Executive Summary
It is effectively impossible to reliably use virtual phone numbers (VoIP) for SMS-based two-factor authentication (2FA) with most financial institutions, healthcare providers, and government services. This is not a technical limitation but a policy choice embedded in a system involving multiple actors—carriers, banks, regulators, SMS aggregators, and database providers—whose interests converge on maintaining SMS 2FA tied to physical SIM cards despite NIST guidance deprecating this approach since 2016.
Part 1: The Technical Infrastructure
1.1 How Number Type Detection Works
When a service sends an SMS 2FA code, the message passes through SMS aggregators (Twilio, Plivo, Bandwidth, etc.), which query carrier databases to determine the “line type” of the destination number. [1] The key data sources are:
- NPAC (Number Portability Administration Center): The authoritative database for U.S. telephone numbers, managed by iconectiv since 2018. Contains routing and carrier data for over 1 billion numbers. [2]
- Carrier APIs: Direct queries to telecommunications backbones that return whether a number is classified as “wireless,” “landline,” or “VoIP.” [3]
- Third-party lookup services: Companies like IPQS, Data247, and NumLookup aggregate data from multiple sources. [4]
These databases classify numbers into three primary categories:
- Mobile/Wireless (“Is Wireless: y”)
- Landline/Fixed
- VoIP/Fixed-line VoIP (e.g., Bandwidth.com, Level 3 Communications)
When a number is ported to a VoIP provider, the carrier database updates to reflect the new classification. A number that was originally “wireless” becomes “fixed-line” or “VoIP” once ported to Google Voice, voip.ms, or similar services. [5]
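An added example, not code from any aggregator, lookup vendor or cited source: an enrollment check that normalizes line-type labels from several lookup sources, trusts the most recent record so that a ported number is seen as VoIP, and restricts only the SMS option while still offering carrier-independent factors. The label strings, source names, record fields and option names are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Raw label -> normalized class. Label strings are assumptions for this
# example, not any lookup vendor's actual schema.
LABELS = {
    "wireless": "mobile", "mobile": "mobile",
    "landline": "landline", "fixed": "landline",
    "voip": "voip", "fixed-line voip": "voip",
}
# On same-day disagreement, prefer the class that is stricter for SMS.
STRICTNESS = {"mobile": 0, "landline": 1, "voip": 2}

@dataclass(frozen=True)
class LookupRecord:
    source: str      # hypothetical source name
    line_type: str   # raw label as returned by that source
    as_of: date      # when the source last refreshed this number

def classify(records):
    """Normalized line type from the most recent recognizable record."""
    usable = []
    for r in records:
        label = LABELS.get(r.line_type.strip().lower())
        if label:
            usable.append((r.as_of, label))
    if not usable:
        return "unknown"          # no usable data: SMS is not offered
    newest = max(d for d, _ in usable)
    return max((t for d, t in usable if d == newest), key=STRICTNESS.get)

def enrollment_options(records):
    """Offer carrier-independent factors always; SMS only for mobile lines."""
    line_type = classify(records)
    options = ["totp", "hardware_key"]
    if line_type == "mobile":
        options.append("sms_restricted")  # SMS is a restricted authenticator
    return line_type, options

# Constructed sample: a wireless number later ported to a VoIP provider.
PORTED = [
    LookupRecord("source-a", "Wireless", date(2023, 1, 10)),
    LookupRecord("source-b", "Fixed-line VoIP", date(2024, 6, 2)),
]
MOBILE = [LookupRecord("source-a", "wireless", date(2024, 6, 2))]

if __name__ == "__main__":
    for name, recs in (("ported", PORTED), ("mobile", MOBILE)):
        print(name, enrollment_options(recs))
```

A stale cached record alone would still classify the ported number as mobile, which is why the check compares refresh dates instead of taking the first answer.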
1.2 Short Codes and VoIP Incompatibility
Banks and other services often send 2FA messages from short codes—5- or 6-digit numbers (e.g., “20736”) rather than standard 10-digit numbers. The routing infrastructure for short codes is fundamentally different from that for long codes, and VoIP services have inconsistent support for receiving short code messages. [6]
As one forum user discovered: “Google Voice numbers are not true mobile phone numbers; they are fixed-VoIP landline numbers with text messaging spliced on, via a third-party system.” [7]
Part 2: The Security Model and Its Origins
2.1 NIST Special Publication 800-63B
The definitive U.S. government guidance on authentication is NIST SP 800-63B. The critical passage states:
“Methods that do not prove possession of a specific device, such as voice-over-IP (VOIP) or email, SHALL NOT be used for out-of-band authentication.” [8]
NIST’s rationale, explained in their 2016 blog post:
“That’s why we’re proposing that federal agencies first verify that the phone number is truly attached to mobile phone. If not (and the user happens to protect her or his VoIP account with a password), the user might now be protecting sensitive personal information with two passwords—that’s two of one factor type (two of ‘something you know’) rather than two different factors.” [9]
The assumption is that a physical SIM card proves possession of a device, while a VoIP number—accessible from any internet-connected device—does not. This is the foundational assumption of the security model.
2.2 The Possession Assumption Is Flawed
The NIST model assumes that SMS to a mobile number proves device possession. However:
- SIM swap attacks allow attackers to hijack phone numbers without physical access. The FBI reported nearly $26 million lost to SIM swap attacks in 2024 alone. [10]
- SS7 protocol vulnerabilities enable mass interception of SMS messages. Metro Bank (UK) became the first major bank to suffer an SS7-based attack targeting SMS 2FA codes. [11]
- Carrier employee complicity has been documented in numerous cases. A T-Mobile arbitration in 2025 awarded $33 million to a victim whose cryptocurrency was stolen after a SIM swap. [12]
The irony: VoIP accounts protected by strong passwords and TOTP may be more secure than mobile numbers vulnerable to SIM swaps, yet VoIP is blocked while SMS to mobile numbers is permitted.
2.3 Why NIST Didn’t Fully Deprecate SMS
NIST initially proposed full deprecation of SMS for 2FA in 2016 but walked it back in the final 2017 publication. Industry pressure was a factor. TeleSign, an SMS verification company, filed formal comments arguing:
“While SMS OTP vulnerabilities exist, we believe they are difficult to achieve ’en masse’. The threat types cited in the documentation apply broadly against all smartphone based security methods… SMS alone should not be singled out for deprecation.” [13]
The final SP 800-63B Rev 4 (2024) classifies SMS as a “restricted authenticator”—still allowed but with additional requirements and migration planning expectations. [14]
Part 3: The Actors and Their Incentives
3.1 Wireless Carriers
Incentive: Retain subscribers; maintain revenue from monthly plans; avoid liability for fraud.
Actions:
- Lobbied for extensions to FCC SIM-swap prevention rules. CTIA (the wireless industry trade group), Verizon, AT&T, T-Mobile, and others petitioned for a 12-month delay beyond the July 2024 compliance deadline. [15]
- Argue in Terms of Service that “no security measures are perfect” to disclaim liability. Courts have sometimes accepted this defense. [16]
Structural position: Carriers benefit from SMS 2FA because it keeps customers dependent on maintaining active mobile plans. A customer who could receive 2FA via VoIP has one fewer reason to maintain carrier service.
3.2 Banks and Financial Institutions
Incentive: Minimize fraud losses while minimizing customer friction; shift liability away from themselves.
Actions:
- Block VoIP numbers for 2FA based on carrier database lookups. [17]
- Rarely offer TOTP or hardware key alternatives, even though these are more secure.
- When SIM swap fraud occurs, banks often deny reimbursement claims, arguing the transaction was “authorized” because correct 2FA codes were entered. [18]
Structural position: SMS 2FA allows banks to claim they implemented “multi-factor authentication” while externalizing the security infrastructure (the phone number system) to carriers. If fraud occurs, banks can point to carrier failures rather than their own authentication design choices.
3.3 SMS Aggregators (Twilio, Bandwidth, etc.)
Incentive: Maximize message volume; maintain carrier relationships; avoid delivering to high-fraud-risk numbers.
Actions:
- Provide carrier lookup APIs that identify VoIP numbers. [19]
- Offer verification services that filter out VoIP numbers. [20]
- Position themselves as fraud prevention partners to enterprises.
Structural position: SMS aggregators are the plumbing of the 2FA ecosystem. They profit from every verification message sent. Their business model depends on SMS remaining the dominant 2FA channel.
3.4 NPAC/iconectiv (Database Administrator)
Incentive: Maintain authoritative position in telecom infrastructure; expand data licensing revenue.
Actions:
- Provide number portability data to carriers and authorized third parties. [21]
- Offer fraud mitigation data products derived from porting history. [22]
Structural position: iconectiv is the neutral infrastructure provider whose database classifications determine whether a number is “acceptable” for 2FA. Their classifications propagate throughout the system.
3.5 Regulators (FCC, NIST)
Incentive: Balance consumer protection against industry compliance costs; respond to lobbying pressure.
Actions:
- FCC adopted SIM-swap prevention rules in November 2023 with a July 2024 compliance date, then partially granted industry requests for delay. [23]
- NIST maintains guidance deprecating VoIP for authentication while allowing SMS to mobile numbers.
Structural position: Regulators set the framework but leave implementation details to industry. The FCC explicitly stated it was “wary of setting rigid requirements that would impose significant burdens” on carriers. [24]
Part 4: The Emergent Lock-In Effect
No single actor mandated that citizens must own smartphones to access essential services. Rather, the combination of:
- Banks choosing SMS 2FA as the path of least resistance
- Banks blocking VoIP to reduce fraud liability
- NIST guidance treating VoIP as inferior to SMS
- Carriers profiting from mandatory mobile subscriptions
- SMS aggregators profiting from message volume
- Lack of regulatory requirement for TOTP/hardware key alternatives
…creates a de facto mandate that participation in modern financial and healthcare systems requires:
- A smartphone capable of eSIM/Wi-Fi calling (to receive SMS)
- An active wireless carrier relationship
- Submission to whichever data collection the chosen platform (iOS/Android) performs
This is the “surveillance state” lock-in you identified: not a top-down mandate but an emergent outcome of uncoordinated institutional decisions that align to force consumers into specific technology relationships.
Part 5: What Would Be Required to Change This
5.1 Regulatory Intervention
- FCC: Could require that services accepting SMS for 2FA also offer non-SMS alternatives (TOTP, hardware keys, email).
- CFPB: Could rule that banks cannot deny fraud claims solely because “correct 2FA codes were entered” when the compromise occurred at the carrier level.
- Congress: Could mandate that essential services (banking, healthcare, government benefits) provide authentication alternatives not dependent on mobile carriers.
5.2 Industry Self-Regulation (Unlikely)
Banks could voluntarily offer TOTP and hardware key support. Some do (Fidelity, Schwab, Vanguard support Symantec VIP or YubiKey). [25] But the majority do not, and there is no market pressure forcing them to change.
5.3 Consumer Workarounds (Limited)
The only reliable workaround is to maintain a real mobile number (not VoIP) via the cheapest possible carrier plan:
- Tello: $5/month, supports eSIM and Wi-Fi calling, shows as “wireless” in carrier databases, reports of successful bank 2FA. [26]
- US Mobile: $4/month minimum, similar characteristics. [27]
- Google Fi: Treated as mobile (not VoIP) by most services despite being technically VoIP-based, because it uses T-Mobile SIM authentication. [28]
However, all of these still require a device running the eSIM with Wi-Fi calling enabled. There is no browser-based or device-independent solution that banks will accept.
Bibliography
[1] IPQS. “Free Carrier Lookup.” https://www.ipqualityscore.com/free-carrier-lookup [Verified]
[2] Wikipedia. “Number Portability Administration Center.” https://en.wikipedia.org/wiki/Number_Portability_Administration_Center [Verified]
[3] Data247. “Carrier Lookup Service.” https://www.data247.com/services/carrier-lookup [Verified]
[4] NumLookup. “Free Phone Carrier Lookup.” https://www.numlookup.com/phone-carrier-lookup [Verified]
[5] Bogleheads Forum. “Why are various financial entities blocking google voice?” https://www.bogleheads.org/forum/viewtopic.php?t=337461 [Snippet]
[6] Bogleheads Forum. “2FA while overseas (Google Voice doesn’t support short-SMS codes?).” https://www.bogleheads.org/forum/viewtopic.php?t=328878 [Snippet]
[7] Google Voice Support Thread, quoted in Bogleheads Forum. “Porting a cell phone number to google voice?” https://www.bogleheads.org/forum/viewtopic.php?t=312482 [Snippet]
[8] NIST Special Publication 800-63B. https://pages.nist.gov/800-63-3/sp800-63b.html [Verified]
[9] NIST Cybersecurity Insights Blog. “Questions…and buzz surrounding draft NIST Special Publication 800-63-3.” https://www.nist.gov/blogs/cybersecurity-insights/questionsand-buzz-surrounding-draft-nist-special-publication-800-63-3 [Verified]
[10] Norton. “What is SIM swapping and how to prevent it.” February 2026. https://us.norton.com/blog/id-theft/what-is-sim-swapping [Snippet]
[11] Intercede. “Why are financial services adopting SMS MFA when the industry recommends against it?” https://www.intercede.com/financial-services-adopting-sms-mfa/ [Snippet]
[12] Keepnet Labs. “SIM Swap Fraud 2025: Stats, Legal Risks & 360° Defenses.” https://keepnetlabs.com/blog/what-is-sim-swap-fraud [Snippet]
[13] GitHub usnistgov/800-63-3 Issue #351. TeleSign comments on SMS deprecation. https://github.com/usnistgov/800-63-3/issues/351 [Verified]
[14] TypingDNA Blog. “NIST SP 800-63B Rev 4: SMS OTP is Now a Restricted Authenticator.” https://blog.typingdna.com/nist-sp-800-63b-rev-4-sms-otp-is-now-a-restricted-authenticator-but-we-have-the-fix/ [Snippet]
[15] Light Reading. “Wireless companies want another year for SIM swap compliance.” May 2024. https://www.lightreading.com/security/wireless-companies-want-another-year-for-sim-swap-compliance [Verified]
[16] EPIC. “In re: Protecting Consumers from SIM-Swap and Port-Out Fraud (FNPRM).” https://epic.org/documents/in-re-protecting-consumers-from-sim-swap-and-port-out-fraud-fnprm/ [Verified]
[17] RedFlagDeals Forums. “List of services that reject voip based SMS for 2FA.” https://forums.redflagdeals.com/list-services-reject-voip-based-sms-2fa-2616239/ [Snippet]
[18] Efani. “SIM Swap Fraud Claims: How Banks Decide And How To Get Reimbursed.” https://www.efani.com/blog/how-banks-handle-sim-swap-fraud-claims [Snippet]
[19] Twilio. “Verify SMS overview.” https://www.twilio.com/docs/verify/sms [Verified]
[20] Twilio. “Verification and two-factor authentication best practices.” https://www.twilio.com/docs/verify/developer-best-practices [Verified]
[21] iconectiv. “Number Portability Administration Center | NPAC.” https://iconectiv.com/NPAC [Verified]
[22] iconectiv. Same source, regarding PortData fraud mitigation products.
[23] FCC. “FCC Announces Effective Compliance Date for SIM Swapping Item.” https://www.fcc.gov/consumer-governmental-affairs/fcc-announces-effective-compliance-date-sim-swapping-item [Verified]
[24] Federal Register. “Protecting Consumers from SIM-Swap and Port-Out Fraud.” December 8, 2023. https://www.federalregister.gov/documents/2023/12/08/2023-26338/protecting-consumers-from-sim-swap-and-port-out-fraud [Verified]
[25] Bogleheads Forum. “What banks and brokerages offer non-SMS 2FA?” https://www.bogleheads.org/forum/viewtopic.php?t=414908 [Snippet]
[26] Buenos Aires Expats Community. “Getting a non-VOIP US phone number from Tello for 2FA.” https://baexpats.org/threads/getting-a-non-voip-us-phone-number-from-tello-for-2fa.46924/ [Snippet]
[27] JustAnswer. “Keep U.S. Number Active Abroad: Expert Q&A & Best Solutions.” https://www.justanswer.com/software/te6bw-us-2fa-codes-receiving-eu-relocation.html [Snippet]
[28] The Finance Buff. “How to Keep a Google Voice Number Permanent for 2FA.” https://thefinancebuff.com/google-voice-number-permanent-2fa.html [Snippet]