Security experts have been nearly unanimous in their dislike of unencrypted SMS authentication for over a decade, but business executives — and customers — love its convenience. Cost-cutting may finally do it in for enterprise SMS usage.

CSO Online offers insights into cybersecurity, risk management, and IT leadership, providing articles, reports, and expert analysis to help security professionals navigate the evolving threat landscape and protect their organizations from cyber attacks. By exploring CSO Online's curated content, CISOs, security managers, and IT executives can learn about threat intelligence, security frameworks, and incident response strategies for building resilient cybersecurity programs. Whether you're defending against ransomware, phishing attacks, or insider threats, CSO Online offers resources to strengthen your security posture and safeguard your digital assets.

CSO Online

PayPal has begun notifying customers that it will phase out SMS-based MFA for login starting March 2026, though with no firm end date and with SMS remaining available for fraud-detection checks. Security experts have long criticized SMS authentication for vulnerabilities like SIM swapping and man-in-the-middle attacks, and major companies like Google, Microsoft, and Cisco have already moved away from it. PayPal's shift appears driven by both security alignment and cost reduction — with 25 billion annual transactions, even fractional SMS costs add up, and attackers can trigger millions of fraudulent SMS sends. The rollout has been criticized for mixed messaging: the customer email contained incorrect USB instructions for security keys and linked to a settings page that didn't yet support the change. Experts recommend FIDO2 keys as the most secure alternative, though adoption is hampered by cost and complexity, while authenticator apps are seen as only marginally better than SMS.

PayPal launches latest struggle to get rid of SMS for MFA