SMS is a common delivery method for two-factor authentication (2FA) –– or multi-factor authentication (MFA). It’s quick, easy to access, doesn’t burden systems or other resources, and keeps user accounts more secure than those without any form of 2FA in place.
However, SMS 2FA has steadily fallen out of favor in the IT world. In its place, time-based, one-time passwords (TOTPs) generated by an app on a user’s device are preferred for their superior security and equal simplicity. Here, we’ll further discuss the reasons behind this transition and whether TOTP 2FA really is more secure than SMS 2FA.
How TOTP 2FA Trumps SMS 2FA
Both SMS and TOTP add a second factor to the authentication process, keeping user accounts secure against automated brute force attacks –– a form of cyberattack where bots try to leverage stolen credentials to authenticate to an IT resource. However, SMS 2FA uses a static code that either expires after it’s been used, or if it hasn’t been used in some time period — say, 10 minutes after being sent. If a bad actor were to obtain that code before a user submits it, they could easily access the account in question.
Meanwhile, TOTP authenticator apps automatically generate codes that constantly refresh. A good practice for organizations is to set the codes to refresh every 30 to 60 seconds, making the codes harder to use if stolen. If a bad actor were to obtain a TOTP code, for example, they would need to act in real time to use it before it expires.
TOTP codes are more difficult to intercept than SMS to begin with. The most basic way to intercept SMS codes is by either swapping out the victim’s SIM card or impersonating the victim and ordering a copy of their SIM card to be sent to a different address. Or, a hacker may be able to target a specific user’s phone and steal it. TOTP codes are generated by an app installed on the user’s device, so any bad actor looking to steal their code would need to either steal their phone or somehow break into the app first, which requires more technical skill.
It should be noted that the National Institute of Standards and Technology (NIST) doesn’t recommend using SMS, as SMS 2FA is too easy to compromise. However, if SMS 2FA is the only option, NIST supports its use over the alternative, which is no 2FA at all.
Potential TOTP 2FA Risks
Although TOTP is more secure than SMS 2FA, it has some shortcomings in its design. For instance, TOTP codes rely on a shared secret, or “seed,” stored by both the app and the server it’s connected to. If a bad actor manages to recover the shared secret, they can generate new codes at will. Because of this, provided they have compromised a user’s credentials along with their “seed,” they can access the user’s IT resources.
There’s also potential for design flaws in the app. For example, in 2017, a programmer from Hackernoon was able to access the shared secret of LastPass’s MFA authentication mobile app simply by accessing the app’s activity log and going to “settings.” LastPass issued a patch shortly after the programmer made their bypass process public, but the fact remains that there can be exploitable oversights in an authentication app’s design. Knowing this, admins seeking to implement TOTP 2FA for their organization should research various authenticator apps before settling on one.
Should Admins Require TOTP 2FA?
Despite its potential weaknesses, TOTP 2FA is more secure than SMS, while also being just as lightweight and easy to access. For organizations looking to step up their cybersecurity, they should require TOTP instead of SMS on all their IT resources, including systems, file servers, web applications, and on-prem applications.
A service admins can leverage to accomplish this is JumpCloud® Directory-as-a-Service® (DaaS), which offers TOTP 2FA via an authenticator app for macOS®, Linux®, and Windows® systems, and protects the login portal to all your IT resources.