For years, enabling multi-factor authentication (MFA) has been one of the best things a business could do to protect accounts and devices.
Most companies added MFA by sending a 6-digit code by text message to an employee’s phone. It’s simple, familiar, and easy for everyone to use.
Many Albuquerque businesses rely on it every day when logging into:
- Email accounts
- Accounting systems like QuickBooks
- Payroll platforms
- Bank portals
- Cloud storage and business software
But there’s a problem.
Text message authentication was never designed to be a security tool. SMS was created for convenience, not protection. It runs through cellular networks that have several known weaknesses.
Cybercriminals know many businesses still depend on SMS authentication. Because of that, attackers have developed ways to intercept those messages without ever touching your phone.
For local businesses that rely on online systems to serve customers and manage finances, this can create a serious risk.
SIM Swapping: It All Started with a Text Message
Picture this. It’s a normal Thursday morning at an Albuquerque business.
The team is busy logging into email, QuickBooks, and client portals.
One employee tries to log into Microsoft 365 and receives a six-digit verification code by text message.
They type the code in and continue working.
A few minutes later, the phone suddenly loses service.
No signal.
At first it seems like a normal carrier issue. Cell service can be spotty in some areas of Albuquerque.
But something else is happening.
Behind the scenes, a criminal has just convinced the mobile carrier to transfer that employee’s phone number to a new SIM card.
Now the attacker receives every text message meant for that phone.
Including:
• Multi-factor authentication codes
• Password reset links
• Banking alerts
• Email recovery messages
Within minutes, the attacker begins resetting passwords and taking over accounts.
For the business, what looked like a minor phone issue quickly turned into a major security incident.
And it all started with a six-digit text message.
The Real Problem With Text Message Codes
Text-message MFA still improves security compared to using a password alone, but modern attackers have learned how to get around it.
One common tactic to bypass MFA is phishing. Picture an employee receiving an email that looks like a login request for Microsoft 365 or another business tool.
The employee enters their password and then types in the SMS code they receive.
The problem is that they just entered that information into a fake website controlled by an attacker.
Within seconds, the attacker uses that code to log into the real account.
Phishing-Resistant Authentication
To stop modern attacks, businesses are starting to move toward phishing-resistant MFA.
Instead of sending a code that users type into a website, this method uses cryptography to verify the identity of the user and the website itself.
If someone tries to log in on a fake or look-alike website, the authentication simply fails.
Even if the employee clicks a phishing link, the login won’t work. The system recognizes that the website domain is not legitimate.
Listed below are three modern phishing-resistant alternatives to 6-digit text MFA:
1. Hardware Security Keys
One of the strongest authentication options available today is a hardware security key.
These are small physical devices that look similar to a USB drive.
Here’s how they work:
• The user inserts or taps the key when logging in
• The key verifies the identity of the real website
• If everything matches, access is granted
There are no codes to type and nothing for attackers to intercept.
Unless someone physically steals the key from the user, they cannot access the account.
For businesses handling sensitive data, such as accounting firms or financial offices, security keys provide extremely strong protection.
2. Authenticator Apps
Sometimes using a physical key isn’t practical for every employee.
In those cases, mobile authenticator apps are a strong alternative.
Apps like Microsoft Authenticator or Google Authenticator generate security codes directly on the phone instead of sending them through text messages.
Because the codes are created locally on the device, they aren’t vulnerable to SIM swapping attacks.
However, attackers have tried new tricks.
One example is notification fatigue attacks, where a user receives repeated login approval requests until they eventually tap “approve” just to make the alerts stop.
Modern authenticator apps now address this by using number matching.
Instead of simply approving a request, the user must enter a number displayed on their login screen. This confirms they are the person actually trying to log in.
3. Passkeys: The Future of Login Security
Many modern systems are also beginning to replace passwords entirely with passkeys.
A passkey is a secure credential stored on your device and unlocked with biometrics, such as a fingerprint or facial recognition.
Passkeys are phishing-resistant and tied to the device being used.
They can also sync across devices within the same ecosystem, such as Apple, Microsoft, or Google accounts.
For IT teams, passkeys offer another major benefit.
There are no passwords to reset or store, which reduces help desk requests and improves overall security.
Helping Employees Adapt to Stronger Security
Moving away from SMS authentication requires change, and change can cause pushback.
Employees are used to receiving text codes. It feels quick and familiar.
That’s why education is important.
When employees understand how SIM swapping and phishing attacks work, they’re far more willing to adopt stronger security methods.
For most organizations, a phased rollout works best.
General employees may transition gradually, while high-risk accounts, such as administrators or executives, should move immediately to phishing-resistant authentication.
Accounts with elevated access should never rely on SMS codes.
The Risk of Doing Nothing
Continuing to rely on SMS authentication creates a false sense of security.
It may appear to satisfy certain compliance requirements, but it still leaves systems vulnerable to modern attacks.
For many businesses, upgrading authentication provides one of the highest returns on investment in cybersecurity.
A single compromised account can lead to stolen financial data, ransomware attacks, or business disruption.
Preventing that risk is far easier than recovering from it.
Protecting Albuquerque Businesses
At Haider Consulting, we work with businesses throughout Albuquerque, Rio Rancho, and across central New Mexico to improve cybersecurity and reduce risk.
If your business is still using SMS-based authentication, we can help you transition to modern, phishing-resistant security methods that protect your data and your clients.
👉 Schedule your FREE Discovery Call below or give us a call at 505-821-6070
Because real security shouldn’t depend on a six-digit text message.





