
In reference to OTP 2FA Auth apps:

I'm trying to understand the concept of the QR code being more secure in transit than SMS.

Is it because the QR code itself is not of any value to fraudulent entities, since the Auth App doing the scanning is generating the actual code on the device itself?

RWB

1 Answer

The QR code contains the key used for HOTP or TOTP, so it must be kept secret. If someone gets a picture of your QR code when you're setting up your authenticator, they'll have the key and will be able to generate valid 2FA codes.

The reason this is more secure than SMS is because it's encrypted in transit by TLS, whereas with SMS it's been publicized many times how it can be intercepted. This prevents remote attackers from getting the QR code, but you are still responsible for keeping it secret from anyone around you (i.e. you shouldn't set up your authenticator in a public area).

You can read a bit more about how HOTP/TOTP apps work here.

AndrolGenhald
Thank you sir, so it's encrypted in transit by TLS. I wonder why they could not encrypt the SMS, but alas, from what I read it's a dated signal paradigm that's always been. Ah, and additionally I'm guessing the Auth app on your device plays a part in accepting the encrypted code, similar to needing your email server to support your client email app sending email over TLS. – RWB May 01 '19 at 19:14