What are the key drawbacks of SMS-based authentication?

Vincent Delitz

Created: January 31, 2025

Updated: February 17, 2025

Key Drawbacks of SMS-Based Authentication

SMS-based authentication is widely used but comes with significant limitations that impact security, cost, reliability, and user experience.

1. Security Risks

SMS authentication is highly vulnerable to attacks, making it an unreliable security measure:

  • Phishing Attacks: Users can be tricked into entering their SMS OTP on fraudulent websites, allowing attackers to gain unauthorized access.
  • SIM Swapping: Hackers can steal a user’s phone number by fraudulently transferring it to another SIM card and then intercept SMS OTPs.
  • SMS Traffic Pumping Fraud: Attackers inflate SMS traffic to generate revenue at the expense of businesses, costing enterprises millions.
  • Lack of Encryption: SMS messages travel in plaintext, making them susceptible to interception by attackers.

2. High Costs

Using SMS for authentication is expensive, especially for large-scale enterprises:

  • Per-Message Costs: Businesses pay $0.01 to $0.20 per SMS, which accumulates quickly.
  • Operational Expenses: Managing SMS-based authentication includes vendor fees, maintenance, and user support costs.
  • Fraud-Related Costs: Companies lose millions due to SMS fraud, such as SMS pumping attacks.
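
One way a defender might spot the SMS traffic pumping described above in OTP send logs, and estimate its cost with the per-message range quoted in this section. This is an added example, not code from the original article; the detection signal (many distinct numbers in one number range with few completed verifications), the thresholds, the function name `flag_pumping` and the sample numbers are assumptions.

```python
from collections import defaultdict

# Per-message price range quoted in the article (USD).
PRICE_LOW, PRICE_HIGH = 0.01, 0.20


def flag_pumping(events, prefix_len=9, min_sends=5, max_verify_rate=0.2):
    """events: iterable of (phone_number, verified) tuples from one time window.

    Returns {prefix: stats} for number ranges that received many OTP sends
    across many distinct numbers while almost nobody entered the code.
    Repeated sends to a single number are out of scope here; per-number
    rate limiting covers that case.
    """
    sends = defaultdict(int)
    verified = defaultdict(int)
    numbers = defaultdict(set)
    for number, ok in events:
        prefix = number[:prefix_len]  # group by leading digits (assumed range size)
        sends[prefix] += 1
        verified[prefix] += 1 if ok else 0
        numbers[prefix].add(number)

    flagged = {}
    for prefix, n in sends.items():
        rate = verified[prefix] / n
        # A legitimate burst (e.g. a signup campaign) shows a high verify rate,
        # so volume alone is not enough to flag a range.
        if n >= min_sends and len(numbers[prefix]) >= min_sends and rate <= max_verify_rate:
            flagged[prefix] = {
                "sends": n,
                "verify_rate": rate,
                "cost_usd": (round(n * PRICE_LOW, 2), round(n * PRICE_HIGH, 2)),
            }
    return flagged


# Constructed sample window: 40 sequential numbers in one unassigned range that
# never verify, plus a few ordinary logins. None of these are real subscribers.
SAMPLE_EVENTS = (
    [("+99900010%03d" % i, False) for i in range(40)]
    + [("+15550100123", True), ("+15550100456", True),
       ("+15550177001", False), ("+15550177001", True)]
)

if __name__ == "__main__":
    for prefix, stats in flag_pumping(SAMPLE_EVENTS).items():
        print(prefix, stats)
```

Flagged ranges are candidates for blocking or stricter rate limits at the OTP send endpoint; tune the thresholds against your own traffic before acting on them.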

3. Reliability Issues

SMS messages are not always delivered promptly, creating frustration for users and risks for businesses:

  • Network Delays: SMS OTPs may arrive late or not at all due to network congestion or carrier issues.
  • Blocked SMS in Certain Regions: Some countries restrict international SMS messages, making authentication unreliable.
  • Carrier Filtering: SMS messages can be flagged as spam and never reach the user.

4. Poor User Experience (UX)

SMS authentication disrupts the user journey and adds unnecessary friction:

  • Multi-Device Hassle: Users must switch between devices to retrieve and enter OTPs.
  • Desktop Login Inconvenience: Unlike mobile autofill, desktop users must manually type OTPs.
  • Authentication Fatigue: Users find entering OTPs annoying and disruptive, leading to login abandonment.

Passkeys: A Secure and Cost-Effective Alternative

To overcome these limitations, many organizations are replacing SMS authentication with passkeys, a phishing-resistant, cost-effective, and user-friendly alternative. Passkeys eliminate OTPs entirely, enhancing security and user experience while reducing fraud and cutting authentication costs by up to 90%.
