Multi-Factor Authentication - SMS or Authenticator App?

tedjames

Which do you prefer to use, and which is safer? I've used both. SMS is easy and doesn't require any app installation. Authenticator apps are supposedly more secure, but getting the app to work can sometimes be a pain.

roninkai

I prefer neither. I use YubiKey. I like the physical element to it. SMS and Auth apps can be spoofed. Not easy, but I've read about it in the news.

LonerVamp

Depends on what scares you the most, I suppose. Are you interesting or important enough that someone will target you for a SIM-swap and thus intercept your SMS? If not, SMS is perfectly fine. There are also questions about how much you possibly trust your local entities (corp, gov...) who control your access.

Maybe what scares you isn't so much that you need an authenticator, but you fear those horror stories where people lose their phones and thus lose their authenticator mechanism. Play through how important or difficult that may be to replace or recover.

SteveLavoie

NIST has emitted a warning with SMS authentification in the case of a VOIP provider.  Otherwise SMS is fine.  In my case, I prefer an Auth application or a Yubikey. 

DZA_

The internal advisory team here advises that SMS is no longer a safe channel for communication/authentication and that the authentication should move towards application authentication. I would totally agree with this statement. You would have to have a robust and fairly non painful way of getting that training material out to the end users. 

NetworkNewb

With SMS not being encrypted they can be seen very easily which make them insecure.    Not saying it is likely someone would get hacked because of using this method as it still would be difficult to read the code being sent and use it in time before the intended person does but it isn't secure as the app.   

I find the app easier for people to use as well too. 

shochan

I recall reading about the successor of SMS, and wonder if you could even implement this now...Rich Communication Services (RCS) which you can read more about here or there

DZA_

shochan said:

I recall reading about the successor of SMS, and wonder if you could even implement this now...Rich Communication Services (RCS) which you can read more about here or there

We spoke to soon about RCS; apparently it has security vulnerabilities in it. I'm not sure if anything has progressed since the time of the article. 

https://www.wired.com/story/rcs-texting-security/

shochan

hahaha, oh wow!  

LordQarlyn

If you use SMS, keep your phone number almost as private as your SSN. Phone number hijacking is still a vulnerability and all it takes sometimes is just the hacker to call the phone company and they can transfer your number to their phone, intercepting your 2FA SMS messages. Yubikey sounds like a good solution since it's not very well known yet and probably not a big target for hackers.

Really though, everything has vulnerabilities. Use common sense and always be vigilant.

tedjames

Thanks for all of the great input. We're enabling MFA on the enterprise level and pushing authenticator app over SMS. Seems that most people feel that using an app is superior. However, anything is better than nothing. Honestly, it has not been fun rolling this out, but it'll be worth it in the end.