Which Is Better – SMS or App-based TFA?

google-authenticatorI am a firm believer in, and user of two-factor authentication (TFA or 2FA).  Heck, if there was three-factor authentication I would probably sign up.  The two most popular authenticator apps are Authy and Google Authenticator.  I primarily use Google Authenticator wherever I can.  I use SMS when Authenticator isn’t an option, or won’t work.  I had trouble, for instance, getting Facebook to work and so I settled for SMS when logging into Facebook.

In researching this story, I did

The Good, the Bad, and the Ugly of authenticator app codes

Good

  • Authenticator apps are encrypted, which keeps them from falling victim to phone or SIM card cloning attacks.
  • Authenticator apps can work even when you don’t have mobile coverage, you can create an save a list of one-time passcodes for those times.
  • The Authenticator can also generate codes for third-party applications, such as password managers, file hosting services, and other applications such as g-Syncit for MS Outlook.

Bad

  • Getting to the code can be inconvenient.  In my particular case, first I enter my user name and password into a protected site, then a one-time passcode box opens.  Turning to my phone, I first unlock the screen with my 5 digit screen lock passcode.  Then I flip to the Authenticator app, and open it.  Then I enter the 6-digit code into the passcode box.  This does take time, but most websites will leave you logged in, even for a few days.  Maybe that’s bad that I do that

Ugly

  • Authenticator apps use a shared secret that both the app and the server need to store. This is called a “seed.” Using fancy math, the seed is combined with the time of day to generate the TFA code. If the app or the server is breached and the seed stolen, the bad guys can clone your TFA codes indefinitely. On the other hand, SMS codes are random values sent by the server, so there is no way to predict the next one in sequence.
  • If you are using online services from the same smartphone that has the authenticator app, an attacker could conceivably access both your password and TFA at the same time.

The Good, the Bad, and the Ugly of SMS codes

Good

  • SMS codes are convenient. There’s no app to install and configure for every account you want to include.
  • SMS authentication can warn you if someone’s trying to break in to your account. The TFA messages on your phone from a website you are not accessing is a clue that your password has been compromised and needs to change.

Bad

  • If you don’t have a smartphone, this is the only option.
  • NIST has declared that SMS-based TFA is insecure, and can no longer be used except in very particular cases using tightly defined methods.

Ugly

  • An attacker can hijack your SMS codes if they can clone or swap your SIM card. If they can convince the mobile phone provider that they are you, they can get a replacement SIM with your phone number.

So there you have it.  On Friday we are going to look at the problem that NIST has with SMS two-factor, so you will probably want to check that out, too.

0

About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com

Add a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.