Just how safe is that two-factor login code?

An investigation into the complexity of the global telecom system has revealed weaknesses in the transmission of secret codes sent via text messages.

When companies generate verification code messages, they usually outsource the job, passing the codes through a thicket of intermediaries. Bethany Rae

Ryan Gallagher, Crofton Black and Gabriel Geiger

Updated Jul 1, 2025 – 9.37am, first published at Jun 30, 2025 – 5.00am

Email LinkedIn Twitter Facebook

Subscribe to gift this article

Gift 5 articles to anyone you choose each month when you subscribe.

Subscribe now

Already a subscriber?

Every day, millions of people sign in to their email, banking app or social media accounts with both their password and a one-time login code they receive by text message. The codes often arrive with a warning: “Do not share this with anyone.” The recipients of those warnings, though, have no way of knowing who saw it before it got to them.

When companies generate messages with one of these so-called two-factor authentication codes, they almost never send them directly. Instead, they outsource the job, passing the codes through a thicket of intermediaries before they arrive at their destinations. Because of inherent weaknesses in SMS – the decades-old technology standard used for text messages – it is possible for entities that handle such messages to see their content. But the complexity of the system means neither the sender nor the recipient can be sure exactly who’s handled them along the way.

Bloomberg Businessweek