SMS or authenticator app – which is better for two-factor authentication?
The pros and cons of
SMS codes are convenient. There’s no fussing with downloading an app and going through setup for each account. It may be the only option if you don’t have a smartphone.
SMS authentication can be a canary in the coal mine. If someone’s trying to break into your account, the 2FA messages on your phone are a warning that it’s time to investigate (and to change your password).
A crook can hijack your SMSes with a SIM swap scam. If they can convince a mobile phone shop that they are you, they can get them to issue a replacement SIM encoded with your phone number. Your phone will go dead and theirs will start receiving your calls and messages, including 2FA codes.
NIST has declared that the age of SMS-based 2FA is done.
Pros and cons of authenticator app codes
SIM swapping won’t hijack your 2FA codes if you’re using an authenticator app. The codes depend on the app itself, not on your SIM card.
Authenticator apps work even when you don’t have mobile
Authenticator apps depend on a shared secret that both the app and the server need to store. This “seed” is combined with the time to generate the 2FA code. If a crook can crack the app or the server and recover the secret, they can clone your 2FA codes indefinitely. SMS codes are just random values sent by the server, so there is no “seed” by which a crook could predict the next one in sequence.
When you access online services from your smartphone, you’ll usually be running the authenticator app on the same device. This means the crooks have a common point of compromise for both factors of your 2FA. A second, lightweight “feature phone” used for SMS codes makes it easier to keep the two factors apart.