In the comments of one of our recent two-factor authentication (2FA) articles, we received a question about whether it was better to use an SMS (text message) code as your second factor of authentication, or to use a dedicated authenticator app to generate the code.
We thought this was an interesting question, so let’s explore it a bit. In many cases, the choice between SMS and an authenticator app comes down to using whichever one is more convenient for you. But if you’re curious about the pros and cons of each, read on and let us know in the comments which option you prefer and why.
(Not all 2FA-enabled services offer both options, but for the sake of this exercise, we’re going to assume you get to choose between them.)
The pros and cons of SMS-based codes
Pros
- SMS codes are convenient. There’s no fussing with downloading an app and going through setup for each account. It may be the only option if you don’t have a smartphone.
- SMS authentication can be a canary in the coal mine. If someone’s trying to break into your account, the 2FA messages arriving on your phone are a warning that it’s time to investigate (and to change your password).
Cons
- A crook can hijack your SMSes with a SIM swap scam. If they can convince a mobile phone shop that they are you, they can get them to issue a replacement SIM encoded with your phone number. Your phone will go dead and theirs will start receiving your calls and messages, including 2FA codes.
- NIST has declared that the age of SMS-based 2FA is done.
Pros and cons of authenticator app codes
Pros
- SIM swapping won’t hijack your 2FA codes if you’re using an authenticator app. The codes depend on the app itself, not on your SIM card.
- Authenticator apps work even when you don’t have mobile coverage.
Cons
- Authenticator apps depend on a shared secret that both the app and the server need to store. This “seed” is combined with the time to generate the 2FA code. If a crook can crack the app or the server and recover the secret, they can clone your 2FA codes indefinitely. SMS codes are just random values sent by the server, so there is no “seed” by which a crook could predict the next one in sequence.
- When you access online services from your smartphone, you’ll usually be running the authenticator app on the same device. This means the crooks have a common point of compromise for both factors of your 2FA. A second, lightweight “feature phone” used for SMS codes makes it easier to keep the two factors apart.
So what do you prefer? If you’re not already using 2FA for your online accounts, can we persuade you to start? Let us know your thoughts in the comments below.
Anonymous
I firmly believe in authenticator apps all the way. However, I am just curious when the six-digit code is going to be deprecated and we have to move to eight- or ten-digit codes?
And I read the whitepaper from NIST. I think I need to get Twitter to stop texting me those codes!
boecht
Huge contra SMS: Any app has – more or less without you knowing – access to your text messages. So if you accidentally install a malicious app it can intercept those codes. It cannot read codes generated from another app.
So it is standard app access rights to SMS vs app isolation. I’d only trust the latter, given the device has not been rooted.
Simon Thorpe
Actually this isn’t true for iOS apps, they do not have the ability to programmatically access your SMS data.
http://stackoverflow.com/questions/24034417/can-i-access-to-sms-inbox-in-new-version-of-ios
delayedthoughtengineering
Between companies not spending enough attention on the security of their apps, networking failures, and the general insecurity and inconvenience of Yet Another App, I think SMS is sufficient.
All too often, we see companies who “roll their own” security get it wrong, leading to zero-day attacks. While mobile devices may be powerful enough to generate sufficient entropy and encryption, mobile websites are typically given second-tier attention, so they may not be as secure as the user hopes. Anything that requires more security than what SMS can provide probably should not be accessed through a mobile device for now.
In a few rare cases, the need for the second factor will take place in a location without Wi-Fi access, requiring the use of mobile data, so in those few cases, the pro of an app not requiring mobile data to function is rendered moot. So that means that in those cases, the SIM swap scam is equally effective at defeating apps as it is SMS messages.
If we must move away from SMS as the second factor messenger, then there needs to be a centralized app (the authenticator version of OpenID) that can be used by any company. After all, the average person has about 7 important accounts. The requirement to install and maintain seven separate authenticator apps strikes me as absurd. At some point before all authenticator apps are installed for all important accounts, the average user is going to opt for single factor authentication, instead of installing one more app, and that decision will be a defeat for security.
Paul Ducklin
You can run Authenticator apps (the ones that combine a locally-stored seed with the time of day, at least) in aeroplane mode. In fact, you can do the needed calculations on your laptop if you have the seed handy.
https://tools.ietf.org/html/rfc6238
Bruce
“The requirement to install and maintain seven separate authenticator apps strikes me as absurd.”
Yes it is. But you only require one authenticator app for most 2FA sites. The only exception I know of is Steam which requires their app.
Pat
Really, both are insecure, as are smartphones in general; it’s only in the last few years that these devices have been given serious consideration around security. Having said that, I prefer neither. I kind of like the idea of the YubiKey; what about that as an alternative to both?
Wilbur
I agree with the Yubikey solution, but it isn’t popular with providers because it doesn’t have the potential to generate advertising revenue through smart phone tracking. I believe that is the real motivation driving the push for SMS authentication. You will not convince me Yahoo wants my mobile number solely to provide me extra benefits. What does Google Authenticator do with the data it collects? I don’t believe Google does anything for free.
Bob
My big worry with authenticator apps is that my phone gets lost, stolen, or wiped, and I’m locked out. With SMS, I just get a new phone and I’m back to getting the SMS codes.
Bruce
When you set up a site with an authenticator app, the site will give you up to 10 “any-time, single-use” codes. So if your phone is lost or stolen, you can still gain access to those accounts. You just need to figure out how you are going to securely store them.
Joe
I would prefer an authenticator app, since I can have two devices capable of generating codes and stay in business if one fails. If a phone is lost, fails, or has a dead battery, I’m locked out until I can fix it / charge it / replace it. I view it as a similar concept to data backup. Redundancy is a good thing. When everyone starts supporting one authenticator (such as the one from Google) it will become an attractive option for some but not all accounts. I won’t use it for accounts where the cost of compromise is relatively low compared to the inconvenience of having to enter the code. Automatic entry from a secure application on the same computer as the accessing app would be more of a motivator. That would mean one master password on the device is all I need.
Paul Ducklin
Most 2FA systems, SMS and app based, ought to allow you to print out backup codes for secure storage just in case.
thejoshpit
A huge con against SMS-based auth is that SMS codes can be intercepted via rogue base station attacks. SMSes are rarely encrypted by a cellular carrier, so if someone has an SDR and OpenBTS up and running they can view your codes.
Mr XYZ
This is another reason to always use a VPN when using insecure networks and accessing vital accounts. Personal VPN services usually provide apps that run on smartphones. Some can be configured to run automatically whenever the smartphone is turned on. I always use a VPN on my home network.
Paul Ducklin
Using a VPN when browsing from your home network just redirects your traffic so it comes from the VPN provider’s network instead of your local ISP’s network.
For this to improve your online safety and security you have to be certain that you can trust the VPN provider more than your local ISP; that your legal protections are stronger in the jurisdiction where the VPN provider’s servers are located (which might be several different countries); that the VPN provider’s app contains no security bugs; and that the VPN provider’s network is at least as safely run as your ISP’s.
Essentially, you are trading mistrust in your ISP and your own government for mistrust elsewhere. Ironically, even in a surveillance-loving country like the UK you might be better off with a local service on the grounds of “better the devil you know..”, where your rights or lack of them are at least reasonably easy to figure out.
Paolo
Authenticator app > SMS
Besides the standard security issues: phishing, SIM swapping, MITM and SS7 vulnerabilities… SMS never provides a 100% delivery rate of the OTP code. Many services rely on SMS aggregators that do not utilize direct connections to the carriers and send traffic over multiple hops or even worse: SIM farms.
TOTP also does not rely on cell phone coverage and roaming. If you’re traveling abroad, chances are you’ll never receive your SMS. You might even experience multiple delivery issues where you’ll receive the same txt 5-6 times.
Andrew
TOTP using a yubikey to store your seeds (this has the added bonus of being able to use the authenticator app on multiple devices without compromising your seeds)
TonyG
SMS on Android phones ends up in my email account as well. SMS is all very well also if you have a signal. I spent 20 days walking the Pennine Way and for a stretch of 7 days there was only one night where I had a mobile phone signal. An authenticator app is definitely better under these circumstances.
Smithy
Not sure why you would need an authenticator app when walking the Pennine way when you have no signal to access any online accounts. Just an observation.
Anonymous
If you have no mobile signal at all then I wonder what you need 2FA for? You won’t get any new data anyway. Give an example pls.
Angelo
I actually prefer SMS as they aren’t tied to any seed, even if it would be great if all sites had a 2FA like the one from Google – a prompt pops up as soon as you unlock the phone asking to confirm your identity with the tap of a button. I believe that it relies on random generation of codes too, only they can be much longer (thus more secure) without the user noticing.
Badre
I believe app-based authentication should be the default one. SMS-based authentication may be good at the server side, generating random values, but has so many cons. Sometimes, in Sri Lanka, a couple of years back, I used to receive the authentication SMS the next day. When I tried multiple times to sign in, it worked sometimes. SMS always has delays. As someone has mentioned above, if SMS gets relayed via multiple servers or so, and even the mobile network sends it unencrypted, as SS7 is obsolete, has multiple design issues and is no longer developed, it should be the time to go for app-based or YubiKey-based authentication. It’s like you use a traditional wired phone to authenticate something no matter what, ignoring every good thing the newer technologies made. I mean, SMS could get delayed, is insecure and relies on technology that is no longer developed. If we need secure authentication, we definitely need to move to better authentication.
Greybeard
Seems like an authenticator app with an SMS followup/acknowledgment that the authenticator was used would provide a good balance of usability and notification. Or, of course, require both…
TDC
Hello! Can I use both of these 2FA methods for my email login? When my phone’s signal is off, can I switch to GAuthenticator just in case? Is that possible?
costello
Only around 30% of the public is using any 2FA. SMS 2FA is better than none at all so it should persist for some time. More secure options will take time to be adopted by users en masse.
Jerry
A related question: I have Google Authenticator on my Bittrex account. If I also use it for my Binance account, is it a separate number that I get on my phone? i.e. is it two accounts in Google Authenticator or just one?
Paul Ducklin
Each account in your Authenticator should produce a different numeric sequence, because each one should start from a different “secret seed”.
MikeB
Work uses MS Authenticator for 2FA. Nearly every place else I go uses text or phone or even email (or nothing). Basically, you have no choice: must use whatever the site feels like using and suck it up if they’re not with the program. And I do worry that if I get a new phone the new authenticator app won’t work causing a runaround with IT support.
Drachma Girl's Blog
I’m a noob so my question is this: Can I use Authy on my phone to get the code and then enter it on my laptop to login, let’s say, into Amazon or Facebook? Does using 2 different devices make it harder for hackers to crack it?
Paul Ducklin
If the crooks can trick you into thinking you are in the middle of a transaction, then they can theoretically trick you into handing over both your password (stolen as you type it in) and the 2FA code (stolen when you type it in). So the system is not perfect – but it is more secure than a password alone, because the 2FA code *is different every time*. They can’t just get hold of your password today and then use it over and over at their leisure.
J K Birks
SMS is too easy to be redirected and this is probably the primary reason it is no longer approved by NIST. There is also the issue that it simply doesn’t work where there is no mobile signal (or of course if your mobile has a flat battery). Probably the simplest alternative is to either use an authenticator app (such as Google Authenticator or SafeID Authenticator) or a hardware token/FIDO key.