The Days of 2FA SMS (and A2P) Are Numbered
My thoughts on why SMS will eventually find a home next to my imaginary fax machine
Can you hear that clock ticking?
That's the time left until SMS will be as relevant as the fax machine. We still have that fax machine around somewhere -- probably buried deep in our printer and unconnected to the phone line -- but it's there.
SMS is said to be growing in use. As I write these lines and look at my SMS app on Android, as shown at right, I can see why. Let me explain what you're seeing in this mix of English and Hebrew:
- 2 verification PIN codes for services (I had to factory reset my phone and sign in a lot last week)
- 1 spam message suggesting I take out a loan
- 1 coupon for my birthday (from a book store... definitely going to go)
- 1 request for feedback on a service we used a year ago (?!)
If you're not on an iPhone, where your SMS messages are all mangled with iMessages, then you probably have a similar mixture of "notifications" finding their way to you in the form of SMS.
We're told that this is a growing trend. Probably because SMS is already a graveyard for person-to-person communications.
Companies are using SMS for three types of services these days:
- Security -- either through two-factor authentication (2FA), for signing in to services; or one-time password (OTP), which replaces the need to remember a password for various apps
- Notifications for services -- these would be notifications that you care about or that offer you information, like that request for feedback or maybe that birthday coupon
- Pure spam -- businesses just send you their unsolicited crap trying to get you to sign up for their services
Here's the thing, though. All this, besides the pure spam, is going to leave the archaic SMS system and find a home elsewhere.
Why? Because SMS is too expensive, doesn't hold any context, and isn't long-lived or rich enough. Plus, it's not really bidirectional, and isn't that secure or convenient.
Where would these activities find their new home?
For some time now, Google has been quietly providing the ability for users to verify their Google account sign-ins without the need for those SMS messages. Rather, all Google does is show a mobile prompt. Now it's rolling this out to all of its users.
The reason Google has indicated for this new approach is "an increase in SS7 telephony protocol attacks" (read: SMS isn't really secure).
The result, though, is a better user experience, since there's no need to click stupid digits into an entry box anywhere -- just approve the sign-in when a popup shows up on your device.
This security service works out of the box on Android devices. On iOS devices it requires installation of the Google Search app.
Here's the thing -- mobile operating systems can now replace telcos for 2FA and OTP SMS messages as well, and do it globally.
If this rollout is successful, I'm sure Google will start offering it as a service with a simple API for third parties. And I can't see why Apple won't do that as well for iOS.
Notifications for Services
This great channel of communications for businesses is touted as ubiquitous.
People read their SMS messages. They give them priority over emails or other types of notifications. If you have a mobile phone number, then you can send an SMS to it, so the success rate is really high.
But do people really want this? And is the "conversation" you can strike via SMS rich enough?
I don't think we care anymore.
Two things are at play here:
- Social messaging platforms offer APIs and bots so businesses can hold conversations with users over these platforms. Facebook, Telegram, soon WhatsApp... they are all headed in this direction
- Apple Business Chat, which offers discoverability and conversations between users and businesses across all of Apple's assets on iOS devices. You can contact businesses by finding them on Safari, Spotlight search, Apple Maps, or via Siri -- and then strike a conversation over iMessage
Where does SMS fit in exactly?
Goodbye SMS, It's Time for Us to Move On
Don't be fooled by the growth of 2FA and application-to-person (A2P) type messages over SMS. This will have a short lifespan of a few years. But five to 10 years from now? It will just be a service sitting next to my imaginary fax machine.