
I noticed some very advanced sites don't offer 2 factor authentication via phone/text. Example: Salesforce's Heroku.

Is phone/text based 2 Factor Authentication generally weaker than using an authenticator app? I'm trying to work out why a major site would not offer 2 Factor Authentication via phone/text, but offer other methods (authenticator app) instead?

schroeder
stevec
  • Because the recommendation has been for a while to not use SMS for MFA: https://www.google.com/search?q=sms+2fa – schroeder May 05 '21 at 07:02
  • @schroeder none of the 4 links you provide actually answer my question, i.e. showing that a method is imperfect doesn't imply that an alternative is superior. An answer to this question should detail how gaining control of a mobile number is easier than getting control over the physical hardware and authenticating into that device. None of the 4 links say anything about that. – stevec May 05 '21 at 07:36
  • That's not what you asked. You ***asked*** which is stronger. If you have specific requirements for an answer, you should state them. And you have conveniently mis-characterised the links. They do not state that SMS is imperfect, but rather *that it should not be used*, which answers your question. – schroeder May 05 '21 at 07:38
  • @schroeder "You asked which is stronger." Correct. Please quote precisely which text from any of the answers in any of the 4 links you provide says which is stronger. – stevec May 05 '21 at 07:44
  • @schroeder that doesn't answer the question. When determining which of two techniques should be used, it makes logical sense to select the best. If one is weak, that doesn't imply the other is superior. – stevec May 05 '21 at 07:45
  • I see that you have not bothered to read them: https://security.stackexchange.com/a/158783/6253 And if you click on the 7-character google query I posted for you above, you have multiple media outlets explaining in great detail that you should not use SMS but use an authenticator app. – schroeder May 05 '21 at 08:09
  • @schroeder yeah, a random on the internet recommends it. Not rigorously researched at all. – stevec May 05 '21 at 08:10
  • Again, a mis-characterization. You have not bothered to read them. – schroeder May 05 '21 at 08:11
  • @schroeder ah your “research” strikes again: “cnet et al”. Oh boy... – stevec May 05 '21 at 08:11
  • And who are we but "randoms on the internet"? – schroeder May 05 '21 at 08:13
  • I'm sorry that you are grumpy that your question was closed, but the answers below echo, almost perfectly, the linked answers, and the linked answers provide a lot more detail for you to dig into. A 7-character google search provides multiple *security experts* over the past few years explaining an answer, so this question is legitimately closed. – schroeder May 05 '21 at 08:15

3 Answers

As of now, it is way safer to enable MFA with an authenticator app compared to SMS, mainly because this specific network technology (SS7) is vulnerable to interception, but also to SIM swapping attacks.

raDiaSmO
App-based 2FA is much stronger than SMS/Phone based 2FA.

The reason is that a 2FA code sent by SMS or phone call can be intercepted by your mobile phone network provider. This is by design, because phone number assignments are controlled by your mobile network provider. What this means is that you're subject to any vulnerabilities in the phone network provider, which you have no control over. A government three letter agency can ask your phone provider to make copies of your texts available to them; a hacker that managed to break into your phone network provider, or a rogue employee, can snoop on and read your text messages/phone conversations; a social engineering hacker can convince a customer support staff member to do a SIM swap attack; etc.

On the other hand, app-based 2FA would only be subject to how well you manage your code generation device's security and some clever piece of mathematics. These are all factors that you can control.

However, SMS/Phone does have the benefit of being easier to use, especially for non-technical users. The phone number being assigned by your mobile provider means that if you lose access to your phone, you can ask your mobile network provider to redirect your SMS/phone calls to a new phone to regain access to the 2FA code. This usability factor is why SMS/Phone 2FA is often provided as an alternative for products targeted at mass market consumption, especially when the security requirements aren't very high. For products targeted towards more sophisticated technical users or businesses, and when the security requirements are high, it can make sense to require the higher level of security afforded by app-based 2FA.

Lie Ryan
> Is phone/text based 2 Factor Authentication generally weaker than using an authenticator app?

Yes.

> I'm trying to work out why a major site would not offer 2 Factor Authentication via phone/text, but offer other methods (authenticator app) instead?

Because of the reason explained tersely above.

Namely, using phone/text 2FA is less secure than using a good authenticator app, such as Google's Authenticator App or Microsoft's Authenticator App.

hft