In 2025 SIM swapping attacks cost Americans over $26 million in direct losses. That number does not tell the full story. In the UK alone unauthorized SIM swap cases surged by 1,055% in a single year. One California case saw a single victim lose their entire cryptocurrency wallet after a T-Mobile SIM swap, forcing the carrier to pay $33 million in damages.
Here is what that means for you. If a hacker calls your cell carrier, pretends to be you and convinces them to port your number to a new SIM card, every account tied to SMS two-factor authentication becomes theirs. Your bank sends the login code to their phone. Your email recovery code goes to their phone. Your crypto exchange confirmation code goes to their phone.
If your 2FA code goes to your text messages, your bank account belongs to the hacker. This is not theoretical. It is happening right now to founders, executives and high net worth individuals at scale.
The good news is simple. You can cut off this attack vector completely by switching to a physical security key that cannot be ported, spoofed or remotely compromised. I deleted SMS 2FA from every critical account I own. Here is how you can do the same.
The Skeleton Key Solution: YubiKey 5C NFC
After testing multiple hardware keys over the past two years, I use the YubiKey 5C NFC as my primary security key. This is not a product review. This is the tool I trust to protect my business accounts, financial systems and cloud infrastructure.
The YubiKey 5C NFC is a small USB-C device with NFC built in. That last part matters more than most people realize. NFC lets you tap the key against your iPhone or Android phone to authenticate on mobile. Without NFC, you are stuck plugging a USB key into your laptop every time, which makes mobile logins painful or impossible.
This is why I chose the 5 Series over the Bio Series. The YubiKey Bio has a fingerprint reader, which sounds cool until you realize it does not support NFC. For a founder who needs to approve a bank transfer from a phone, log into AWS from a tablet or authenticate a Coinbase withdrawal on the go, losing NFC is a dealbreaker.
The YubiKey 5C NFC works with:
- Gmail and Google Workspace
- GitHub and GitLab
- AWS, Azure, and Google Cloud
- 1Password, Bitwarden, and Dashlane
- Coinbase, Kraken, and most major crypto exchanges
- Dropbox, Slack, and nearly every SaaS platform you use
One key. Hundreds of accounts. Zero SMS codes.
FIDO2 Decoded: Why It Is Un-Hackable
The reason hardware keys work is not just that they are physical. It is the protocol they use: FIDO2.
Let me break this down without the jargon.
Old way, with SMS or app-based codes: you tell the website the secret code, and the website checks whether the code is correct. If a hacker intercepts that code or tricks you into typing it on a fake site, they now have what they need to log in as you.
New way, with FIDO2: the website asks a question (a random challenge) and your YubiKey answers it using cryptography. You never share the secret, and the secret never leaves the key. Even if you are on a fake login page, the YubiKey knows the domain is wrong and refuses to respond.
This makes FIDO2 phishing-proof. Even if you fall for a perfect clone of the Google login page, your YubiKey will not work, because it checks the actual web address, not just what the page looks like. The attacker gets nothing.
That is why federal agencies, banks, and security-conscious companies are now requiring FIDO2 keys for high-risk accounts. It is not just better than SMS. It is a different category of security entirely.
The Google Advanced Protection Setup
If you run a business, manage sensitive data or hold any crypto, turn on the Google Advanced Protection Program right now. This is a free service from Google that locks your account behind physical keys only. No SMS fallback. No backup codes you can lose or have stolen. Just keys.
Here is how to set it up:
First, buy two YubiKey 5C NFC keys. Not one. Two. One goes on your keychain. The other goes in a safe, a lockbox, or a fireproof bag in a trusted location. If you lose your only key, you are locked out forever. Google will not help you. That is the point.
Second, go to g.co/advancedprotection and follow the enrollment steps. You will register both keys during setup.
Third, once enrolled, Google will require a physical key tap for every login. You cannot use SMS. You cannot use an authenticator app. You cannot call support and sweet talk your way in.
Fourth, test it. Log out and log back in on your phone using NFC. Log in on your laptop using USB-C. Make sure both keys work before you walk away.
I keep my backup key in a fireproof document bag in my home office. Some people keep theirs in a bank safe deposit box. The key is to put it somewhere you can access if your primary key is lost, but not somewhere a thief would easily find.
YubiKey vs. The Rest
Google Titan Security Key
Google makes its own FIDO2 key called the Titan. It costs around $30, which is cheaper than the YubiKey 5C NFC that usually runs $55 to $70. It works fine for most use cases, but it feels less durable in hand and supports fewer passkeys stored directly on the device. If you are on a tight budget or just getting started, Titan is a solid entry point. But if you are protecting business accounts or crypto, spend the extra money on YubiKey.
YubiKey Bio
The YubiKey Bio series adds a fingerprint reader, which is genuinely useful for passwordless logins. But here is the tradeoff: no NFC. That means you cannot tap it on your phone. You need a USB connection every time. For someone who works across devices and needs mobile flexibility, that is a nonstarter. The fingerprint is cool, but losing NFC costs you too much convenience in real-world use.
If you want the best of both, some people buy a YubiKey 5C NFC as their primary and a YubiKey Bio as a backup. That way you get NFC for everyday use and biometric convenience when you are at a desk. But for most founders, just buy two YubiKey 5C NFC keys and call it done.
The Threat Is Real. The Fix Is Simple.
SIM swapping is not slowing down. In fact, with AI voice cloning and deepfake tools getting cheaper, social engineering attacks on telecom support lines are getting easier, not harder. A hacker can now call your carrier, play a convincing clone of your voice, answer a few security questions scraped from your LinkedIn, and port your number in under 10 minutes.
Once they have your number, SMS 2FA becomes a highway into your accounts. Your email, your bank, your cloud infrastructure, your crypto wallets. All of it is one customer service call away from being compromised.
The fix is this. Delete SMS 2FA from every account that supports hardware keys. Start with:
- Your primary email like Gmail, Outlook, or ProtonMail
- Your password manager like 1Password or Bitwarden
- Your financial accounts including banks, brokerages, and crypto exchanges
- Your cloud platforms like AWS, Google Cloud, or Azure
- Your code repositories like GitHub or GitLab
It takes about two hours to set up properly. That two hours could save you millions.
The Action Plan
Here is what I did, and what I recommend you do today.
First, order two YubiKey 5C NFC keys. Do not wait. Do not cheap out. This is not the place to save $20.
Second, set up Google Advanced Protection if you use Gmail or Google Workspace. This alone stops most account takeover attempts cold.
Third, go through your password manager and enable hardware key authentication for every service that supports it. Most major platforms do.
Fourth, remove SMS as a 2FA option wherever possible. If a service forces you to keep SMS as a backup (and some banks still do this), at least add the hardware key as the primary method.
Fifth, store your backup key somewhere safe and accessible. Tell one trusted person where it is in case of emergency.
SMS 2FA is not just weak. It is a liability. The telecom system was never designed to be a security layer and treating it like one is a gamble you will eventually lose.
Now that your accounts are locked down with physical keys, the next step is automating your security workflows. In my Vibe Coding Starter Kit, I include a script that monitors YubiKey authentication events and sends you alerts when a key is used from a new device or location. It is one more layer of visibility that helps you catch problems before they become disasters.
Your business is only as secure as your weakest authentication method. Make sure that method is not a text message.
Securing your login with a YubiKey is only step one. Step two is stopping hackers from finding your email and phone number in the first place. I recently explained how I use an AI agent to scrub my personal info from the web in my guide: How I Hired an AI Agent to Delete My Data Incogni Review