Time-based vs SMS based two-factor authentication


Freethought supports both SMS and Time-based One-Time Password (TOTP) tokens for Two-Factor Authentication (2FA), but we recommend against using SMS wherever possible because it is inherently less secure.

2FA works by requesting an additional one-time security credential provided by alternative means, either sent to the user via SMS or generated from a secret code and based on time, often using an app such as Authy. We recommend using time-based tokens through an app like Authy over SMS for the following reasons:

  • SMS is not encrypted; it is a 30 year old technology and it can be read by anyone or anything in-between our server and your device. This leaves it vulnerable to attack at multiple stages along the transmission path, which means that it would be possible for someone with your password to login and then intercept your 2FA code being sent via SMS. In 2020 it was reported that malware had been installed deep into mobile network systems to do precisely this.
  • Users could be tricked into installing malware on their devices to send SMS messages back to a bad actor (AKA hacker). Again, they can then use the code in combination with the password for your account that they have already stolen or broken, potentially via the same malware.
  • A mobile network operator could be tricked into sending a replacement SIM card to someone wanting to steal your 2FA codes. This would mean that someone else would have full control over your mobile phone number for as long as it took you to notice and could then also have access to all your two factor SMS based logins. Note that many services uses SMS based systems, including the likes of banks, PayPal, and social networks.

Microsoft estimate over a million of their customer accounts are compromised each month, and they calculate that 99% of those would be stopped by two-factor authentication, whereas SMS based authentication experts at Forrester estimate would stop only 76% of those attacks. 

So, enable 2FA today, but steer clear of SMS based authentication wherever possible.