Security Advisory: Why Authenticator Apps Are Safer Than SMS for Login Security
INTRODUCTION
One of the best ways to add extra security to your accounts is through Multi-Factor Authentication (MFA) – this means you need more than just a user ID and password to log in. We strongly recommend using MFA for your important accounts.
However, not all MFA methods are equally secure. Authenticator apps are a safer option than SMS authentication methods because they generate security codes directly on your device. SMS authentication codes, on the other hand, can be intercepted by hackers.
WHAT IS MULTI-FACTOR AUTHENTICATION AND WHAT IS THE BENEFIT?
MFA adds an extra step to logging in. Instead of just entering a user ID and password, you must also provide another piece of information, like a code from an app or a text message. This extra step makes it much harder for hackers to break into your account, even if they steal your password.
MFA METHOD #1: WHAT IS AN AUTHENTICATOR APPLICATION?
An authenticator app is a mobile app that generates security codes for logging in. These codes are called Time-Based One-Time Passwords (TOTP) and change every 30 to 60 seconds.
When you set up an authenticator app for an account, you scan a QR code or enter a secret key. This links the authenticator app to your account and allows it to generate matching codes.
To log in, you enter your username, password, and the current code displayed on your authenticator app. If the code matches the one your account server expects, you get access.
Some popular authenticator applications include:
- Google Authenticator
- Microsoft Authenticator
- Authy
- Duo Mobile
MFA METHOD #2: WHAT IS SMS AUTHENTICATION?
SMS authentication is when a security code is sent to your phone via text message. You enter this code along with your user ID and password to log in. These codes are One-Time Passwords (OTPs): each one is valid for a single login and only for a limited time, and you will need to request a new OTP if you exceed that time limit.
Sometimes, websites may also send security codes via email instead of SMS, but the process is the same.
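The lifetime and single-use rules described above are enforced on the server that issues the code, not by the phone. As an added illustration (written for this advisory, not taken from any particular website's implementation), here is a small issuing service for SMS or email OTPs that expires codes, accepts each one only once, limits wrong guesses, and stores only a keyed hash of the live code. The five-minute lifetime and five-attempt limit are assumed policy values.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

OTP_DIGITS = 6
OTP_LIFETIME_SECONDS = 300   # assumed policy: a code is valid for five minutes
MAX_ATTEMPTS = 5             # assumed policy: lock the code after five wrong guesses


@dataclass
class PendingOtp:
    code_hash: bytes
    expires_at: int
    attempts: int = 0
    used: bool = False


class SmsOtpService:
    """Issues one-time codes and checks them. Only an HMAC of the code is kept, so a leak
    of the pending table does not expose codes that are still valid."""

    def __init__(self, hash_key: bytes):
        self.hash_key = hash_key
        self.pending: Dict[str, PendingOtp] = {}

    def _hash(self, code: str) -> bytes:
        return hmac.new(self.hash_key, code.encode(), hashlib.sha256).digest()

    def issue(self, user_id: str, now: Optional[int] = None) -> str:
        """Generate a fresh random code and replace any earlier pending code for the user.
        The returned plaintext goes to the SMS/email gateway and must not be logged."""
        now = int(time.time()) if now is None else now
        code = str(secrets.randbelow(10 ** OTP_DIGITS)).zfill(OTP_DIGITS)
        self.pending[user_id] = PendingOtp(self._hash(code), now + OTP_LIFETIME_SECONDS)
        return code

    def verify(self, user_id: str, code: str, now: Optional[int] = None) -> str:
        """Return "ok" on success, otherwise the reason the code was rejected."""
        now = int(time.time()) if now is None else now
        entry = self.pending.get(user_id)
        if entry is None:
            return "no_code"
        if entry.used:
            return "already_used"       # single use: a replayed code is refused
        if now > entry.expires_at:
            return "expired"            # time limit: the user must request a new code
        if entry.attempts >= MAX_ATTEMPTS:
            return "locked"             # guess limit: a six-digit code must not be brute-forceable
        entry.attempts += 1
        if hmac.compare_digest(entry.code_hash, self._hash(code)):
            entry.used = True
            return "ok"
        return "wrong"


if __name__ == "__main__":
    svc = SmsOtpService(hash_key=secrets.token_bytes(32))
    sent = svc.issue("demo-user")
    print("first use:", svc.verify("demo-user", sent))
    print("second use:", svc.verify("demo-user", sent))
```

Even with these controls in place, the weakness the rest of this advisory describes remains: the server has to deliver the plaintext code to you, and any party that receives the message before you do can use it within the lifetime window.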
WHY AUTHENTICATOR APPLICATIONS ARE PREFERRED OVER SMS AUTHENTICATION
Authenticator apps provide better security than SMS codes for several reasons:
- Less chance of being hacked: Authenticator apps generate codes directly on your device, so the code never has to be delivered to you; SMS codes are transmitted to your phone and can be stolen on the way.
- No risk of SIM swapping: Hackers can trick your phone provider into transferring your number to a new SIM card, allowing them to receive your SMS codes.
- No risk of interception: SMS codes can be stolen using man-in-the-middle attacks, where hackers eavesdrop on internet traffic.
- Codes change frequently: Authenticator apps refresh their codes every 30 to 60 seconds, making them harder to steal and use.
HOW HACKERS CAN STEAL SMS CODES
Here are two common ways cybercriminals can steal SMS codes:
- Man-in-the-Middle Attacks – Hackers intercept your internet traffic when you connect to an unprotected Wi-Fi network (like public Wi-Fi at a coffee shop). This can let them steal SMS codes.
- SIM Swapping – A hacker contacts your mobile provider pretending to be you and tricks them into activating a new SIM card with your phone number. Now, they receive all your text messages, including your security codes.
HOW TO KEEP YOUR ACCOUNTS SAFE
- Use an authenticator app instead of SMS authentication whenever possible.
- Protect your phone with a strong PIN or password.
- Avoid using public Wi-Fi when entering security codes.
- Never share your security codes with anyone.
- Be cautious of phishing scams that try to trick you into revealing your codes.