In terms of security, TOTP (Time-based One-Time Password) is generally considered more secure than SMS-based 2FA (Two-Factor Authentication). Here's a technical breakdown of why:
Vulnerability to Interception
SMS-based 2FA can be intercepted through various means such as SIM swapping, where an attacker convinces a mobile carrier to switch a phone number to a new SIM card, effectively hijacking SMS messages. Additionally, SMS messages can be intercepted through SS7 (Signaling System No. 7) vulnerabilities in the mobile phone network. TOTP, on the other hand, does not rely on SMS and is generated on the user's device, making it less susceptible to these types of attacks.
Reliance on External Networks
SMS-based 2FA relies on mobile networks and can be affected by network outages or lack of mobile coverage. TOTP does not require a network connection as it uses a software-based token generator, which typically runs on a smartphone or other devices
Time-Sensitivity and Uniqueness
TOTP tokens are only valid for a short period (usually 30 seconds), after which a new token is generated. This makes them less susceptible to replay attacks, where an intercepted code could be used by an attacker. While SMS codes are also typically time-sensitive, the window of opportunity for interception and misuse is potentially larger, especially if the SMS is delayed
Phishing Resistance
TOTPs are more resistant to phishing attacks. Phishing attempts that trick users into revealing their SMS codes can be more effective, as users might perceive SMS as inherently secure. In contrast, TOTPs generated by an app like Google Authenticator or Authy are not as easily phished
Standardization and Control
TOTP is based on a well-defined standard (RFC 6238) and its implementation can be controlled and audited. With SMS, you rely on the security protocols of mobile carriers, which can vary and are not typically transparent to end users or service providers.
However, it's important to note that while TOTP is more secure, it requires users to have a smartphone or a device capable of generating TOTPs, which might not be feasible for all users. In such cases, SMS-based 2FA, despite its weaknesses, still provides a significant security upgrade over basic username/password authentication.
For a technology firm dealing with digital signatures, recommending or implementing TOTP over SMS for 2FA would align with a higher security standard, which is crucial in the context of digital identity and signature verification.