
I understand that OTPs via email and SMS are the weakest forms of 2FA, but given a situation where these two are the only options for 2FA, is email any better than SMS?

(Assuming the email - rather, webmail - account is itself reasonably well-protected with strong passwords and 2FA.)

Related:

  • How hard is it to intercept SMS (two-factor authentication)?
  • Database leak exposes millions of two-factor codes and reset links sent by SMS - Ars Technica

    The database provided a portal that showed two-factor codes and resent links being sent in near real-time, making it potentially possible for attackers who accessed the server to obtain data that would help them hijack other people’s accounts.

muru
  • I think strictly speaking OTPs via email or SMS are _one_-factor authentication; maybe you should correct that. But that 1FA is not as bad as it looks, because the alternative of having a password, even with an extra email/SMS check on login, also amounts to 1FA when one can reset a forgotten password! Since any attacker in possession of the one factor "email" can pretend to have forgotten the password and then take over. So, maybe better to have "honest" 1FA via OTPs than pretend 2FA. – Carsten Führmann Jun 25 '20 at 14:24

3 Answers


The worry is that 2FA protects you in cases where your passwords get leaked. The 2FA is a mitigating control to prevent people from abusing that password. However, people often re-use their password across multiple websites, including their email, and most people do not protect it with 2FA.

This means that if your password leaks, there is a higher likelihood that someone will be able to get your OTP from your email address than from a text message.

Hardware tokens and OTP generators are still much more preferred over SMS or email.

Lucas Kauffman
  • Hence the assumption in the question (though I should have said that the mail account's password wouldn't be reused). – muru Dec 17 '18 at 00:50
  • @muru bear in mind that these assumptions are very specific; when coming up with a threat profile they would not be taken into account, because the reality is that most people in the population would not set it up that way. If your question is, which is more secure? Email secured with 2FA and a non-reused strong password versus SMS, I would probably choose email. – Lucas Kauffman Dec 17 '18 at 00:57
  • Why is email more secure than SMS? – theonlygusti Dec 31 '21 at 17:30

The risk of receiving an OTP via SMS is that an attacker could call the phone company and have the number the SMS will be sent to redirected to a phone the attacker controls. This assumes the attacker knows the phone number and provider of the victim's cell phone. This risk is difficult to mitigate as the sender of the OTP will not be informed about the phone change, and the victim may not be aware of the phone change immediately.

The risk of receiving an OTP via email is that the attacker may have access to the victim's email. Assuming the email account is well-protected and secure (stated in the question) will mitigate this risk.

ztk
  • There's the additional risk - sites using poorly secured SMS gateways like the example in the site. – muru Dec 17 '18 at 22:14

To answer this in a short way, I would ask you to keep getting OTPs via your mobile phone, as it is easy for your email to get hacked and it is tough to tap your mobile phone's SMS. Protect your mobile by installing apps only from trusted sources, and never give your mobile to anyone. Moreover, if SMS were not secure, banks wouldn't be using them till now. So, I recommend you to use SMS. Hope this helps, thank you.

bj_dinesh
  • If my gmail account, with a strong password and 2FA auth, is easy to get hacked, then I might as well give up on the whole security idea. – muru Dec 17 '18 at 08:52
  • Every official security group advises to not use SMS for so many reasons. – schroeder Jan 27 '22 at 21:33