vdelitz
Posted on August 31, 2023
With the recent decision by Twitter to discontinue SMS-based two-factor authentication (2FA) for non-Twitter Blue users, the spotlight is now on the potential pitfalls of SMS-based authentication. Despite its widespread adoption, this method often presents challenges beyond just security concerns. This article delves into these challenges and introduces passkeys as a superior, passwordless standard authentication method.
A Brief Overview of SMS-based Authentication
SMS-based authentication encompasses two main types: single-factor and two-factor authentication. The former involves one-time passcodes (OTP) sent via SMS, offering a password-free login alternative. In contrast, 2FA with SMS employs a two-step process where users first sign in with their credentials and then confirm their login through an OTP sent to their mobile phones.
Drawbacks of SMS-based Authentication
Fraud:
SMS Traffic Pumping: This involves sending many unwanted and often fraudulent SMS messages to specific phone numbers. Fraudsters exploit revenue-sharing agreements between mobile network operators (MNOs) and messaging service providers, aiming to inflate SMS traffic and generate higher revenues.
SIM Swapping: Fraudsters exploit vulnerabilities in the MNO infrastructure to transfer a victim's mobile phone number to a new SIM card. By doing so, they intercept incoming SMS messages, including authentication codes or links, gaining unauthorized access to various platforms.
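One way to spot the SMS traffic pumping pattern described above in an OTP send log, added here as an example and not taken from the original article: it flags number blocks that receive a burst of sends to several adjacent numbers while almost none of the codes are ever entered. The thresholds, the prefix length and the event format are assumptions, and all phone numbers are constructed.

```python
from collections import defaultdict, deque

# Assumed thresholds for illustration; tune them against your own baseline traffic.
WINDOW_MIN = 10      # sliding window length in minutes
MIN_SENDS = 5        # OTP sends to one number block inside the window
MIN_DISTINCT = 4     # distinct destination numbers among those sends
MAX_VERIFY = 0.2     # share of sent codes that were later entered
PREFIX_LEN = 9       # leading characters that define a number block


def build_sample_events():
    """Constructed events: (minute, destination, code_was_verified).

    The verified flag is assumed to be joined in from the verification log.
    """
    ev = [(m, f"+99900001{m:02d}", False) for m in range(8)]       # adjacent numbers, no code entered
    ev += [(m, f"+1555555010{m}", m != 3) for m in range(1, 7)]     # real users, most verify
    ev += [(m, "+447700900123", False) for m in range(2, 8)]        # one user retrying
    ev += [(m * 30, f"+99900002{m:02d}", False) for m in range(6)]  # too slow for the window
    return ev


def flag_pumped_prefixes(events):
    """Return the sorted number prefixes whose recent OTP traffic looks pumped."""
    recent = defaultdict(deque)  # prefix -> events still inside the window
    flagged = set()
    for minute, number, verified in sorted(events):
        prefix = number[:PREFIX_LEN]
        window = recent[prefix]
        window.append((minute, number, verified))
        # Drop events that have aged out; the event just added always stays.
        while window[0][0] <= minute - WINDOW_MIN:
            window.popleft()
        sends = len(window)
        distinct = len({n for _, n, _ in window})
        verify_rate = sum(v for _, _, v in window) / sends
        if sends >= MIN_SENDS and distinct >= MIN_DISTINCT and verify_rate <= MAX_VERIFY:
            flagged.add(prefix)
    return sorted(flagged)


if __name__ == "__main__":
    print(flag_pumped_prefixes(build_sample_events()))
```

The single retrying user and the block of mostly verified logins stay below the thresholds, so rate limiting or blocking can be applied to the flagged block alone.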
Cost Implications:
Implementation: Building an in-house SMS-only 2FA solution can be costly. External solutions, though often cheaper, still come with associated costs.
Operations: Sending SMS-based authentication messages incurs transaction costs, which vary based on factors like the number of SMS sent, target countries, and additional features.
Maintenance: Most maintenance costs are typically covered within transaction prices. However, additional expenses may arise, such as handling vendor relationships and providing user support.
Reliability and User Experience:
Reliability: Issues like message delivery delays, network congestion, and potential system downtimes can impede the prompt reception of authentication codes.
User Experience: While SMS-based authentication works well on mobile devices, it's less intuitive on desktops, requiring an additional device for input.
The Benefits of Passkeys
Passkeys are emerging as a formidable alternative to traditional passwords and SMS-based authentication. They offer:
Enhanced Security: Unlike SMS-based authentication, passkeys provide robust protection against fraudulent attacks because they are built on public-key cryptography. The server stores only the public key, so even in the event of a server breach, user accounts remain protected.
Cost-Effectiveness: Implementing passkeys eliminates the need to send SMS for login and sign-up, potentially saving significant costs annually.
Improved User Experience: With the widespread adoption of biometrics for device unlocking, passkeys extend this convenience to account unlocking. Features like Conditional UI further enhance user interaction, suggesting and pre-filling stored passkeys.
Conclusion
Passkeys present a practical solution to address the limitations of SMS-based authentication. They amalgamate robust security, cost-effectiveness, and superior user experience, making them an intelligent choice for modern authentication needs.