
How to Reduce Your SMS Costs with Passkeys

Learn how passkeys are reducing SMS authentication costs, helping reduce SMS-based fraud and improve reliability as well as overall user experience.

Author: Robert

Created: August 21, 2023

Updated: September 24, 2024


Our mission is to make the Internet a safer place, and the new login standard passkeys provides a superior solution to achieve that. That's why we want to keep you up to date on the latest developments in the industry.


1. Introduction

After X announced that it would discontinue SMS-based two-factor authentication (2FA) for non-Twitter Blue users starting 20 March 2023 in response to fraudsters' abuse of SMS-based 2FA, questions arise concerning other potential drawbacks of SMS-based authentication.

Despite its broad adoption by companies in general (single-factor and two-factor) to provide better account protection for their users, this authentication method often comes with more drawbacks beyond security issues.

In this article, we'll explore these drawbacks, including fraud and challenges with costs, reliability, and user experience. To address them, passkeys can be used as the new passwordless standard authentication method that is superior in many aspects compared to SMS-based authentication methods.

In light of the potential replacement application of passkeys, we at Corbado offer a plug-and-play passkey solution to make the Internet a safe place and save your business huge SMS-related expenses right away.

2. What is SMS-based Authentication?

Before we explore the drawbacks of SMS-based authentication, it's essential to understand its fundamental concept. SMS-based authentication comprises two primary types:

  • Single-factor authentication
  • Two-factor authentication

The former includes methods like one-time passcodes (OTP) sent via SMS, providing a password-free login alternative to traditional passwords. The latter employs a two-step process to ensure 2FA protection. Users first sign up/log in with their username/email and password and then confirm their sign up/log in through a one-time passcode sent to their mobile phones via SMS.

3. Drawbacks of SMS-Based Authentication

Let's dive deeper into the drawbacks of SMS-based authentication by shedding light on different forms of fraud associated with this login method and uncover challenges with reliability, user experience, and the financial costs incurred in implementing, operating, and maintaining this authentication technology.

3.1 Fraud: SMS are Used to Hack User Accounts

SMS were invented more than 20 years ago and have not received any major security update ever since. That's why SMS fraud is a huge problem.

3.1.1 SMS Traffic Pumping

In SMS-based authentication, when a user requests an authentication code or a link via SMS, the service provider sends the code or link to the user's mobile phone number through an SMS message. SMS traffic pumping takes advantage of this process by sending a massive volume of unwanted and often fraudulent SMS messages to a specific phone number.

The fraudsters of SMS traffic pumping schemes exploit the revenue-sharing agreements between mobile network operators (MNO) and messaging service providers. They aim to inflate the SMS traffic and generate higher revenues for themselves, as the messaging service providers pay the MNOs a fee for delivering each message. As pointed out by a current Stytch employee on Hacker News, the MNOs collaborate with the hacker by sharing revenues here. While specific preventive measures such as disabling phone numbers from receiving SMS (geo permissions), implementing rate limits, and detecting bots can help mitigate SMS traffic pumping, complete elimination of misuse is nearly impossible due to the design of the sending process.

As a result, businesses and service providers often face significant expenses from the surge in incoming messages. Commsrisk says Twitter alone lost an incredible 60 million USD yearly due to SMS traffic pumping. Also, legitimate users may experience delays in receiving their authentication codes or links.
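The geo-permission and rate-limit measures mentioned above can be combined into one gate in front of the SMS send call. The following is an added example, not code from this article or from any provider; the function names, limits and phone numbers are assumptions, and bot detection is out of its scope.

```javascript
// Returns check(e164, nowMs) -> { allow, reason }; call it before handing a message to the SMS provider.
function createOtpSendGate({ allowedCountryCodes, perNumber, perBlock, windowMs }) {
  const accepted = new Map(); // bucket key -> timestamps of sends accepted inside the window

  function recent(key, now) {
    const kept = (accepted.get(key) || []).filter((t) => now - t < windowMs);
    accepted.set(key, kept);
    return kept;
  }

  return function check(e164, now) {
    if (!/^\+[1-9]\d{7,14}$/.test(e164)) return { allow: false, reason: 'malformed-number' };
    // Geo permission: refuse destinations outside the countries the service operates in.
    if (!allowedCountryCodes.some((cc) => e164.startsWith('+' + cc))) {
      return { allow: false, reason: 'country-not-allowed' };
    }
    // Rate limits: one bucket per number and one per number block (number minus its last
    // 3 digits), so a burst spread across neighbouring numbers is capped too.
    // The block size is this example's assumption.
    const numberSends = recent('n:' + e164, now);
    const blockSends = recent('b:' + e164.slice(0, -3), now);
    if (numberSends.length >= perNumber) return { allow: false, reason: 'number-rate-limit' };
    if (blockSends.length >= perBlock) return { allow: false, reason: 'block-rate-limit' };
    numberSends.push(now);
    blockSends.push(now);
    return { allow: true, reason: 'ok' };
  };
}

// Replays constructed requests (all numbers are made up) and tallies the gate's decisions.
function replayConstructedTraffic() {
  const gate = createOtpSendGate({
    allowedCountryCodes: ['1', '49'], perNumber: 3, perBlock: 5, windowMs: 600000,
  });
  const tally = {};
  const record = ({ reason }) => { tally[reason] = (tally[reason] || 0) + 1; };
  // One user requesting a code four times within a few seconds.
  for (let i = 0; i < 4; i++) record(gate('+4915155501234', i * 1000));
  // Twenty requests to sequential numbers in one block within a second.
  for (let i = 0; i < 20; i++) record(gate('+12025550' + (100 + i), 5000 + i * 50));
  // A constructed destination outside the allow-list.
  record(gate('+99912345678', 6000));
  return tally;
}

console.log(replayConstructedTraffic());
```

Every denied request is an SMS that is never billed, and the `reason` values can be logged to see which limit a burst is hitting.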

3.1.2 SIM Swapping

In this type of fraud, fraudsters exploit vulnerabilities in the MNO infrastructure to transfer a victim's mobile phone number to a new SIM card. By doing so, the attackers gain control over the victim's phone number, allowing them to intercept incoming SMS messages, including authentication codes or links. Once they gain control of a user's phone number, they can bypass the authentication process and get unauthorized access to their accounts on various platforms. SIM swapping is challenging to detect. Attackers often use social engineering to deceive MNO customer support, enabling them to transfer the victim's number to a new SIM card. Since companies with affected users often remain unaware, SIM swap attacks usually result in data breaches, financial losses, and damage to the company's reputation.

3.2 Costs

SMS are costly and there’s no real trend visible that points to a reduction in SMS prices.

3.2.1 Implementation of SMS-Based Authentication Costs a Lot

For SMS-based authentication, there are two options for implementation. You can either build and maintain an in-house system or use an external authentication solution. While a mix-and-match approach is possible, the latter option is recommended for simplicity. According to a Messente survey, in-house building an SMS-only 2FA solution can easily cost five figures. That's why going for an external solution, which is usually cheaper, is often a better idea.

3.2.2 Operations: Every Sent SMS Can Cost up to 20 Cents

As sending SMS-based authentication messages to users is very complex, almost every company goes with an experienced provider. Their service incurs transaction costs that vary based on the chosen provider. These costs depend on factors like:

  • the number of SMS sent
  • the target countries to which the SMS is sent
  • additional features.

Some providers may charge an extra fee for successful authentication via SMS, although this is often included in the overall price. According to miniOrange, transaction prices usually range from 0.01 to 0.20 USD per SMS, with high-quality SMS services directly linked to major providers starting at around 0.06 USD. Since users of digital products are often located in different countries, purchasing various SMS plans will increase expenses. This shows how quickly the costs of sending authentication messages alone can skyrocket and why, according to our information, SMS-based authentication costs a leading e-commerce company 12 million USD per year. Obviously, you can offer SMS-based authentication for key target countries only and thereby save money, but that is just a drop in the ocean and would also negatively impact the user experience for some users.

3.2.3 Maintenance: Keeping the System Up-to-Date Incurs Additional Costs

The majority of maintenance costs are typically covered within the transaction prices. These include expenses related to enabling providers to manage large SMS volumes, facilitate international SMS delivery to various MNOs, implement essential security measures, and ensure compliance with regulations. However, additional expenses may arise for the company, such as handling vendor relationships with the SMS provider, providing user support, and allocating resources to address downtime and technical issues.


3.3 Reliability: SMS Can Get Lost

In the context of SMS-based authentication, reliability refers to the consistent and timely delivery of the SMS and to uninterrupted access to the authentication system via the sent authentication code. Depending on the local infrastructure, message delivery delays, network congestion, and potential system downtimes can impede the prompt reception of authentication codes. This can cause user frustration and hinder the authentication process.

3.4 User Experience: Desktop Experience is Inferior

One key aspect to consider is the varying user-friendliness across different platforms. SMS-based authentication works excellently on mobile devices due to the autofill function that makes authentication code entry easy. Conversely, on desktops, you must use an additional device, your mobile phone, to input the authentication code manually, resulting in a less intuitive and convenient experience. As previously mentioned, user experience also suffers when fraud attacks occur, or issues arise in SMS delivery and authentication code retrieval.

4. Passkeys as Replacement for SMS-Based Authentication

So far, passkeys have mainly been perceived as the passwordless alternative for passwords only.

Moreover, since passkeys provide a built-in 2FA functionality, they serve as an alternative to passwords and any type of SMS-based authentication. This enhances security and avoids the user experience challenges posed by SMS-based one-time passcodes. By replacing authentication messages, passkeys bring substantial benefits that effectively eliminate the drawbacks of SMS-based authentication.

4.1 Phishing-Resistant MFA and Robust Security

Unlike SMS-based authentication, which can be susceptible to interception and manipulation, passkeys offer robust protection against all forms of fraudulent attacks due to the use of public-key infrastructure. This ensures that even if a server breach occurs, user accounts remain safeguarded as the essential private key remains secure within the user's device, embedded within the operating system. Additionally, passkeys' linkage to the specific registered online service is a countermeasure against phishing attempts, making passkeys the most secure authentication method currently available.
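The server-side checks behind that linkage to the registered service can be shown on a constructed login. The following is an added example, not Corbado's code or any library's API; `verifyAssertion`, `makeAssertion`, the domains and the challenge values are assumptions, and the key pair stands in for a passkey whose private half would stay on the user's device.

```javascript
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Relying-party check of one WebAuthn login assertion. Returns 'ok' or the first failed check.
function verifyAssertion({ clientDataJSON, authenticatorData, signature }, expected) {
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong-type';
  if (client.challenge !== expected.challenge) return 'challenge-mismatch';
  // The browser fills in the origin, so a page on another domain cannot claim ours.
  if (client.origin !== expected.origin) return 'origin-mismatch';
  // Bytes 0..31 of authenticatorData are SHA-256(RP ID) of the service the passkey belongs to.
  if (!authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'rpid-mismatch';
  const flags = authenticatorData[32];
  if ((flags & 0x01) === 0) return 'user-not-present';
  if ((flags & 0x04) === 0) return 'user-not-verified';
  // The authenticator signs authenticatorData || SHA-256(clientDataJSON) with the private key.
  const signedData = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const valid = nodeCrypto.verify('sha256', signedData, expected.publicKey, signature);
  return valid ? 'ok' : 'bad-signature';
}

// Constructed stand-in for browser + authenticator, used only to produce sample assertions.
function makeAssertion(privateKey, { origin, rpId, challenge }) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  // 32-byte RP ID hash, flags byte (0x05 = user present + user verified), 4-byte counter.
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signedData = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign('sha256', signedData, privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

function runConstructedLogins() {
  // The server stores only publicKey at registration (curve P-256).
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const other = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const expected = {
    origin: 'https://shop.example', rpId: 'shop.example',
    challenge: 'Y29uc3RydWN0ZWQtY2hhbGxlbmdl', publicKey,
  };
  const lookalike = { ...expected, origin: 'https://shop-example.test', rpId: 'shop-example.test' };
  const check = (key, params) => verifyAssertion(makeAssertion(key, params), expected);
  return {
    genuine: check(privateKey, expected),
    lookalikeSite: check(privateKey, lookalike),
    wrongRpId: check(privateKey, { ...expected, rpId: 'shop-example.test' }),
    staleChallenge: check(privateKey, { ...expected, challenge: 'b2xkLWNoYWxsZW5nZQ' }),
    wrongKey: check(other.privateKey, expected),
  };
}

console.log(runConstructedLogins());
```

A production verifier also looks up the stored public key by credential ID and accepts each challenge only once; a maintained WebAuthn server library covers those steps.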

4.2 Avoid High (Transaction) Costs

Similar to SMS-based authentication, there are costs associated with implementing passkeys. While handling the implementation in-house is possible, focusing on secure authentication often leads to a preference for specialists. Their expertise comes at a fraction of in-house costs and aligns with what SMS-based authentication providers charge for implementation. From a cost standpoint, the significant advantage of investing in passkeys is eliminating the need to send SMS for login and sign-up. Instead, users can securely log in using Face ID or Touch ID. This not only results in potential savings of millions in authentication costs annually (especially for larger consumer-oriented businesses) but also eradicates all the challenges that can arise when sending and receiving SMS.

For verifying users' phone numbers, often required for marketing or other communication purposes, sending an initial SMS with a one-time passcode remains an option. This allows SMS to run alongside passkeys. Additionally, SMS can serve as a fallback method. The key distinction between both scenarios and traditional SMS-based authentication is that SMS are sent only occasionally rather than being sent with every login attempt.

4.3 Convenient Authentication and Enhanced User Experience

The adoption of biometrics (e.g., Face ID, Touch ID, Windows Hello) for unlocking phones and desktop devices has rapidly become commonplace among users. Passkeys now extend this familiar experience to account unlocking. Given that most mobile phones and desktop devices are already passkey-ready, they offer a one-to-one replacement for SMS-based authentication. With local fingerprint or facial scans from the device, the requirement for a secondary device, as still needed for laptop-based SMS authentication, is eliminated. This substantial enhancement simplifies user experience and renders account login effortless. Another unique feature of passkeys is Conditional UI. This feature enhances user convenience by automatically suggesting and prefilling stored passkeys when users interact with the username input field. This eliminates the need for manual searching of credentials, including usernames, as these are already securely stored within the device or browser and are automatically pre-filled.

5. How Corbado Saves up to 90% of SMS Costs with 10x Higher Passkey Adoption Rates

The transition to passkey-based authentication is not only about a smoother login UX and better (phishing-resistant) MFA. Passkeys can also save substantial SMS OTP costs if two things are achieved:

  • a high passkey adoption rate
  • a high passkey login rate

Corbado's passkey technology and intelligent design focus on optimizing both these aspects to provide high SMS cost savings. We achieve up to 90% cost savings with 10x higher adoption rates of passkeys compared to traditional DIY solutions. Let’s see how.

5.1 Maximizing Passkey Adoption Rate

The first step is converting existing users into passkey users by allowing them to create passkeys in the account settings. However, this alone is not enough to increase passkey adoption rates among the existing user base. Corbado offers several solutions:

  • Progressive Automatic Enrollment: Our passkey intelligence engine is designed to optimize the passkey enrollment process, guiding users through passkey adoption in a smooth and frictionless manner whenever possible (e.g. during login with traditional authentication methods). This proactive approach ensures that users are not overwhelmed or confused, thereby reducing drop-off rates and increasing overall adoption.
  • Automatic Local Passkey Creation: If customers log in via Cross-Device Authentication, they are offered the option to create a local passkey in the environment they are currently using, increasing passkey adoption on all their devices. In situations where the current desktop device does not offer a platform authenticator to create a passkey, a mobile-first strategy can be employed to create a passkey on a mobile phone.
  • Automatic Passkey Upgrade: Corbado's decision engine facilitates an automatic upgrade to passkeys for users, significantly increasing adoption rates without requiring active user participation. This seamless transition is powered by our passkey intelligence decision engine, which works automatically on iOS 18+ devices (more to follow).

We ensure that more users adopt passkeys effortlessly, achieving adoption rates 10x higher than do-it-yourself passkey implementations.

5.2 Maximizing Passkey Login Rate

The second important step is to trigger passkey logins whenever possible and actively encourage the re-use of existing passkeys.

  • Identifier-First Approach: Starting the login process by only asking for an identifier (e.g. email address) and then automatically determining if a passkey login is possible simplifies the UX and encourages higher passkey usage. This method reduces the steps needed for users to log in, making the process quicker and more intuitive than offering a separate "Sign in with Passkey" button, which consumers frequently ignore.
  • Cross-Device Authentication and One Tap Passkey Login: Corbado automatically falls back to WebAuthn Cross-Device Authentication when no local passkey is available. Additionally, once a passkey login has been recorded on a device, the user identifier field is automatically converted into a One Tap Passkey Login button, making the login even more seamless.

5.3 Result: 90% Lower SMS Costs, 10x Higher Passkey Adoption

Corbado's innovative approach to maximizing passkey adoption and login rates offers significant advantages over DIY approaches. By leveraging this intelligent design, we ensure that users not only integrate but actively adopt passkeys, resulting in up to 10x higher adoption and login rates. This shift not only enhances security and user experience but also delivers substantial cost savings, particularly by reducing SMS OTP expenses by up to 90%. In the upcoming passkey era, where efficient and secure authentication is important, Corbado stands out as a leader in driving both adoption and cost-effectiveness.

6. Conclusion

To sum it up, passkeys offer a practical solution to tackle the drawbacks of SMS-based authentication. They provide robust security, cost-effectiveness, and high user experience, making them an intelligent replacement. With biometric technology and user-friendly features like Conditional UI, passkeys make security seamless and user experience smooth across platforms. For companies looking to step up their authentication game, Corbado's passkey solution is a simple way to enhance security, cut costs, and leave the challenges of SMS-based authentication behind. Contact us for a tailor-made passkey authentication solution for your SMS OTP / 2FA setup.
