Salt Typhoon Aftermath: Why the FBI Says Quit SMS: A 2026 Migration Guide to Encrypted Messaging and Passkey 2FA
Educational disclaimer: This article summarizes public guidance from the FBI, CISA, and other authoritative sources following the Salt Typhoon telecom breach. It is intended for general consumer awareness and personal threat-model planning. It is not legal, compliance, or enterprise security advice. If you are a journalist, dissident, lawyer, healthcare provider, or hold a senior government or political position, follow the dedicated CISA Mobile Communications Best Practice Guidance and consult a qualified security professional before making changes to your communications stack.
Why the FBI is Telling Ordinary Americans to Stop Trusting SMS
Between late 2024 and early 2026, a China-linked espionage group tracked as Salt Typhoon achieved what the U.S. Senate Commerce Committee called "the worst telecommunications hack in U.S. history." By the FBI's August 2025 disclosure, the group had compromised at least 200 companies in 80 countries, including the U.S. carriers AT&T, Verizon, T-Mobile, and Lumen, and held persistent access to portions of the call-routing and lawful-intercept infrastructure that handles unencrypted phone calls and SMS for hundreds of millions of subscribers.
In December 2024, CISA and the FBI issued joint guidance recommending that highly targeted individuals stop sending unencrypted SMS and switch to end-to-end encrypted messaging. By March 2026, that guidance had broadened: in the public TechCrunch and Senate Commerce briefings, officials acknowledged that the carriers had not fully evicted the intruders and that any consumer who routinely uses SMS for sensitive communication should assume those messages may be readable.
I spent the second week of April 2026 migrating my own production stack (seven aggregator sites and the family/team contacts that touch their admin panels) off SMS-based two-factor authentication and onto a mix of Signal, passkeys, and FIDO2 hardware keys. This article is the playbook I wish I'd had two weeks earlier, written for a U.S. or international reader who is not a senior official but does want their messages and account recovery flows to survive a hostile telecom.
What Salt Typhoon Actually Sees (And What It Doesn't)
It's worth being precise about the threat model, because vague "Chinese hackers can read your texts" framing leads to bad decisions.
Based on public testimony from CISA Executive Assistant Director Jeff Greene and the technical briefings from Aviatrix, Proton, and SecureMac, Salt Typhoon's confirmed access lets the operators:
- Read unencrypted SMS and MMS in transit across compromised carrier infrastructure.
- Capture call metadata (who called whom, when, for how long, and from what cell tower) at industrial scale.
- Intercept unencrypted voice calls for targets of interest.
- Access portions of the lawful-intercept "wiretap" systems that U.S. carriers maintain for law enforcement.
- Geolocate phones via tower data and signalling-system metadata in near real time.
What the public record does not support is the idea that Salt Typhoon can read end-to-end encrypted message contents from Signal, iMessage (between Apple devices), or WhatsApp. The cryptography in those apps is designed so that the carrier, and anyone who compromises the carrier, sees only opaque ciphertext. The metadata story is messier, and I'll come back to it.
The practical takeaway: treat every SMS, every plain phone call, and every SMS-delivered one-time code as a postcard written in pencil, readable by anyone who has a position on the network. That is the explicit threat model the FBI and CISA are now operating under.
My Migration Plan: Four Layers, In Order
When I rebuilt my own setup, I worked from the highest-blast-radius systems down. In my case those were the recovery email and DNS registrar accounts that gate seven production sites; for a typical reader, the equivalent is your primary email, your bank, and any account whose loss would cost you sleep.
The four layers, in the order I recommend tackling them:
- Day-to-day messaging: move conversations off SMS and unencrypted RCS to Signal (or, with a caveat, WhatsApp / iMessage).
- Account recovery: remove SMS as the recovery method on accounts that hold money, identity, or production access.
- Two-factor authentication: replace SMS codes with TOTP apps or, better, FIDO2 hardware keys / passkeys.
- Voice and metadata: for sensitive calls, use Signal voice or FaceTime instead of the dialer, and understand which metadata still leaks.
I worked through these in roughly the order above. Skipping ahead to hardware keys without first removing SMS recovery is a classic mistake: a single "Try another way" button on the login screen will let an attacker bypass your YubiKey using the SMS fallback you forgot to delete.
Layer 1: Pick a Messaging App and Actually Move People Onto It
The four realistic options in May 2026 are Signal, WhatsApp, iMessage, and RCS via Google Messages. Here is how I rank them after running each through my own threat model.
Signal
Signal is the answer the FBI's senior official Jeff Greene specifically named in the December 2024 press briefing, and it remains the most defensible recommendation for most readers. Three properties matter:
- Open-source Signal Protocol, audited repeatedly, used as the cryptographic foundation by WhatsApp and Google Messages.
- Near-zero retained metadata. When Signal complies with a U.S. grand jury subpoena, the disclosed data set is two fields: account creation date and last connection time. There is no contact graph to leak.
- Funded by a nonprofit foundation rather than ad revenue, which structurally eliminates the incentive to harvest behavioral data.
The cost is convenience. Signal has no large business directory, message reactions arrived later than competitors, and onboarding family members who only know "the green bubble app" takes patience.
WhatsApp
WhatsApp messages and calls are end-to-end encrypted with the Signal Protocol. The cryptography is genuinely strong. What WhatsApp gives up, and Signal does not, is metadata: who you message, how often, when you're online, your phone's contact list, and behavioral signals shared with Meta. For a reader whose threat model is "I don't want China reading my texts," WhatsApp is a defensible choice. For a reader whose threat model includes "I don't want Meta building a social graph of me," it isn't.
iMessage
Apple-to-Apple iMessage is end-to-end encrypted, and if you enable Advanced Data Protection in iCloud settings, even your iMessage backups are encrypted with keys Apple does not hold. This is a meaningful upgrade and I have it on for my personal Apple ID. The trap: the moment your iMessage thread includes one Android user, iMessage falls back to SMS or RCS, and as of iOS 18 and 19 that RCS fallback is not end-to-end encrypted across platforms. The cross-platform encrypted RCS profile (GSMA Universal Profile 3.0, MLS-based) was promised in March 2025; Apple shipped it in an iOS 26.4 beta in February 2026, but it did not make the final release. Treat the green bubble as plaintext until that ships.
Google Messages and RCS
Google Messages applies end-to-end encryption (Signal Protocol) to one-to-one and group chats when all participants are on Google Messages with RCS enabled. Cross-platform chats with iPhone users in 2026 still fall back to unencrypted SMS or unencrypted carrier RCS. The lock icon in the message bar is the only reliable indicator; if it isn't there, treat the message as readable by Salt Typhoon.
My pick
I moved my team and immediate family to Signal as the default, kept WhatsApp installed for friends and vendors who refuse to switch, and turned on Advanced Data Protection on my personal Apple ID. For the seven-site admin group chat where we coordinate deploys, Signal was non-negotiable: those threads contain references to environment variables, IPs, and FTP hostnames I do not want indexed by a hostile carrier.
Layer 2: Strip SMS Out of Account Recovery
This is the layer most people skip, and it is the one that quietly destroys the value of every other layer. If your bank, your Google account, or your Apple ID still accepts an SMS code to reset the password, then an attacker with read access to your SMS (Salt Typhoon, a SIM swapper, or anyone with carrier insider access) can pivot directly into account takeover.
The work, account by account, is mechanical but tedious:
- Log into the account.
- Find "Security" or "Two-step verification."
- Look for any setting that says "Recovery phone," "Trusted phone number," "Backup SMS," or "Phone-based password reset."
- Replace it with: a secondary email on a different provider, a set of one-time backup codes printed and stored offline, and/or a FIDO2 security key registered as a recovery method.
- Re-test the recovery flow. If "Forgot password?" still ends with a text message, you are not done.
From 11+ years of managing access for client projects, the accounts that most often slip through this audit are: the email provider itself (Gmail / Outlook / iCloud), the password manager, the domain registrar, the GitHub or GitLab account, and the cloud-storage account that holds your backups. Those are the master keys; everything else is downstream of them.
Layer 3: Replace SMS Two-Factor With Something Real
SMS as a "second factor" never met the NIST definition of multi-factor authentication that a security professional would accept; NIST SP 800-63B has classified SMS as a restricted authenticator since 2017. Salt Typhoon turned that academic objection into an operational one.
The three realistic upgrades, in increasing order of resistance:
TOTP authenticator apps
Apps like Aegis (Android, open source), 2FAS (iOS and Android, open source), and the built-in TOTP support in modern password managers generate a six-digit code from a shared seed and the current time. The code never traverses the cellular network. It is dramatically better than SMS for almost no friction. The remaining weakness is phishing: a convincing fake login page can collect both your password and the live TOTP code in real time. Hardware-bound keys solve that; TOTP doesn't.
I use 2FAS as my daily driver and Aegis on a secondary Android device as backup, with the seed export stored offline on an encrypted USB. From 11+ years across roughly fifty client projects, the single most common 2FA failure I've seen is the user losing access to their phone with no backup seed. Plan for that.
Passkeys
A passkey is a FIDO2 credential synced through your platform vendor (iCloud Keychain, Google Password Manager, 1Password, Dashlane, Bitwarden). From the user's perspective it is "log in with Face ID." Cryptographically it is a public/private keypair where the private half never leaves the device or sync fabric and is bound to the specific domain it was created for, so phishing pages cannot collect it.
Passkeys are excellent for everyday accounts and meaningfully better than TOTP. Their weakness is that the security of the passkey is the security of the sync account: if your iCloud or Google account is compromised, every passkey it holds is reachable. That is why I do not store passkeys for my highest-blast-radius accounts (registrar, primary email, GitHub) in a synced credential at all.
FIDO2 hardware security keys
A hardware key (a YubiKey, a Google Titan, a Token2, a Nitrokey) holds the private key inside a secure element that is physically incapable of exporting it. Phishing fails because the key checks the domain. SMS interception fails because there are no SMS codes. SIM swapping fails because the attacker holds your phone number, not your physical key.
This is what I use for the registrar, the primary Google account, GitHub, and the cloud-storage account that holds my offsite backups. Two non-negotiable rules from my own setup:
- Buy at least two keys. One stays on me, one stays in a fireproof safe. If you have one key and you lose it, you have locked yourself out of the accounts you most need to recover. The Yubico Security Key C NFC is around USD 30; the YubiKey 5C NFC is around USD 55. Buy two of whichever you pick.
- Register both keys on every critical account before you remove SMS fallback. Otherwise the first time you try to log in with the backup key, you'll find out the account never knew about it.
Layer 4: Voice Calls and the Metadata You Can't Fully Hide
For voice, the upgrade path is straightforward: Signal voice calls between Signal users are end-to-end encrypted. WhatsApp voice and FaceTime audio are end-to-end encrypted. The dialer app on your phone is not.
If you and the person you're calling are both on the same encrypted app, prefer the in-app call to the regular phone line for anything sensitive.
What you cannot fully hide from a compromised carrier is that you made a call at all. Cellular networks need to know what tower your handset is attached to in order to ring it; that location metadata is part of normal operation, not a leak. Salt Typhoon's confirmed access to that metadata is the reason CISA's mobile guidance for high-value targets includes recommendations like enabling Lockdown Mode on iOS, disabling 2G fallback, and routing data over Wi-Fi where possible.
Common Mistakes I See Even Among Technical Users
Across the small audits I've run for friends and family in the past three weeks, the same five mistakes recur:
- Adding a hardware key but leaving SMS 2FA enabled as a fallback. The login flow's "Try another way" button bypasses your YubiKey in two clicks. Remove SMS from the 2FA methods list, don't just add the key.
- Using the same phone number as the recovery method on the recovery email. If your Gmail recovery is your phone, and your bank's recovery is your Gmail, then your bank's recovery is your phone. Map the graph before you congratulate yourself.
- Trusting "encryption" labels in apps that fall back silently. iMessage to an Android user is SMS or unencrypted RCS. Google Messages to an iPhone is SMS. WhatsApp is encrypted; WhatsApp Business broadcast messages are subject to different metadata handling. Read the lock icon, not the marketing.
- Storing the TOTP backup seeds in the same password manager whose 2FA they protect. If the manager is breached, both factors fall together.
- Forgetting that SIM swapping is still the dominant attack on SMS. Salt Typhoon is the headline; SIM swappers operating against retail carrier reps are the daily reality. The mitigation, removing SMS from 2FA and recovery, is the same.
A Realistic Migration Schedule
I tell friends to budget about six hours of actual work, spread over two weekends:
- Weekend one, two hours: Install Signal. Move your three most-used group chats and your immediate family onto it. Turn on disappearing messages for anything sensitive. On iOS, turn on Advanced Data Protection.
- Weekend one, two hours: Inventory your accounts. The fastest way is to dump your password manager and sort by importance. For the top ten, open each one and write down its current 2FA method and recovery method.
- Weekend two, two hours: Buy two hardware keys. Register both on email, registrar, password manager, and bank. Replace SMS 2FA with TOTP or hardware key on the next twenty accounts down the list. Print backup codes and store them offline.
It is not glamorous work. It is the digital equivalent of changing the locks after a break-in. The reason to do it now rather than in a panic later is that the threat actor, by the FBI's own admission to the Senate, has not been fully evicted, and the next breach will not come with a press release.
Frequently Asked Questions
Q: If I'm not a senator or a journalist, do I actually need to do this?
The original December 2024 CISA guidance was scoped to "highly targeted individuals." The March 2026 updates broadened the recommendation to any account where SMS interception would cause meaningful harm, which in practice includes any account holding money, identity documents, or production credentials. If your bank logs you in with an SMS code, you are in scope.
Q: Is RCS finally encrypted between iPhone and Android in 2026?
Not in the shipping release as of May 2026. Apple included cross-platform encrypted RCS in an iOS 26.4 beta in February 2026 but did not include it in the final release. Until that ships and both sides update, treat green-bubble messages as readable.
Q: Is Telegram a safe alternative?
Telegram's default chats are not end-to-end encrypted; only its "Secret Chat" mode is, and Secret Chats are device-specific and unavailable in group form. For the threat model in this article, Telegram is closer to SMS than to Signal. The FBI's recommendation list does not include Telegram.
Q: I lost my phone with my TOTP app on it. Now what?
This is the failure mode that locks people out. Mitigations, set up in advance: export the TOTP seeds to an encrypted offline backup, register a second authenticator device, or use a TOTP app with encrypted cloud sync (Aegis with self-hosted sync, 1Password's TOTP feature). Set this up before you need it.
Q: My carrier offers a "port-out PIN." Does that fix SIM swapping?
Port-out PINs and account PINs raise the bar against SIM swapping but do not stop a determined attacker with insider access. Enable the PIN (it is a free improvement), but treat it as defense in depth, not a substitute for removing SMS from 2FA.
Authoritative Sources to Read Next
- CISA, Mobile Communications Best Practice Guidance (December 2024, updated 2025).
- FBI / CISA joint advisory on PRC-affiliated cyber actors compromising U.S. telecommunications (2024–2025).
- NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.
- U.S. Senate Committee on Commerce, Science, & Transportation hearings on Salt Typhoon (2025–2026).
- Signal Foundation, Government Information Requests transparency reporting.
Final note: Threat models are personal. The migration I described is conservative enough to meaningfully reduce risk for an ordinary U.S. consumer; it is not sufficient for a journalist working with sensitive sources, a domestic-abuse survivor, or anyone with a credible nation-state adversary. If that's you, the CISA mobile guidance linked above and a one-hour conversation with a qualified security professional is the right starting point, not a blog article.