SMS is a common delivery method for two-factor authentication (2FA) or multi-factor authentication (MFA). It's quick, easy to access, doesn't burden systems or other resources, and keeps user accounts more secure than those without any form of 2FA in place.
However, SMS 2FA has steadily fallen out of favor in the IT world. In its place, time-based one-time passwords (TOTPs) generated by an app on a user's device are preferred for their superior security and equal simplicity. Here, we'll further discuss the reasons behind this transition and whether TOTP 2FA really is more secure than SMS 2FA.
How TOTP 2FA Trumps SMS 2FA
Both SMS and TOTP add a second factor to the authentication process, keeping user accounts secure against automated brute force attacks, a form of cyberattack where bots try to leverage stolen credentials to authenticate to an IT resource. However, SMS 2FA uses a static code that either expires after it's been used, or if it hasn't been used in some time period, say, 10 minutes after being sent. If a bad actor were to obtain that code before a user submits it, they could easily access the account in question.
Meanwhile, TOTP authenticator apps automatically generate codes that constantly refresh. A good practice for organizations is to set the codes to refresh every 30 to 60 seconds, making the codes harder to use if stolen. If a bad actor were to obtain a TOTP code, for example, they would need to act in real time to use it before it expires.
TOTP codes are more difficult to intercept than SMS to begin with. The most basic way to intercept SMS codes is by either swapping out the victim's SIM card or impersonating the victim and ordering a copy of their SIM card to be sent to a different address. Or, a hacker may be able to target a specific user's phone and steal it. TOTP codes are generated by an app installed on the user's device, so any bad actor looking to steal their code would need to either steal their phone or somehow break into the app first, which requires more technical skill.
It should be noted that the National Institute of Standards and Technology (NIST) doesn't recommend using SMS, as . However, if SMS 2FA is the only option, NIST supports its use over the alternative, which is no 2FA at all.
Potential TOTP 2FA Risks
Although TOTP is more secure than SMS 2FA, it has some shortcomings in its design. For instance, TOTP codes rely on a shared secret, or "seed," stored by both the app and the server it's connected to. If a bad actor manages to recover the shared secret, they can generate new codes at will. Because of this, provided they have compromised a user's credentials along with their "seed," they can access the user's IT resources.
There's also potential for design flaws in the app. For example, in 2017, a programmer from was able to access the shared secret of LastPass's MFA authentication mobile app simply by accessing the app's activity log and going to "settings." LastPass issued a patch shortly after the programmer made their bypass process public, but the fact remains that there can be exploitable oversights in an authentication app's design. Knowing this, admins seeking to implement TOTP 2FA for their organization should research various authenticator apps before settling on one.
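To make the two points above concrete (codes that expire with the time window, and a shared seed that lets anyone holding it compute valid codes), here is an added example that is not part of the original post. It implements RFC 4226 HOTP and RFC 6238 TOTP with HMAC-SHA1 and six digits, plus a server-side verify routine. The seed used is the RFC reference test key, embedded here as a constructed sample; the step size, skew and function names are this example's own choices, not anything from the authenticator app or service the post describes.

```python
import hashlib
import hmac
import struct

# Constructed sample seed: the RFC 4226/6238 reference test key.
# A real deployment generates this randomly per user and shares it once at enrollment;
# both the app and the server then hold the same bytes, which is why seed theft
# is equivalent to owning the second factor.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code window (the post suggests 30 to 60)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                     # low nibble of the last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step (Unix time // step)."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, submitted: str, at: int, step: int = TIME_STEP, skew: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `skew` adjacent steps
    to tolerate clock drift. Anything older is rejected, so a stolen code goes stale in
    roughly (skew + 1) * step seconds rather than the ~10 minutes typical of SMS codes."""
    current = at // step
    for counter in range(current - skew, current + skew + 1):
        # Constant-time comparison so the server does not leak how many digits matched.
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True
    return False


def demo() -> dict:
    """Walk through the lifecycle of one code at a fixed timestamp (RFC 6238 test vector T=59)."""
    issued_at = 59
    code = totp(SHARED_SECRET, issued_at)
    return {
        "code": code,
        # Submitted promptly: accepted.
        "accepted_now": verify(SHARED_SECRET, code, issued_at),
        # Submitted one window later: still within skew, accepted.
        "accepted_next_window": verify(SHARED_SECRET, code, issued_at + TIME_STEP),
        # Submitted ten minutes later: rejected, the window has moved on.
        "accepted_after_10_min": verify(SHARED_SECRET, code, issued_at + 600),
        # Anyone holding the seed computes the same code for any moment, no interception needed.
        "seed_holder_matches": totp(SHARED_SECRET, issued_at) == code,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two details matter for defenders here: the server should keep `skew` as small as clock drift allows, since every extra step widens the window in which a phished or shoulder-surfed code remains usable, and the seed must be stored with the same care as a password hash's pepper, because `totp()` is deterministic given the seed and the clock.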
Should Admins Require TOTP 2FA?
Despite its potential weaknesses, TOTP 2FA is more secure than SMS, while also being just as lightweight and easy to access. Organizations looking to step up their cybersecurity should require TOTP instead of SMS on all their IT resources, including systems, file servers, web applications, and on-prem applications.
A service admins can leverage to accomplish this is 探花大神® Directory-as-a-Service® (DaaS), which offers TOTP 2FA via an authenticator app for macOS®, Linux®, and Windows® systems, and protects the login portal to all your IT resources.
If you're interested in learning more about using DaaS to require 2FA for your organization, reach out to us.