Skip to main content

SMS authentication: why it’s bad (and what to do instead)

Twitter’s Account Security Report shows users still opt for SMS authentication. Andrew Shikiar at the FIDO Alliance explains why that’s bad and what to do instead

Only 2.3% of Twitter’s active users are taking advantage of two-factor authentication to secure their accounts, according to Twitter’s latest Account Security report. Of those select few, 79.6% are using SMS-based one-time passcodes (OTPs), one of the least secure forms of two factor authentication (2FA). 

The low utilization of two-factor authentication and the continued popularity of SMS for 2FA underscore something critical: our industry is failing to educate consumers on the effectiveness of available two-factor authentication methods.

This lack of awareness is among the biggest challenges in protecting people’s data and stamping out the massive global data breach problem.

Not all two-factor authentication is created equal 

SMS one-time pass-codes

SMS-based authentication checks the box for using multiple forms of authentication, but it also only protects accounts from a targeted attack up to 76% of the time. In fact, SMS authentication has long been recognized by the tech industry as less effective against common threats like phishing, SIM swap, SS7 attacks and more. And if you’ve ever used it, you know it is a hassle.

Authenticator apps

Rather than delivering an authentication code via text, authenticator apps are already on a user’s device. They work by continuously generating new codes so users can prove possession of their device, which is tied to their account — acting as a second layer of authentication. While they raise the bar for security, they can be intercepted via phishing, man-in-the-middle and other advanced attacks. They also need to be re-set up whenever the user gets a new device.

Security keys

Security keys are physical authentication tokens that connect via USB, Bluetooth or NFC to a user’s devices to prove their identity on a website or application. The same security key can be used across services that accept them, such as Google, Github, Twitter and others, making them convenient.

Security keys based on FIDO standards provide maximum security, protecting accounts from a targeted attack 100% of the time and are strongly recommended for users with administrator access, public-facing figures, C-level executives, or those who are generally outspoken on social media or at industry events are more likely to be targeted by a cybercriminal and need more protection.

On-device biometrics

Many service providers are starting to let users login leveraging FIDO on-device biometrics. Based on the same phishing-resistant technology security keys, on-device biometrics using FIDO standards keep the user’s information securely stored on their device, never in the cloud or on a server.

The benefits of security keys apply here as well, with an added layer of simplicity since many consumers already have access to this technology through the biometrics on phones or laptops that they are likely using already to unlock these devices.  

So, how can we do better? 

The answer needs to be simple: make it easy for users to enable multi-factor authentication. Twitter’s report shows just how few people have taken steps to secure their accounts, but this isn’t unique to Twitter. Our recent survey also shows 31% of respondents either haven’t taken the time or don’t know how to protect their online accounts, even when options are available.

As service providers, making authentication options available is only half the battle. Getting users to enable them is the other half, and the only way to do that is to make it as easy as possible. 

Service providers should take steps to simplify the process for users, like making strong authentication options front and center during account creation rather than burying it in security settings. They should also communicate with users through multiple channels (like website prompts or marketing emails) on where and how to enable multi-factor authentication to make the setup process faster.

There are also best practices available to help service providers encourage their customers to get the security they need without sacrificing usability. 

It all boils down to this: consumers need to be educated on the risks and implications of fraud and the solutions available to secure their online accounts — and online service providers are uniquely positioned to be effective messengers for our collective journey to eliminate online fraud.

There’s certainly a fine line between raising awareness and scaring customers away, but driving better authentication practices brings greater benefit to consumers and service providers alike as the only people who benefit from data breaches are hackers. 

Andrew Shikiar is Executive Director of the FIDO Alliance

Main image courtesy of


All rights reserved Teiss Recruitment Ltd.