SMS 2FA is a code that you're entering from a phone number. The "risk" is that your phone number can be ported without your permission, and then someone else can get the code.
TOTP is more secure because it isn't tied to a phone number. You're right that it's still phishable but that's not the point.
In both cases, the primary benefit to the general population is to have a rotating credential that, if one website is hacked, is useless on another website.
No, TOTP is far more secure because it has no dependence on a third-party who can mess up in many ways (Denial of service like in this case by being unavailable, Impersonation by allowing SIM swaps or intercepting messages directly).
You fully control how to store the TOTP seed and how you compute the value, so it is far more secure.
Yes, it can be phished if you fall for that, but it removes several attack vectors.
> Yes, it can be phished if you fall for that, but it removes several attack vectors.
How was the first factor (the password) compromised?
Assuming the user is using site-unique passwords, in 99% of cases where an attacker obtains a functional password they can get at least one TOTP code or the seed in the same manner. (i.e., if I can steal your password DB, odds are pretty good for me stealing your TOTP seed DB as well.)
The outcome of a single successful authentication is a longer-lived session cookie. Once an attacker has that they can reset your creds (usually just requiring re-entering the password) and the account is theirs.
IMO, the only 2nd factors that matter are those that mutually authenticate, like PassKeys / FIDO keys.
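As an added illustration of the points jjav and SpaethCo make above (example code, not from the thread): an RFC 6238 TOTP generator and server-side verifier in Python, using the RFC test-vector seed as a constructed demo value. Any party holding the seed, whether the user's authenticator app or whoever copies the server's seed table, derives identical codes, which is why the seed store needs the same protection as the password store.

```python
import hmac
import hashlib
import struct

# Seed from the RFC 4226 / RFC 6238 test vectors (constructed demo value only).
DEMO_SEED = b"12345678901234567890"
# A second constructed seed standing in for a different website's enrollment.
OTHER_SITE_SEED = b"ABCDEFGHIJKLMNOPQRST"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock (T = t / step)."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int, step: int = 30,
                window: int = 1) -> bool:
    """Server-side check. Accepts +/- `window` steps of clock drift and compares
    in constant time so a code cannot be guessed digit by digit via timing."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(seed, counter + d), code)
               for d in range(-window, window + 1))


def seed_holder_passes(seed: bytes, unix_time: int) -> bool:
    """The threat SpaethCo describes: the verifier cannot tell the legitimate
    authenticator from anyone else who holds the same seed bytes."""
    return verify_totp(seed, totp(seed, unix_time), unix_time)


def codes_differ_across_sites(unix_time: int) -> bool:
    """The per-site benefit: a code derived from one site's seed is not the
    code the other site expects at the same moment."""
    return totp(DEMO_SEED, unix_time) != totp(OTHER_SITE_SEED, unix_time)
```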
That's assuming your attacker already has your password, or the service allows SMS password reset. (thus negating the second factor. Essentially SMS becomes the only factor.)
Scoundreller|2 years ago
Sorta. The seed still needs to be issued to you in some way.