Say goodbye to SMS 2FA – we won’t see it around much longer (2024)

Earlier this year came the strongest signal yet that the heyday of SMS two-factor authentication is coming to a close: after losing $60 million to SMS pumping fraud last year, Twitter dropped support for SMS as a 2FA option for any user who doesn't pay its monthly subscription fee.

Whether or not people sympathize with the frustration of Twitter's users, or with the backend team that has been fending off toll fraudsters, it didn't have to happen this way. Rather than dwelling on what these decisions say about Twitter, security professionals should focus on what this object lesson says about the future of multi-factor authentication (MFA).

It highlights that the headaches of SMS 2FA are becoming untenable for companies and CISOs to manage, particularly in this economy. Despite the method's popularity with users, its costs are becoming so burdensome that it will be phased out even faster than passwords. And no technology will accelerate that decline more than passkeys.

The rise and persisting appeal of SMS 2FA

Because of its popularity and adoption rates, SMS 2FA has served a valuable purpose over the past 10 years. Before SMS 2FA, the cost of attacking a password-protected account had become trivial: the frequency of data breaches, combined with users' habit of reusing passwords, meant that a large share of users had working passwords circulating on the dark web at any given moment, a nightmare for security pros.

That behavior handed fraudsters a highly scalable way to steal and monetize online accounts, known as credential stuffing: download the credentials exposed in one breach, then try them against other, potentially high-return sites such as PayPal, Chase, Coinbase or Robinhood, where a reused password means an account takeover.

SMS 2FA breaks that scalability by adding friction that is usually too costly for fraudsters to overcome: stealing an SMS one-time passcode before it expires typically requires SIM swapping or a real-time phishing attack on top of the credential stuffing itself. For most bad actors, that extra time and effort simply isn't worth it.
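The credential-stuffing run described above leaves a distinctive trace in authentication logs: one source tries many different usernames and mostly fails, with the occasional hit where a password was reused. The Go program below is an added example, not code from the article or from Stytch; the log format, IP addresses and usernames are constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LoginEvent is one parsed line of the constructed authentication log.
type LoginEvent struct {
	IP     string
	User   string
	Result string // "ok" or "fail"
}

// SampleAuthLog is constructed sample data, not real traffic. 203.0.113.7
// walks a leaked credential list against many accounts (one reused password
// works); 198.51.100.4 is a single user mistyping their own password.
var SampleAuthLog = []string{
	"2023-02-18T10:00:01Z ip=203.0.113.7 user=alice result=fail",
	"2023-02-18T10:00:02Z ip=203.0.113.7 user=bob result=fail",
	"2023-02-18T10:00:02Z ip=203.0.113.7 user=carol result=ok",
	"2023-02-18T10:00:03Z ip=203.0.113.7 user=dave result=fail",
	"2023-02-18T10:00:03Z ip=203.0.113.7 user=erin result=fail",
	"2023-02-18T10:00:04Z ip=203.0.113.7 user=frank result=fail",
	"2023-02-18T10:00:09Z ip=198.51.100.4 user=grace result=fail",
	"2023-02-18T10:00:15Z ip=198.51.100.4 user=grace result=fail",
	"2023-02-18T10:00:22Z ip=198.51.100.4 user=grace result=ok",
}

// ParseAuthLog turns key=value log lines into events. Lines missing any of
// the three fields are skipped rather than guessed at.
func ParseAuthLog(lines []string) []LoginEvent {
	var events []LoginEvent
	for _, line := range lines {
		fields := map[string]string{}
		for _, tok := range strings.Fields(line) {
			if k, v, ok := strings.Cut(tok, "="); ok {
				fields[k] = v
			}
		}
		e := LoginEvent{IP: fields["ip"], User: fields["user"], Result: fields["result"]}
		if e.IP == "" || e.User == "" || e.Result == "" {
			continue
		}
		events = append(events, e)
	}
	return events
}

// Verdict describes one source IP that looks like a credential-stuffing run.
type Verdict struct {
	IP            string
	Attempts      int
	DistinctUsers int
	FailRate      float64
	Successes     []string // accounts the reused password actually opened
}

// DetectCredentialStuffing flags IPs that tried at least minUsers distinct
// usernames with a failure ratio of at least minFailRate. A legitimate user
// retrying their own password touches one username and never matches; a
// stuffing run touches many and mostly fails.
func DetectCredentialStuffing(events []LoginEvent, minUsers int, minFailRate float64) []Verdict {
	type stats struct {
		attempts, fails int
		users           map[string]bool
		successes       []string
	}
	byIP := map[string]*stats{}
	for _, e := range events {
		s := byIP[e.IP]
		if s == nil {
			s = &stats{users: map[string]bool{}}
			byIP[e.IP] = s
		}
		s.attempts++
		s.users[e.User] = true
		if e.Result == "fail" {
			s.fails++
		} else {
			s.successes = append(s.successes, e.User)
		}
	}
	var out []Verdict
	for ip, s := range byIP {
		rate := float64(s.fails) / float64(s.attempts)
		if len(s.users) >= minUsers && rate >= minFailRate {
			out = append(out, Verdict{IP: ip, Attempts: s.attempts, DistinctUsers: len(s.users),
				FailRate: rate, Successes: s.successes})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP }) // deterministic output
	return out
}

func main() {
	for _, v := range DetectCredentialStuffing(ParseAuthLog(SampleAuthLog), 5, 0.5) {
		fmt.Printf("%s: %d attempts across %d accounts, %.0f%% failed, took over %v\n",
			v.IP, v.Attempts, v.DistinctUsers, v.FailRate*100, v.Successes)
	}
}
```

The Successes field is the set of accounts the reused password actually opened, which is exactly where a second factor earns its keep: detection tells you the run happened, but only the extra factor turns that one successful password check into a failed login.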

Why SMS 2FA has lost its allure

With widespread adoption, SMS 2FA has disincentivized fraud, or at least made it much harder to run at scale. Unfortunately, fraudsters inevitably catch up with security controls, find ways around them and eventually render them untenable. That is precisely what has happened with SMS 2FA.

The biggest factors behind SMS 2FA's decline are not on the user side; they are the backend burden it puts on engineering teams. Those include deliverability and latency problems, inherent in relying on older telecommunications systems, that leave messages delayed or undelivered; and a form of bot abuse called SMS toll fraud, also known as SMS pumping.

In SMS toll fraud, bots trigger large volumes of one-time-code messages to numbers on a mobile network operator (MNO) that the attacker partners with, often on premium-rate or high-cost international routes; the operator collects the per-message termination fees and splits the proceeds with the attacker. Because the victim service pays for every message it sends, the bill can dwarf legitimate SMS spend, as Twitter's losses showed.
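Seen from the OTP-sending service, this traffic has a recognizable shape: bursts of send requests into one number prefix, frequently to consecutive numbers as the bot walks the range it is paid on. The Go program below is an added example, not code from the article or from Stytch; the prefix length, limits, window and phone numbers are assumed values chosen for illustration, and the traffic is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// OTPRequest is one request to send an SMS one-time code.
type OTPRequest struct {
	At     time.Time
	Number string // E.164 form, e.g. "+14155550101"
}

// PumpingPolicy holds the limits. Prefix length, counts and window are assumed
// values for this example, not figures from the article.
type PumpingPolicy struct {
	PrefixDigits  int // country code plus carrier block
	MaxPerPrefix  int // sends allowed into one prefix per Window
	MaxSequential int // consecutive numbers that trip the guard
	Window        time.Duration
}

var DefaultPolicy = PumpingPolicy{PrefixDigits: 7, MaxPerPrefix: 5, MaxSequential: 4, Window: 10 * time.Minute}

type prefixState struct {
	sends []time.Time // send times still inside the window
	last  int64       // last number seen in this prefix
	run   int         // length of the current run of consecutive numbers
}

// PumpingGuard keeps per-prefix history and decides whether a message goes out.
type PumpingGuard struct {
	policy PumpingPolicy
	state  map[string]*prefixState
}

func NewPumpingGuard(p PumpingPolicy) *PumpingGuard {
	return &PumpingGuard{policy: p, state: map[string]*prefixState{}}
}

// Decision says whether to send and, if not, why.
type Decision struct {
	Allowed bool
	Reason  string
}

// Check records the request and applies two pumping signals: a burst of sends
// into one number prefix, and a run of consecutive numbers (bots enumerate the
// range they are paid on). Blocked requests still count toward the window, so
// a bot cannot keep probing for free.
func (g *PumpingGuard) Check(r OTPRequest) Decision {
	digits := strings.TrimPrefix(r.Number, "+")
	n, err := strconv.ParseInt(digits, 10, 64)
	if err != nil || n < 0 || len(digits) < g.policy.PrefixDigits {
		return Decision{false, "malformed number"}
	}
	prefix := digits[:g.policy.PrefixDigits]
	s := g.state[prefix]
	if s == nil {
		s = &prefixState{}
		g.state[prefix] = s
	}
	// Drop sends that have aged out of the window, then record this one.
	kept := s.sends[:0]
	for _, t := range s.sends {
		if r.At.Sub(t) < g.policy.Window {
			kept = append(kept, t)
		}
	}
	s.sends = append(kept, r.At)
	if s.run > 0 && n == s.last+1 {
		s.run++
	} else {
		s.run = 1
	}
	s.last = n
	if s.run >= g.policy.MaxSequential {
		return Decision{false, "sequential numbers in prefix " + prefix}
	}
	if len(s.sends) > g.policy.MaxPerPrefix {
		return Decision{false, "velocity limit for prefix " + prefix}
	}
	return Decision{true, "ok"}
}

func main() {
	g := NewPumpingGuard(DefaultPolicy)
	t0 := time.Date(2023, 2, 18, 10, 0, 0, 0, time.UTC)
	// Constructed traffic: two ordinary users, then a bot walking +2547000010xx.
	for i, num := range []string{"+14155550101", "+442071234567",
		"+254700001001", "+254700001002", "+254700001003", "+254700001004"} {
		d := g.Check(OTPRequest{At: t0.Add(time.Duration(i) * time.Second), Number: num})
		fmt.Printf("%-14s allowed=%-5v %s\n", num, d.Allowed, d.Reason)
	}
}
```

In production this check sits in front of the call to the SMS provider, alongside per-IP and per-session limits and a destination-country allowlist; the point is that the decision is made before the message, and its cost, leaves the building.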

Why passkeys are best-positioned to replace SMS 2FA

If SMS 2FA were the best the market had to offer, developers might consider the cost of preventing toll fraud and covering for latency a worthwhile investment. But in 2023, better MFA methods are available, and standard-setters like the FIDO Alliance have put their weight behind passkeys.

A passkey is a public/private key pair created for one specific site or app. The private key lives on the user's device and, for synced passkeys, in the platform account that backs it up (iCloud Keychain on an iPhone or Mac, a Google account on Android or a Chromebook); the site only ever receives the public key. That pair is then used to sign up for or sign in to applications without creating or remembering an additional password.

On the user side, this creates a compelling experience. To log in, the user verifies with a fingerprint or Face ID, the device signs the site's challenge with the private key, and the site checks the signature against the public key it stored at registration; the user is in without typing anything. Because the credential is bound to the site that registered it, a look-alike domain cannot phish it, and a breach of the site exposes only public keys. The best part about passkeys today: users can use them across devices.
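The exchange described above can be shown end to end. The Go program below is an added example, not code from the article, from Stytch or from the FIDO Alliance; it simulates a WebAuthn-style authentication ceremony with a P-256 key pair standing in for the device's authenticator, and the relying-party name example.com and its origin are assumed values. It also shows why the credential cannot be phished: the origin of the page making the request is part of what gets signed, and the site refuses any other origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying-party identity: assumed values for this example.
const rpID, expectedOrigin = "example.com", "https://example.com"
// Credential is all the relying party stores: the public key plus the last
// counter seen. The private key stays on the device or in its synced keychain.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	Counter   uint32
}
// Authenticator stands in for the platform authenticator behind the biometric
// check; it is the only holder of the private key.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}
func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, err
}
// Register hands only the public half to the relying party at sign-up.
func (a *Authenticator) Register() Credential { return Credential{PublicKey: &a.priv.PublicKey} }
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
type Assertion struct{ ClientDataJSON, AuthData, Signature []byte } // what the browser returns
// signedDigest is the value signed: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}
// Assert signs a challenge. The browser, not the page, fills in origin from the
// requesting site, so a look-alike domain's signature carries the wrong origin.
func (a *Authenticator) Assert(challenge []byte, origin string) (Assertion, error) {
	a.counter++
	cd, err := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 0) // rpIdHash, flags (user present), counter
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return Assertion{cd, authData, sig}, err
}
// NewChallenge is the fresh random value the site ties to one login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}
// Verify is the relying-party side; each check mirrors one WebAuthn requires.
func Verify(cred *Credential, challenge []byte, asrt Assertion) error {
	var cd clientData
	if err := json.Unmarshal(asrt.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return errors.New("wrong ceremony type or stale/replayed challenge")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q not allowed (phishing page?)", cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(asrt.AuthData) < 37 || string(asrt.AuthData[:32]) != string(rpHash[:]) || asrt.AuthData[32]&0x01 == 0 {
		return errors.New("rpIdHash mismatch or user presence not asserted")
	}
	counter := binary.BigEndian.Uint32(asrt.AuthData[33:37])
	if (counter != 0 || cred.Counter != 0) && counter <= cred.Counter { // synced passkeys may report 0
		return errors.New("signature counter did not increase (replay or cloned key)")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedDigest(asrt.AuthData, asrt.ClientDataJSON), asrt.Signature) {
		return errors.New("bad signature")
	}
	cred.Counter = counter
	return nil
}
func main() {
	auth, _ := NewAuthenticator()
	cred := auth.Register()
	ch, _ := NewChallenge()
	asrt, _ := auth.Assert(ch, expectedOrigin)
	fmt.Println("login verified:", Verify(&cred, ch, asrt) == nil)
}
```

What a real deployment adds is mostly storage and transport: keeping each challenge server-side so it is accepted exactly once, looking the credential up by its ID, and parsing the CBOR attestation object at registration. The verification checks themselves are the ones shown, and the counter rule is written to tolerate synced passkeys, which may report a counter of zero on every device.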

Why SMS 2FA may fall before passwords

As promising as passkeys are, much technological and infrastructural work remains before the industry can adopt them widely as a replacement for passwords. Only recent smartphone and OS releases support passkeys, and many, if not most, users are still attached to and comfortable with the old username/password combination despite its security risks. In the meantime, passkeys are positioned as the strongest replacement for SMS as a second authentication factor.

Hopefully, with the new technologies available, companies can eliminate painful auth infrastructure without shifting the security burden onto users. Instead, they can migrate to passkeys and prepare their engineering teams and users for the passwordless future.

Reed McGinley-Stempel, co-founder and CEO, Stytch
