Which Is Better – SMS or App-based TFA?

google-authenticatorI am a firm believer in, and user of two-factor authentication (TFA or 2FA).  Heck, if there was three-factor authentication I would probably sign up.  The two most popular authenticator apps are Authy and Google Authenticator.  I primarily use Google Authenticator wherever I can.  I use SMS when Authenticator isn’t an option, or won’t work.  I had trouble, for instance, getting Facebook to work and so I settled for SMS when logging into Facebook.

In researching this story, I did

The Good, the Bad, and the Ugly of authenticator app codes

Good

  • Authenticator apps are encrypted, which keeps them from falling victim to phone or SIM card cloning attacks.
  • Authenticator apps can work even when you don’t have mobile coverage, you can create an save a list of one-time passcodes for those times.
  • The Authenticator can also generate codes for third-party applications, such as password managers, file hosting services, and other applications such as g-Syncit for MS Outlook.

Bad

  • Getting to the code can be inconvenient.  In my particular case, first I enter my user name and password into a protected site, then a one-time passcode box opens.  Turning to my phone, I first unlock the screen with my 5 digit screen lock passcode.  Then I flip to the Authenticator app, and open it.  Then I enter the 6-digit code into the passcode box.  This does take time, but most websites will leave you logged in, even for a few days.  Maybe that’s bad that I do that

Ugly

  • Authenticator apps use a shared secret that both the app and the server need to store. This is called a “seed.” Using fancy math, the seed is combined with the time of day to generate the TFA code. If the app or the server is breached and the seed stolen, the bad guys can clone your TFA codes indefinitely. On the other hand, SMS codes are random values sent by the server, so there is no way to predict the next one in sequence.
  • If you are using online services from the same smartphone that has the authenticator app, an attacker could conceivably access both your password and TFA at the same time.

The Good, the Bad, and the Ugly of SMS codes

Good

  • SMS codes are convenient. There’s no app to install and configure for every account you want to include.
  • SMS authentication can warn you if someone’s trying to break in to your account. The TFA messages on your phone from a website you are not accessing is a clue that your password has been compromised and needs to change.

Bad

  • If you don’t have a smartphone, this is the only option.
  • NIST has declared that SMS-based TFA is insecure, and can no longer be used except in very particular cases using tightly defined methods.

Ugly

  • An attacker can hijack your SMS codes if they can clone or swap your SIM card. If they can convince the mobile phone provider that they are you, they can get a replacement SIM with your phone number.

So there you have it.  On Friday we are going to look at the problem that NIST has with SMS two-factor, so you will probably want to check that out, too.

0

About the Author:

Cybersecurity analyst, pen-tester, trainer, and speaker. Serving small business owners in the St Paul, Minneapolis, and western Wisconsin area since 2001. Cybersecurity and hacking have been a passion of mine since I entered the computer and networking business in 2000. I hold several cybersecurity certifications including Certified Information Systems Security Professional (CISSP), Certified Advanced Security Pratitioner (CASP), and Certified Ethical Hacker (CEH). Other computer industry certifications include A+, Network+ and Microsoft Certified System Engineer (MCSE). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of security on their computers, networks, and websites. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. We also provide Cybersecurity Awareness Training for clients and their employees. I am a frequent speakers at cybersecurity conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference, the (ISC)2 World Congress, and the ISSA International Conference, and many local community organizations, Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2008.

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.