{"id":46176,"date":"2020-05-17T15:00:00","date_gmt":"2020-05-17T21:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=46176"},"modified":"2022-09-13T12:43:14","modified_gmt":"2022-09-13T16:43:14","slug":"totp-sms-2fa","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa","title":{"rendered":"Is TOTP Really Better Than SMS? – Two-Factor Authentication (2FA)"},"content":{"rendered":"\n

SMS is a common delivery method for two-factor authentication (2FA) \u2013\u2013 or multi-factor authentication (MFA). It\u2019s quick, easy to access, doesn\u2019t burden systems or other resources, and keeps user accounts more secure than those without any form of 2FA in place. <\/p>\n\n\n\n

However, SMS 2FA has steadily fallen out of favor in the IT world. In its place, time-based, one-time passwords (TOTPs)<\/a> generated by an app on a user\u2019s device are preferred for their superior security and equal simplicity. Here, we\u2019ll further discuss the reasons behind this transition and whether TOTP 2FA really is more secure than SMS 2FA.<\/p>\n\n\n\n

How TOTP 2FA Trumps SMS 2FA<\/h2>\n\n\n\n

Both SMS and TOTP add a second factor to the authentication process, keeping user accounts secure against automated brute force attacks<\/a> \u2013\u2013 a form of cyberattack where bots try to leverage stolen credentials to authenticate to an IT resource. However, SMS 2FA uses a static code that expires either once it\u2019s been used or after going unused for some time period, say 10 minutes after being sent. If a bad actor were to obtain that code before the user submits it, they could easily access the account in question. <\/p>\n\n\n\n

Meanwhile, TOTP authenticator apps automatically generate codes that constantly refresh. A good practice for organizations is to set the codes to refresh every 30 to 60 seconds, making the codes harder to use if stolen. If a bad actor were to obtain a TOTP code, for example, they would need to act in real time to use it before it expires.<\/p>\n\n\n\n

TOTP codes are also more difficult to intercept than SMS codes to begin with. The most basic way to intercept SMS codes is by either swapping out the victim\u2019s SIM card or impersonating the victim and ordering a copy of their SIM card to be sent to a different address. Or, a hacker may be able to target a specific user\u2019s phone and steal it. TOTP codes are generated by an app installed on the user\u2019s device, so any bad actor looking to steal a code would need to either steal the phone or somehow break into the app first, which requires more technical skill.<\/p>\n\n\n\n

It should be noted that the National Institute of Standards and Technology (NIST) doesn\u2019t recommend using SMS, as SMS 2FA is too easy to compromise<\/a>. However, if SMS 2FA is the only option, NIST supports its use over the alternative, which is no 2FA at all.<\/p>\n\n\n\n

Potential TOTP 2FA Risks<\/h2>\n\n\n\n

Although TOTP is more secure than SMS 2FA, it has some shortcomings in its design. For instance, TOTP codes rely on a shared secret, or \u201cseed,\u201d stored by both the app and the server it\u2019s connected to. If a bad actor manages to recover the shared secret, they can generate new codes at will. A bad actor who has compromised a user\u2019s credentials along with their \u201cseed\u201d can therefore access the user\u2019s IT resources.<\/p>\n\n\n\n

There\u2019s also potential for design flaws in the app. For example, in 2017, a programmer from Hackernoon<\/a> was able to access the shared secret of LastPass\u2019s MFA authentication mobile app simply by accessing the app\u2019s activity log and going to \u201csettings.\u201d LastPass issued a patch shortly after the programmer made their bypass process public, but the fact remains that there can be exploitable oversights in an authentication app\u2019s design. Knowing this, admins seeking to implement TOTP 2FA for their organization should research various authenticator apps before settling on one.<\/p>\n\n\n\n

Should Admins Require TOTP 2FA?<\/h2>\n\n\n\n

Despite its potential weaknesses, TOTP 2FA is more secure than SMS, while also being just as lightweight and easy to access. Organizations looking to step up their cybersecurity should require TOTP instead of SMS on all their IT resources, including systems, file servers, web applications, and on-prem applications.<\/p>\n\n\n\n

One service admins can leverage to accomplish this is JumpCloud\u00ae<\/sup> Directory-as-a-Service\u00ae<\/sup><\/a> (DaaS), which offers TOTP 2FA via an authenticator app for macOS\u00ae<\/sup>, Linux\u00ae<\/sup>, and Windows\u00ae<\/sup> systems, and protects the login portal to all your IT resources.<\/p>\n\n\n\n

If you\u2019re interested in learning more about using DaaS to require 2FA for your organization, reach out<\/a> to us.<\/p>\n","protected":false},"excerpt":{"rendered":"

TOTP has taken precedence over SMS for two-factor authentication (2FA), but is TOTP really better than SMS? Find out here.<\/p>\n","protected":false},"author":92,"featured_media":46177,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[2781],"tags":[],"collection":[2775],"platform":[],"funnel_stage":[3016],"coauthors":[2578],"acf":[],"yoast_head":"\nTwo-Factor Authentication: Is TOTP Really Better Than SMS? - JumpCloud<\/title>\n<meta name=\"description\" content=\"TOTP has taken precedence over SMS for two-factor authentication (2FA), but is TOTP really better than SMS? Find out here.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Is TOTP Really Better Than SMS? - Two-Factor Authentication (2FA)\" \/>\n<meta property=\"og:description\" content=\"TOTP has taken precedence over SMS for two-factor authentication (2FA), but is TOTP really better than SMS? 
Find out here.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:published_time\" content=\"2020-05-17T21:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-13T16:43:14+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"780\" \/>\n\t<meta property=\"og:image:height\" content=\"520\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Megan Anderson\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Megan Anderson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#article\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa\"},\"author\":{\"name\":\"Megan Anderson\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/7d2acfcb7b5720fb45432d3c88dfb677\"},\"headline\":\"Is TOTP Really Better Than SMS? 
– Two-Factor Authentication (2FA)\",\"datePublished\":\"2020-05-17T21:00:00+00:00\",\"dateModified\":\"2022-09-13T16:43:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa\"},\"wordCount\":708,\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg\",\"articleSection\":[\"How-To\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa\",\"url\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa\",\"name\":\"Two-Factor Authentication: Is TOTP Really Better Than SMS? - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg\",\"datePublished\":\"2020-05-17T21:00:00+00:00\",\"dateModified\":\"2022-09-13T16:43:14+00:00\",\"description\":\"TOTP has taken precedence over SMS for two-factor authentication (2FA), but is TOTP really better than SMS? 
Find out here.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg\",\"width\":780,\"height\":520},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Is TOTP Really Better Than SMS? – Two-Factor Authentication (2FA)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/7d2acfcb7b5720fb45432d3c88dfb677\",\"name\":\"Megan Anderson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/1137c152b014919b03c19ac2c8377ede\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d1793fee47c43b6992aa8aa580f8b843?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d1793fee47c43b6992aa8aa580f8b843?s=96&d=mm&r=g\",\"caption\":\"Megan Anderson\"},\"description\":\"Megan is a content writer at JumpCloud with a B.A. in English from MSU Denver. Colorado-born and raised, she enjoys hiking, skiing, and all manner of dogs.\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Two-Factor Authentication: Is TOTP Really Better Than SMS? - JumpCloud","description":"TOTP has taken precedence over SMS for two-factor authentication (2FA), but is TOTP really better than SMS? Find out here.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa","og_locale":"en_US","og_type":"article","og_title":"Is TOTP Really Better Than SMS? 
- Two-Factor Authentication (2FA)","og_description":"TOTP has taken precedence over SMS for two-factor authentication (2FA), but is TOTP really better than SMS? Find out here.","og_url":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa","og_site_name":"JumpCloud","article_published_time":"2020-05-17T21:00:00+00:00","article_modified_time":"2022-09-13T16:43:14+00:00","og_image":[{"width":780,"height":520,"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg","type":"image\/jpeg"}],"author":"Megan Anderson","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Megan Anderson","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#article","isPartOf":{"@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa"},"author":{"name":"Megan Anderson","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/7d2acfcb7b5720fb45432d3c88dfb677"},"headline":"Is TOTP Really Better Than SMS? – Two-Factor Authentication (2FA)","datePublished":"2020-05-17T21:00:00+00:00","dateModified":"2022-09-13T16:43:14+00:00","mainEntityOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa"},"wordCount":708,"publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg","articleSection":["How-To"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa","url":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa","name":"Two-Factor Authentication: Is TOTP Really Better Than SMS? 
- JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg","datePublished":"2020-05-17T21:00:00+00:00","dateModified":"2022-09-13T16:43:14+00:00","description":"TOTP has taken precedence over SMS for two-factor authentication (2FA), but is TOTP really better than SMS? Find out here.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/blog\/totp-sms-2fa"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/05\/TOTP-SMS-2FA.jpeg","width":780,"height":520},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/blog\/totp-sms-2fa#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Is TOTP Really Better Than SMS? 
– Two-Factor Authentication (2FA)"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/7d2acfcb7b5720fb45432d3c88dfb677","name":"Megan Anderson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/1137c152b014919b03c19ac2c8377ede","url":"https:\/\/secure.gravatar.com\/avatar\/d1793fee47c43b6992aa8aa580f8b843?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d1793fee47c43b6992aa8aa580f8b843?s=96&d=mm&r=g","caption":"Megan Anderson"},"description":"Megan is a content writer at JumpCloud with a B.A. in English from MSU Denver. 
Colorado-born and raised, she enjoys hiking, skiing, and all manner of dogs."}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/46176"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/92"}],"replies":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/comments?post=46176"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/46176\/revisions"}],"predecessor-version":[{"id":68918,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/46176\/revisions\/68918"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media\/46177"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=46176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/categories?post=46176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/tags?post=46176"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/collection?post=46176"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/platform?post=46176"},{"taxonomy":"funnel_stage","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/funnel_stage?post=46176"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=46176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}