Q. Which is better to use for two-step verification: getting the codes sent by text message or using an authentication app?
A. Two-step verification — also known as two-factor authentication, or 2FA for short — makes your online accounts safer by requiring a separate numeric code to be typed in after you fill in the typical password. The codes you need for that second security step can be supplied by SMS text message to your phone or from a special authenticator app connected to that account. Preprinted backup codes and voice mail messages are other ways to confirm your identity in a two-factor situation.
There are pros and cons to getting codes by text message or an authentication app. Using the text-message method means a quicker setup, and you don’t have to download and configure a separate app just to log into an account. You typically get text alerts immediately when someone is trying to hack into your account.
But going with an authenticator app means you do not need a network connection to get a fresh code — which can be helpful when traveling outside your carrier’s network. Some security experts consider the app approach safer because you do not have to worry about the phone’s SIM card becoming compromised or messages getting intercepted, as the app generates the security codes locally on the phone. Authy, Google Authenticator and Microsoft Authenticator are three popular programs in this category.
While it is much better than using a single password, two-factor authentication is not completely uncrackable. Skilled criminals have hijacked authentication text messages sent to mobile phone numbers, and the National Institute of Standards and Technology recently stopped recommending that users get their codes by text message because of underlying security issues.
Authenticator apps are not infallible, either. Having both your accounts and your codes on the same device can provide a one-stop shopping experience for thieves, but the apps are still widely considered harder to crack than code sent by text.