If the only 2FA options are SMS text or email which is the lesser evil?

Speeduser7533

So many websites still don't support effective 2FA and only offer text or email. (One of my pet peeves is that so many financial sites don't even support secure 2FA, which I find incredible, but that's a separate issue).

Anyway, of the choices SMS and email which is better? My hunch would be email since (hopefully) TLS provides some security but what say you folks?

IcyScroll

Speeduser7533 Anyway, of the choices SMS and email which is better? My hunch would be email

Mine too.

missing-root

Both are bad but email is at least mostly well encrypted in transit

Providers like Mailbox.org, Tuta and Proton also allow to encrypt them directly after receiving them. This is far from zero-trust, but if you trust them, at least past mails cannot be read by law enforcement etc.

Btw: you can avoid bullshit SMS 2FA often if you add an authenticator app. Works with Paypal for example

afenigma

Emails are probably more secure than SMS. But for the purpose of 2FA, I would probably pick SMS.

The reason behind that is that on most websites, you can reset your password using only your email. So if an attacker gains access to your email account, he will be able to reset your password and then answer the 2FA challenge (which by the way shouldn't even be called 2FA since there is only one factor involved).

On the other hand, if you pick SMS, it will be possible for an attacker to intercept the SMS (but it is still difficult enough that most attackers won't bother and as far as I know it is even more difficult if the attacker is from another country). But even with access to the SMS, the attacker will also need to get access to your email account. So in this situation an attacker needs to compromise two accounts to get access to his target which gets closer to what 2FA is supposed to be (still not exactly 2FA though).

Note however that if the attacker somehow finds your password, in the second scenario they won't need to break into your mailbox but only your weaker SMS line. So if you reuse passwords or use weak passwords, maybe 2FA through email is better.

job_shredder69

I'd always go with email. Even better is Google Voice used as 2FA to forward OTP to your email of your choice. If you are already using Simplelogin or Addy.io, you're in a better spot since the emails you're using are unique per service. I'm certain you wouldn't get locked out of your account nor SIM swapped.

HMC

Text usually means providing a phone number that may identify you. If that is an issue then email is definitely a lesser evil.

Off topic rant...

2FA stupidity... My eBay account was suspended twice in the last couple of days (unauthorized access - more likely my VPNs giving their rudimentary security a heart attack) and today I had to contact them to reactivate. I chose to have them call me on my registered phone number and part of the process was them sending me a text with a code. "But hang on.. You just called me on that number. Who comes up with this stuff?"
I have tried to keep that account without a phone number and it simply does not compute that a customer may not have a phone number. I can just see the dumb look on their faces. Their system will not allow a blank phone number field, even customer service cannot remove it. I've tried.
If it was only for account verification it wouldn't be a problem. eBay does nothing to secure my number and it is landing on China spam lists.

Ammako

I trust my email account(s) to be secure far more than I trust a mobile provider to not fall to social engineering