Which Is Better – SMS or App-based TFA?

google-authenticatorI am a firm believer in, and user of two-factor authentication (TFA or 2FA).  Heck, if there was three-factor authentication I would probably sign up.  The two most popular authenticator apps are Authy and Google Authenticator.  I primarily use Google Authenticator wherever I can.  I use SMS when Authenticator isn’t an option, or won’t work.  I had trouble, for instance, getting Facebook to work and so I settled for SMS when logging into Facebook.

In researching this story, I did

The Good, the Bad, and the Ugly of authenticator app codes


  • Authenticator apps are encrypted, which keeps them from falling victim to phone or SIM card cloning attacks.
  • Authenticator apps can work even when you don’t have mobile coverage, you can create an save a list of one-time passcodes for those times.
  • The Authenticator can also generate codes for third-party applications, such as password managers, file hosting services, and other applications such as g-Syncit for MS Outlook.


  • Getting to the code can be inconvenient.  In my particular case, first I enter my user name and password into a protected site, then a one-time passcode box opens.  Turning to my phone, I first unlock the screen with my 5 digit screen lock passcode.  Then I flip to the Authenticator app, and open it.  Then I enter the 6-digit code into the passcode box.  This does take time, but most websites will leave you logged in, even for a few days.  Maybe that’s bad that I do that


  • Authenticator apps use a shared secret that both the app and the server need to store. This is called a “seed.” Using fancy math, the seed is combined with the time of day to generate the TFA code. If the app or the server is breached and the seed stolen, the bad guys can clone your TFA codes indefinitely. On the other hand, SMS codes are random values sent by the server, so there is no way to predict the next one in sequence.
  • If you are using online services from the same smartphone that has the authenticator app, an attacker could conceivably access both your password and TFA at the same time.

The Good, the Bad, and the Ugly of SMS codes


  • SMS codes are convenient. There’s no app to install and configure for every account you want to include.
  • SMS authentication can warn you if someone’s trying to break in to your account. The TFA messages on your phone from a website you are not accessing is a clue that your password has been compromised and needs to change.


  • If you don’t have a smartphone, this is the only option.
  • NIST has declared that SMS-based TFA is insecure, and can no longer be used except in very particular cases using tightly defined methods.


  • An attacker can hijack your SMS codes if they can clone or swap your SIM card. If they can convince the mobile phone provider that they are you, they can get a replacement SIM with your phone number.

So there you have it.  On Friday we are going to look at the problem that NIST has with SMS two-factor, so you will probably want to check that out, too.


About the Author:

Cybersecurity guru to business owners in the St Paul, Minneapolis, and western Wisconsin area. Computer security and hacking have been a passion of mine since I entered the computer and networking business in 2000. In 2013 I completed a course of study and certification exam to become a Certified Ethical Hacker (CEH). In 2016 I was certified as a Certified Information Systems Security Professional (CISSP). As Cybersecurity Analyst at The WyzCo Group, I help our clients experience high levels of computer security, network security, and web site security. In addition to consulting on security products and services, we also conduct security audits, vulnerability assessments and full penetration tests. We also provide Cybersecurity Awareness Training for clients and their employees. We also work with companies and organizations that need to certify compliance with regulations such as PCI-DSS (credit card processing), HIPAA/HITECH (medical records), and GLBA. The views expressed on this Web site are mine alone and do not necessarily represent the views of my employer.

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.