At Buffer, safety has at all times been a stability: maintaining our prospects’ accounts protected whereas making login as seamless as potential for our international consumer base.
A couple of months in the past, we decided which may sound shocking — we eliminated SMS-based two-factor authentication (2FA) and moved absolutely to email-based verification.
It wasn’t a change we took evenly. SMS has lengthy been seen as the usual for 2FA. However over time, the drawbacks started to outweigh the advantages.
Right here’s the story of how we bought there, what the transition regarded like, and what we’ve seen since.
Why we moved away from SMS
SMS-based 2FA has lengthy been thought-about a safety customary, however our crew found a number of crucial points that made us rethink:
Safety vulnerabilities had been extra widespread than anticipated
SIM swapping assaults have grow to be more and more subtle, permitting attackers to hijack telephone numbers and bypass SMS-based safety.
Moreover, SMS messages journey unencrypted by means of a number of carriers, creating potential interception factors.
Prices had been scaling unsustainably
Each authentication SMS prices cash, and with our rising consumer base, these seemingly small charges had been including as much as a whole lot of {dollars} month-to-month. Worldwide SMS charges made this much more difficult as a result of our international consumer base.
Worldwide rules and Sender ID necessities
SMS rules fluctuate dramatically by nation, making compliance a relentless problem. Every nation has totally different necessities for Sender IDs (the title that seems because the sender of an SMS), with some requiring pre-registration that may take weeks or months to finish.
For instance, Singapore requires enterprise verification paperwork, India calls for a template pre-approval course of, and the UAE has strict content material restrictions.
Managing these necessities throughout 100+ nations created an infinite administrative burden that grew with every new regulation.
Moreover, failing to adjust to any native regulation might lead to messages being blocked, and in the end prospects being unable to log into Buffer.
Third-party dependencies created failure factors
We relied on SMS gateway suppliers that sometimes skilled outages, supply delays, or rate-limiting points.
When these providers go down, our customers cannot entry their accounts—a crucial drawback for a device that powers social media methods worldwide.
Why electronic mail made extra sense
After we regarded for alternate options, we realized we already had a stronger possibility: electronic mail.
So as an alternative of simply eradicating SMS and calling it a day, we reimagined our authentication stream by incorporating electronic mail as one other venue.
We carried out time-limited, single-use verification codes despatched through electronic mail with enhanced safety headers and encryption. Our electronic mail infrastructure, which we already maintained for notifications and updates, proved extra dependable than third-party SMS gateways.
We additionally added charge limiting and anomaly detection to stop abuse.
The surprising advantages of switching to electronic mail
The transition delivered enhancements past our preliminary expectations:
- Safety truly improved. E mail accounts usually have extra sturdy safety choices than telephone numbers, together with their very own 2FA, restoration choices, and exercise monitoring. Customers keep higher management over their electronic mail accounts than their telephone numbers, which might be transferred with out their information.
- Assist tickets decreased. We noticed a drop in authentication-related assist requests. Customers not struggled with worldwide SMS supply points, modified telephone numbers, or carrier-specific issues.
- Improvement velocity elevated. Our engineering crew not wants to take care of integrations with the SMS supplier, debug supply points throughout totally different carriers, or deal with country-specific SMS rules.
How we rolled out the swap
Making this transition required cautious planning.
We communicated the change to customers properly prematurely, explaining the safety advantages and addressing considerations. We supplied detailed migration guides and quickly supported each strategies throughout the transition interval.
For customers who strongly most popular SMS, we helped them perceive that trendy electronic mail safety, particularly with suppliers like Gmail or Outlook that provide sturdy safety, offers equal or higher safety than SMS.
We additionally enhanced our electronic mail supply infrastructure to make sure reliability, implementing redundant electronic mail service suppliers and monitoring supply charges intently.
The fitting selection for Buffer
This choice will not be proper for each firm. Providers that do not have customers’ electronic mail addresses or that serve demographics with restricted electronic mail entry may want totally different options. Nevertheless, for Buffer — the place each consumer already has an electronic mail account related to their profile — this alteration aligned completely with our wants.
Three months after the transition, the outcomes communicate for themselves: a discount in authentication-related assist tickets, and important month-to-month financial savings that we have reinvested in product enhancements.
Wanting forward
Eradicating SMS authentication initially felt like swimming towards the present, but it surely compelled us to assume critically about safety theater versus precise safety. Generally the “customary” answer is not the very best answer on your particular context.
We’re persevering with to discover extra authentication choices, together with assist for {hardware} safety keys. However our email-first strategy has confirmed that less complicated can certainly be safer.
We share these sorts of tales as a result of we all know different groups face related tradeoffs. Have you ever reconsidered a “customary” safety apply just lately? We’d love to listen to from you on our social media! Discover us @buffer all over the place and comply with Carlos on LinkedIn right here.
