SMS or authenticator app – which is better for two-factor authentication?


In the comments of one of our recent two-factor authentication (2FA) articles, we received a question about whether it was better to use an SMS (text message) code as your second factor of authentication, or to use a dedicated authenticator app to generate the code.

We thought this was an interesting question, so let’s explore it a bit. In many cases, the choice between SMS and an authenticator app comes down to using whichever one is more convenient for you. But if you’re curious about the pros and cons of each, read on and let us know in the comments which option you prefer and why.

(Not all 2FA-enabled services offer both options, but for the sake of this exercise, we’re going to assume you get to choose between them.)

The pros and cons of SMS-based codes

Pros

  • SMS codes are convenient. There’s no fussing with downloading an app and going through setup for each account. It may be the only option if you don’t have a smartphone.
  • SMS authentication can be a canary in the coal mine. If someone’s trying to break into your account, the 2FA messages arriving on your phone are a warning that it’s time to investigate (and to change your password).

Cons

  • A crook can hijack your SMSes with a SIM swap scam. If they can convince a mobile phone shop that they are you, they can get them to issue a replacement SIM encoded with your phone number. Your phone will go dead and theirs will start receiving your calls and messages, including 2FA codes.
  • NIST has declared that the age of SMS-based 2FA is done.

Pros and cons of authenticator app codes

Pros

  • SIM swapping won’t hijack your 2FA codes if you’re using an authenticator app. The codes depend on the app itself, not on your SIM card.
  • Authenticator apps work even when you don’t have mobile coverage.

Cons

  • Authenticator apps depend on a shared secret that both the app and the server need to store. This “seed” is combined with the current time to generate the 2FA code. If a crook can compromise the app or the server and recover the secret, they can clone your 2FA codes indefinitely. SMS codes are just random values sent by the server, so there is no “seed” from which a crook could predict the next one in the sequence.
  • When you access online services from your smartphone, you’ll usually be running the authenticator app on the same device. This means the crooks have a common point of compromise for both factors of your 2FA. A second, lightweight “feature phone” used for SMS codes makes it easier to keep the two factors apart.

So what do you prefer? If you’re not already using 2FA for your online accounts, can we persuade you to start? Let us know your thoughts in the comments below.