SMS codes vs. authenticator apps: What’s more secure?

For most of us, it’s become a familiar routine. You’re about to sign into an online account on a new device. It could be one of your social media profiles, a banking website, your email or something else. You enter your username and password. Then, the application prompts you to check your phone for a short message service (SMS) PIN code. The temporary personal identification number helps provide an added level of security known as two-factor authentication (2FA).

But is it truly secure? While SMS codes provide a certain amount of protection, they are still vulnerable to specific exploits.

The trouble with SMS codes

SMS codes have a couple of distinct vulnerabilities, which means they aren’t a totally fail-safe security feature.

First of all, criminals may circumvent this 2FA option by executing a subscriber identity module (SIM) card swap attack. This is where the hacker hijacks access to your phone number by fooling your carrier into thinking they’re you. Then, if the only missing piece in their operation is to verify their identity, an SMS code delivered to the stolen phone number will be easy to obtain.

Additionally, malware can be used to intercept 2FA SMS codes from targeted devices, as was recently documented in a report from Check Point Research.

While using SMS codes is probably preferable to not employing 2FA on sensitive accounts at all, these key vulnerabilities demonstrate that the feature is not perfect.

The benefits of authenticator apps

After SMS codes, authenticator apps are probably one of the most popular forms of 2FA. When the app is installed on a trusted device, it can generate a code — or a prompt — to verify whether user activity from a new device is authentic.

Often, these apps will also reset the temporary passcode faster than would be expected over SMS. Because the code is generated on the trusted device itself rather than delivered to a phone number, this approach is not vulnerable to the SIM swap attacks described above.

Authenticator apps may include dedicated services, such as Authy or Google Authenticator. Alternatively, a notification may be sent through an existing app like Gmail or Yahoo Sports to confirm a new login attempt made for your Google or Yahoo account.

Authenticator app vulnerabilities

At the same time, authenticator apps that rely on generating codes may be vulnerable to particular Trojans that can capture codes and relay them back to outside parties, as reported recently by ThreatFabric.

Other alternatives to SMS codes

In addition to authenticator apps and SMS codes, other authentication options are available.

Email confirmation

Some applications will allow you to use email as a 2FA method. There is a convenience factor to this. However, email account security can vary significantly from one client to another. As such, it can sometimes be less secure than using an SMS code or other methods. Still, email can provide an added layer of security. Some services will deliver emails about granting access to new devices, enabling you to discover if your account has been compromised through other methods.


Biometrics

Fingerprint, voice and facial recognition can add a new layer of security for your accounts, too. When not used in combination with other factors, however, this method can be abused.

Physical keys

Many of the interceptions discussed above disappear with the use of secure physical keys. These hardware options can be inserted into a device to grant access and verify permissions. Of course, loss and theft are possible risks with this method.

Get in touch with Total Defense today to learn more about how we can help you protect your devices and accounts.