Is OTP more secure than SMS code?

Paco IIPaco II
edited June 2016 in Lounge

I've lately been migrating as many of my two factor accounts to using OTP within 1P and away from SMS, mainly for convenience. But after reading about the Deray McKesson hack, I'm wondering if it is actually also way more secure than SMS codes?

Comments

  • brentybrenty

    Team Member

    @Paco II: Great question! OTP is almost certainly more secure than receiving a code via SMS, if only because of channel. SMS is not a secure method of transmission for any data, and while it is unlikely that someone will intercept the code before it expires, it's very possible. And an OTP code that's generated on a device you own gives you more control over its security.

    But I prefer OTP for a more practical reason: if I lose my phone, I'm out of luck. Keeping my TOTP secret in 1Password keeps it safe even if the devices is lost or stolen, and having my 1Password data on multiple devices means it's available to me even if I don't have access to my phone. :)

  • It is surprising that so many services only offer SMS as their two factor solution. I hope more start to offer OTP as well.

  • brentybrenty

    Team Member

    @Paco II: I'm not sure I'd call it "surprising", but I know what you mean. I think SMS is simply the lowest common denominator: (almost) everyone has a cell phone nowadays, and it doesn't even have to be one from this century to receive SMS messages. TOTP is more secure, but it definitely has a higher barrier to entry, since you'll have to set it up with another app or device. The little dongle thingies are easier to use, but they've gone out of fashion to a large degree because it's really a nuisance to have to carry them around with you...and if they're lost, that's bad news. That's why I'm really glad that 1Password supports TOTP. It isn't as easy as receiving a text message, but we're always working to make security more accessible to people. :)

  • My hope is if the McKesson hack really did involve hackers accessing his SMS that more companies will at least offer TOTP as an option.

  • brentybrenty

    Team Member

    My hope is if the McKesson hack really did involve hackers accessing his SMS that more companies will at least offer TOTP as an option.

    Or, as a more likely intermediate step, not have their customer service reps allow unauthorized parties to activate a new SIM on people's accounts. :dizzy:

  • TOTP is a lot safer.

    SMS can be viewed in plain text by:

    • message delivery service
    • your mobile service provider
    • anyone with a cheap GSM decoder standing in the same base station of you (unencrypted GSM only, but GSM SMS is still used widely even your SP have 4G/LTE network)

    Plus, some government authority may record everyone's SMS history.

    TOTP is much safer as it is stored only in your device.

  • brentybrenty

    Team Member

    You're absolutely right! On the plus side, if they don't have your login credentials it won't do them much good, but once they have those getting an SMS code may be a comparatively small obstacle.

  • I obviously prefer TOTP, but it should be noted that the risk associated with SMS is ultimately pretty low unless you are being specifically targeted. The two factor codes sent via SMS almost always last for just a few minutes. Someone gaining access to your Sms history at later date won't be able to do anything with those codes as they would have expired already most likely.

  • MeganMegan 1Password Alumni

    Hi @Paco II,

    That's also a good point. And I think it's important to mention here as well that two factor authentication, whether by SMS or TOTP, does add an extra layer of protection to your account, so it's a good idea to enable it for all the important services that you use. :)

  • BenBen AWS Team

    Team Member

    An example of someone who fell victim to a scam relating to SMS authentication:

    Linus got hacked!?!?!? - Honest Answers Episode 3 - YouTube

    Granted, he was targeted.

    Ben

This discussion has been closed.