Why TOTP is better than SMS for two-factor authentication
At Patreon, our security team is always focused on one thing: making our platform safer and easier to use for our creators, and for the patrons who support them. Protecting your accounts from the actions of bad actors is not just our top priority; we think about it all day long.
We believe that a security feature shouldn't only be usable; it should be understandable as well. The idea is that if you know why a security feature exists, you're more likely to actually use it, which is good for everyone involved.
For example, take two-factor authentication ("2FA" for short). This is a method of proving your identity in order to access a resource, such as your Patreon account. It's an added step to make sure that you are the one logging in, and not someone pretending to be you. These "factors" are the ways you prove identity. Generally, they are something you know and something you have. You know your password, and you have another thing: your phone, a hardware token, and so on.
There are a couple of ways to do this.
One way is through text message, a method known as SMS 2FA for short. When you log in with your password, a code is sent to your phone; upon entering this code, you get access to your account. SMS 2FA has been around for a while, and is the most commonly offered form of 2FA across platforms. Patreon continues to support two-factor via SMS for creator and patron accounts.
While SMS 2FA is loads better than protecting your account with only a password, we now know the method isn't foolproof: SMS 2FA can be circumvented by determined attackers because phone numbers can be stolen or impersonated, for example by persuading a carrier to move your number to a SIM the attacker controls, after which the code is delivered to them instead of to you.
Fortunately, there's an even safer way to do 2FA than by SMS, and it's called TOTP, or Time-Based One-Time Password.
But why is TOTP better than SMS for two-factor authentication?
Like SMS, TOTP adds a second factor to the Patreon login process. However, instead of texting a six-digit code to your phone, TOTP two-factor authentication uses a separate app that constantly generates short-lived codes. When you enroll, the app and the service you're logging into each keep a copy of the same secret key; from then on the app computes each code locally from that secret and the current time (codes typically rotate every 30 seconds), so nothing is sent over the phone network and nothing is tied to your phone number. There are many apps that provide TOTP, such as Google Authenticator, which is free to use, and others like Duo Mobile or 1Password, some of which charge a subscription fee. The fact that these apps generate codes that are always changing, and that don't depend on your phone number, limits the chance of an attacker getting hold of a valid code (your second factor), and thus of your account. One caveat applies to both methods: a phishing page that asks for your code and relays it to the real site immediately can still use it before it expires, so check the address bar before you type a code.
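To make the mechanism concrete, here is an added example (not Patreon's code, and not from the original post) of how a TOTP code is computed on the device and checked on the server, using only the Python standard library. The secret is the reference secret published in RFC 4226 and RFC 6238, so the outputs can be checked against those documents' test vectors; the account and issuer names in the provisioning URI are made up for illustration.

```python
"""TOTP (RFC 6238) worked example, standard library only.

The authenticator app and the server hold the same secret.  Each side
derives the code from that secret and the current 30-second time step,
so no code ever crosses the phone network and nothing depends on the
phone number.  Secret and expected values come from RFC 4226 / RFC 6238.
"""
import base64
import hashlib
import hmac
import struct
import time

# Reference secret from RFC 4226 / RFC 6238 ("12345678901234567890" in ASCII).
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """Time-based one-time password: HOTP over the current time step."""
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, submitted: str, at: float,
                used_steps: set, window: int = 1) -> bool:
    """Server-side check of a submitted code.

    Accepts the code for the current step plus `window` steps on either
    side (clock skew), compares in constant time, and refuses to accept
    the same time step twice so that a code captured in transit cannot
    be replayed within its lifetime.
    """
    current = int(at) // STEP_SECONDS
    for step in range(current - window, current + window + 1):
        if step in used_steps:
            continue
        if hmac.compare_digest(hotp(secret, step), submitted):
            used_steps.add(step)
            return True
    return False


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI that authenticator apps scan (as a QR code) at enrollment.

    The base32-encoded secret is transmitted exactly once, here; afterwards
    only time-derived codes are ever typed in.
    """
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}"
            f"&issuer={issuer}&algorithm=SHA1&digits={DIGITS}&period={STEP_SECONDS}")


if __name__ == "__main__":
    # RFC 6238 vector for T=59 is 94287082 at 8 digits, i.e. 287082 at 6.
    print(totp(RFC_SECRET, 59))
    # Whatever the current 30-second window yields; changes twice a minute.
    print(totp(RFC_SECRET, time.time()))
    # Hypothetical account and issuer, for illustration only.
    print(provisioning_uri(RFC_SECRET, "creator@example.com", "ExampleIssuer"))
```

Two details in `verify_totp` matter in practice: the comparison uses `hmac.compare_digest` rather than `==` so that timing does not leak how many digits matched, and the `used_steps` set ensures a code is accepted at most once, which is what makes a TOTP code "one-time" even though it stays valid for the whole 30-second window.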
We're proud to announce that Patreon now supports both SMS and TOTP two-factor authentication for our creator and patron accounts.
Using SMS as your second factor is better than protecting your account with only a password. However, if you want to make your account even safer, we recommend using TOTP two-factor authentication via a separate app.
Need more convincing? Along with this blog post, Patreon's own Taryn Arnold made a video about 2FA and the SMS and TOTP methods. Since Taryn can make pretty much anything interesting (if she made a video about taxes, we'd watch it), she was an obvious pick to tackle this topic.
So sit back, grab some popcorn, and watch Taryn explain why Patreon wants creators and patrons to use two-factor authentication to secure their accounts, either via SMS or TOTP. And not only on Patreon, but across all their accounts.
When you're ready to make your account safer, this help page has step-by-step instructions on how to enable 2FA via SMS or TOTP on Patreon.