Why TOTP is More Secure Than SMS for WordPress 2FA

Not all two-factor authentication is equal. Learn why TOTP authenticator apps are more secure than SMS text message verification for WordPress.

Amanda Foster

Not All 2FA is Created Equal

When implementing two-factor authentication, you have choices. The most common are TOTP (Time-based One-Time Password) using authenticator apps and SMS verification via text messages. While both add security beyond passwords alone, TOTP is significantly more secure than SMS. Here's why WP Folder Shield uses TOTP—and why you should prefer it too.

How SMS Verification Works

With SMS 2FA:

  1. You enter your password
  2. A text message with a code is sent to your phone number
  3. You enter the code from the text
  4. You're logged in

Sounds secure, right? The problem is the SMS infrastructure itself.

SMS Security Vulnerabilities

SIM Swapping Attacks

Attackers call your mobile carrier, impersonate you, and convince them to transfer your phone number to a new SIM card. Suddenly, all your text messages—including 2FA codes—go to the attacker.

  • Over 10,000 SIM swap attacks reported to FBI in 2023
  • Losses exceeded $68 million
  • High-profile victims include Jack Dorsey (Twitter CEO)

SS7 Protocol Vulnerabilities

The SS7 protocol that routes SMS messages has known security flaws. Sophisticated attackers can intercept text messages without accessing your phone or carrier.

Carrier Employee Insider Threats

Corrupt or bribed carrier employees have been caught redirecting phone numbers for attackers.

Phone Number Recycling

Old phone numbers get reassigned. If you changed numbers but didn't update your 2FA, the new owner might receive your codes.

Interception via Malware

Malware on your phone can read incoming text messages, capturing 2FA codes in real-time.

How TOTP Works

TOTP (Time-based One-Time Password) takes a completely different approach:

  1. During setup, a secret key is shared between the server and your app
  2. Both generate codes using the same algorithm and current time
  3. Codes change every 30 seconds
  4. No network transmission required—codes generate offline

Why TOTP is More Secure

No Network Transmission

TOTP codes are generated locally on your device. There's no message to intercept because nothing is sent over any network.

Immune to SIM Swapping

Your phone number is irrelevant. Even if an attacker takes over your number, they can't generate your TOTP codes.

Works Offline

No cell signal? No WiFi? TOTP still works. The algorithm only needs the correct time.

No Carrier Involvement

No mobile carrier can redirect, intercept, or expose your codes because they're never involved.

Standardized and Open

TOTP is an open standard (RFC 6238) reviewed by security experts worldwide. SMS security depends on telecom infrastructure designed decades ago.

Security Comparison

Attack Vector        SMS         TOTP
SIM Swapping         Vulnerable  Immune
SS7 Interception     Vulnerable  Immune
Phone Malware        Vulnerable  Resistant*
Social Engineering   Vulnerable  Resistant
Works Offline        No          Yes
Phishing             Vulnerable  Resistant**

*TOTP apps typically have additional protection. **30-second code window limits phishing utility.

When SMS Might Still Be Used

Account Recovery

Some services use SMS as a backup recovery method. This is risky—consider disabling if possible.

No Alternative

Some services only offer SMS 2FA. It's still better than no 2FA, but push for TOTP support.

Low-Risk Accounts

For accounts with no sensitive data and no access to other systems, SMS may be acceptable.

Setting Up TOTP with WP Folder Shield

WP Folder Shield uses TOTP exclusively—the most secure option:

  1. Install an authenticator app (Authy, Google Authenticator, etc.)
  2. Go to Users > Profile in WordPress
  3. Scan the QR code with your app
  4. Enter the code to verify
  5. Save your backup codes

No phone number required. No SMS messages. No carrier vulnerabilities.

Additional TOTP Best Practices

Use a Reputable Authenticator App

Stick to well-known apps: Authy, Google Authenticator, Microsoft Authenticator, 1Password.

Enable App Lock

Protect your authenticator app with PIN or biometrics so phone theft doesn't mean 2FA theft.

Backup Your Tokens

Use Authy's encrypted backup or save backup codes. Don't lose access to your own accounts.

Industry Recommendations

Major security organizations recommend TOTP over SMS:

  • NIST - Deprecated SMS for authentication in government systems
  • CISA - Recommends phishing-resistant MFA (TOTP qualifies)
  • Microsoft - Reports 99.9% attack prevention with any MFA, but recommends app-based

Conclusion

SMS verification is better than passwords alone, but significantly weaker than TOTP. SIM swapping, SS7 vulnerabilities, and carrier security make SMS a risky choice for important accounts. WP Folder Shield implements TOTP because it's the most secure widely-available 2FA method. Protect your WordPress site with proper 2FA—use an authenticator app, not text messages.
