Why TOTP is better than SMS for two-factor authentication

At Patreon, our security team is always focused on one thing: making our platform safer and easier to use for our creators and the patrons that support them. Protecting your accounts from bad actors is our top priority, and we think about it all day long.

We believe that a security feature should not only be usable; it should be understandable, as well. The idea is that if you know why a security feature exists, you’re more likely to actually use it, which is good for all parties involved.

For example, take two-factor authentication (“2FA” for short). This is a method for proving your identity before you get access to a resource, such as your Patreon account. It’s an added step to make sure you are the one logging in, and not someone pretending to be you. A “factor” is one piece of evidence that you are who you say you are, and 2FA asks for two different kinds. Commonly, these are something you know and something you have: you know your password, and you have another thing, such as your phone or a hardware token.

There are a couple ways to do this.

One way is by text message, a method called SMS 2FA for short. When you log in with your password, a code is sent to your phone; upon entering this code, you get access to your account. SMS 2FA has been around for a while, and is the most commonly offered form of 2FA across platforms. Patreon continues to support two-factor through SMS for creator and patron accounts.

While SMS 2FA is loads better than protecting your account with only a password, we now know the method isn’t foolproof. The code travels over the phone network, and your phone number is the only thing tying it to you. A determined attacker can take over that number (for example by persuading your carrier to move it to a SIM they control, known as a SIM swap) or intercept the message in transit, and then receive your codes instead of you.

Thankfully, there’s an even safer way to do 2FA than by SMS, and it’s called TOTP, or Time-Based One-Time Password.

But why is TOTP better than SMS for two-factor authentication?

Like SMS, TOTP adds a second factor to the Patreon login process. However, instead of a six-digit code that Patreon generates and texts to your phone, TOTP uses a separate app on your device that generates short-lived codes itself. When you enroll, the app and Patreon agree on a secret (that’s what the QR code carries); from then on, both sides derive the current code from that secret and the current time, and the code changes every 30 seconds. There are many apps that provide TOTP, such as Google Authenticator and Duo Mobile, which are free, and password managers like 1Password, which include a TOTP generator as part of a paid product. Because the codes are always changing and are never sent anywhere, and because they don’t depend on your phone number at all, taking over your number gets an attacker nothing. That limits the chance of an attacker getting hold of a valid code (your second factor), and thus, your account.
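To make the “shared secret plus current time” idea concrete, here is a small implementation of the two standards an authenticator app follows (RFC 4226 for HOTP, RFC 6238 for TOTP), together with the kind of check a service does on its side. This is an added example written for this post, not Patreon’s code: the issuer and account strings are hypothetical, and the shared secret is the 20-byte test seed published in RFC 6238 so the outputs can be checked against the RFC. Note what is not in it: no network call and no phone number. The verifier also shows two details a practitioner expects, tolerance for a little clock drift and rejection of a code that has already been used once.

```python
"""RFC 4226 (HOTP) and RFC 6238 (TOTP) in plain Python, plus the server-side
verifier a service would run. Added example, not Patreon's code; the account
and issuer strings are hypothetical, and the shared secret is the 20-byte SHA-1
test seed from RFC 6238 appendix B so the outputs can be checked."""
import base64
import hashlib
import hmac
import struct
import urllib.parse

# Constructed input: the RFC 6238 SHA-1 test seed (ASCII "1234567890" twice).
TEST_SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then 'dynamic
    truncation' (4 bytes starting at the offset given by the low nibble of the
    last digest byte, high bit cleared), then the low `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with counter = floor(unix_time / step). The phone and the
    server each compute this locally from the shared secret and their own
    clock; nothing is transmitted, so the phone number plays no part."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that authenticator apps read from the enrolment QR
    code. The secret is base32 without padding, which is what the apps expect."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}", safe="")
    return (f"otpauth://totp/{label}?secret={b32}"
            f"&issuer={urllib.parse.quote(issuer, safe='')}&digits=6&period=30")


class TotpVerifier:
    """Server-side check for one enrolled secret. `window` is how many steps of
    clock drift to tolerate on either side of now. `last_step` records the
    newest step already redeemed, so a code that was captured (phishing page,
    shoulder-surfer) cannot be replayed during its remaining validity, as
    RFC 6238 section 5.2 requires."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_step = -1  # no code redeemed yet

    def verify(self, candidate: str, unix_time: int) -> bool:
        if len(candidate) != self.digits or not (candidate.isascii() and candidate.isdigit()):
            return False
        now_step = unix_time // self.step
        matched = None
        for drift in range(-self.window, self.window + 1):
            step = now_step + drift
            # compare_digest is constant-time; every step is checked rather than
            # returning early so timing does not reveal which one matched.
            if hmac.compare_digest(hotp(self.secret, step, self.digits), candidate):
                matched = step if matched is None else matched
        if matched is None or matched <= self.last_step:
            return False  # wrong code, or reuse of an already-redeemed step
        self.last_step = matched
        return True


if __name__ == "__main__":
    print(provisioning_uri(TEST_SEED, "alice", "Patreon"))
    verifier = TotpVerifier(TEST_SEED)
    code = totp(TEST_SEED, 59)
    print("first use accepted:", verifier.verify(code, 59))
    print("replay accepted:", verifier.verify(code, 59))
```

With the RFC test seed, `hotp(TEST_SEED, 1)` is `287082` and `totp(TEST_SEED, 59, digits=8)` is `94287082`, matching the published vectors, which is a handy way to check any TOTP implementation before trusting it. The window of one step each way is the usual compromise: it absorbs a phone whose clock is up to 30 seconds off without widening the attacker’s guessing target much, and the replay check makes sure a stolen code is only ever good once.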

We’re proud to announce that Patreon now supports both SMS and TOTP two-factor authentication for our creator and patron accounts.

Using SMS as your second factor is better than protecting your account with only a password. However, if you want to make your account even safer, we recommend using TOTP two-factor authentication through a separate app. Whichever you choose, remember that a code typed into a fake login page can be passed on to the real one while it is still valid, so always check that you are on patreon.com before entering one.

Need more convincing? In addition to this blog post, Patreon’s own Taryn Arnold made a video about 2FA, and the methods of SMS and TOTP. Since Taryn can make pretty much anything interesting (if she made a video about taxes, we’d watch it), she was an obvious pick to tackle this topic.

So sit back, grab some popcorn, and watch Taryn explain why Patreon wants creators and patrons to use two-factor authentication to secure their accounts, either through SMS or TOTP. And not only on Patreon — across all their accounts.

Watch the video here.

If you’re ready to make your account safer, this support page has step by step instructions on how to enable 2FA through SMS or TOTP on Patreon.