Last updated on March 27, 2024
SMS 2FA and TOTP 2FA are two popular ways to verify user identity in the second step of Multi-Factor Authentication (MFA) and Two-Factor Authentication (2FA). While both of these options use one-time passwords, there are many differences between SMS and TOTP. If you have ever wondered which one of the two is a better choice, here’s the definitive answer.
TOTP vs. SMS: What Is the Difference?
SMS 2FA (also called Text Message 2FA) is a type of Two-Factor Authentication in which a user receives a short one-time password (OTP) via text message and enters the OTP next to the password to gain access to their account.
TOTP 2FA is a type of Two-Factor Authentication whereby to gain access to their account, a user enters their password and a one-time password (OTP) generated by the app on their phone or a dedicated hardware key fob.
Thanks to its intuitiveness and low learning curve, SMS 2FA is widely used in bank account security and online account protection. Nearly everyone owns a phone with a SIM card, and the ability to authenticate offline is one of the greatest strengths of SMS 2FA. In addition to that, SMS 2FA is very simple to use and requires no initial setup except for entering your phone number, which should be simple enough for anybody.
Still, with all its advantages, SMS 2FA is slowly but steadily being pushed out by an equally simple authentication method: Time-Based One-Time Passwords (TOTP). TOTP 2FA is also reasonably simple and allows offline authentication, which makes it a great alternative to SMS 2FA. But is TOTP really better than SMS? Let’s take a closer look.
TOTP vs. SMS: Why Is TOTP More Secure Than SMS?
| SMS 2FA | TOTP 2FA |
| --- | --- |
| Works offline | Works offline |
| Intuitive and easy to use | Intuitive and easy to use |
| Requires only a SIM card (and a phone) | Requires a smartphone and an authenticator app (Soft Token) or a hardware key fob (Hard Token) |
| OTP is valid for 5-15 minutes (usually 10 minutes) | OTP is valid for 30-60 seconds (usually 30 seconds) |
| OTP may appear on a phone’s preview screen even when locked | OTP does not appear on a phone’s preview screen if implemented correctly |
| No additional out-of-the-box security controls | Some authenticators (e.g., Rublon Authenticator) allow additional security controls, for example, PIN and Fingerprint Lock |
| Easy to intercept and vulnerable to many SIM card attacks | Harder to intercept |
Both SMS 2FA and TOTP 2FA use one-time passwords to secure user accounts against unauthorized access. In SMS 2FA, the server generates a code and sends it to the user’s phone. Each code expires after it has been used. However, an unused code remains valid for about 10 minutes after being sent. This gives enough time for a potential attacker to intercept the code and break into a user’s account.
Conversely, TOTP Tokens generate a new code every 30 to 60 seconds, significantly narrowing the potential attack’s time frame. When a new TOTP code is generated, the previous code instantly becomes invalid. As a result, even if the bad guy obtains the code, they have very little time to act before a new code is generated. Hackers cannot use previous codes to determine the value of future codes, so an expired code is unusable to the attacker. TOTP 2FA is more secure thanks to the shorter lifespan of its one-time passwords.
Moreover, SMS codes may appear on a phone’s preview screen even when it is locked. This is not the case if you are using an authenticator app. For example, Rublon Authenticator requires you to open the app to see the TOTP codes. You can also secure the app with a PIN or biometric lock (Fingerprint or FaceID) to ensure no unauthorized party can look up your codes.
Unfortunately, SMS 2FA is easier to compromise than TOTP 2FA. Since text messages are delivered to the phone number (that is, to whichever SIM card currently holds it) rather than to a specific device, an attacker can try to intercept SMS messages in one of many ways: SIM swapping, SIM hacking, and SS7 attacks are some of the known methods hackers have been using to break SMS 2FA. For example, in a SIM swapping attack, a malicious actor contacts your mobile carrier and impersonates you to get a replacement SIM card sent to their address. Once they manage to get your phone number assigned to the new SIM card, they can receive your SMS 2FA passcodes and access your account at will.
Meanwhile, TOTP codes are harder to intercept than SMS codes because they are generated by an app installed on the user’s mobile phone or by a physical OTP token owned by the user. Since TOTP codes are only valid for 30 seconds, a single code is of little use to an attacker if they cannot use it fast enough to gain one-time access to the account. That is why attackers prefer to generate their own valid codes. However, to do that, an attacker must learn the value of the seed (the shared secret) used to create consecutive codes. For that, the hacker needs to either steal the user’s TOTP Token or somehow break into the authenticator app on the user’s phone. Both of these options are possible, but they require much more technical skill, which makes them much harder to perform than most SMS 2FA attacks.
All in all, TOTP authentication is better than SMS authentication. But while TOTP 2FA is more secure than SMS 2FA, it is not perfect. TOTP MFA is still susceptible to some types of cyberattacks. All the same, the lifespan of one-time passwords in TOTP works to TOTP’s advantage.
When Is SMS 2FA Still Better Than TOTP 2FA?
TOTP 2FA trumps SMS 2FA in most situations.
However, if some of your users do not own a smartphone and WebAuthn/U2F Security Keys are too costly for you, SMS 2FA is still an acceptable second factor in Two-Factor Authentication.
On the flip side, if your users have smartphones, we recommend the Mobile Push authentication method for maximum security. Rublon’s implementation of TOTP 2FA, Mobile Passcode, is secure and good to use, too. It’s up to you which authentication method you want.
Rublon Believes in Choice
Here at Rublon, we believe in giving users a choice. We offer several authentication methods and allow company administrators to decide which authentication methods will be available to their users. Thanks to Access Policies, administrators can define a separate set of available authentication methods for each application. There is no need to get rid of SMS 2FA. You can, for example, only disable it for high-risk applications. The choice is yours.
If your choice is to try Rublon, you can do this for free by starting the 30-Day Trial.