Are All Forms of Two-Factor Authentication as Secure? (SMS vs App Prompt vs Key)


As information and business processes have moved to the cloud, incidents of account compromise have risen. Hackers go where the data is, and since it has moved to platforms run by companies like Microsoft, Amazon, and Google, the easiest way in is through a legitimate user's password.

Seventy-seven percent of cloud account data breaches are through hacked or stolen login credentials. Stolen logins are also often sold on the Dark Web to multiple buyers. This puts a new urgency on the need to protect account logins, and one of the best ways to do that is through two-factor authentication (2FA), also known as multi-factor authentication.

When planning a cybersecurity strategy, you have a few different options for how you implement 2FA. The process involves setting up a device to receive a special time-sensitive code at login. The user must then retrieve that code and enter it within a short window, typically 5-10 minutes, to gain access to the account.

How the 2FA code is received is where companies have a choice. It can arrive via a text message (SMS) to a mobile number, through a prompt in an app on the user's device, or through a special two-factor authentication security key that's roughly the size of a USB stick.

How do those different forms of 2FA compare when it comes to IT security?

It turns out that Google presented a study on two-factor authentication comparing the three methods against different types of phishing attacks.

Here’s how each form of 2FA compared.

Text Message (SMS)

Receiving a 2FA code via SMS is by far the most common method. This is usually the default when setting up two-factor authentication everywhere from Gmail to online banking.

The user sets up a mobile phone number and then will usually get a confirmation SMS during setup. Then, when logging in, the code will be sent to that specific mobile number via text.

While this method is fairly secure, it's the least secure of the three because hackers have ways to clone SIM cards, which then lets them receive the text messages sent to that mobile number. Smartphones can also be paired with computers so the user can read their text messages on their desktop or laptop; if that computer were hacked, this is another way someone could get hold of the 2FA code.

Google Study Results for SMS Method:

  • Automated bot attack: blocked 100%
  • Bulk phishing attack: blocked 96%
  • Targeted attack: blocked 76%

2FA App – On-Device Prompt

Using a 2FA application on your smartphone is another way to receive a code for completing login. An example of this would be the Google Authenticator app.

This method doesn't involve a phone number, so it doesn't have the security problem of a duplicated SIM card. Because the code is shown through an on-device prompt, it also won't show up on a computer that is sharing text messages with a paired smartphone.

This method could still allow an account compromise if the mobile device were lost or stolen. Once the app is set up, the user needs to pair it with each of their logins that use 2FA.

Google Study Results for On-Device Method:

  • Automated bot attack: blocked 100%
  • Bulk phishing attack: blocked 99%
  • Targeted attack: blocked 90%

Security Key

The third form of two-factor authentication uses a separate security key that the user inserts into a computer or mobile device when they need to complete 2FA to log into a site or application. This is the most secure method of two-factor authentication.

One example of this type of security key is YubiKey from Yubico. According to the company, its form of 2FA results in “zero account takeovers” and “4x faster logins.”

Rather than having to retrieve a code from a mobile device when logging in, the key is simply inserted into the user’s device. Like the 2FA apps, security keys need to be set up with the accounts that use the two-factor authentication.

[Image: YubiKey security key, from Yubico]

The user purchases the security key, which comes in different shapes and sizes. If the key is lost, there are ways to get a duplicate or regain access to your accounts, but it can be a little time-consuming.

Google Study Results for Security Key Method:

  • Automated bot attack: blocked 100%
  • Bulk phishing attack: blocked 100%
  • Targeted attack: blocked 100%
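To show why the targeted-attack figures differ between the app prompt and the security key, here is an added Python example that is not from the article, Google's study or Yubico: an RFC 6238 app code verifies at the real site no matter which page the user typed it into, while a security-key response carries the origin the browser was actually on and only verifies for the genuine site. The HMAC-based key response, the origins, the challenge and the secrets are constructed stand-ins, not a real WebAuthn implementation.

```python
import hashlib
import hmac
import struct

# Constructed demo values: the RFC 6238 test-vector seed stands in for the app's
# shared secret, and a made-up secret stands in for the security key's credential.
TOTP_SECRET = b"12345678901234567890"
KEY_SECRET = b"constructed-security-key-credential"
REAL_ORIGIN = "https://accounts.example.com"
LOOKALIKE_ORIGIN = "https://accounts-example.com.example.net"

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as authenticator apps compute it. The code
    depends only on the shared secret and the clock, not on which page shows it."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def site_accepts_totp(secret: bytes, submitted: str, unix_time: int) -> bool:
    """The real site checks only the digits, so a code entered on a look-alike
    page and forwarded within the validity window still verifies."""
    return hmac.compare_digest(submitted, totp(secret, unix_time))

def key_assertion(key_secret: bytes, challenge: bytes, browser_origin: str) -> bytes:
    """Simplified security-key response: the browser binds the origin it is
    actually displaying into the authenticated data. Real FIDO2/WebAuthn keys
    sign a client-data hash containing the origin; HMAC stands in for that."""
    data = browser_origin.encode() + b"\0" + challenge
    return hmac.new(key_secret, data, hashlib.sha256).digest()

def site_accepts_assertion(key_secret: bytes, challenge: bytes, assertion: bytes,
                           expected_origin: str = REAL_ORIGIN) -> bool:
    """The real site recomputes the response for its own origin; a response made
    while the browser sat on any other origin does not match."""
    expected = key_assertion(key_secret, challenge, expected_origin)
    return hmac.compare_digest(assertion, expected)

def compare_methods(unix_time: int = 1_700_000_000) -> dict:
    """What the real site decides when the second factor was produced on a
    look-alike page: the app code is accepted, the key response is rejected."""
    challenge = b"constructed-challenge-0001"  # a real site draws fresh random bytes
    app_code = totp(TOTP_SECRET, unix_time)
    app_ok = site_accepts_totp(TOTP_SECRET, app_code, unix_time)
    lookalike_response = key_assertion(KEY_SECRET, challenge, LOOKALIKE_ORIGIN)
    key_ok = site_accepts_assertion(KEY_SECRET, challenge, lookalike_response)
    return {"app_code_accepted": app_ok, "key_response_accepted": key_ok}
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors, so it can be checked against a real authenticator app configured with the same seed.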

Looking for Convenient Access Security Solutions?

GKM2 can help your Sydney area business with convenient and secure solutions for access security that improve user experience while preventing account compromise.

Contact us today to learn more. Call +61 2 9161 7171 or reach out online.