It's not always easy juggling digital accounts when you're signed up to dozens of them—or perhaps even hundreds (you know who you are). While password managers can ease some of the strain, we're also big fans of two-factor authentication, which helps those services make sure you are who you say you are. That's where passcodes come in.
These codes might also be called verification codes, OTPs (one-time passcodes), security codes, or any combination of those words. Their function is the same regardless of name: The digital account in question knows what your phone number is, so in theory only you should be able to get at a code sent to that number.
It's a useful extra layer of security and means that if your usernames and passwords escape into the wild, they can't be used—there's another level of verification to get through. That said, you need to make sure that this additional step is well protected from bad actors too, whether that's making sure your registered mobile number is always up to date or making sure you're the only one with access to your cell phone. SMS-based verification codes aren't perfect and aren’t as effective as an authenticator app.
However, some services support only this option, and these passcodes are usually valid only for a short time, which limits the window of opportunity for anyone else but you to use them. Even so, it's still good practice to tidy up after yourself and make sure any codes you receive are wiped once they've been entered. Here's how to do it on Android and iOS.
If your handset is running Android, then you can get passcodes automatically deleted from your phone as long as you're using Google Messages to manage your text messages. Inside the app, tap on your Google account profile picture (top right), then choose Messages settings. Tap on Message organization and then enable Auto-delete OTPs after 24 hrs.
This feature has been disappearing and reappearing from Google Messages and isn't available in every region. If you don't see the menu option, those could be the reasons. If you want another text messaging app that does the same job, SMS Organizer from Microsoft works: Tap the three dots (top right), then Settings, Message rules, and Delete older OTP messages.
On the iPhone, this feature is available only if you've upgraded to iOS 17 or later. At the time of writing, the software is in its public beta stage—you can choose to enroll in the public beta or wait for the final version of the software to reach everyone. Once you have iOS 17 installed, the auto-delete OTP feature appears in both Messages and Mail.
The same toggle switch controls the behavior of the feature in both apps: From the main iOS Settings screen, head to Passwords, then tap Password Options and enable Clean Up Automatically. Once your passcodes have been copied over to the relevant app and used, Messages or Mail will take care of deleting the texts or emails that they came in.
Automatically deleting passcodes can certainly help. But there are other precautions you can take to make sure the risk of your accounts getting exposed is as small as possible. That starts with keeping your phone lock screen locked down—the harder it is for someone else to get on your phone, the harder it is for them to get at your passcodes.
You also need to think about the possibility of someone intercepting your text messages or emails. On which other devices and in which other apps can these passcode messages be accessed? Those avenues need to be well blocked off, whether that involves physical access to a particular computer or a third-party app that's connected to one of your accounts.
With the right know-how and equipment, SMS messages can be intercepted, although it's harder to do now than it has been. To guard against this, make sure your network provider has your up-to-date contact information, and take advantage of any security precautions available to you—such as security questions to verify your identity over the phone.
You might want to consider switching to an authenticator app for two-step verification, if the accounts you're using allow it. Apps such as Twilio Authy (Android, iOS) and Google Authenticator (Android, iOS) can produce passcodes directly on your phone, with no text messages or emails required. That limits the opportunity for someone else to intercept those communications.
