Living an expat lifestyle means that, increasingly, our lives are lived as much online as they are in the physical world. Unfortunately, living online in your passport country and in your host country can create challenges to the normal way things are done in either country. Banks that send text-message-based passwords to your phone number are one such challenge, since they won’t send them to international numbers. Being unable to get these codes, though, means expats can’t use two-factor authentication, which leaves their online accounts quite unsafe.

But never fear, The Prepared Expat is here¹ and will show you how you can use these codes for secure online banking and services, anywhere in the world.

Articles on The Prepared Expat may contain affiliate links that help support this site at no cost to you. The Prepared Expat articles do not constitute legal, medical, or financial advice and should not replace consultation with a qualified professional. See full disclosures & disclaimers.

What is 2FA?

Two-factor authentication (2FA) (also known as Multi-Factor Authentication, or MFA) makes online logins far more secure by requiring that you know something and have something in order to access an account. What you know is your password, but since people often use bad passwords, reuse passwords, and many passwords are hacked, that’s not a very secure method of logging in anymore.

To counter this trend, many businesses and most banks have moved towards 2FA, which requires that you not only know a password but also receive a time-sensitive code sent to your email, texted to your phone, generated by an app, or provided via a 2FA device that plugs into your computer or displays a number.

2FA provides a far more secure login method than just a password, as a criminal would have to both know your password and gain access to your email, phone, app, or device.² By requiring multiple factors to log in, your security is improved dramatically. You can read more about 2FA and how it protects you here.

2FA: The expat’s bane

Increasingly, banks and other services are requiring 2FA in order to login online, but this proves to be a particular challenge for expats since most services deliver the 2FA code via text message and do not support international numbers. That means that, as an expat, you’re stuck; you have to get a text message to log in, but you can’t get one on your host country’s phone number.

You could ask to use the phone number of a friend in your passport country, but since 2FA codes are time-sensitive and expire within a couple of minutes, your friend would have to be awake and forward you a code every single time you want to log in. That’s not a workable long-term solution. There are good workarounds and The Prepared Expat is here to help with several different solutions.

Avoid SMS-based 2FA

The first solution to the 2FA-via-SMS problem is, try to follow this: don’t use SMS-based 2FA. I know, mind-boggling right? But many businesses will allow you to receive a 2FA code via email, which is easier to receive than a SMS-based option. Alternatively, you can also often get a 2FA code from an app (e.g. Google Authenticator, Authy) or via a device like Yubikey.

In addition to working anywhere in the world, these non-SMS-based methods are actually far more secure than SMS-based codes since they’re resistant to increasingly prevalent SIM spoofing or SIM swapping schemes. SMS-based codes are really quite insecure. Email is better since it’s less susceptible to spoofing or swapping, but since the code is transmitted via the internet, there is still some risk of interception. An app-generated code is better, since it is never transmitted and thus can’t be intercepted, but the best of all is a device like Yubikey, since this device itself verifies the identity of the website and thus can’t be phished.

So, whenever possible, set up 2FA using these alternatives and avoid receiving a code via SMS. Even if you happen to be in your passport country when you sign up for a service, try to avoid SMS-based codes because they won’t work if you leave your passport country. These other alternatives are far more secure and work no matter where you are in the world.

Set up SMS that works for expats

Unfortunately, many websites still require an SMS-based 2FA code—and, for some bizarre reason, banks seem to always require that a code be sent via SMS. This is quite a common problem for expats, but there are good two good options that I’ve used. Neither is perfect, but both are viable solutions for expats who need to get a SMS-based code.

Option 1: Google Voice

Google Voice is a hidden treasure for expats, allowing you to have a phone number in your passport country, which you can then link to a number in your host country. Theoretically, this means that phone calls and text messages to your passport country phone number get forwarded to your local phone number.

Unfortunately, in reality I’ve found international forwarding extremely hit or miss—with far more misses than hits. In some countries, where Google services are blocked, it’s entirely a miss. However, you can still use Google Voice by doing either of these things:

First, even if you’re unable to forward a text message or call to your local phone number, you can still access those messages and calls in the Google Voice app. Provided you have a way to access Google services in your country, you can receive a 2FA code in the app and use it to login to your website.

Second, you can set up Google Voice to forward text messages to your Gmail email address. Provided you’re able to access Gmail, then, you can receive the code. Google Voice will only send it to your Gmail address, though, so that may not help you much if Gmail is blocked in your host country. However, you can set up Gmail to automatically forward messages to an email account that you can access in your host country, which solves that problem.

Pros

• Free. That’s awesome.
• Generally reliable. If the 2FA code isn’t forwarded to your local phone, you can get it in the app or forwarded via email. The multiple methods of receiving an 2FA code mean that you can typically get a code, even if one of the delivery methods fail.

Cons

• Attack vector. If hackers were to compromise your Google account, all of your 2FA codes would be compromised, with little method of recourse. Google’s security is robust, but people have been targeted or hacked through sophisticated attacks, social engineering, or just sloppy security practices by individuals.
• Signing up is a pain. You have to have a passport-country phone number that can receive text messages in order to sign up. This creates a bit of a catch-22 since you need to receive a text message to set up Google Voice so that you can receive text messages. However, if you have a friend in your passport country who has never linked their phone number to Google Voice, they can help you get it set up. Once it’s set up, they won’t need to be awake or forward a code to you again. However, they won’t be able to use their number with Google Voice in the future, because that phone number has been linked to your Google Voice account.
• Slow. Google Voice receives your number in your passport country and then forwards it to your local phone, sends it to the app, or forwards it to your Gmail (which may then be forwarded to a local email). Sometimes this is near-instant, but it often takes 1-2 minutes, which is annoying and also quite awkward if you’re on the phone with a bank. You can almost hear their suspicions rise when it takes two minutes to get a code (and you don’t dare ask them to resend the code because that would take just as long while invalidating the previous code sent).
• Not 100% reliable. Sometimes, despite having multiple ways to get the 2FA code, it just never shows up.
• No calls. In my experience I’ve never gotten a phone call via Google Voice except when I was in my passport country. This means that if a bank calls you to give you a 2FA code, you can’t receive it. Fortunately, not many banks require a phone call, but some do, and Google Voice has never worked for me in that situation. Worse for expats, some require that you be able to receive a phone call if they suspect your account of fraud, and your inability to receive a call is “proof” that your account is compromised. This may mean your account gets frozen and you’re in a difficult situation verifying your identity.³
• No identity verification. Increasingly, businesses (and often banks) check what name is registered with a phone number in order to verify your identity. Google Voice numbers are not linked to your name and so can’t be used this way.
• Inconvenient. If a bank sends you a passcode, you have to open your email, wait for the code to arrive, copy the number, and enter it in the site. This is dramatically less convenient than a text message where, at least for Apple devices, your phone recognizes the code in the text message and automatically populates it in the website. Google Voice is better than nothing, but it is quite tedious compared to alternatives.
• Doesn’t work everywhere. Google Voice gives you a real phone number, but it’s technically an internet phone number (Voice over Internet Protocol number). This means it’s not a “real” phone number and some banks won’t let you use it for 2FA codes. This means you can’t use Google Voice with all banks or businesses. In my experience, about 80% of services I’ve tried to use will accept Google Voice and 20% just won’t.

For me, after 5 years of using Google Voice, I finally became fed up with the inconvenience, slowness, lack of identity verification, and the 20% of services that didn’t support it, so I moved to option 2.

Option 2: Wi-Fi calling

The last time I was in my passport country, I switched over to a low-cost carrier (Mint Mobile) and set up that account to work for 2FA code texts overseas. I don’t know all carriers of the world, but this method should work with any carrier that supports WiFi Calling. If you’re overseas already and unable to get a physical SIM card shipped to you, you’ll also need to find a carrier that supports eSIM. You’ll also need a phone that supports WiFi Calling, but most do (all iPhones and most Androids support it).⁴

• Sign up for a plan. You probably only need the lowest-cost plan available.
• Receive the physical SIM card—or else receive the eSIM via email.
• Load the SIM or eSIM onto your phone following your carrier’s instructions.
• Enable WiFi Calling on a WiFi-Calling-enabled phone (How to on iPhone or Android).⁵

That’s it. Now, when you receive a 2FA code via SMS, it will appear on your phone just like a normal text message. The reason this works is that a phone carrier which supports WiFi Calling is able to send a code to your phone over the internet and not just via their cell network. That means that, so long as you have WiFi, your phone will act the same way that it would if it were in your passport country.

Pros

• Fast and convenient. 2FA codes appear near instantly on your device and, at least on Apple devices, are recognized and suggested on the website. One tap on the suggested number, and you’re logged in.
• Highly reliable. There are times when codes haven’t appeared for me, but this method has been more reliable for me than Google Voice ever was.
• Works everywhere. It’s a real phone number from a real telecom. I’ve never faced a problem with a bank or service accepting it.
• Easy sign-up. You can have an eSIM delivered to your email, scan the QR code on your phone, and you’re good to go. Or, slightly more inconvenient, you can have the SIM card shipped to you.
• Make and receive calls. As long as you’re on WiFi, people can call or text you and you can call and text just as if you’re in your passport country—and it’s all considered local. This is particularly nice calling into services that will identify and partially verify you by your phone number.
• Identify verification. Services that use a registered phone number to identify you will be able to do so with a service like Mint Mobile.
• Bonus: Easy international calls. Because you now have a real phone calling plan, it’s easy to call your passport country as if it were a local call. So long as you have WiFi, you can call anyone in your passport country as easily as if you were there. This means I don’t have to rely on Skype anymore, saving me that cost and getting me better quality calls at the same time.

If you’re keeping track, each disadvantage of Google Voice is addressed by using a service like this. While I can only speak to using Mint Mobile in my host country, there’s no reason this option wouldn’t work for any eSIM-based carrier that supports WiFi Calling.

Cons

• Cost. You will pay for a carrier service, just as you would in your passport country. I’ve chosen Mint Mobile because it only costs me $15/month. There are other options that may cost you less (see note below).
• WiFi only. This only works on WiFi; when you move onto a cellular network, the eSIM switches over to wanting to receive text messages via its network…and you’re not on its network. You could enable roaming, but then you’ll end up paying international roaming charges, which are ridiculous. For me, receiving codes on WiFi is never an issue because, even if I’m not at home, I’m usually in a place that has WiFi.
• Occasionally unreliable. While Mint Mobile has been far more reliable than Google Voice, there are times when I haven’t received a 2FA code. If you are using a VPN, you may need to turn it off to receive a code. I’ve occasionally needed to restart my device to receive a code.

Overall, I’ve been incredibly happy with Mint Mobile and would recommend it to any expat in my situation. Another expat recommended Tello and, while I haven’t used it personally, it is cheaper than Mint Mobile and may be worth considering.

Option 3: International calling plan

I won’t dwell on this because it’s such a horrendously expensive solution for most expats, but you can contact your carrier to enable an international calling/texting plan that will allow you to receive and make calls internationally. These plans are oriented toward short-term business and leisure travelers and can cost $70+ a month, making them unsuitable solutions for most long-term expats.

An option to avoid

If you pay for a Skype number, you might think you can get 2FA text messages via Skype, but for some reason, these simply don’t work. Whereas 80% of the time banks would let me use Google Voice (and 20% not), the reverse was true with Skype—80% of the time, banks would not accept a Skype number. I have no idea why that’s different, but Skype is, unfortunately, not a solution in this case.

Conclusion

And there you have it, prepared expats! You’ve now set up 2FA to work anywhere in the world, making your accounts that much more secure. If you’re relying on passwords alone to secure your accounts, it’s only a matter of time before that data is compromised. Fortunately, by following the options outlined in this article, you can set up 2FA, even as an expat, to keep your accounts safe. Just another step you can take to survive and thrive as an expat.

Last, here’s a related article that you may appreciate: Banking on Backup: Financial Redundancy for Expats

Stay tuned for more and get a free chapter of my book!

Sign up for my twice-weekly email newsletter and you’ll not only hear when I publish more tips on The Prepared Expat, but I’ll pass along some fantastic free resources to make your expat life easier, including a chapter of my book!

• Email
• Threads
• Bluesky
• X
• Facebook
• Instagram
• Pinterest
• LinkedIn
• Telegram
• Tumblr
• WordPress
• RSS Feed

Footnotes

1. I sincerely apologize. That is corny even by my own standards. Why am I leaving it in? ↩︎
2. Criminals have been able to use a technique called SIM spoofing or SIM swapping to gain access to texted 2FA codes. Others use social engineering to convince targets to give their 2FA codes to the criminals. ↩︎
3. Yet another reason to develop bank redundancy. ↩︎
4. After publication, I’ve learned from expats in China that China-purchased iPhones do NOT support WiFi calling. So before you buy a SIM card, check to ensure your specific model of Android or iPhone can support WiFi Calling ↩︎
5. See footnote 4, above. ↩︎