Why Your Two-Factor Codes Never Arrive — and How to Fix It
Have you ever tried to access your bank account then sat and waited for a verification text message which never arrived?
You’re not alone. I just dealt with this multiple times this week.
And you’re not the problem.
Come along as I explain why this happens, how you can avoid it in the future, and what banks and other businesses should do to help customers access their accounts faster and more securely.
Where’s The Text?
Technology is too hard to use. One way that manifests itself is in unseen and little understood interdependent systems which impact one another in unknowable ways. SMS verification codes are a perfect example.
Banks, investment firms, and others, chose to rely on text message verification around 2005. SMS, which stands for Short Message Service, had begun being adopted by U.S. businesses in the early 2000s before the Federal Financial Institutions Examination Council, or FFIEC strongly recommended the implementation of measures to authenticate customers using their online systems in 2005.
The beauty of SMS is it works reliably wherever cell service exists, requires no internet access, and can be sent or received from any mobile phone. Put another way, they just work.
Usually.
Often when they don’t work, though, is when WiFi Calling is enabled.
Not Optimal
The heart of the problem is the way WiFi Calling works. Effectively, the system routes all phone calls and some messages over the internet instead of using a phone’s cell signal even if a signal is available.
But the types of SMS used for account verification are not sent from one phone number to another. Because these short code messages route through aggregators, phones with WiFi Calling turned on can fail to allow SMS to be delivered.
Although I could not find an official cell carrier document on this, a search of user forums shows this is not an isolated issue. For example, these two Verizon user forum threads — one from 2019 and another from 2024 — plus this Apple forum thread describe almost identical problems.
Don’t Take Their Word For It
This week, I needed to sign into multiple websites to download statements, check messages, etc. I signed in using usernames and passwords stored in Bitwarden, then requested a required secret code via SMS.
One text didn’t arrive. Then a second. And, maddeningly, a third text failed to arrive.
Flummoxed, I called Fidelity customer service for assistance. I reached a representative, and began to describe the problem as I dove into the Phone app settings on my iPhone 13. On a whim, I turned off the WiFi Calling setting.
Shazam.
The missing texts arrived in seconds. I told the Fidelity rep what had happened. He said something to the effect of, “Yeah, that’s where I was going to take you next.”
Because the representative knew what caused the issue less than a minute after we started talking, why doesn’t Fidelity suggest, on its site, a person could try disabling WiFi calling when signing in to the site?
How to Fix It
The simplest fix is to turn off WiFi Calling.
On an iPhone, you open Settings, then search for the Phone app, scroll down, and toggle off “WiFi Calling on this Phone.” Most Android phones also allow this setting to be turned off as well.
The most effective solution is to not rely on SMS authentication. I’ve already set my Fidelity account to use an authentication app — BitWarden for me — but other accounts don’t offer that flexibility.
If you must use SMS to authenticate, make sure you use unique usernames with strong passwords stored in a password manager with end-to-end encryption. I wrote about how to get started on that journey in an earlier post.
You could always suggest your financial institution allow you to use an authentication app on its site. I wish you the best of luck with that even though SMS is known to be prone to hacking.