Why SMS OTPs are terrible, and Passkeys are great
21/02/25 12:46
Multi-Factor Authentication (MFA) is an absolute necessity in the modern world. Passwords just aren't enough, mainly due to breaches, stealers, and easily guessed passwords.
MFA is usually one of a few types:
- SMS OTP
- Email OTP
- Application based HOTP/TOTP codes that change automatically
- Push based via an app
- Passkeys
Each type has its own merits. For example, SMS and email are fairly ubiquitous and don't require any specific software. App based methods like HOTP & TOTP have the advantage that the phone hosting the app can be offline. Push based methods can be super convenient with just a simple yes/no answer, or a short numeric code to confirm. Certificate based methods in the modern world mean Passkeys. Passkeys aren't necessarily MFA (as they can totally replace passwords), but are functionally similar to MFA, and are often referred to as "phishing resistant" because a Passkey is not something that someone can pass on over the phone or easily be tricked into using.
You can read more about Passkeys at https://blog.google/inside-google/googlers/ask-a-techspert/how-passkeys-work/
In terms of security, I'd rank the methods as below (1 = best, 6 = worst):
1. Passkeys
2. Push based with a simple code
3. Application based HOTP/TOTP
4. Push based (Yes/No)
5. SMS OTP
6. Email OTP
While having some form of MFA is always better than no MFA, in reality SMS and Email OTPs should be considered insecure, in that they can be intercepted without huge effort or expense. Watch this video on how SMS and voice can be intercepted via SS7: https://www.youtube.com/watch?v=wVyu7NB7W6Y. Of course, SMS codes are also commonly intercepted via SIM swap attacks. Emails are even easier to intercept via a variety of methods. Another disadvantage of Email & SMS OTPs is that they can be delayed or blocked in transit, making these methods frustrating to use.
Yes/No based push authentication can be subject to timed attacks, such as an attacker attempting to log in to a service at roughly the same time as the real user (for example at the start of the work day, when the user is logging into their systems and isn't paying much attention), hence the move to the code based push method.
Some TOTP/HOTP systems don't have any limit on retries, so a brute-force approach can work against those (this has been demonstrated recently).
For the above reasons, we don't recommend the use of methods 3-6 unless there is no other option. If you're forced to use one of these, then app based HOTP/TOTP is the best choice.
So What Should I Use?
Our recommendation is to move to Passkeys wherever possible, and if these aren't possible, use the next best method.