VPN and SMS Two-Factor Authentication: Why Text Message Codes Leak Your Phone Number Even With Encryption in 2026
SMS 2FA leaks your phone number even through a VPN. Learn why encryption doesn't protect metadata and what alternatives actually work.
Despite using a VPN to encrypt your internet traffic, your phone number remains exposed whenever you rely on SMS two-factor authentication (2FA). This fundamental security gap affects millions of users who believe their VPN provides complete privacy protection. The truth is more nuanced: while a quality VPN service encrypts your web activity, it cannot protect metadata that telecommunications networks transmit outside the encrypted tunnel—and your phone number is metadata that never travels through your VPN connection at all.
Key Takeaways
| Question | Answer |
|---|---|
| Does a VPN protect SMS 2FA codes? | No. VPNs encrypt internet traffic, but SMS messages travel through cellular networks completely outside your VPN tunnel, making your phone number visible to your carrier, the receiving service, and network intermediaries. |
| Why is my phone number exposed? | Metadata exposure occurs because SMS requires your real phone number to be transmitted to telecom infrastructure. This happens at the network layer, before encryption can apply, regardless of VPN usage. |
| What's the difference between SMS 2FA and app-based 2FA? | App-based authentication (like Google Authenticator or Authy) generates codes locally on your device and can be encrypted through your VPN. SMS 2FA relies on unencrypted cellular transmission, making it inherently less secure. |
| Can attackers intercept SMS codes through my VPN? | Not through the VPN itself, but attackers can intercept SMS via SIM swapping, SS7 vulnerabilities, or carrier compromise—threats your VPN cannot prevent because they operate at the cellular network level. |
| What authentication methods work best with VPNs? | Time-based one-time passwords (TOTP), hardware security keys (FIDO2), and biometric authentication are superior alternatives that function securely within your encrypted VPN tunnel. |
| Should I stop using a VPN if I use SMS 2FA? | No. VPNs protect your browsing activity and IP address. SMS 2FA's limitations are separate. Use both, but upgrade to stronger 2FA methods for accounts containing sensitive data. |
| How do I verify if my phone number has been compromised? | Check Have I Been Pwned and your carrier's account activity logs. Enable carrier authentication features and request fraud alerts from your telecom provider. |
1. Understanding the Fundamental Difference Between VPN Encryption and Cellular Networks
A VPN creates an encrypted tunnel for your internet traffic, routing data through a secure server that masks your IP address and encrypts the content of your communications. However, this encryption applies only to data traveling through the internet layer—specifically, your web browsing, email, messaging apps, and other IP-based services. When you send an SMS message, it never enters this encrypted tunnel. Instead, it travels through your mobile carrier's cellular network using the Short Message Service (SMS) protocol, which was designed in the 1990s without modern security considerations.
The critical distinction lies in network layers. Your VPN operates at the application and transport layers (Layers 4-7 of the OSI model), while SMS operates at the link and physical layers (Layers 1-2). This means SMS traffic bypasses your VPN entirely—it's routed through your carrier's infrastructure before your device even processes the message. Your phone number, the recipient's number, the timestamp, and the message content all travel through unencrypted or minimally encrypted channels controlled by telecommunications companies.
How VPN Encryption Actually Works (And Its Limits)
When you connect to a reputable VPN provider, your device establishes a secure connection using protocols like OpenVPN, WireGuard, or IKEv2. These protocols create an encrypted tunnel in which your traffic is protected by strong authenticated encryption (typically AES-256). From the perspective of your internet service provider, websites you visit, or network observers, your actual IP address is hidden, and your traffic appears as encrypted gibberish. This protects against eavesdropping on your browsing habits, location tracking via IP geolocation, and throttling based on content type.
However, VPN encryption has explicit boundaries. It protects data that passes through the internet. SMS messages do not. When your phone sends an SMS, the cellular modem handles the transmission independently of your VPN connection. Your carrier sees your phone number, the recipient's number, and (in many cases) the message content. Even if your VPN is active, even if it's from a top-tier provider like NordVPN or ExpressVPN, the SMS protocol operates outside the encrypted tunnel. This is a physical and logical limitation, not a flaw in VPN technology—it's simply how different network systems are designed.
Metadata vs. Content Encryption: Why Your Phone Number Leaks Regardless
Security experts distinguish between content encryption (protecting what you communicate) and metadata protection (protecting information about your communication). A VPN excels at content encryption but cannot protect metadata that exists outside its scope. Your phone number is metadata—it's not the content of your message, but rather identifying information about the sender and recipient.
Even if SMS messages were encrypted end-to-end (which they largely are not), your phone number would still be exposed to your carrier, the recipient's carrier, and any intermediate network nodes. This is because the routing infrastructure needs your phone number to deliver the message. It's analogous to sending a letter in a sealed envelope—the encryption (sealed envelope) protects the letter's content, but your address remains visible on the outside. Telecommunications networks require this routing metadata to function. Your VPN cannot intercept or encrypt data that never passes through it.
Did You Know? The GSM Association reports that over 8.6 billion SMS messages are sent daily worldwide, yet SMS security standards have remained largely unchanged since their introduction in 1992. Most carrier networks still transmit SMS with minimal encryption.
Source: GSMA Intelligence
2. How SMS 2FA Works and Why It's Fundamentally Vulnerable
Two-factor authentication via SMS works by having a service (like your email provider, bank, or social media platform) send a one-time code to your registered phone number. You receive this code as a text message and enter it to verify your identity. The logic is sound: if someone gains your password, they still cannot access your account without physical possession of your phone. However, this security model depends entirely on the assumption that your phone number is secure and that SMS messages cannot be intercepted. Both assumptions are increasingly violated in practice.
When you initiate SMS 2FA, the process follows these steps: (1) You enter your username and password on a website or app, (2) The service's server generates a random code and sends it to your phone number via SMS, (3) Your carrier routes the message through its network, (4) Your phone receives the message and displays the code, (5) You manually enter the code into the service's website or app, (6) The service verifies the code matches what it sent. At multiple points in this chain, your phone number is exposed and the message is transmitted through unencrypted or inadequately encrypted channels.
The Carrier Network Exposure Problem
Your mobile carrier has access to every SMS message you send and receive. This is not a security flaw—it's how the cellular system is architected. Carriers maintain detailed logs of phone numbers, timestamps, and message content (or at minimum, message metadata). In most countries, carriers are required by law to retain these records for government access. More problematically, carriers sometimes sell anonymized data to third parties, and their security practices vary widely. A breach of your carrier's systems exposes not just your 2FA codes, but also your phone number, your location history (inferred from cell tower data), and your communication patterns.
In practice, we've observed cases where carrier employees have been bribed to provide access to customer records, or where carrier systems have been compromised by sophisticated attackers. In 2023, several major carriers experienced breaches that exposed customer phone numbers and metadata. A VPN cannot protect you from these threats because the carrier has your real phone number regardless of your VPN status. The vulnerability exists at the carrier level, not the internet level.
The Recipient Service's Visibility
When a service sends you an SMS 2FA code, that service knows your phone number. It must—otherwise it cannot send the code. This means every service that offers SMS 2FA has a record of your phone number in its database. If that service is breached, attackers gain access to a list of phone numbers. This has happened repeatedly: breaches of major services have exposed millions of phone numbers. Attackers can then use these phone numbers to attempt account takeovers via SIM swapping or to target you with phishing attacks that reference your real phone number, increasing credibility.
3. The SIM Swap Attack: How Attackers Exploit SMS 2FA
SIM swapping is a sophisticated attack where an attacker convinces your mobile carrier to transfer your phone number to a new SIM card controlled by the attacker. Once they have your phone number on their device, they receive all your SMS messages, including 2FA codes. The attack typically begins with the attacker obtaining your phone number (often from a data breach or public source) and researching your accounts. They then contact your carrier, impersonating you, and request a SIM swap. Carriers vary in how rigorously they verify identity, and many attacks succeed by exploiting weak verification procedures.
The devastating part: even if you're using a VPN, even if you have a strong password, even if you think you're secure, a successful SIM swap attack grants the attacker complete access to any account protected by SMS 2FA. They receive your 2FA codes in real-time and can lock you out of your own accounts. This has happened to high-profile individuals, cryptocurrency holders, and ordinary users. Your VPN provides zero protection against SIM swap attacks because the attack operates at the carrier level, not the internet level.
Real-World SIM Swap Scenarios
Scenario 1: A cryptocurrency investor uses SMS 2FA to protect their exchange account. An attacker researches the investor's phone number from public sources, calls the carrier impersonating the investor, and requests a SIM swap. The carrier transfers the phone number to the attacker's SIM card. The attacker logs into the exchange, triggers the 2FA, receives the SMS code on their device, completes the login, and transfers all cryptocurrency to their wallet. The investor loses hundreds of thousands of dollars. A VPN was irrelevant to this attack.
Scenario 2: A business executive has SMS 2FA enabled on their email account. An attacker performs a SIM swap and gains access to the email. From there, they reset passwords on the executive's bank account, cryptocurrency accounts, and social media. They may also access sensitive company emails. The attack takes minutes once the SIM swap is complete. Again, VPN usage does not prevent this because the attacker's access comes through the legitimate SMS channel after hijacking the phone number.
Why Carriers Struggle to Prevent SIM Swaps
Mobile carriers use various verification methods to confirm your identity before allowing a SIM swap: knowledge-based questions (security questions), account PIN verification, or in-person verification at a retail store. However, these methods have weaknesses. Security questions often use information that's publicly available or easily researched. Account PINs can be discovered through social engineering. In-person verification can be bypassed with fake identification. Carriers also face pressure to process SIM swap requests quickly to maintain customer service ratings, which incentivizes faster (less rigorous) verification. The result is that motivated attackers can often succeed.
Figure: A visual guide to how SIM swap attacks bypass SMS 2FA and the typical attack sequence.
4. SS7 Vulnerabilities and Network-Level SMS Interception
SS7 (Signaling System 7) is the underlying protocol that telecommunications networks use to route calls and SMS messages. It was designed in the 1970s and has been extended multiple times, but it contains fundamental security flaws. Specifically, SS7 lacks strong authentication between network operators. This means that an attacker with access to telecom infrastructure—or who can impersonate a telecom operator—can intercept SMS messages intended for other users.
SS7 vulnerabilities have been documented by security researchers for over a decade. In practice, attackers with sufficient resources (typically criminal organizations or state-sponsored actors) can intercept SMS 2FA codes by exploiting these vulnerabilities. This requires more technical sophistication than a SIM swap, but it's feasible for well-funded attackers. The attack is completely invisible to the victim—they may never know their SMS was intercepted. Your VPN provides zero protection against SS7 attacks because they operate at the cellular network level, outside the VPN's scope entirely.
How SS7 Interception Works in Practice
An attacker with SS7 access can send what's called a "Locate Request" to the telecom network, asking for the location of a specific phone number. They can also send an "SMS Routing Query" that causes SMS messages intended for a target phone to be rerouted to the attacker's device. This is possible because SS7 doesn't require the requesting party to prove they have authorization—it assumes that anyone on the telecom network is legitimate. Once an attacker intercepts an SMS 2FA code, they can use it to access the victim's account in real-time, before the victim even sees the message.
In 2016, security researchers demonstrated SS7 attacks against major banks and cryptocurrency exchanges. They were able to intercept SMS 2FA codes and gain unauthorized access to accounts. The attacks were not theoretical—they worked against live systems. Since then, awareness has increased, but the underlying vulnerability remains because fixing SS7 would require massive coordination across all telecommunications networks worldwide, which hasn't happened.
Why Your VPN Cannot Protect Against SS7 Attacks
A VPN encrypts traffic that passes through the internet. SS7 attacks operate at the cellular network level, which is separate from the internet. Your VPN is not involved in the SMS transmission process. Therefore, no matter how strong your VPN encryption is, it cannot prevent SS7 interception. This is a hard technical boundary: your VPN protects internet-layer communication, but SMS is a cellular-layer communication that bypasses the internet entirely.
Did You Know? The U.S. National Institute of Standards and Technology (NIST) officially discouraged SMS-based 2FA in 2016, citing vulnerabilities like SS7 interception and SIM swapping. Yet SMS 2FA remains widely used because many services have not migrated to stronger alternatives.
Source: NIST Digital Identity Guidelines
5. Data Breaches Exposing Phone Numbers: The Upstream Problem
Even if SMS itself were perfectly secure (which it is not), your phone number is exposed through a different vector: data breaches at services that store your number. Every service you use that offers SMS 2FA maintains a database containing your phone number. If that service is breached, attackers obtain your phone number. This happens regularly. In 2023 alone, major breaches exposed billions of phone numbers. Once attackers have your phone number, they can use it to:
- Attempt account takeovers by calling your carrier and requesting a SIM swap
- Perform targeted phishing attacks that reference your real phone number, increasing credibility
- Purchase additional data about you from data brokers who correlate phone numbers with other personal information
- Conduct SIM swaps preemptively before you even realize your number has been breached
- Target you with SMS-based attacks like smishing (SMS phishing) that use your phone number for social engineering
A VPN cannot protect you from breaches because the breach occurs at the service provider's servers, not on the internet path that your VPN would protect. The service provider has your phone number in plaintext (or poorly encrypted) in their database. If their database is compromised, your phone number is compromised. This is a separate vulnerability from VPN encryption.
The Phone Number as a Master Key
Your phone number is increasingly used as a master identifier across the internet. Password reset flows often use SMS. Account recovery uses SMS. Two-factor authentication uses SMS. If an attacker obtains your phone number and can perform a SIM swap, they can potentially reset passwords on multiple accounts using the SMS recovery process. Your phone number becomes a skeleton key that unlocks multiple accounts. This is why phone number exposure is so serious—it's not just about SMS 2FA, but about all the account recovery mechanisms that depend on SMS.
Minimizing Phone Number Exposure
While you cannot prevent breaches (they're beyond your control), you can minimize the exposure of your phone number by: (1) Using a secondary phone number or virtual phone number for less-critical services, (2) Avoiding putting your real phone number on public profiles, (3) Being cautious about services you share your number with, (4) Regularly checking Have I Been Pwned to see if your phone number has been exposed in known breaches, and (5) Enabling fraud alerts with your carrier.
6. Comparing SMS 2FA with App-Based and Hardware Authentication Methods
The security community has largely moved away from SMS 2FA toward stronger alternatives. Understanding the differences helps you make informed decisions about which authentication methods to use for your most critical accounts. The primary alternatives are time-based one-time passwords (TOTP), hardware security keys (FIDO2), and biometric authentication. Each has different security properties and trade-offs.
Authentication Methods Comparison
| Method | Security Level | Phishing Resistant | VPN Compatible | Recovery Risk |
|---|---|---|---|---|
| SMS 2FA | Low-Medium | No | No (operates outside VPN) | High (SIM swap, SS7) |
| TOTP (Google Authenticator, Authy) | Medium-High | No | Yes (fully compatible) | Medium (backup codes needed) |
| Hardware Keys (YubiKey, Titan) | Very High | Yes | Yes (USB/NFC) | Low (physical backup key) |
| Biometric (Face ID, Fingerprint) | Medium-High | Partially | Yes (device-based) | Medium (varies by device) |
| Push Notifications (Duo, Okta) | Medium-High | Partially | Yes (app-based) | Medium (depends on app) |
Time-Based One-Time Passwords (TOTP)
TOTP is an open standard (RFC 6238) that generates time-based codes on your device without requiring a network connection. Apps like Google Authenticator, Authy, and Microsoft Authenticator implement TOTP. When you enable TOTP 2FA, the service provides you with a secret key (usually displayed as a QR code). You scan this QR code with your authenticator app, and the app begins generating 6-digit codes that change every 30 seconds. You enter these codes to authenticate. The codes are generated locally on your device using the secret key—they never travel through SMS or any network. This means your VPN status is irrelevant; TOTP works perfectly whether you're using a VPN or not.
TOTP is significantly more secure than SMS 2FA because: (1) Codes are generated locally, not transmitted over cellular networks, (2) Attackers cannot intercept codes because they're not sent anywhere, (3) Your phone number is not exposed (TOTP enrollment needs only the shared secret, not a phone number), and (4) SIM swaps and SS7 attacks are irrelevant. The main limitation of TOTP is recovery: if you lose your device, you cannot generate new codes. To mitigate this, services typically provide backup codes (10-20 single-use codes) that you can save in a secure location. If you lose both your device and your backup codes, account recovery can be difficult.
Hardware Security Keys (FIDO2/WebAuthn)
Hardware security keys are physical devices (like YubiKey, Google Titan, or Ledger) that generate cryptographic proofs of your identity. When you authenticate using a hardware key, you insert the key into your computer (via USB) or tap it against your phone (via NFC), and the key performs a cryptographic operation that proves you possess the key. The key never sends your password or any code that could be intercepted—it only sends a cryptographic proof. This makes hardware keys immune to phishing, SIM swapping, SS7 attacks, and all the vulnerabilities we've discussed.
Hardware keys are the most secure form of 2FA available today. They're phishing resistant because the cryptographic proof is tied to the specific website's domain—a phishing site cannot use the same proof. They work perfectly with VPNs because they communicate via USB/NFC, which is not affected by VPN status. The main drawbacks are: (1) Cost ($30-100 per key), (2) You need physical possession of the key to authenticate, (3) Some older services don't support hardware keys yet, and (4) You need a backup key in case you lose the primary key. For your most critical accounts (email, cryptocurrency, banking), hardware keys are worth the investment.
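The phishing resistance described above comes from concrete checks on the relying-party side, so here is a small model of the WebAuthn assertion ceremony in Python. It is an added example, not code from the article or from any FIDO library. One simplifying assumption: the credential's private key is modelled as an HMAC key known to both the "authenticator" and the relying party, so the signature is HMAC-SHA256 rather than ECDSA P-256; what gets signed (authenticatorData followed by SHA-256 of clientDataJSON) and the checks the relying party performs follow the WebAuthn procedure. A second simplification: a real browser would refuse to sign for a look-alike domain at all, because no credential is registered for that RP ID; the model lets the signing happen so the server-side rejection is visible. All domains, keys and challenges are constructed.

```python
"""Relying-party checks that make a FIDO2/WebAuthn assertion useless to a
look-alike site.  Added example, not from the article or any FIDO library.
Assumption: credential key modelled as an HMAC key (stand-in for ECDSA).
"""
import hashlib
import hmac
import json
from typing import Tuple

FLAG_USER_PRESENT = 0x01


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def client_data_json(origin: str, challenge: str) -> bytes:
    """clientDataJSON as the browser builds it.  The origin field is filled in
    by the browser from the page's real origin; page script cannot override it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}, separators=(",", ":")).encode()


def browser_get_assertion(credential_key: bytes, page_origin: str,
                          challenge: str) -> Tuple[bytes, bytes, bytes]:
    """Browser plus authenticator.  The RP ID defaults to the page's host, so
    authenticatorData carries the hash of whichever site actually asked."""
    rp_id = page_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    client_data = client_data_json(page_origin, challenge)
    auth_data = sha256(rp_id.encode()) + bytes([FLAG_USER_PRESENT]) + (0).to_bytes(4, "big")
    signature = hmac.new(credential_key, auth_data + sha256(client_data), hashlib.sha256).digest()
    return client_data, auth_data, signature


def rp_verify_assertion(credential_key: bytes, rp_id: str, expected_origin: str,
                        expected_challenge: str, client_data: bytes,
                        auth_data: bytes, signature: bytes) -> str:
    """Relying-party verification.  Returns "ok" or the name of the first failed check."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "malformed clientDataJSON"
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch"      # stale or replayed assertion
    if cd.get("origin") != expected_origin:
        return "origin mismatch"         # the browser was on a different site
    if auth_data[:32] != sha256(rp_id.encode()):
        return "rp id mismatch"          # authenticator scoped it to another RP
    if not (auth_data[32] & FLAG_USER_PRESENT):
        return "user presence not asserted"
    expected_sig = hmac.new(credential_key, auth_data + sha256(client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, signature):
        return "bad signature"           # signed fields were altered in transit
    return "ok"


# Constructed demo values: a credential registered with bank.example.
CRED_KEY = b"constructed-demo-credential-key"
RP_ID, ORIGIN = "bank.example", "https://bank.example"
CHALLENGE = "constructed-random-challenge"
LOOKALIKE_ORIGIN = "https://bank-login.example"


def legitimate_login() -> str:
    cd, ad, sig = browser_get_assertion(CRED_KEY, ORIGIN, CHALLENGE)
    return rp_verify_assertion(CRED_KEY, RP_ID, ORIGIN, CHALLENGE, cd, ad, sig)


def relayed_from_lookalike_site() -> str:
    """Real-time relay: the look-alike site forwards the bank's challenge to the
    victim and forwards the browser's answer back.  The browser stamped the
    look-alike origin into clientDataJSON, so the bank rejects the assertion."""
    cd, ad, sig = browser_get_assertion(CRED_KEY, LOOKALIKE_ORIGIN, CHALLENGE)
    return rp_verify_assertion(CRED_KEY, RP_ID, ORIGIN, CHALLENGE, cd, ad, sig)


def relayed_with_fields_rewritten() -> str:
    """Rewriting origin and rpIdHash to the bank's values does not help either:
    the signature covers the original fields and no longer verifies."""
    cd, ad, sig = browser_get_assertion(CRED_KEY, LOOKALIKE_ORIGIN, CHALLENGE)
    rewritten_cd = client_data_json(ORIGIN, CHALLENGE)
    rewritten_ad = sha256(RP_ID.encode()) + ad[32:]
    return rp_verify_assertion(CRED_KEY, RP_ID, ORIGIN, CHALLENGE, rewritten_cd, rewritten_ad, sig)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed   :", relayed_from_lookalike_site())
    print("rewritten :", relayed_with_fields_rewritten())
```

Contrast this with a TOTP or SMS code: a six-digit number carries no information about where it was typed, so a relayed code verifies just as well as a genuine one. The WebAuthn assertion fails precisely because the origin and RP ID are inside the signed data.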
Figure: A visual comparison of how different authentication methods protect against common attack vectors, demonstrating why SMS 2FA is the weakest option.
7. How to Upgrade From SMS 2FA: Step-by-Step Implementation Guide
If you're currently using SMS 2FA, upgrading to stronger authentication methods is one of the highest-impact security improvements you can make. The process is straightforward and typically takes 15-30 minutes per account. Here's a comprehensive guide to transitioning away from SMS 2FA.
Step 1: Audit Your Accounts and Prioritize
First, identify which accounts are protected by SMS 2FA. Make a list of your most critical accounts—these are accounts that would cause the most damage if compromised. Typically, this includes: (1) Email accounts (primary and secondary), (2) Cryptocurrency/financial accounts, (3) Banking apps, (4) Password managers, (5) Cloud storage accounts, and (6) Social media accounts with sensitive information. Prioritize upgrading 2FA on these accounts first. Less critical accounts (online shopping, forums, etc.) can be upgraded later.
For each account, check what 2FA methods are available. Log into the account's security settings (usually under "Account," "Security," or "Privacy & Security"), navigate to the two-factor authentication section, and note which methods are offered. Most major services now offer TOTP and many offer hardware key support. Create a spreadsheet documenting each account and its available 2FA methods.
Step 2: Choose Your Authentication Method
Decide which authentication method(s) to use. For most users, a combination approach is ideal: (1) TOTP (Google Authenticator or Authy) for most accounts, as it's free, secure, and widely supported, and (2) Hardware keys (YubiKey or Google Titan) for your most critical accounts (email, password manager, cryptocurrency). If you choose TOTP, select an authenticator app. Google Authenticator is simple but offers limited features. Authy is more feature-rich and allows backup of codes. Microsoft Authenticator integrates with Microsoft accounts. Choose based on your preferences and which services you use most.
If you choose hardware keys, purchase at least two keys (one primary, one backup). This prevents being locked out if you lose your primary key. Popular options include: YubiKey 5 Series ($45-60), Google Titan Security Key ($30-50), or Ledger Nano S Plus ($79). Test the keys with a non-critical account first to familiarize yourself with the process.
Step 3: Disable SMS 2FA and Enable TOTP
For each account you're upgrading, follow these steps: (1) Log into the account, (2) Navigate to Security or Two-Factor Authentication settings, (3) Find the option to disable SMS 2FA (you may need to verify your identity first), (4) Select the option to enable TOTP or authenticator app, (5) Your account will display a QR code and a secret key, (6) Open your authenticator app and scan the QR code (or manually enter the secret key if scanning fails), (7) The app will begin generating 6-digit codes, (8) Enter the current code into the website to verify setup, (9) Save the backup codes provided by the service in a secure location (password manager or encrypted file), and (10) Confirm that SMS 2FA is disabled.
Important: Save the backup codes immediately after enabling TOTP. These codes are your recovery mechanism if you lose your device. Store them in your password manager (like Bitwarden or 1Password) or in an encrypted file. Do not store them in plaintext on your computer or in a cloud service without encryption.
Step 4: Set Up Hardware Keys for Critical Accounts
For your most critical accounts (email, cryptocurrency, password manager), add hardware key authentication. The process varies slightly by service, but generally follows this pattern: (1) Log into the account, (2) Navigate to Security settings, (3) Find the option to add a security key or hardware key, (4) Insert your hardware key into the USB port (or prepare to tap via NFC), (5) The website will prompt you to touch the key or confirm the action on the key, (6) Complete the action on the hardware key, (7) The website will confirm the key has been registered, (8) Repeat the process with your backup hardware key, and (9) Test the key by logging out and logging back in using the key.
After setting up hardware keys, you typically have the option to keep TOTP as a backup method or to require both hardware key and TOTP. For maximum security, require both. This means an attacker would need both your hardware key and your authenticator app to gain access, significantly raising the barrier.
Step 5: Test Your New Authentication Setup
Before considering the upgrade complete, test your new authentication method by logging out and logging back in. Verify that: (1) You can successfully authenticate using TOTP or hardware key, (2) The backup codes work if you need to use them, (3) You can still access your account if your primary authentication method is temporarily unavailable, and (4) SMS 2FA is truly disabled (check the security settings to confirm). This testing prevents surprises when you actually need to log in later.
Step 6: Document Your Setup and Create a Recovery Plan
Create a recovery plan for worst-case scenarios. Document: (1) Which accounts use which authentication methods, (2) Where your backup codes are stored, (3) Where your hardware keys are stored (physical location), (4) Contact information for account recovery if you lose access, and (5) Instructions for a trusted family member to follow if something happens to you. Store this documentation in a secure, encrypted location that a trusted person can access if needed.
8. The Role of VPNs in a Layered Security Strategy
While VPNs cannot protect SMS 2FA, they remain an essential component of a comprehensive security strategy. The key is understanding what VPNs actually protect and using them in combination with other security measures. A layered security approach means using multiple security tools that protect against different threats. VPNs protect against certain threats (ISP snooping, network eavesdropping, IP-based tracking), while strong 2FA protects against account takeovers. Together, they provide much better protection than either alone.
What VPNs Protect Against
VPNs are effective against: (1) ISP snooping—your internet service provider cannot see which websites you visit, (2) Network eavesdropping—attackers on public WiFi cannot intercept your passwords or data, (3) IP-based tracking—websites cannot determine your real location or identity from your IP address, (4) DNS leaks—when the VPN client routes DNS through the tunnel, your DNS queries are encrypted as well, preventing your ISP or network administrator from seeing which sites you access, and (5) Bandwidth throttling—your ISP cannot throttle specific types of traffic because they cannot see the content. These are legitimate and important protections that remain valuable even as SMS 2FA is phased out.
What VPNs Cannot Protect Against
VPNs are not effective against: (1) Weak passwords—a VPN doesn't strengthen your password, (2) Phishing attacks—a VPN doesn't prevent you from entering your credentials on a fake website, (3) Malware—a VPN doesn't protect your device from malicious software, (4) SIM swapping—a VPN operates at the internet layer, not the cellular layer, (5) SS7 attacks—these operate at the telecom level, outside the VPN's scope, and (6) Account-level compromises—if a service storing your account information is breached, a VPN doesn't prevent the breach. Understanding these limitations helps you avoid over-relying on VPNs for protection they cannot provide.
Recommended VPN Usage Alongside Stronger 2FA
Use a reputable VPN service for general internet privacy, especially on public WiFi networks or when accessing sensitive accounts. Simultaneously, upgrade to TOTP or hardware key 2FA for your critical accounts. This combination provides layered protection: the VPN protects your general browsing and prevents ISP snooping, while strong 2FA protects your accounts against the most common attacks (credential stuffing, phishing, SIM swapping). Neither tool makes the other obsolete—they protect against different threats.
Did You Know? According to Verizon's 2023 Data Breach Investigations Report, 74% of data breaches involved human interaction (phishing, social engineering, or credential compromise). Strong 2FA is more effective against these attack vectors than network-level protections like VPNs.
Source: Verizon DBIR
9. Carrier-Level Protections and Account Security Features
Beyond upgrading your 2FA method, you can take steps at the carrier level to reduce your vulnerability to SIM swaps and related attacks. Most major carriers (Verizon, AT&T, T-Mobile, etc.) offer security features designed to prevent unauthorized SIM swaps and account changes. These features add friction to the SIM swap process, making it harder for attackers to succeed.
Carrier Security Features to Enable
Contact your carrier and ask about: (1) Account PIN—set a strong, unique PIN that must be provided before any account changes, (2) Port Freeze—prevent your phone number from being transferred to another carrier, (3) SIM Lock—prevent SIM card changes on your account, (4) Name/Address Lock—prevent changes to your account holder information, and (5) Fraud Alert—request that your account be flagged to require extra verification for any changes. Not all carriers offer all features, but most offer at least some of these protections.
The most effective protection is a combination of a strong account PIN (not a simple 4-digit PIN, but an 8+ character alphanumeric PIN) and a Port Freeze. A Port Freeze prevents your phone number from being transferred to another carrier, which is a common step in SIM swap attacks. A strong account PIN makes it harder for attackers to request a SIM swap without the PIN. Together, these two measures significantly reduce your SIM swap risk.
Monitoring Your Carrier Account
Regularly review your carrier account for unauthorized changes. Check: (1) Your recent bill for unexpected charges, (2) Your account activity log for SIM changes or device changes you didn't authorize, (3) Your phone's settings to confirm you're still using the correct SIM card, and (4) Your account notifications to see if anyone has attempted to access your account. If you notice anything suspicious, contact your carrier immediately and request a detailed investigation.
10. Practical Security Checklist: Implementing a Post-SMS 2FA Strategy
Use this comprehensive checklist to systematically upgrade your security posture and reduce your reliance on SMS 2FA. Work through this checklist methodically, completing each step before moving to the next. This ensures you have a complete, layered defense against account takeover attacks.
- Audit Your Accounts: Create a spreadsheet listing all accounts with SMS 2FA enabled, prioritized by importance (email, crypto, banking, etc.)
- Choose Your Authenticator App: Download Google Authenticator, Authy, or Microsoft Authenticator on your primary device
- Purchase Hardware Keys: If upgrading critical accounts, purchase at least two hardware keys (YubiKey or Google Titan) and test them
- Enable TOTP on Priority Accounts: Starting with your most critical accounts, disable SMS 2FA and enable TOTP, saving backup codes securely
- Set Up Hardware Keys: For email and password manager accounts, register both primary and backup hardware keys
- Test Authentication Methods: Log out and log back into each upgraded account to verify the new authentication method works
- Enable Carrier Protections: Contact your carrier and enable account PIN, Port Freeze, and fraud alerts
- Check for Breaches: Visit Have I Been Pwned and search for your email address and phone number to see if they've been exposed in known breaches
- Review Account Recovery Options: For each account, verify that account recovery methods don't rely solely on SMS (use email recovery or hardware key recovery when available)
- Document Your Setup: Create a secure document listing your authentication methods, backup code locations, and recovery procedures
- Schedule Regular Reviews: Set a quarterly reminder to review your 2FA setup and check for new security features offered by your key accounts
11. Future of Authentication: Moving Beyond SMS and Passwords
The security industry is actively moving away from password-based authentication toward more secure models. Understanding these emerging trends helps you stay ahead of security best practices. The future of authentication is likely to involve passwordless authentication, where you authenticate using something you have (hardware key) or something you are (biometric), rather than something you know (password).
Major technology companies are investing in passwordless authentication. Google has announced plans to make passwordless sign-in the default for all Google accounts. Microsoft is pushing passwordless sign-in for Microsoft accounts. Apple's passkeys (based on WebAuthn/FIDO2) are being integrated into iOS, macOS, and web services. These developments suggest that within the next few years, passwords and SMS 2FA may become obsolete for mainstream services. By transitioning to TOTP and hardware keys now, you're aligning with the direction the industry is moving.
Passkeys and WebAuthn: The Next Generation
Passkeys are a new authentication method built on the WebAuthn standard. Unlike passwords, passkeys are cryptographic key pairs stored securely on your device. Only the public key is ever sent to the service; when you authenticate, your device signs a fresh challenge from the service with the private key, proving it possesses the passkey without ever sending the key itself. Because the signed data is bound to the site the passkey was created for, passkeys are phishing-resistant, cannot be reused across sites, and work seamlessly across devices through cloud synchronization. Services like Dropbox, GitHub, and Dashlane already support passkeys. As more services adopt passkeys, they will become the standard authentication method, completely replacing passwords and SMS 2FA.
Conclusion
Your phone number is exposed whenever you use SMS 2FA, regardless of whether you're using a VPN. This is not a flaw in VPN technology—it's a fundamental characteristic of how cellular networks and SMS operate. VPNs encrypt internet traffic, but SMS messages travel through cellular networks that operate outside the VPN's scope. Your phone number is metadata that must be transmitted to cellular infrastructure for SMS to work, and this transmission happens at the carrier level, beyond any encryption a VPN can provide. SIM swaps, SS7 attacks, carrier breaches, and service breaches all expose your phone number and undermine SMS 2FA's security, and VPNs cannot prevent any of these attacks.
The solution is to upgrade to stronger authentication methods: TOTP for most accounts and hardware security keys for your most critical accounts. These methods work perfectly with or without a VPN and are immune to SIM swaps, SS7 attacks, and most phishing attempts. Combined with carrier-level protections (account PIN, Port Freeze) and regular security monitoring, this approach provides substantially better protection than SMS 2FA. Visit Zero to VPN to learn more about how VPNs fit into a comprehensive security strategy, and understand what privacy and security tools actually protect against. Our independent testing methodology ensures you get honest, unbiased information about security tools and best practices.
Sources & References
This article is based on independently verified sources. We do not accept payment for rankings or reviews.
- Zero to VPN: zerotovpn.com
- Have I Been Pwned: haveibeenpwned.com
- GSMA Intelligence: gsma.com
- NIST Digital Identity Guidelines: pages.nist.gov
- Verizon DBIR: verizon.com

ZeroToVPN Expert Team
Verified Experts, VPN Security Researchers
Our team of cybersecurity professionals has tested and reviewed over 50 VPN services since 2024. We combine hands-on testing with data analysis to provide unbiased VPN recommendations.