Two-factor authentication is one of the most important ways to protect your accounts. Recently, though, some methods, SMS in particular, have come under fire: if someone else can intercept or redirect the code, receiving it no longer proves you hold the “something you have”, which defeats the point of “something you know and something you have”. We decided to look at the most common methods and rank them by how secure they really are.
While we talk about two-factor authentication (or 2FA) as though it were a single feature, it actually comes in a variety of flavours including SMS codes, email codes, authenticator apps for your phone or even a hardware key. If you use SMS right now, don’t panic. Any form of 2FA is better than having none. Don’t disable 2FA just to avoid using SMS.
However, the US National Institute of Standards and Technology (NIST), in a draft of its Digital Authentication Guideline (Special Publication 800-63B), deprecated SMS as a second factor, pointing out that it is an old protocol with a lot of potential security vulnerabilities and should be replaced by more secure methods. Companies aren’t compelled to follow NIST’s recommendations, but you can expect many to move away from SMS over time. If you have the option, consider switching to something else now.
Authenticator Apps Like Authy and Google Authenticator Are More Difficult to Set Up, but a Lot Safer
The core idea behind 2FA is to use something you know (your password) and something you have (your phone, for example). Authentication apps — like our favourite, Authy — turn your phone into the “something you have” without involving anyone else along the way.
Here’s how it works: When you first set it up, the service generates a secret “seed” key and shares it with your phone, usually as a QR code. From then on, both your phone and the server run that seed and the current time (rounded to 30-second steps) through a one-way keyed hash, and a six-digit code is derived from the result; nothing is encrypted, and the seed itself never travels again. Only you and the server know the seed, so an attacker can’t predict what your next code will be. The one moment it is exposed is setup: anyone who photographs or screenshots that QR code has a copy of your seed, so don’t leave it lying around.
This has a number of advantages over SMS and email. For starters, you and the server are the only parties that can ever generate your codes. There’s no email provider, no mobile carrier or any other middle-man. The codes are generated on your device and you only transmit one when you log in, during the brief window (about 30 seconds, plus whatever grace period the server allows for clock drift) in which it is valid. A code that a hacker intercepts is useless once that window has passed. The caveat is the window itself: a phishing page that relays your password and code to the real site as you type them will get in, because the code is still fresh. Authenticator apps stop an attacker from generating codes; they don’t stop you from handing one over.
Most major services like Dropbox, Amazon, Evernote and LastPass all support these authentication apps, which is encouraging. Still, these apps pose a few minor risks. Third-party apps like Authy allow you to sync your seeds across multiple devices, which means every synced device is now a place the seeds can be stolen from, including one you’re not watching or have lost, so it matters that the backup is encrypted with a password only you hold before it leaves your device. There’s also the possibility that an attacker could hack the authentication service itself and gain access to users’ seeds, which would let them generate everyone’s codes; encrypted backups limit the damage there too. All in all, authenticators are technically the most secure option right now, and the least prone to compromise when you lose a device or walk away from your desk.
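As an added example (our own, not the article’s code and not any authenticator app’s), here is the generation step above in plain Python, following RFC 4226 (HOTP) and RFC 6238 (TOTP). The base32 seed and the expected codes are the published RFC 6238 test vectors; the server-side verify_totp helper, its one-step tolerance window and the secret_from_base32 name are our assumptions about how a typical server treats the code, not anything the article states.

```python
import base64
import hashlib
import hmac
import struct

# Added example, not code from the article or from any authenticator app.
# HOTP (RFC 4226) and TOTP (RFC 6238): the seed is never "encrypted";
# it is the key of a one-way HMAC over a counter, and the counter is time.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # 20-byte tag
    offset = mac[-1] & 0x0F                                # low nibble picks a 4-byte window
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter = number of `step`-second intervals since the
    Unix epoch, so phone and server need agreeing clocks, not shared state."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Assumed server-side check: accept the current step and `window` steps either
    side to tolerate clock drift, comparing in constant time. A real server should
    also record the last counter it accepted so a fresh code cannot be replayed."""
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        expected = hotp(secret, counter, digits).encode()
        if hmac.compare_digest(expected, submitted.encode()):
            return True
    return False


def secret_from_base32(encoded: str) -> bytes:
    """The seed in an otpauth:// QR code is base32, usually unpadded and sometimes
    grouped with spaces; normalise it before decoding."""
    clean = encoded.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


if __name__ == "__main__":
    # RFC 6238 reference seed: the ASCII string "12345678901234567890" in base32.
    seed = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(seed, 59))                    # 287082, the RFC test vector for T=1
    print(verify_totp(seed, "287082", 89))   # True: one step later, inside the window
    print(verify_totp(seed, "287082", 150))  # False: three steps later, window exhausted
```

The verify function is where the article’s “30-second window” really lives: most servers accept a step or so of drift, so the usable life of an intercepted code is closer to a minute than 30 seconds, and a phishing proxy needs only seconds.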
Security Rating: 4/5: Authentication apps are the most secure option, barring user-created risks
One-Button Authentication Is Simpler, but Most Services Don’t Support It Yet
The newest two-factor method on the block is “one-button authentication”. It works much like the authentication app above, except you don’t need to manually copy a six-digit code from your phone to a text box. Just tap “Yes, that’s me” and you’re good to go. Currently Google and Blizzard are the two biggest names working on this method.
The key difference between one-button authentication and authenticator apps is that the codes are handled automatically, without you having to enter them. Blizzard shows you a code on your phone and asks whether it matches the one on your computer. Google doesn’t show you any code at all, so the only check is your own judgment: if a prompt arrives when you aren’t trying to log in, turn it down, and treat it as a sign that someone already has your password.
On its face, this method is about as secure as generated codes in authentication apps, with one thing to watch: a prompt that asks only for yes or no. Someone who already has your password can trigger prompts until you tap the wrong button by mistake, which is why a design that makes you confirm a code shown on the login screen, as Blizzard’s does, is the stronger form. It’s also still relatively new. Most services don’t offer the option, so this may be wishful thinking for anything besides your Google account (or your Battle.net account) for a while. Still, if you’d prefer to make your logins a little simpler, you can trust it. It’s the same tech as the authenticator apps you probably use already, just simplified.
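As a second added example (ours, not Google’s or Blizzard’s code), here is a minimal server-side model of a tap-to-approve login with number matching, in the variant where the login screen shows a short number and the phone must send that number back with the approval. The class and method names, the 60-second lifetime, the two-digit code and the injectable clock are assumptions for illustration; what the model shows is that an approval is only worth anything if it is tied to one specific login attempt.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Added example, not Google's or Blizzard's code: an assumed server-side model of
# "tap to approve" with number matching. The browser session that typed the
# password is shown a number; the phone must return it with the approval.


@dataclass
class Challenge:
    session_id: str       # browser session that asked to log in
    display_code: str     # shown on the login screen only, never pushed to the phone
    expires_at: float


class PushApproval:
    def __init__(self, ttl_seconds: int = 60,
                 clock: Callable[[], float] = time.time) -> None:
        self.ttl = ttl_seconds
        self.clock = clock                       # injectable so tests control time
        self.pending: Dict[str, Challenge] = {}

    def issue(self, session_id: str) -> Tuple[str, str]:
        """Called after the password check passes. Returns the challenge id to push
        to the phone and the number to display in the browser."""
        challenge_id = secrets.token_urlsafe(16)
        display_code = f"{secrets.randbelow(100):02d}"
        self.pending[challenge_id] = Challenge(
            session_id, display_code, self.clock() + self.ttl)
        return challenge_id, display_code

    def approve(self, challenge_id: str, code_from_phone: str) -> Optional[str]:
        """Called when the phone taps 'Yes'. Returns the session id that is now
        logged in, or None. The challenge is consumed on the first attempt whether
        or not it matches, so a wrong guess cannot be retried and a correct one
        cannot be replayed; an attacker's own login screen shows a different number
        from the one the victim sees, so a tap on a surprise prompt fails."""
        challenge = self.pending.pop(challenge_id, None)
        if challenge is None or self.clock() > challenge.expires_at:
            return None
        if not secrets.compare_digest(challenge.display_code.encode(),
                                      code_from_phone.encode()):
            return None
        return challenge.session_id


if __name__ == "__main__":
    service = PushApproval()
    cid, shown = service.issue("browser-session-1")
    print(service.approve(cid, shown))   # browser-session-1
    print(service.approve(cid, shown))   # None: already consumed
```

The point the model makes is that a bare yes/no prompt carries no information about which login attempt is being approved; the displayed number is what binds the tap on the phone to the session sitting in front of the real user.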
Security Rating: 4/5: More secure than SMS and email, but new and largely unsupported.
Emailed Codes Are Slightly Safer than SMS, but They Can’t Be Controlled
Some services allow you to confirm your login by emailing a code to you. This is a bit safer than SMS, but it still has weaknesses. For starters, your email provider becomes a weak link. If someone can gain access to your email account, they can read your 2FA codes directly. Some providers, Google among them, are good about protecting that account (especially if the email account itself is locked behind 2FA), but it is still another link in the chain that can break.
Email also suffers from many of the same user-generated problems that SMS codes do. For example, how many devices and apps currently have access to your email account? For most, this probably includes a phone, a laptop or desktop and maybe a tablet. You might also use third-party services that have access to your emails. An attacker who swipes your tablet or breaks into an old contacts app or calendar organiser that has access to your inbox might be able to log in to your accounts before you realise what’s happened.
Email is slightly more secure than SMS, but only just. Most major email providers encrypt the connection between your device and their servers (and usually between providers too), so a code is hard to snatch off the wire, and you can’t “clone” your email account the way you can a SIM. However, attackers can still get at your email by attacking your provider, by attacking third parties you’ve given access to your inbox, or by swiping one of the many devices you have logged in. Any service you use on multiple devices probably isn’t the best way to receive authentication codes that only you should see. If you can use something else, you’re probably better off.
Security Rating: 2/5: Better than SMS if you have no other choice, but still not ideal.
SMS Codes Are Ubiquitous, but Easy to Break
Sending SMS codes to your phone to prove your identity is easy, but it’s the least secure method of two-factor authentication. Put simply, 2FA assumes that you get the codes on a device that only you control. SMS as a protocol simply can’t guarantee this. A hacker can potentially intercept text messages on their way to your device (the carrier signalling network that routes them was never designed to keep them confidential), or they can clone your SIM and masquerade as you. Since carriers are also involved, there’s the simpler route of convincing the carrier to transfer your number to a SIM the attacker controls, a “SIM swap”, before you even realise what’s happened. None of these attacks is trivial, but all of them are easier than breaking the other 2FA methods here.
Those are just the risks inherent to SMS. In practice, many of us use apps to read our SMS messages. Google Voice and MightyText organise and send texts to other computers. Some carriers still support sending and receiving SMS from your email account. Pushbullet and even Windows 10 can mirror your messages to another computer. Those tools aren’t insecure, but they do offer more attack vectors to someone who really wants your authentication codes. Many of us (myself included) accept this trade-off, but it does undermine the key principle of 2FA messages: That you and only you have that code. If a service only supports SMS-based 2FA, it’s better than nothing, but you should use something else when you can.
Security Rating: 1/5: Only use if no other 2FA method is available.
These aren’t the only methods available. We didn’t touch on automated phone calls, which suffer from many of the same shortcomings as SMS, or hardware keys, which most people won’t use, though keys built on the FIDO/U2F standard have one advantage no code-based method has: they answer only the site they were registered with, so a phishing page gets nothing. These are the most popular options available for the most services. Remember, there’s no perfect solution when it comes to security, but some methods are better than others. We’re still trying to get most sites to enable two-factor authentication at all, much less to use the best method. If you do have a choice, though, pick the best, most secure option from what you have available.