SMS 2FA is Broken.
Here's What to Do.

A comprehensive analysis of authentication alternatives for eToro Plus — from TOTP authenticator apps to WebAuthn passkeys.

$48M+

Lost to SIM swap fraud (FBI 2023)

80%

Breaches involve weak credentials

Cost per TOTP authentication

4-6w

Time to ship Phase 1

📚 Documentation Hub

🏗️

System Architecture

High-level diagrams, data flows, infrastructure & security

⚙️

Server SpecKit

NestJS modules, DB schema, API endpoints, user stories

📱

Client SpecKit

React Native components, user flows, biometrics

📡

API Swagger Docs

Interactive OpenAPI 3.0 with examples & cURL

🔑

Passkey Demo

Interactive mockup — registration, login, biometrics & cross-device QR

The Problem

Why SMS-based 2FA is failing eToro users and putting the platform at risk

🔄

SIM Swapping Attacks

Attackers social-engineer carriers to port victim's phone number. All SMS OTPs then go to the attacker. FBI reported $48M+ in losses in 2023 alone — financial accounts are primary targets.

High Risk Active Threat

📡

SS7 Protocol Vulnerabilities

The SS7 telecom protocol (from 1975) has zero authentication. Anyone with network access can intercept SMS in real-time. German researchers demonstrated this on live TV, draining bank accounts.

Unfixable Infrastructure Level

✈️

Fails Internationally

5-30% SMS failure rate when roaming. Users traveling abroad (like being away for 2 weeks) get completely locked out. Local SIMs, eSIM switches, or carrier blocks all break SMS delivery.

User Lockout Support Cost

⚖️

Regulatory Pressure

NIST deprecated SMS 2FA in 2017. PSD2 SCA increasingly views SMS as insufficient. FCA expects "robust" authentication. Regulators are moving away from SMS — eToro should get ahead.

PSD2 FCA NIST

💸

Expensive at Scale

SMS costs $0.01-0.05 per message. At 1M users authenticating twice daily, that's $7-36M per year. TOTP authenticator costs $0. WebAuthn costs $0. The math is clear.

$7-36M/year TOTP = $0

🏪

Competitors Have Moved On

Coinbase, Binance, Interactive Brokers, Wise, and Revolut all offer authenticator app or better. Only Plus500 is still SMS-only. Don't be Plus500.

Competitive Gap

Solutions Comparison

Authentication methods ranked by security, cost, and user experience

Method	Security	Phishing-Proof	Works Offline	Cost/Auth	UX Score	Recommendation
SMS OTP	★★☆☆☆	No	No	$0.01-0.05	★★★☆☆	Deprecate
TOTP Authenticator	★★★☆☆	No	Yes	$0.00	★★★☆☆	★ Phase 1
Push Notification	★★★★☆	Partial	No	$0.001-0.005	★★★★☆	Optional
WebAuthn / Passkeys	★★★★★	Yes	Yes	$0.00	★★★★★	★ Phase 2

Authenticator App Comparison

App	iOS	Android	Desktop	Biometric	Cloud Backup	Open Source	Best For
Google Authenticator	✅	✅	❌	❌	✅	❌	Widest adoption
Microsoft Authenticator	✅	✅	❌	✅	✅	❌	Enterprise / M365
Authy	✅	✅	✅	✅	✅	❌	Multi-device
1Password / Bitwarden	✅	✅	✅	✅	✅	Partial	Convenience
Apple Keychain	✅	❌	macOS	✅	✅	❌	Apple users (zero-install)
Aegis	❌	✅	❌	✅	Manual	✅ GPL-3	Android power users

Standards & Protocols

TOTP (RFC 6238) Recommended Phase 1

Time-based One-Time Password. Shared secret + timestamp generates 6-digit code every 30 seconds. Universal standard — works with ANY authenticator app. Simple to implement with otplib.

WebAuthn / FIDO2 Recommended Phase 2

Public-key cryptography. Device signs challenge with private key that never leaves the device. Phishing-proof (origin-bound), no shared secrets, biometric UX. The future of authentication.

Passkeys (Synced WebAuthn)

WebAuthn credentials synced via iCloud Keychain / Google Password Manager. Replaces BOTH password AND 2FA. Apple, Google, Microsoft all support. 10B+ passkey registrations globally.

Competitor Audit

How other brokers and fintech platforms handle 2FA — click each card to expand

🟢 Coinbase Gold Standard

▼

Methods: Authenticator App (TOTP), Hardware Security Keys (FIDO2/WebAuthn), SMS
Highlights: Actively promotes hardware keys. Shows security level indicator. Provides insurance for hardware key users (Coinbase Vault). Most progressive approach in fintech.
Takeaway: This is the target — eToro should match Coinbase's TOTP + WebAuthn support.

🟢 Binance Most Options

▼

Methods: Authenticator (TOTP), Hardware Keys (YubiKey/FIDO2), SMS, Email, Binance Authenticator (push)
Mandatory: At least one method required
Extras: Anti-phishing code feature, withdrawal whitelist addresses
Takeaway: Most comprehensive — offers every method. Aggressive security posture for crypto.

🟡 Interactive Brokers Enterprise

▼

Methods: IBKR Mobile (push-based), IB Key (proprietary TOTP), Physical security card
Mandatory: Yes, for all trading accounts
Takeaway: Most sophisticated traditional broker. Proprietary but effective. Mandatory 2FA is the right call.

🟡 Revolut Mobile-First

▼

Methods: Biometric (Face ID/Touch ID) as primary, Passcode, In-app approval for web logins
Approach: The app itself IS the second factor — no separate authenticator needed
Takeaway: Elegant mobile-first approach. eToro could adopt similar in-app approval for web sessions.

🟡 Wise Clean

▼

Methods: Authenticator App (TOTP), SMS, Push approval via Wise app
Highlights: Clean implementation, recommends authenticator over SMS
Takeaway: Good baseline — eToro should at minimum match Wise's offering.

🔴 Plus500 Laggard

▼

Methods: SMS OTP only
Status: Behind the curve — no authenticator app, no WebAuthn, no push
Takeaway: This is what eToro should NOT be. Currently, eToro is in the same position as Plus500 on 2FA. Time to change that.

Competitive Position

Platform	TOTP App	WebAuthn	Push	Biometric	SMS	Rating
Coinbase	✅	✅	❌	✅	✅	Leader
Binance	✅	✅	✅	✅	✅	Leader
IBKR	✅	❌	✅	✅	❌	Strong
Revolut	❌	❌	✅	✅	❌	Innovative
Wise	✅	❌	✅	✅	✅	Good
Robinhood	✅	❌	❌	✅	✅	Adequate
eToro (now)	❌	❌	❌	❌	✅	Behind
eToro (proposed)	✅	✅	❌	✅	✅	Leader
Plus500	❌	❌	❌	❌	✅	Laggard

UX Flow — Interactive Mockup

The proposed 2FA setup experience in eToro Plus — click through each step

Step 1 / 7

Open Source Stack

Recommended libraries and platforms for implementation

Recommended Stack (Node.js/TypeScript)

otplib ★ TOTP

~12K GitHub stars · MIT License · Active maintenance

Best TOTP library for Node.js. TypeScript-first, modular architecture. Handles TOTP generation, verification, QR URI generation. Production-ready.

npm install otplib

@simplewebauthn ★ WebAuthn

~5K GitHub stars · MIT License · Active (Auth0 sponsored)

Best WebAuthn/FIDO2 library. Server + Browser packages. TypeScript-first. Supports Deno, Cloudflare Workers. Comprehensive docs.

npm install @simplewebauthn/server

Alternative Stacks

Language	TOTP Library	Stars	WebAuthn Library	Stars	Status
Node.js	otplib	~12K	@simplewebauthn	~5K	★ Recommended
Java	java-totp	~700	webauthn4j	~400	Good
Python	pyotp	~3K	python-fido2	~800	Good
Go	pquerna/otp	~2K	go-webauthn	~1.2K	Good

Full IAM Platforms (Open Source)

Platform	Stars	Language	TOTP	WebAuthn	Notes
Keycloak	~24K	Java	✅	✅	Red Hat backed. Full IAM. Heavy but complete.
Authelia	~22K	Go	✅	✅	Lightweight auth proxy. Great for reverse-proxy.
Authentik	~14K	Python	✅	✅	Modern. Beautiful admin UI. Growing fast.
Ory Kratos	~13K	Go	✅	✅	Cloud-native, API-first. Ory Cloud SaaS option.

Build vs Buy

Option	Cost (Year 1)	Cost (Ongoing/yr)	Time to Ship	Control	Verdict
Build (OSS libs)	$50-80K dev	~$0 + maintenance	4-6 weeks	Full	★ Recommended
Auth0 (Okta)	$2-5M	$2-5M	2-4 weeks	Limited	Too expensive
Twilio Verify	$36M+	$36M+	1-2 weeks	Moderate	Way too expensive
OneSpan	Custom	Custom	8-12 weeks	Low	Overkill

Implementation Plan

Phased rollout from TOTP to passwordless

Phase 1: TOTP Authenticator Support

Weeks 1-6 · Q1 2026 · 2 backend + 1 frontend + 1 mobile

TOTP setup/verify flow, backup codes (10 single-use), trusted devices ("remember 30 days"), recovery flow, SMS deprecation label. Covers 95% of the security gap. Works with Google Authenticator, Microsoft Authenticator, Authy, Apple Keychain, 1Password, or any TOTP app.

Phase 1.5: Migration & Adoption

Ongoing · Q1-Q2 2026 · Product + Marketing

Soft migration: Prompt SMS users to upgrade. Security score nudge. Require authenticator for high-value withdrawals. Progressive enforcement based on account balance. Target: 50%+ adoption in 3 months.

Phase 2: WebAuthn / Passkeys

Weeks 7-14 · Q2-Q3 2026 · 2 backend + 1 frontend + 1 mobile

Phishing-proof authentication. Support platform authenticators (Touch ID, Face ID, Windows Hello) and roaming authenticators (YubiKey). Multiple authenticators per user. Passkey sync via iCloud/Google.

Phase 3: Passwordless Login

Q4 2026 - 2027 · Full squad

"Sign in with passkey" — no password needed. Email magic link alternative. Password becomes optional. Requires regulatory review for FCA/CySEC compliance. Positions eToro as authentication leader.

Migration Strategy (SMS → Authenticator)

Timeline	Action	SMS Status
Month 1	Launch authenticator as option. Label SMS as "⚠️ Less secure"	Available
Month 2-3	Active nudge on every login. Email campaign. In-app notifications	Available (discouraged)
Month 4-6	Require authenticator for withdrawals >$X. Security score incentive	Limited
Month 6-12	No SMS for new 2FA setups. Existing users warned of deprecation	Legacy only
Month 12+	SMS removed as 2FA method. Kept only for account recovery	Recovery only

Cost Analysis

Annual authentication cost comparison at 1M users, 2 authentications per day

SMS OTP

$7.3M - $36.5M / year

Push (Twilio)

$3.6M

Auth0 MFA

$2-5M

Build (OSS)

$50-80K (one-time)

TOTP / WebAuthn

$0 per auth

5-Year Total Cost of Ownership

Approach	Year 1	Year 2-5	5-Year Total
SMS (current)	$7-36M	$28-146M	$35-182M
Auth0	$2-5M	$8-20M	$10-25M
Build with OSS ★	$80K	$200K (maint)	$280K

💰 Bottom Line

Building TOTP + WebAuthn in-house with open-source libraries saves $35-182M over 5 years compared to continuing with SMS, and $10-25M compared to Auth0. The one-time investment of $50-80K pays for itself in the first week of operation.

eToro Plus

SMS 2FA is Broken.Here's What to Do.