Two-factor authentication, also known as 2FA, is absolutely one of the best ways to protect your online accounts from hackers. However, since there are three main authentication methods, many people are left wondering: is it best to use an app, email or SMS message as an authentication factor?
A Brief Rundown of Two-Factor Authentication
Two-factor authentication essentially requires that you have two sets of credentials to log into your accounts: usually your password, and a unique code generated and delivered to you via an app, email or SMS text message.
It adds one more layer of information that hackers would have to steal in order to access your account, effectively doubling your security.
For a more in-depth explanation of 2FA and its benefits, visit this blog we published a while back.
The 3 Main Types of 2FA
1. 2FA Apps
Generally speaking, 2FA apps are the safest method for generating a second authentication factor.
These apps rely on the creation of a key or “seed” that’s unique to your device, which is then stored by the app and scrambled. The app then automatically generates login codes from your specific seed that will allow you to log into your account.
Usually, authentication apps produce a new code every 30 seconds or so. Since the code is constantly changing, it’s extremely difficult for hackers to guess both the code and your password, unless they also have access to the seed.
The only real downside to using 2FA apps is that most of them allow you to sync your seed across several devices. So, if a hacker had access to one device and you synced the seed to it, they would then have the seed, and would be able to see your authentication codes. This is highly unlikely, but not impossible.
2. Email
Many services will prompt you to verify your login by emailing you a unique code. This is not entirely unsafe, but there are a lot of ways a hacker can gain access to your email inbox, such as:
- Sending spoof emails
- Attacking your email provider directly
- Cracking your password if it’s not strong enough
- Infecting your computer with other forms of malware
If a hacker gains access to your email inbox, they can directly read any code you receive through email.
Some services will only provide an authentication factor through email, which is not the end of the world. However, whenever possible, use an app instead.
3. SMS Messages
Receiving codes via text message straight to your phone may be the most convenient method, but it’s also the least secure.
It’s shockingly easy for hackers to intercept the messages as they’re sent to your device, or even replicate your phone’s SIM, stealing your identity and, of course, your authentication codes. Also, some phone carriers still support sending and receiving text messages from your email, giving hackers an additional pathway to exploit.
SMS for authentication is better than nothing, but it should only be used when no other options are available.
Any time you use a website or service that has enabled two-factor authentication, make sure you take full advantage of it. It will keep your login information exponentially safer in the long run.