Ten years ago N-I-S-T said it was a bad idea! And yet here we are in twenty-twenty-six. It is amazing how slowly these standards move. I mean, think about the billions of dollars spent on cybersecurity every year, and yet this massive hole remains open for the sake of convenience.
Herman
It is also worth mentioning that the cost of S-M-S isn't zero for these companies. Sending billions of international text messages is actually quite expensive. There is a whole industry of "S-M-S aggregators" that charge companies for every code sent. Some companies are actually moving away from S-M-S not because of security, but because they are tired of the bill!
Corn
That is hilarious. So it won't be the hackers that kill S-M-S, it will be the accountants.
Herman
Honestly, that is often how it happens in tech. But there is another factor: "International S-M-S O-T-P Fraud," or Artificially Inflated Traffic. This is a fascinatingly devious scam where fraudsters partner with corrupt or complicit mobile network operators in certain countries. They then use bots to trigger thousands of two-factor authentication requests from a company's website to phone numbers in those countries. The company pays the aggregator, the aggregator pays the network operator, and the fraudster gets a kickback from the operator.
Corn
Wait, so the companies are paying for the privilege of being spammed with fake authentication requests?
Herman
Exactly. Elon Musk actually talked about this when he took over Twitter, now X. He claimed the company was losing sixty million dollars a year to fraudulent S-M-S messages. Whether that sixty million number is exact or not, the problem is very real. It is one of the reasons many platforms started charging for S-M-S two-factor authentication or pushing people toward authenticator apps. They realized they were being bled dry by bots.
Corn
That is a huge incentive to move away from it. If it is insecure, unreliable, and expensive, the writing should be on the wall. But let's talk about what the alternative looks like for the average person. If I want to be as secure as possible today, in twenty-twenty-six, what should I be doing?
Herman
The gold standard is still a hardware security key, like a YubiKey. It is a physical device you plug into your computer or tap against your phone via N-F-C. It is virtually impossible to phish because the key only works on the legitimate website it was registered for. An attacker can't trick you into "typing in" your YubiKey. It is a hardware-level handshake.
Corn
But most people aren't going to carry a physical key on their keychain. It feels a bit "secret agent" for the average person.
Herman
Right. So the next best thing is a dedicated authenticator app. Google Authenticator, Microsoft Authenticator, or my personal favorite, something like Two-F-A-S or Raivo, which are open source and allow for encrypted backups. These apps generate Time-based One-Time Passwords, or T-O-T-P.
Corn
And those don't rely on the cellular network, so they work when you are traveling or in a basement with no signal.
Herman
Exactly. And since the "seed" for the code is stored on your device, it can't be intercepted via S-S-seven or redirected via a S-I-M swap. It is significantly more secure.
Corn
So, if I have a choice between S-M-S and an authenticator app, I should always pick the app. But here is the catch: many services don't give you the choice to only use the app. They force you to have a phone number on file as a backup.
Herman
And that is the problem. If the phone number is there, it is a backdoor. My advice to people who are really concerned is to use a "V-O-I-P" number, like Google Voice, for their two-factor authentication if the service allows it. Those numbers aren't tied to a physical S-I-M card, so they are immune to traditional S-I-M swapping. You can protect your Google account with a hardware key, which then protects your Google Voice number, creating a much more secure chain.
Corn
That is a clever workaround. But it is still a workaround. It shouldn't be this hard to be secure.
Herman
It shouldn't. But we are in this awkward transition period. We are moving from the "something you know," which is a password, to "something you have," which is your phone or a key. S-M-S was the first attempt at "something you have," but it turns out the thing you "have" is actually a virtual number controlled by a third-party carrier, not the device in your pocket.
Corn
That is a great way to put it. You don't really "have" your phone number in the way you think you do. You are just renting it from a carrier who can be tricked into giving it to someone else.
Herman
Precisely. And in Israel, that "rental" is even more complex because of the regulations around kosher phones and the way the numbers are allocated. There is a whole specific numbering range for kosher lines. If you try to port a kosher number to a non-kosher device, it often won't work because the system recognizes the prefix, which actually adds a weird layer of "unintentional security" to those lines.
Corn
I never thought about that! The restriction itself becomes a security feature. But for the rest of us, the lack of encryption is still a major issue. If I am on a public Wi-Fi or even just using a cellular tower that has been compromised by a "Stingray" device... wait, are Stingrays still a thing in twenty-twenty-six?
Herman
Oh, absolutely. International Mobile Subscriber Identity catchers, or "Stingrays," have only gotten smaller and more sophisticated. They pretend to be a legitimate cell tower, and your phone connects to them because they broadcast a stronger signal. Once you are connected, they can intercept any unencrypted traffic, which includes your S-M-S two-factor codes. It is a classic "man-in-the-middle" attack.
Corn
It feels like the more we talk about this, the more insane it seems that we still use this system. It is like leaving the key to your high-security vault under the doormat and just hoping no one looks there.
Herman
It really is. But again, look at it from the perspective of a company like a major airline. They have millions of customers, many of whom are infrequent travelers who might only log in once a year. If they force a complex security standard, their help desk will be overwhelmed every holiday season. They would rather deal with the occasional fraud case than a million "I can't log in" calls. It is a cold, hard calculation of risk versus cost.
Corn
So, what is the "aha moment" here? Is there a version of the future where S-M-S for security finally dies?
Herman
I think the "aha moment" is realizing that S-M-S was never meant to be a security tool. It was a messaging tool that we hijacked for security because it was convenient. The death of S-M-S two-factor authentication will happen when passkeys become the default on every new smartphone and computer. When your "login" is just your thumbprint or your face, and the cryptography happens in the background, the need for a six-digit code sent via a nineteen-seventies protocol just evaporates.
Corn
I can't wait for that day. No more scrolling through a graveyard of expiring codes. No more worrying if my S-I-M card is being swapped while I sleep.
Herman
We are getting there. Apple, Google, and Microsoft are all pushing passkeys very hard now. The challenge is the "long tail" of older websites and services that will take a decade to catch up. We will be talking about this in twenty-thirty, I am sure.
Corn
And what about the kosher phone users? Will they be left behind in a passkey-only world?
Herman
That is a great question. There will likely always be a need for a "voice-based" or "legacy" fallback for those communities. Perhaps a dedicated hardware token that doesn't require internet? Some banks already offer those little "fob" devices that generate a code. They are basically an offline version of an authenticator app.
Corn
Right, the little R-S-A tokens. I remember my dad having one of those for work years ago. It felt so high-tech at the time.
Herman
Exactly! Everything old is new again. Those tokens are actually much more secure than S-M-S because they aren't connected to a network. They are air-gapped. If we could get those into the hands of people who don't use smartphones, that would be a huge step up from S-M-S.
Corn
It is interesting how the solution might actually be "going back" to older, more specialized hardware rather than relying on a "one size fits all" messaging system.
Herman
Definitely. Specificity is often the friend of security. The more "general purpose" a tool is, like S-M-S, the more attack vectors it has.
Corn
That makes a lot of sense. So, let's wrap this up with some practical takeaways for our listeners. Because even though the system is flawed, we still have to live in it for now.
Herman
Right. Number one: If a service offers an authenticator app option, take it. Immediately. Go into your settings, enable the app, and if it lets you, disable S-M-S as a backup.
Corn
Number two: If you are worried about S-I-M swapping, call your mobile carrier and ask them to put a "port freeze" or a "secondary password" on your account. It is not perfect, but it adds another layer of friction for an attacker.
Herman
Number three: For your most critical accounts, like your primary email and your bank, consider buying a hardware security key. They are relatively cheap now—you can get one for twenty-five or thirty dollars—and the peace of mind is worth it.
Corn
And number four: Be aware of the "recovery" trap. Check your "forgot password" settings. If your ultra-secure account can be reset by a single text message to your phone, you are still vulnerable. You need to secure the recovery path as much as the login path.
Herman
And finally, for our listeners in Israel or those traveling here, understand the context. S-M-S is still a vital lifeline for emergency services and certain communities. It is a reminder that technology doesn't exist in a vacuum; it has to serve the needs of the people where they are, even if that means using a less-than-perfect standard.
Corn
That is a great point. It is easy to criticize the tech from a purely theoretical standpoint, but the reality on the ground is always more complicated.
Herman
Exactly. It is about balancing the "ideal" with the "functional."
Corn
Well, Herman, I think we have thoroughly deconstructed the "weirdness" of S-M-S today. It is a relic, a vulnerability, a life-saver, and a multi-million dollar fraud engine all at once.
Herman
It is the ultimate digital duct tape. It is holding everything together, even though we know we should probably be using real bolts.
Corn
Beautifully put. And hey, if you have been enjoying our deep dives into these weird prompts, we would really appreciate it if you could leave us a review on your podcast app. Whether it is Spotify or Apple Podcasts, those ratings really help more people find the show.
Herman
Yeah, it genuinely makes a difference for us. We love seeing the feedback and it helps us keep this collaboration going. We read every single one.
Corn
This has been My Weird Prompts. You can find all our past episodes, including our deep dives into other security topics, at myweirdprompts dot com. We have an R-S-S feed there for subscribers and a contact form if you want to reach out.
Herman
And if you have a prompt of your own, or just want to say hi, you can email us at show at myweirdprompts dot com. We are available on all the major platforms, so make sure to subscribe wherever you listen.
Corn
Thanks for joining us in Jerusalem today. We will be back soon with another prompt from Daniel.
Herman
Until next time, stay secure and stay curious.
Corn
Goodbye everyone!
Herman
Goodbye!

This episode was generated with AI assistance. Hosts Herman and Corn are AI personalities.