At Buffer, security has always been a balance: keeping our customers' accounts safe while making login as seamless as possible for our global user base.
A few months ago, we made a decision that may sound surprising: we removed SMS-based two-factor authentication (2FA) and moved fully to email-based verification.
It wasn't a change we took lightly. SMS has long been seen as the standard for 2FA. But over time, the drawbacks began to outweigh the benefits.
Here's the story of how we got there, what the transition looked like, and what we've seen since.
Why we moved away from SMS
SMS-based 2FA has long been considered a security standard, but our team discovered several critical issues that made us reconsider:
Security vulnerabilities were more widespread than expected
SIM swapping attacks have become increasingly sophisticated, allowing attackers to hijack phone numbers and bypass SMS-based security.
Additionally, SMS messages travel unencrypted through multiple carriers, creating potential interception points.
Costs were scaling unsustainably
Every authentication SMS costs money, and with our growing user base, these seemingly small fees were adding up to hundreds of dollars monthly. International SMS rates made this even more challenging because of our global user base.
International regulations and Sender ID requirements
SMS regulations vary dramatically by country, making compliance a constant challenge. Each country has different requirements for Sender IDs (the name that appears as the sender of an SMS), with some requiring pre-registration that can take weeks or months to complete.
For example, Singapore requires business verification documents, India demands a template pre-approval process, and the UAE has strict content restrictions.
Managing these requirements across 100+ countries created an enormous administrative burden that grew with each new regulation.
Additionally, failing to comply with any local regulation could result in messages being blocked, and ultimately customers being unable to log into Buffer.
Third-party dependencies created failure points
We relied on SMS gateway providers that occasionally experienced outages, delivery delays, or rate-limiting issues.
When these services go down, our users cannot access their accounts, a critical problem for a tool that powers social media strategies worldwide.
Why email made more sense
When we looked for alternatives, we realized we already had a stronger option: email.
So instead of just removing SMS and calling it a day, we reimagined our authentication flow by incorporating email as another venue.
We implemented time-limited, single-use verification codes sent via email with enhanced security headers and encryption. Our email infrastructure, which we already maintained for notifications and updates, proved more reliable than third-party SMS gateways.
We also added rate limiting and anomaly detection to prevent abuse.
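As an added illustration (not Buffer's code), here is how the time-limited, single-use code issuance and verification described above can be modelled, with a per-address send rate limit and a wrong-guess lock-out; the in-memory store, the pepper, and the TTL and limit values are assumptions chosen for the example:

```python
import hashlib, hmac, secrets, time
from dataclasses import dataclass

CODE_TTL_SECONDS = 600    # assumed: code valid for 10 minutes
MAX_ATTEMPTS = 5          # assumed: wrong guesses before the code is discarded
MAX_SENDS_PER_HOUR = 3    # assumed: per-address send rate limit
@dataclass
class PendingCode:
    digest: str        # HMAC of the code; the plaintext code is never stored
    expires_at: float
    attempts: int = 0

class EmailCodeStore:
    """In-memory issuer/verifier for single-use, time-limited email codes (constructed example)."""
    def __init__(self, pepper: bytes, clock=time.time):
        self.pepper = pepper    # server-side secret: a leaked store does not leak usable codes
        self.clock = clock      # injectable so expiry can be tested
        self.pending: dict[str, PendingCode] = {}
        self.sends: dict[str, list[float]] = {}

    def _digest(self, email: str, code: str) -> str:
        return hmac.new(self.pepper, f"{email}:{code}".encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str):
        """Return a fresh 6-digit code to send by email, or None if the send rate limit is hit."""
        now = self.clock()
        recent = [t for t in self.sends.get(email, []) if now - t < 3600]
        if len(recent) >= MAX_SENDS_PER_HOUR:
            return None
        self.sends[email] = recent + [now]
        code = f"{secrets.randbelow(10**6):06d}"    # CSPRNG, keeps leading zeros
        self.pending[email] = PendingCode(self._digest(email, code), now + CODE_TTL_SECONDS)
        return code

    def verify(self, email: str, code: str) -> bool:
        """Accept the current unexpired code once; drop it on success, expiry or too many guesses."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        if self.clock() > entry.expires_at:
            del self.pending[email]
            return False
        entry.attempts += 1
        if hmac.compare_digest(entry.digest, self._digest(email, code)):
            del self.pending[email]     # single use: the same code cannot be replayed
            return True
        if entry.attempts >= MAX_ATTEMPTS:
            del self.pending[email]     # too many wrong guesses: force a fresh code
        return False
```

Issuing a new code replaces any pending one for that address, so at most one code is ever valid per user.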
The unexpected benefits of switching to email
The transition delivered improvements beyond our initial expectations:
Security actually improved. Email accounts typically have more robust security options than phone numbers, including their own 2FA, recovery options, and activity monitoring. Users maintain better control over their email accounts than their phone numbers, which can be transferred without their knowledge.
Support tickets decreased. We saw a drop in authentication-related support requests. Users no longer struggled with international SMS delivery issues, changed phone numbers, or carrier-specific problems.
Development velocity increased. Our engineering team no longer needs to maintain integrations with the SMS provider, debug delivery issues across different carriers, or handle country-specific SMS regulations.
How we rolled out the change
Making this transition required careful planning.
We communicated the change to users well in advance, explaining the security benefits and addressing concerns. We provided detailed migration guides and temporarily supported both methods during the transition period.
For users who strongly preferred SMS, we helped them understand that modern email security, especially with providers like Gmail or Outlook that offer robust protections, provides equal or better security than SMS.
We also enhanced our email delivery infrastructure to ensure reliability, implementing redundant email service providers and monitoring delivery rates closely.
The right choice for Buffer
This decision may not be right for every company. Businesses that don't have users' email addresses or that serve demographics with limited email access might need different solutions. However, for Buffer, where every user already has an email account associated with their profile, this change aligned perfectly with our needs.
Three months after the transition, the results speak for themselves: a reduction in authentication-related support tickets, and significant monthly savings that we've reinvested in product improvements.
Looking ahead
Removing SMS authentication initially felt like swimming against the current, but it forced us to think critically about security theater versus actual security. Sometimes the "standard" solution isn't the best solution for your specific context.
We're continuing to explore additional authentication options, including support for hardware security keys. But our email-first approach has proven that simpler can indeed be safer.
We share these kinds of stories because we know other teams face similar tradeoffs. Have you reconsidered a "standard" security practice recently? We'd love to hear from you on our social media! Find us @buffer everywhere and follow Carlos on LinkedIn here.