With the recent decision by Twitter to discontinue SMS-based two-factor authentication (2FA) for non-Twitter Blue users, the spotlight is now on the potential pitfalls of SMS-based authentication. Despite its widespread adoption, this method often presents challenges beyond just security concerns. This article delves into these challenges and introduces passkeys as a superior, passwordless standard authentication method.
A Brief Overview of SMS-based Authentication
SMS-based authentication encompasses two main types: single-factor and two-factor authentication. The former involves one-time passcodes (OTP) sent via SMS, offering a password-free login alternative. In contrast, 2FA with SMS employs a two-step process where users first sign in with their credentials and then confirm their login through an OTP sent to their mobile phones.
Drawbacks of SMS-based Authentication
Fraud:
SMS Traffic Pumping: This involves sending many unwanted and often fraudulent SMS messages to specific phone numbers. Fraudsters exploit revenue-sharing agreements between mobile network operators (MNO) and messaging service providers, aiming to inflate SMS traffic and generate higher revenues.
SIM Swapping: Fraudsters exploit vulnerabilities in the MNO infrastructure to transfer a victim's mobile phone number to a new SIM card. By doing so, they intercept incoming SMS messages, including authentication codes or links, gaining unauthorized access to various platforms.
Cost Implications:
Implementation: Building an in-house SMS-only 2FA solution can be costly. External solutions, though often cheaper, still come with associated costs.
Operations: Sending SMS-based authentication messages incurs transaction costs, which vary based on factors like the number of SMS sent, target countries, and additional features.
Maintenance: Most maintenance costs are typically covered within transaction prices. However, additional expenses may arise, such as handling vendor relationships and providing user support.
Reliability and User Experience:
Reliability: Issues like message delivery delays, network congestion, and potential system downtimes can impede the prompt reception of authentication codes.
User Experience: While SMS-based authentication works well on mobile devices, it's less intuitive on desktops, requiring an additional device for input.
The Benefits of Passkeys
Passkeys are emerging as a formidable alternative to traditional passwords and SMS-based authentication. They offer:
Enhanced Security: Unlike SMS-based authentication, passkeys provide robust protection against fraudulent attacks because they are built on public-key cryptography. The server stores only a public key, so even in the event of a server breach, user accounts remain protected.
Cost-Effectiveness: Implementing passkeys eliminates the need to send SMS for login and sign-up, potentially saving significant costs annually.
Improved User Experience: With the widespread adoption of biometrics for device unlocking, passkeys extend this convenience to account unlocking. Features like Conditional UI further enhance user interaction, suggesting and pre-filling stored passkeys.
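To make the "Enhanced Security" point concrete, here is an added example (not code from the original article) that models a passkey login in Node.js. It is a simplified challenge-response sketch rather than full WebAuthn, and the names `Server`, `createPasskey`, `signAssertion`, `RP_ORIGIN` and both origins are assumptions made for illustration.

```javascript
// Simplified model of a passkey login (not full WebAuthn: no CBOR, no attestation).
const crypto = require('node:crypto');

const RP_ORIGIN = 'https://example.com'; // assumed relying-party origin

// Authenticator: the private key stays on the device; only the public key is shared.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { privateKey, publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }) };
}

// Client: signs the server challenge together with the origin the browser is on.
function signAssertion(privateKey, challenge, origin) {
  const clientData = JSON.stringify({ challenge, origin });
  return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), privateKey) };
}

// Server: stores public keys only and issues single-use random challenges.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, { clientData, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // single use, so a replayed assertion is rejected
    const pem = this.publicKeys.get(user);
    if (!expected || !pem) return false;
    let data;
    try { data = JSON.parse(clientData); } catch { return false; }
    if (!data || data.challenge !== expected || data.origin !== RP_ORIGIN) return false;
    return crypto.verify('sha256', Buffer.from(clientData), pem, signature);
  }
}

function demo() {
  const server = new Server();
  const device = createPasskey();
  server.register('alice', device.publicKeyPem);
  const assertion = signAssertion(device.privateKey, server.newChallenge('alice'), RP_ORIGIN);
  const legit = server.verify('alice', assertion);
  const replay = server.verify('alice', assertion);
  const wrongOrigin = server.verify('alice', signAssertion(device.privateKey, server.newChallenge('alice'), 'https://login.example.net'));
  const otherKey = server.verify('alice', signAssertion(createPasskey().privateKey, server.newChallenge('alice'), RP_ORIGIN));
  return { legit, replay, wrongOrigin, otherKey };
}
```

Calling `demo()` shows that only the fresh assertion from the registered device on the expected origin is accepted; a replayed assertion, one bound to a different origin, and one signed by a key that is not the registered one are all rejected, which is why a copy of the server's stored public keys is not enough to log in.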
Conclusion
Passkeys present a practical solution to address the limitations of SMS-based authentication. They amalgamate robust security, cost-effectiveness, and superior user experience, making them an intelligent choice for modern authentication needs.