If you are used to receiving a six-digit code by text message when you log in, you might wonder why Cloudbeds encourages switching to a different method. Here is a plain-language explanation.
What is changing right now
- New users can no longer select SMS or Email as their MFA method. These options are no longer available during account setup.
- Existing users on SMS or Email MFA are being moved to more secure methods in batches. If your account is part of an active migration batch, you will be prompted to set up a new method when you next log in.
This is an active, ongoing change - not a future recommendation. If you have not yet switched, your migration may already be scheduled.
The postcard problem
Imagine you need to send someone a secret code. You write it on a postcard and drop it in the mailbox. It will probably arrive safely - but because it is a postcard, anyone who handles it along the way can read it: the postal worker, a neighbor who picks up the mail, or someone sorting at the post office.
That is essentially how SMS text message codes work. The code travels through the phone network as readable data, passing through multiple providers along the way.
How attackers exploit SMS
There is a specific attack called SIM swapping. In plain terms, it works like this:
- An attacker calls your phone carrier, claims to be you, and says they have a new phone.
- The carrier transfers your phone number to a SIM card the attacker controls.
- Your phone stops receiving calls and texts.
- The attacker now receives your verification codes and can use them to log into your accounts.
SMS is also vulnerable to real-time phishing attacks, where an attacker captures your code the moment you enter it on a fake login page and immediately uses it on the real platform - before it expires. Passkeys and Hardware Security Keys are the only methods that are immune to this type of attack.
What to use instead
| If you... | Switch to this |
| --- | --- |
| Have an iPhone, iPad, or Mac | Sign in with Apple |
| Use Gmail or Google Workspace | Sign in with Google |
| Want the highest security | Passkey |
| Prefer a mobile app | Okta Verify or Google Authenticator |
| Don't use a smartphone | Security Key (YubiKey) or Desktop Passkey |
The switch takes about 5 minutes. See: Reset Multi-Factor Authentication to choose your new method.
What if I haven't been migrated yet?
Your account will be migrated as part of an ongoing rollout. We recommend switching proactively rather than waiting - this avoids any disruption to your login during a busy shift. See: Choose the Best Login & MFA Method for You to get started now.
What makes the alternatives safer?
The methods Cloudbeds recommends use a completely different approach:
- Passkeys and Social Login (Apple/Google): Your login credential is stored directly on your device and protected by your fingerprint, face scan, or device PIN. It never travels over a network. An attacker cannot steal what never leaves your device.
- Authenticator Apps: The code is generated locally on your device using a shared mathematical key. Even if someone intercepted the code (which is extremely difficult), it is only valid for 30 seconds and cannot be reused.