Multi-Factor Authentication - SMS or Authenticator App?

tedjamestedjames Scruffy-looking nerfherdrMember Posts: 1,111 ■■■■■■■■□□
Which do you prefer to use, and which is safer? I've used both. SMS is easy and doesn't require any app installation. Authenticator apps are supposedly more secure, but getting the app to work can sometimes be a pain.

Comments

  • roninkaironinkai Senior Member San DiegoMember Posts: 305 ■■■■□□□□□□
    I prefer neither. I use YubiKey. I like the physical element to it. SMS and Auth apps can be spoofed. Not easy, but I've read about it in the news.
    浪人 MSISA:WGU
    ICP-FDO ▪ CISSP ▪ ECES ▪ CHFI ▪ CNDA ▪ CEH ▪ MCSA/MCITP ▪ MCTS ▪ S+
    2020 Level Up Goals: (1) DevSecOps Learning Path (2) OSCP
  • LonerVampLonerVamp OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS SAA, CCSK Member Posts: 462 ■■■■■■■□□□
    Depends on what scares you the most, I suppose. Are you interesting or important enough that someone will target you for a SIM-swap and thus intercept your SMS? If not, SMS is perfectly fine. There are also questions about how much you possibly trust your local entities (corp, gov...) who control your access.

    Maybe what scares you isn't so much that you need an authenticator, but you fear those horror stories where people lose their phones and thus lose their authenticator mechanism. Play through how important or difficult that may be to replace or recover.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, CCNA Cyber Ops, Sec+, Linux+, AWS SA-A, CCSK
    2020 goals: AWS Security Specialty, AWAE or SLAE, CISSP-ISSAP?
  • SteveLavoieSteveLavoie Member Posts: 731 ■■■■■■□□□□
    NIST has emitted a warning with SMS authentification in the case of a VOIP provider.  Otherwise SMS is fine.  In my case, I prefer an Auth application or a Yubikey. 
  • DZA_DZA_ Untitled. Member Posts: 414 ■■■■■□□□□□
    The internal advisory team here advises that SMS is no longer a safe channel for communication/authentication and that the authentication should move towards application authentication. I would totally agree with this statement. You would have to have a robust and fairly non painful way of getting that training material out to the end users. 
  • NetworkNewbNetworkNewb Member Posts: 3,294 ■■■■■■■■■□
    edited January 20
    With SMS not being encrypted they can be seen very easily which make them insecure.    Not saying it is likely someone would get hacked because of using this method as it still would be difficult to read the code being sent and use it in time before the intended person does but it isn't secure as the app.   

    I find the app easier for people to use as well too. 
  • shochanshochan Member Posts: 904 ■■■■■■□□□□
    I recall reading about the successor of SMS, and wonder if you could even implement this now...Rich Communication Services (RCS) which you can read more about here or there



    "It's not good when it's done, it's done when it's good" ~ Danny Carey
  • DZA_DZA_ Untitled. Member Posts: 414 ■■■■■□□□□□
    shochan said:
    I recall reading about the successor of SMS, and wonder if you could even implement this now...Rich Communication Services (RCS) which you can read more about here or there
    We spoke to soon about RCS; apparently it has security vulnerabilities in it. I'm not sure if anything has progressed since the time of the article. 

    https://www.wired.com/story/rcs-texting-security/
  • shochanshochan Member Posts: 904 ■■■■■■□□□□
    hahaha, oh wow!  



    "It's not good when it's done, it's done when it's good" ~ Danny Carey
  • LordQarlynLordQarlyn Member Posts: 634 ■■■■■□□□□□
    If you use SMS, keep your phone number almost as private as your SSN. Phone number hijacking is still a vulnerability and all it takes sometimes is just the hacker to call the phone company and they can transfer your number to their phone, intercepting your 2FA SMS messages. Yubikey sounds like a good solution since it's not very well known yet and probably not a big target for hackers.
    Really though, everything has vulnerabilities. Use common sense and always be vigilant.

  • tedjamestedjames Scruffy-looking nerfherdr Member Posts: 1,111 ■■■■■■■■□□
    Thanks for all of the great input. We're enabling MFA on the enterprise level and pushing authenticator app over SMS. Seems that most people feel that using an app is superior. However, anything is better than nothing. Honestly, it has not been fun rolling this out, but it'll be worth it in the end.
Sign In or Register to comment.