Quick Take
Salt Typhoon-class telecom intrusions mean SMS codes for 2FA can be intercepted at the carrier signaling layer, not just on your phone. TOTP authenticator apps (Google Authenticator, Microsoft Authenticator, Authy, 1Password, Bitwarden) are not affected by carrier-level interception because the code is generated on your device from a shared secret. CISA's December 2024 mobile communications guidance is explicit: move off SMS. Upgrade Google, Apple, Microsoft, Coinbase, Binance, GitHub, X, Discord, Instagram, Facebook, and Steam to TOTP today. Move banking and email to FIDO2 hardware keys or Passkeys if those services support them. Budget twelve minutes per account.
What changed for US 2FA security in 2024 and 2025
For most of the SMS-2FA era, the practical risk model was straightforward. Either an attacker SIM-swapped you (socially engineered a carrier store rep into porting your number) or they ran a phishing kit that proxied a fake login page and captured the code in real time. The first category was rare, expensive, and largely targeted high-value individuals. The second was defeated by basic user vigilance and modern phishing-resistant flows. SMS 2FA was widely treated as good enough for the average account.
Salt Typhoon broke that model in public. According to FCC public statements and reporting in Wired and the Wall Street Journal through late 2024 and into 2025, the campaign obtained sustained access to the equipment that carries calls, texts, and signaling between the major US carriers. That class of access changes what an attacker can see and do at the protocol layer. They are not stealing a phone. They are sitting on the wire that delivers your SMS code from the verification service to your phone.
CISA's response on December 18, 2024 was the joint advisory AA24-352A "Enhanced Visibility and Hardening Guidance for Communications Infrastructure" with the FBI, NSA, and CSE, plus the consumer-facing Mobile Communications Best Practice Guidance sheet. The carrier guidance is technical. The consumer sheet is two pages and the headline action is unambiguous: do not use SMS as a second factor; use a phishing-resistant authenticator instead.
This is not theoretical advice. NIST SP 800-63B has cautioned against SMS-based authentication since 2017. The 2024 Salt Typhoon disclosure is the moment that academic deprecation became operationally urgent. Most people reading this still receive SMS codes for at least one critical account. That has to change.
What CISA actually published in December 2024
The technical guidance avoids any threat-actor attribution debate and focuses on observed behaviors. Three pieces matter for the average person.
- Carrier signaling is compromised in some networks. The advisory describes intrusions that touched the equipment carriers use to route traffic between each other. This is the layer where an attacker can request or redirect SMS deliveries without ever interacting with your phone.
- SMS one-time codes should be replaced with phishing-resistant authentication. The consumer best-practice sheet calls out hardware security keys and authenticator apps as the recommended alternatives, in that order. SMS is explicitly listed under "avoid".
- End-to-end-encrypted messaging is the new floor for sensitive conversations. The guidance points consumers to Signal, iMessage between Apple devices, and Google Messages RCS between Android devices. Cross-platform SMS and RCS without end-to-end encryption are now treated as compromised by default.
The guidance does not name a country. It does not need to. The behaviors are the operational facts; the geopolitics is for the FCC and the White House. For an end user, the relevant takeaway is that the trust assumption SMS 2FA always relied on (that carrier signaling is safe by default) cannot be maintained any longer.
How SMS interception actually works at the carrier level
SMS 2FA is vulnerable to multiple classes of attack, all of which the average user underestimates.
SS7 and Diameter abuse. SS7 is the legacy signaling protocol that has tied global mobile networks together since the 1970s. Diameter is its modern successor used in LTE and 5G. Both were designed in an era when only a handful of trusted national carriers could touch them. They have no authentication of who is on the other end of a signaling request. An attacker with access to a single misconfigured carrier or a corrupted SS7 hub can issue a "subscriber location update" or an "SMS forwarding" message to redirect texts intended for your number to a node they control. The receiving service, your bank or Google, sees that delivery was confirmed. You see nothing. You never get the text. The attacker reads the code and uses it. This is not new. The risk has been demonstrated by researchers since 2014. What changed in 2024 is that the access required to do it at scale is no longer hypothetical.
VoLTE and 5G IMS attacks. Voice over LTE and the 5G IP Multimedia Subsystem run SMS as packets on the carrier's IP network. Recent academic research published in 2024 and 2025 has shown that misconfigured IMS interconnects leak SMS content in the clear in some networks, and that targeted attackers with a carrier foothold can read SMS without ever touching SS7. CISA's December 2024 guidance to carriers references "IP-based signaling" as a specific hardening priority. That is the IMS layer.
Fake base station (IMSI catcher) attacks. A small device in a parked van forces nearby phones to associate with it as a fake cell tower. SMS in transit can be captured. This was a state-level attack ten years ago. Today the hardware is available on commercial channels for under a few thousand dollars. Targeted, not mass-scale, but real.
SIM swap. The consumer-grade version of the same problem. An attacker calls or visits your carrier, impersonates you with stolen personal data (often bought on underground forums), and convinces a store rep to port your number to a SIM they hold. Your phone goes dead. The next inbound SMS code goes to them. Krebs on Security has documented dozens of high-value SIM swap cases through 2024 and 2025, including six-figure crypto theft. The FCC adopted new SIM-swap and port-out rules effective July 2024 specifically to slow this attack, but enforcement on store-floor reps remains uneven.
The common thread: SMS as a second factor assumes the path between the verification service and your phone is private. None of these attacks require the attacker to break encryption. They route around it. TOTP, by contrast, never sends a code across the carrier network at all.
Why TOTP authenticator apps are not affected
TOTP is defined in RFC 6238. When you scan a QR code to set up "Google Authenticator" or any compatible app, what gets stored on your device is a shared secret. Every 30 seconds the code changes: the app computes HMAC-SHA1 over that secret and the current time step (the Unix timestamp divided by 30), truncates the result, and produces a 6 to 8 digit code. The server, which holds the same secret, runs the same computation and accepts your code if it matches.
There is no transmission of the code over any network until you type it in. There is no SMS. There is no carrier involved. There is no SS7 layer. The shared secret never leaves your device after the initial QR scan. An attacker who owns a US carrier's signaling network has zero ability to read or forge your TOTP code, because the code does not traverse the carrier network at any point.
This is why CISA, NIST, and effectively every modern authentication guidance put TOTP authenticator apps above SMS. They are not perfect. A phishing kit that proxies a fake login page can still trick you into typing the TOTP code into the wrong site. That is a different attack class (we covered the modern version in our adversary-in-the-middle 2FA bypass deep dive). But Salt Typhoon-class carrier intrusions are completely irrelevant to TOTP.
The four authenticator apps worth installing in May 2026:
- Google Authenticator (iOS, Android). Now supports Google account-bound cloud backup so you do not lose codes when you change phones. Set the backup option during install or you will regret it the day your phone dies.
- Microsoft Authenticator (iOS, Android). Strong for Microsoft 365 and Azure environments, supports number-matching push for enterprise scenarios (we covered why number matching defeats MFA fatigue push spam), and offers iCloud and Microsoft account backup.
- Authy (iOS, Android, desktop). Multi-device sync via the Twilio-owned backend, useful if you want a code on your laptop without your phone present. Lost some trust in 2024 after a breach exposed 33 million phone numbers (no secrets, but a reminder that cloud sync has trade-offs).
- 1Password and Bitwarden. Both password managers store TOTP secrets alongside passwords with full end-to-end encryption. Good choice if you already use a password manager and want one fewer app.
One installation rule. When you scan the QR code, also save the recovery codes the service shows you on the same screen. We come back to this later because almost everyone skips it and almost everyone regrets it.
The hardware token tier and where Passkeys fit
Above TOTP sits phishing-resistant MFA. The reference implementation is a FIDO2 hardware security key like YubiKey, Google Titan, or OnlyKey. You touch the key, the browser exchanges a cryptographic challenge with the site, and the response is bound to the exact domain you are on. A phishing site at a lookalike domain cannot replay or forward the response because the domain in the challenge will not match. This is the only second-factor class that defeats real-time AiTM proxy phishing kits.
Passkeys, formalized by the FIDO Alliance Passkeys initiative, are FIDO2 credentials stored in your platform (iCloud Keychain on Apple, Google Password Manager on Android, Windows Hello on Microsoft) and synced across your trusted devices. The cryptography is identical to a hardware key. The trade-off is that the credential lives in a cloud-synced vault instead of a physical token, which is friendlier for normal humans but means the vault provider's account security becomes part of your threat model. As of 2024 FIDO Alliance reporting, Passkey support has crossed every major consumer service (Google, Apple, Microsoft, Amazon, PayPal, eBay, GitHub, X, WhatsApp, TikTok, Adobe). Many services let you set up Passkeys with zero additional hardware.
The practical hierarchy for 2026:
- Hardware FIDO2 key (YubiKey, Titan). Strongest. Best for email recovery accounts, bank logins, enterprise admin accounts, crypto exchanges.
- Passkey on a trusted device. Almost as strong, friendlier UX, good for consumer accounts. Use this for X, Discord, Steam, Amazon, eBay.
- TOTP authenticator app. Good baseline for everything that does not yet support Passkeys. Move every SMS-2FA account to this floor.
- SMS 2FA. Only as a temporary fallback, only if nothing else is available. Plan to remove it.
- No 2FA at all. Unacceptable on any account holding money, identity, or work data.
The migration ladder in one sentence per tier
If you take nothing else from this post, take this. Move every account that supports it to TOTP. Move the accounts you care most about (email recovery, bank, primary crypto, work identity) to FIDO2 hardware keys or Passkeys. Disable SMS 2FA wherever you can do it without losing recovery. Print the recovery codes. Store them in a safe place that is not your phone.
Switch your Google account to TOTP in 6 minutes
Google is the right place to start because Gmail is the recovery vector for most of your other accounts. If your email is compromised, the rest of the upgrade does not matter.
- Open myaccount.google.com/security.
- Under "How you sign in to Google", click "2-Step Verification".
- Click "Authenticator app" and follow the QR code prompts. Scan with Google Authenticator (or 1Password or Bitwarden). Verify with one code.
- Scroll down to "Voice or text message" and click the delete (trash) icon. This removes SMS as a second factor. Google will warn you. Confirm.
- Scroll back up to "Backup codes" and download or print the 10 one-time recovery codes. Store them in your password manager and on paper somewhere offline.
- Optional but strongly recommended: under "Passkeys and security keys", set up a Passkey on the device you are sitting at and a YubiKey if you own one.
Repeat the same flow for every secondary Google account (work, side project, family). Five minutes each.
Switch your Apple ID to phishing-resistant second factors
Apple does not let you turn off Apple ID two-factor because it is woven into iCloud. What you can do is make sure your trusted device list is clean and add Recovery Contacts and a printed Recovery Key.
- On iPhone open Settings, tap your name, then Sign-In and Security, then Two-Factor Authentication.
- Review the list of trusted devices. Remove anything you do not recognize. Each remaining trusted device acts as a Passkey-equivalent second factor.
- Tap "Account Recovery" and add at least one Recovery Contact (a trusted family member with an Apple ID) and generate a Recovery Key. Write the Recovery Key down. Store it offline.
- Tap "Trusted Phone Number" and add a second number you control. SMS to Apple ID will still arrive there, but it is no longer your only path back in.
- If you use Apple Pay or have a serious iCloud Keychain footprint, set up at least one hardware security key under Sign-In and Security, Security Keys. Two YubiKeys (one daily-carry, one safe-stored) is the canonical setup.
Switch Microsoft 365 and personal Microsoft accounts
- Open account.microsoft.com/security.
- Click "Advanced security options".
- Under "Ways to prove who you are", click "Add a new way to sign in or verify" and pick "Use an app". Configure Microsoft Authenticator.
- Once Authenticator is active, remove your SMS phone number from the same screen. Microsoft will warn you. Confirm.
- Scroll to "Passkeys and security keys" and add a hardware key or platform Passkey. Microsoft 365 is the most-targeted consumer cloud identity in 2026 (see our FBI Kali365 advisory writeup for why) so this account deserves a hardware factor if any does.
- Generate and save a recovery code under "Recovery code".
Switch crypto exchanges (Coinbase, Binance)
Crypto exchange accounts are the highest-value SIM-swap targets on the internet. Move them off SMS first, second, and third.
- Coinbase. Settings, Security, 2-Step Verification, choose Authenticator. Scan with Google Authenticator. Verify. Then remove SMS from the same screen. Coinbase additionally lets you require a YubiKey for withdrawals; turn this on if you hold meaningful balances. Print and store the backup codes.
- Binance. Security menu, Two-Factor Authentication, enable Authenticator App. Disable SMS once Authenticator works. Binance also offers hardware security key (FIDO2) and Passkey support; enable at least one. Save the 2FA secret and recovery key in your password manager.
- Kraken, Gemini, Bitstamp, BitGo, Crypto.com. Same pattern. Move to TOTP, then add Passkey or YubiKey if available, then remove SMS.
Crypto exchange withdrawals are where SIM-swap actually empties wallets. The carrier-level SMS interception risk is icing on a cake that was already burning. If you hold serious balances, also enable address whitelisting and withdrawal time-locks where supported.
Switch social platforms: X, Instagram, Facebook, Discord, Steam
Social accounts get hijacked for impersonation scams (we covered the voice-clone "fake arrest" follow-on), reputation damage, and to use as launchpads for further phishing. Same flow, slightly different menu paths.
- X (formerly Twitter). Settings, Security and account access, Security, Two-factor authentication. Enable "Authentication app". Disable "Text message". Add Passkey or Security key on the same screen. Generate a backup code. Note: X requires a paid Blue / Premium subscription to use SMS 2FA at all, but the free TOTP option is what you want regardless.
- Instagram. Settings, Accounts Center, Password and security, Two-factor authentication. Pick the account. Enable Authentication app. Disable SMS. Save recovery codes.
- Facebook. Same Accounts Center path as Instagram. Add a Passkey while you are there; Facebook Passkey support shipped late 2024.
- Discord. User Settings, My Account, Enable Authenticator App. Save backup codes immediately (Discord does not surface them later as smoothly). Disable SMS Backup on the same screen.
- Steam. Steam Guard via the Steam Mobile App is TOTP-equivalent and the only option Valve recommends. Install Steam Mobile, enable Steam Guard Mobile Authenticator, write down the recovery code. Steam Trading requires the mobile authenticator, so this also unlocks safer trading.
Switch GitHub
For developers GitHub is identity. A hijacked GitHub account can lead to malicious commits in shared projects, NPM and PyPI package takeover, and leaked Actions secrets. Treat it like an admin account.
- Open github.com/settings/security.
- Under "Two-factor authentication", click Enable 2FA. Choose Authenticator app. Scan with your authenticator. Verify.
- Save the 16-character recovery codes immediately. GitHub shows them only once.
- Under "Passkeys", add a Passkey or hardware security key.
- If you have an SMS number on the account, remove it once Authenticator and Passkey both work.
- If you publish packages or maintain repos with collaborators, also enable required commit signing and review your Personal Access Tokens for any with overly broad scopes.
The recovery code printout rule
Every service above will offer you a one-time recovery code, a recovery key, or a list of backup codes during the upgrade. Treat these as the most important strings in your life. They are how you get back in when your phone dies, your authenticator app crashes, or you lose the device you set up the Passkey on.
The rule has three parts.
- Save them in your password manager. 1Password, Bitwarden, Apple iCloud Keychain, Google Password Manager all support secure notes. Put the recovery codes there, tagged with the service name and date.
- Print one paper copy. Yes, paper. Store it in a fireproof document box, a home safe, or with a trusted family member. The threat model for recovery is "my house burned down and my phone is in a river", not "an attacker is reading my mail". Paper resists that.
- Never store recovery codes only on the same device as your authenticator app. If they are on the same phone, losing the phone loses both. The point is to separate the recovery factor from the primary factor.
Skipping this step is the single most common reason people end up locked out of their own accounts after a 2FA upgrade. It takes 90 seconds per account. Do it now.
What to do if you are already SIM-swapped
You will know because suddenly your phone has no service and you cannot make calls or send texts. The signal disappears and the SIM card icon shows "no service" or "SOS only". If that happens and you cannot explain it (you did not swap phones, you did not change plans), assume a port-out and move in the next 15 minutes.
- Call your carrier from another phone. Verizon 800-922-0204, AT&T 800-331-0500, T-Mobile 611 from another T-Mobile line or 800-937-8997. Tell them you suspect an unauthorized port-out. Ask them to reverse the port and lock the account.
- From a known-clean device, sign into your most sensitive accounts in priority order: primary email first, then bank, then crypto exchange, then everything else. Change passwords. Revoke active sessions. Remove SMS as a 2FA option. Add a Passkey or TOTP.
- File reports. FCC consumer complaint at consumercomplaints.fcc.gov, FBI IC3 at ic3.gov, FTC at reportfraud.ftc.gov. If money moved, your local police report is also needed for any chargeback or insurance claim.
- Set a carrier port-out PIN that is not your phone number or date of birth. All four major US carriers offer a separate port-out PIN distinct from your account PIN. Set both, set them long, store them in your password manager. This is the single biggest preventative control against repeat SIM swap.
- Move email and bank off SMS permanently. If you did not do it before the swap, do it now.
Why we are publishing this now
SafeBrowz spends most of its time blocking the second-stage phishing pages that target your 2FA code after the social engineering succeeds. We see the kits. We see the lookalike domains. We see the AiTM proxy infrastructure that captures a TOTP code in real time and replays it 30 seconds later. The right answer for that attack class is phishing-resistant MFA: hardware keys and Passkeys.
But the prerequisite for that conversation is that the user is not still on SMS 2FA. As long as SMS is the second factor, none of the upstream improvements matter. Salt Typhoon was the public moment the technical floor of SMS 2FA collapsed. CISA said so explicitly. NIST has been saying so for years. The migration to TOTP is the floor, not the ceiling.
One more reason to move now. The same telecom signaling layer that delivers your SMS 2FA also delivers your account-recovery SMS for password resets, your two-step prompts for "is this you signing in?", and your fraud-alert texts from your bank. Even if you successfully upgrade the 2FA flow itself, every service that still treats your phone number as a backup identity factor is exposed by the same risk. Removing SMS from your security path means removing it everywhere it acts as a recovery factor, not just where it shows up as a code prompt. Audit every account's "alternate phone number" and "recovery phone" fields with the same discipline as the 2FA fields. The migration is only complete when SMS is no longer trusted anywhere in your account stack.
How SafeBrowz blocks the second-stage phishing of 2FA codes
Upgrading from SMS to TOTP removes the carrier-level attack surface. It does not remove the phishing surface. The next attack you will face after the upgrade is a lookalike login page that asks you for your TOTP code in real time and forwards it to the attacker's session within the 30-second validity window. That class of attack is exactly what our 3-layer detection engine is built to catch.
SafeBrowz runs a 3-layer detection architecture: Local + APIs + AI.
- Layer 1 - Local detection: 60+ URL patterns plus 550+ brand-specific signatures (Google, Apple, Microsoft, Coinbase, Binance, GitHub, X, Discord, Instagram, Facebook, Steam, every bank and crypto exchange in our coverage list) plus Cyrillic and Punycode homograph detection plus community blocklists, all running directly inside the extension before the page renders. Lookalike login pages for the services you just upgraded are caught at the URL layer.
- Layer 2 - API reputation: server-side aggregation of Google Safe Browsing, PhishTank, URLhaus, ScamAdviser, and 30+ scam-TLD heuristics. Newly registered lookalike domains (most AiTM phishing kits rotate domains every 24 to 72 hours) surface in these feeds quickly.
- Layer 3 - AI deep scan (Premium): a multi-language content analyzer that reads the rendered page and identifies social-engineering intent regardless of domain. For the 2FA-code phishing class, the giveaway signature is "branded login form on a non-canonical host asking for a 6-digit code". Premium users get this layer in 100+ languages.
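The host-level checks behind Layer 1 and the "branded login form on a non-canonical host asking for a 6-digit code" signature from Layer 3 can be reduced to a small, runnable rule set. The following is an added illustration, not SafeBrowz's engine or signature database: the canonical-host table is a constructed subset of the brands named above, the confusable map covers only a handful of Cyrillic and Greek glyphs, and the lookalike hostnames use the reserved .example TLD.

```python
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed subset of canonical login hosts for the brands the post names.
CANONICAL_HOSTS = {
    "google.com": "google", "apple.com": "apple", "microsoft.com": "microsoft",
    "coinbase.com": "coinbase", "binance.com": "binance", "github.com": "github",
}

# Small confusable table: non-Latin glyphs that render like Latin letters.
# A production system would use the full Unicode confusables data.
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u03bf": "o",
})

# Prompts typical of a second-stage page that wants the TOTP code itself.
CODE_PROMPT = re.compile(
    r"\b(?:6|six)[ -]digit\b|verification code|authentication code", re.I)


def to_unicode(host: str) -> str:
    """Decode punycode (xn--) labels so the rendered form can be inspected."""
    if not host.isascii():
        return host
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # malformed IDN; leave as-is and let later checks run


def scripts_in(label: str) -> set:
    """Set of Unicode scripts used by the letters of one hostname label."""
    return {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}


def registrable(host: str) -> str:
    """Last two labels; a simplification of the public-suffix rules."""
    return ".".join(host.split(".")[-2:])


def classify_host(host: str) -> list:
    """Return the list of findings for a hostname (empty means nothing found)."""
    findings = []
    host = host.rstrip(".").lower()
    shown = to_unicode(host)
    if shown != host:
        findings.append("punycode")
    if any(len(scripts_in(label)) > 1 for label in shown.split(".")):
        findings.append("mixed-script")
    skeleton = shown.translate(CONFUSABLES)  # what the user's eye reads
    reg = registrable(skeleton)
    if reg in CANONICAL_HOSTS:
        if registrable(shown) != reg:
            findings.append("homograph:" + reg)
    else:
        for brand in CANONICAL_HOSTS.values():
            if brand in skeleton:
                findings.append("brand-on-non-canonical-host:" + brand)
                break
    return findings


def page_risk(url: str, page_text: str) -> str:
    """Combine host findings with the page asking for a one-time code."""
    findings = classify_host(urlsplit(url).hostname or "")
    if findings and CODE_PROMPT.search(page_text):
        return "high"
    return "medium" if findings else "low"


if __name__ == "__main__":
    # Constructed sample page text for a lookalike second-stage prompt.
    sample_text = "Enter the 6-digit code from your authenticator app to continue"
    for url in ("https://accounts.google.com/signin",
                "https://coinbase-2fa.example/login",
                "https://\u0430pple.com/auth"):
        print(url, "->", page_risk(url, sample_text))
```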
Detection signatures come from threat-intelligence research and our internal brand database, not from user browsing data. SafeBrowz does not store per-user browsing history.
Pair SafeBrowz with the TOTP upgrade and you close both halves of the modern 2FA attack model: the carrier-signaling half (TOTP solves) and the lookalike-login half (SafeBrowz solves).
Frequently asked questions
Is SMS 2FA actually unsafe for the average person, or only for high-value targets?
It is unsafe for both classes in 2026, just at different scales. SIM swap and SS7 abuse have moved down the threat ladder from nation-state-only to opportunistic criminals, particularly for accounts with crypto or bank balances. CISA's December 2024 consumer guidance is written for the average person, not only for high-value targets. The cost of upgrading to TOTP is roughly twelve minutes per account; the cost of being wrong is your account.
If I move from SMS to TOTP, am I safe from phishing?
Safer, not immune. TOTP defeats carrier-level interception and SIM swap entirely. It does not defeat a real-time AiTM proxy phishing kit that captures the code as you type it and replays it within the 30-second window. For accounts you care most about (email recovery, bank, primary crypto exchange, work identity), upgrade past TOTP to FIDO2 hardware keys or Passkeys, which are bound to the exact origin domain and cannot be forwarded by a proxy.
Which authenticator app should I install if I have to pick one?
Google Authenticator is the safest default for most users because the backup option is well integrated, the UI is simple, and it is unlikely to disappear. Microsoft Authenticator is the right choice if you live in Microsoft 365 or Azure. 1Password or Bitwarden are right if you already use a password manager and want one fewer app to manage. Authy is fine technically but the 2024 phone-number breach makes us less enthusiastic about it for new users.
What happens to my TOTP codes if I lose my phone?
If you set up cloud backup (Google Authenticator with Google account, Microsoft Authenticator with Microsoft account, 1Password and Bitwarden by default, Authy by default), your codes restore on a new phone after you sign in. If you did not set up backup and you did not print the recovery codes for each account, you have to use each service's account recovery flow. This is why the "print recovery codes" step is not optional.
What if a service I use only offers SMS 2FA?
Three options in priority order. First, check the security page once a quarter; many services have added TOTP or Passkey support quietly. Second, ask customer support if there is a hidden option (some banks gate stronger 2FA behind a phone call). Third, set the strongest port-out PIN your carrier allows, use a number that is not your primary phone (a Google Voice or eSIM secondary number dedicated to 2FA is a common pattern), and treat the account as more recovery-fragile than the others.
Did Salt Typhoon actually intercept consumer SMS at scale, or only targeted intercepts?
Public reporting describes targeted access focused on specific phone numbers including law-enforcement intercept targets, not bulk consumer SMS reading. The CISA December 2024 guidance is precautionary; it treats the access level demonstrated as sufficient to justify moving consumers off SMS even though there is no public evidence of mass SMS theft. The threat model is "the capability exists in the wrong hands" rather than "it is being used against you right now". Either way, the migration cost is low enough that the precautionary posture is correct.
Related SafeBrowz coverage
- MFA fatigue push spam attack - why number matching defeats push spam and how it relates to TOTP
- Adversary-in-the-middle 2FA bypass - the modern phishing kit class that captures TOTP codes in real time
- Vishing bank phone scam - the social-engineering attack that often pairs with SIM swap
- WhatsApp 6-digit code takeover scam - the consumer-grade SMS interception attack that has been live for years
- FBI Kali365 Microsoft 365 phishing warning 2026 - OAuth device-code phishing, the post-MFA attack class
- How to spot a fake Microsoft email - the upstream phishing vector for Microsoft account takeover
- Voice cloning fake arrest scam - the social-media-driven follow-on attack to account takeover
- Safe online payments and virtual cards 2026 - protecting the financial side of the same threat surface
- Best anti-scam browser extensions 2026 - browser-side defense layer comparison
- Free URL check tool - paste any 2FA login URL to verify before you type the code
Bottom line: Salt Typhoon was the public moment SMS 2FA stopped being defensible by default. CISA's guidance is unambiguous, NIST has been there since 2017, and the migration path is twelve minutes per account with one paper printout. Move every account to TOTP today. Add a hardware key or Passkey to the accounts that hold your money, your email, or your identity. Block the lookalike login page that comes next. The Salt Typhoon advisory is the warning. What you do in the next hour decides whether you needed it.
Block the lookalike 2FA login page before it asks for your code
SafeBrowz is a free Chrome, Firefox, and Edge extension that runs a 3-layer detection engine (Local + APIs + AI) on every page before it renders. 550+ brands tracked, including Google, Apple, Microsoft, Coinbase, Binance, GitHub, and every major bank. Premium adds AI content analysis in 100+ languages for $14.99 per year, three devices per license. See pricing.