SMS-based two-factor authentication is not safe — consider these alternative 2FA methods instead

October 16, 2018

In the past couple of years, the concept of two-factor authentication (2FA), long the preserve of geeks, has found its way into the mainstream. However, the talk is still largely confined to using 2FA for one-time passwords over SMS. Sad to say, this is not the most reliable option. Here’s why:

  • It’s easy to sneak a peek at passwords sent by SMS if lock-screen notifications are enabled.
  • Even if notifications are turned off, a SIM card can be removed and installed in another smartphone, giving access to SMS messages with passwords.
  • Password-bearing SMS messages can be intercepted by a Trojan lurking inside the smartphone.
  • Using various underhanded tactics (persuasion, bribery, etc.), criminals can get hold of a new SIM card with the victim’s number from a mobile phone store. SMS messages will then go to this card, and the victim’s phone will be disconnected from the network.
  • SMS messages with passwords can be intercepted through a basic flaw in the SS7 protocol used to transmit the messages.

Note that even the most high-tech and labor-intensive of the above SMS password-stealing methods (SS7 exploitation) has already been used in practice. The rest is daily routine for bad guys. With that said, we’re dealing not with hypotheticals, but a live threat.

On the whole, SMS passwords are not very secure, and sometimes they are very insecure. So it makes sense to scan the horizon for alternatives when it comes to 2FA, which is today’s topic.What to choose for 2-factor authentication

One-time codes in a file or on paper

The simplest way to replace SMS-based one-time passwords is to use, yes, one-time passwords, but prepared in advance. It is not the worst option, especially for services that you log into infrequently. Even for good ol’ Facebook, this method may well do, especially as a backup plan.

It’s quite straightforward: On request, the service generates and displays a dozen or so one-time-use codes that can later be used to authenticate a login. These codes can be printed off or scribbled down and put in a safe. Or, even simpler, they can be saved in encrypted notes in a password manager.

It’s not all that important whether the codes are kept in physical or digital format — what matters is that they (1) do not get lost and (2) cannot be stolen.

There’s an app for that, too: Authenticator apps

Besides all the “ones” in this sentence, a one-time generated set of one-time codes has one drawback: Sooner or later it will come to an end, and you might be left codeless at the most inopportune moment. Fortunately, there is a better way: One-time codes can be generated on the fly using a small and (usually) very simple authenticator app.

How authenticator apps work

It’s very easy to use 2FA apps. Here’s what you need to do:

  • Install the authenticator app on your smartphone,
  • Go to the security settings of the service that you want to use the app with,
  • Select 2FA (assuming the option exists); the service will show you a QR code that can be scanned directly into the 2FA app,
  • Scan the code with the app — it will start generating a new one-time code every 30 seconds.
How to enable an authenticator app in Facebook

The codes are created on the basis of a key (known only to you and the server) and the current time, rounded to 30 seconds. Both components are the same for you and the service, so the codes are generated synchronously. This algorithm is called OATH TOTP (Time-based One-Time Password), and it is by far the most commonly used.

There exists an alternative, known as OATH HOTP (HMAC-based One-Time Password). Instead of the current time, this algorithm uses a counter that increases by 1 for each newly created code. But it is rarely encountered in real life, because its use complicates the synchronous generation of codes on the app and service side. Put simply, there is a not-insubstantial risk that the counter will go haywire at just the wrong time, and your one-time password will not work.

So, OATH TOTP can be considered the de facto standard (although officially it is not even a standard, as the creators insist in the specification).

2FA app and service compatibility

The vast majority of 2FA apps use the same algorithm, so any can be used for services that support authenticators; take your pick.

Of course, as with any rule of thumb, there are exceptions. For reasons known only to them, some services prefer to make their own 2FA apps that work only for them. What’s more, the services themselves do not work with any other apps except their own.

This is especially common among major video game publishers: for example, Blizzard Authenticator, Steam Mobile with built-in Steam Guard, Wargaming Auth, and others are all incompatible with third-party apps and services. Only these custom-built apps can be used with the relevant gaming platforms.

This strange path was also taken by Adobe with its Adobe Authenticator, which works only with AdobeID accounts. However, you can use other authenticators to authenticate in AdobeID, so it isn’t clear at all why a separate app was needed.

In any case, most normal IT companies do not restrict users in their choice of 2FA apps. And even if a company suddenly decides to create its own app, most of the time it can be used to protect not only its own accounts, but those of other services as well.

Just choose the authenticator app you like best in terms of additional features — it will work with most services that generally support 2FA apps.

Best apps for two-factor authentication

The choice of 2FA apps is surprisingly wide. Search for “authenticator” in Google Play or the App Store, and you’ll see dozens of options. We do not recommend installing the first app you set eyes on; it may not be the most secure. Remember that you are about to entrust it with the keys to your accounts (it won’t know your passwords, of course, but you’re adding 2FA because passwords have a tendency to leak). In general, it is worth opting for an app made by a major and trustworthy developer.

Although the basic function of all of these apps is the same — creating one-time codes using one and the same algorithm, some authenticators have extra functions or interface features that might appeal. Here are some of the most interesting options.

1. Google Authenticator

Supported platforms: Android, iOS

Google Authenticator app

As noted by all tech media, Google Authenticator is the easiest to use of all the many 2FA apps out there. It doesn’t even have any settings. All it lets you do is add a new token (the name given to the code generator for an individual account) or delete an existing one. To copy a code all you have to do is tap it. That’s it!

However, such simplicity has a drawback: If you don’t like something about the interface or you want more features, you’ll have to install another authenticator app.

+ Very easy to use.
 

2. Duo Mobile

Supported platforms: Android, iOS

Duo Mobile authenticator app

Duo Mobile is also extremely user-friendly, minimalist, and free of additional settings. It has one advantage over Google Authenticator: Duo Mobile keeps codes hidden by default — to see them, the user must tap the specific token. If you, like me, do not enjoy having a bunch of codes for all your accounts on public display every time you open the authenticator, then this feature of Duo Mobile is for you.

+ Hides codes by default.
 

3. Microsoft Authenticator

Supported platforms: Android, iOS

Microsoft Authenticator app

Microsoft also chose the no-frills approach with its minimalist authenticator. That said, Microsoft Authenticator is noticeably more feature-rich than Google Authenticator. For a start, although all codes are shown by default, each token can be separately configured to be hidden.

Second, Microsoft Authenticator simplifies signing into Microsoft accounts. After entering your password, all you need do is tap the button in the app to confirm login — and that’s it, no need even to enter a one-time code.

+ Can be configured to hide codes.
+ Extra features for signing into Microsoft accounts.
 

4. FreeOTP

Supported platforms: Android, iOS

FreeOTP by Red Hat authenticator app

There are four reasons you might pick this baby from Red Hat. First, the software is open source. Second, it is the lightest app in our list — the iOS version is only 750KB. (By comparison, the minimalistic Google Authenticator requires almost 14MB, and the Authy app, discussed below, is a whopping 44MB.)

Third, the app hides codes by default, displaying them only if the token is tapped. Fourth but not least, FreeOTP lets you configure tokens very flexibly and manually, should you want to. Naturally, the usual token creation method, by scanning a QR code, is also supported.

+ Hides codes by default.
+ Takes up only 750KB.
+ Open source.
+ Maximum settings when creating a token manually.
 

5. Authy

Supported platforms: Android, iOS, Windows, macOS, Chrome

Twilio Authy authenticator app

Authy is the fanciest of the 2FA apps, with the main advantage being that all tokens are stored in the cloud. This makes it possible to access tokens from any of your devices. At the same time, it simplifies the migration to new devices. There is no need to reactivate 2FA in each service, so you can continue using existing tokens.

Tokens in the cloud are encrypted with a key based on a user-defined password, meaning that data is stored securely and not at all easy to steal. You can also set a login PIN for the app or protect it with a fingerprint if your smartphone is equipped with the right scanner.

The main disadvantage of Authy is that it requires you to set up an account linked to a mobile phone number — otherwise it won’t work at all.

+ Tokens are stored in the cloud, allowing them to be used on all of your devices.
+ Migration to other devices is very easy for that same reason.
+ App login protected by PIN or fingerprint.
+ Only the code for the last used token is shown on screen.
+ Unlike other apps, it supports not only Android and iOS, but also Windows, macOS, and Chrome.

Does not work without an Authy account linked to a phone number.
 

6. Yandex.Key

Supported platforms: Android, iOS

Yandex.Key authenticator app

In my opinion, the concept behind Yandex.Key makes it the best app for 2FA. For one thing, it does not require immediate registration — you can start using it just as easily as Google Authenticator. For another, it has several additional features available to those who are not settings-shy.

First, Yandex.Key can be locked with a PIN or fingerprint. Second, it allows you to create a password-protected backup copy of tokens in the Yandex cloud (this stage does require a phone number) and restore it on any device you use. Similarly, it is possible to transfer tokens to a new device when you need to migrate.

Yandex.Key manages to combine the simplicity of Google Authenticator with the extended functionality of Authy, depending on what you prefer. The app’s only drawback is that the interface is not that easy to use with a large number of tokens.

+ Minimalism at the start, extended functionality available through the settings.
+ Backup copies of tokens can be created in the cloud for use on multiple devices and migration to new ones.
+ Login to the app is protected by PIN or fingerprint.
+ Only the code for the last used token is shown on screen.
+ Replaces your permanent Yandex account password.

With many tokens, not so easy to find the one needed.

FIDO U2F hardware authenticators: YubiKey and others

If an app generating one-time codes seems a too-flimsy and intangible way to protect your accounts, and you want something more solid and reliable that locks your account with a key that literally goes in your pocket, then look no further than hardware tokens based on the U2F (Universal 2nd Factor) standard, created by the FIDO Alliance.

How FIDO U2F tokens work

U2F hardware tokens are the darling of security specialists, primarily because, from a user perspective, they work very simply. To get started, simply connect the U2F token to your device and register it in a compatible service. The whole process takes just a couple of clicks.

After that, to confirm login to the service, you will need to connect the U2F token to the device from which you are logging in and tap the token button (some devices require a PIN or fingerprint scan, but that’s an extra feature). That’s it — no complex settings, entering long sequences of random characters, or other mumbo-jumbo often associated with the word cryptography.

How to authenticate in Facebook using YubiKey

Insert the key and press the button — and that’s really it

At the same time, under the hood things are smart and cryptographically sound: When registering a token on a service, a pair of cryptographic keys is created — private and public. The public key is stored on the server, and the private one is stored in a Secure Element chip, which is the heart of the U2F token, and never leaves the device.

The private key is used to encrypt the login confirmation, which is passed to the server and can be decrypted using the public key. If someone pretending to be you tries to transfer a login confirmation encrypted with the wrong private key, then decrypting it with the public key will produce gibberish, and the service will not grant access to the account.

What sorts of U2F devices are there

The most famous and common example of U2F is YubiKey, made by Yubico. The company essentially spearheaded this standard but chose to make it open, for which purpose the FIDO Alliance was created. And because the standard is open, your choice is not restricted: U2F-compatible devices are produced and sold by various companies, and online stores offer a range of different models.

Yubico YubiKey — the most popular U2F token

YubiKey — perhaps the most popular U2F token

For example, Google recently introduced a suite of authenticators under the banner Google Titan Security Keys. In fact, they are keys produced by Feitian Technologies (the second most popular manufacturer of U2F tokens, after Yubico) for which Google developed its own firmware.

Of course, all hardware authenticators compatible with the U2F standard will work equally well with any service that is also compatible with this standard. However, there are differences, the most important being interfaces supported by the key. This directly determines which devices it can work with:

USB: for connecting to PCs (it doesn’t matter whether they run Windows, Mac, or Linux; the keys work without installing any drivers). In addition to the usual USB-A, there are keys for USB-C.

NFC: required for use with Android smartphones and tablets.

Bluetooth: required on mobile devices that do not have NFC. For example, iPhone owners still need a Bluetooth-based authenticator. Although iOS now allows apps to use NFC (before this year, only Apple Pay was permitted), most U2F-compatible app developers have yet to take advantage of the feature. Bluetooth authenticators have a couple of drawbacks: first, they need to be charged; second, they take much longer to connect.

Basic models of U2F tokens usually support U2F only and cost $10–$20. Other, more expensive devices ($20–$50) can also operate as a smart card, generate one-time passwords (including OATH TOTP and HOTP), generate and store PGP encryption keys, and be used to log into Windows, macOS, Linux, and so on.

What to choose: SMS, app, or YubiKey?

So, what to choose for two-factor authentication? There is no universal answer to this question. Various 2FA versions and combinations can be used for different services. For example, top-priority accounts (a mailbox linked to other accounts, etc.) should be protected to the hilt — that is, locked with a hardware U2F token with all other 2FA options blocked. That way you can be sure that no one will ever gain access to your account without this token.

A good option is to link two keys to your account, as with car keys: one is always in your pocket, the other is in a safe place in case the first gets lost. What’s more, you can use different types of keys: For example, an authenticator app on your smartphone as the primary one, and a U2F token or a slip of paper with one-time passwords in your safe as a backup.

In any case, the main piece of advice is to avoid using SMS-based one-time passwords whenever possible. True, it’s not always possible. Financial services, for example, are notoriously conservative and rarely offer authentication through anything but SMS.