SMS 2FA is Broken.
Here's What to Do.
A comprehensive analysis of authentication alternatives for eToro Plus: from TOTP authenticator apps to WebAuthn passkeys.
Documentation Hub
System Architecture
High-level diagrams, data flows, infrastructure & security
Server SpecKit
NestJS modules, DB schema, API endpoints, user stories
Client SpecKit
React Native components, user flows, biometrics
API Swagger Docs
Interactive OpenAPI 3.0 with examples & cURL
Passkey Demo
Interactive mockup: registration, login, biometrics & cross-device QR
The Problem
Why SMS-based 2FA is failing eToro users and putting the platform at risk
SIM Swapping Attacks
Attackers social-engineer carriers into porting the victim's phone number; every SMS OTP then goes to the attacker. The FBI reported $48M+ in losses in 2023 alone, and financial accounts are the primary targets.
SS7 Protocol Vulnerabilities
The SS7 telecom protocol (designed in 1975) has zero authentication. Anyone with network access can intercept SMS in real time. German researchers demonstrated this on live TV, draining bank accounts.
Fails Internationally
5-30% SMS failure rate when roaming. Users traveling abroad (for example, away for 2 weeks) get completely locked out. Local SIMs, eSIM switches, and carrier blocks all break SMS delivery.
Regulatory Pressure
NIST deprecated SMS 2FA in 2017. PSD2 SCA increasingly views SMS as insufficient. The FCA expects "robust" authentication. Regulators are moving away from SMS; eToro should get ahead of them.
Expensive at Scale
SMS costs $0.01-0.05 per message. At 1M users authenticating twice daily, that's $7-36M per year. TOTP authenticator costs $0. WebAuthn costs $0. The math is clear.
Competitors Have Moved On
Coinbase, Binance, Interactive Brokers, Wise, and Revolut all offer an authenticator app or better. Only Plus500 is still SMS-only. Don't be Plus500.
Solutions Comparison
Authentication methods ranked by security, cost, and user experience
| Method | Security | Phishing-Proof | Works Offline | Cost/Auth | UX Score | Recommendation |
|---|---|---|---|---|---|---|
| SMS OTP | ★★☆☆☆ | No | No | $0.01-0.05 | ★★★☆☆ | Deprecate |
| TOTP Authenticator | ★★★☆☆ | No | Yes | $0.00 | ★★★☆☆ | ✓ Phase 1 |
| Push Notification | ★★★★★ | Partial | No | $0.001-0.005 | ★★★★★ | Optional |
| WebAuthn / Passkeys | ★★★★★ | Yes | Yes | $0.00 | ★★★★★ | ✓ Phase 2 |
Authenticator App Comparison
| App | iOS | Android | Desktop | Biometric | Cloud Backup | Open Source | Best For |
|---|---|---|---|---|---|---|---|
| Google Authenticator | โ | โ | โ | โ | โ | โ | Widest adoption |
| Microsoft Authenticator | โ | โ | โ | โ | โ | โ | Enterprise / M365 |
| Authy | โ | โ | โ | โ | โ | โ | Multi-device |
| 1Password / Bitwarden | โ | โ | โ | โ | โ | Partial | Convenience |
| Apple Keychain | โ | โ | macOS | โ | โ | โ | Apple users (zero-install) |
| Aegis | โ | โ | โ | โ | Manual | ✓ GPL-3 | Android power users |
Standards & Protocols
TOTP (RFC 6238) Recommended Phase 1
Time-based One-Time Password: a shared secret plus the current timestamp generates a 6-digit code every 30 seconds. Universal standard that works with any authenticator app. Simple to implement with otplib.
WebAuthn / FIDO2 Recommended Phase 2
Public-key cryptography: the device signs a challenge with a private key that never leaves the device. Phishing-proof (origin-bound), no shared secrets, biometric UX. The future of authentication.
Passkeys (Synced WebAuthn)
WebAuthn credentials synced via iCloud Keychain / Google Password Manager. Replaces BOTH the password AND 2FA. Apple, Google, and Microsoft all support them. 10B+ passkey registrations globally.
Competitor Audit
How other brokers and fintech platforms handle 2FA
Competitive Position
| Platform | TOTP App | WebAuthn | Push | Biometric | SMS | Rating |
|---|---|---|---|---|---|---|
| Coinbase | โ | โ | โ | โ | โ | Leader |
| Binance | โ | โ | โ | โ | โ | Leader |
| IBKR | โ | โ | โ | โ | โ | Strong |
| Revolut | โ | โ | โ | โ | โ | Innovative |
| Wise | โ | โ | โ | โ | โ | Good |
| Robinhood | โ | โ | โ | โ | โ | Adequate |
| eToro (now) | โ | โ | โ | โ | โ | Behind |
| eToro (proposed) | โ | โ | โ | โ | โ | Leader |
| Plus500 | โ | โ | โ | โ | โ | Laggard |
UX Flow: Interactive Mockup
The proposed 2FA setup experience in eToro Plus
Open Source Stack
Recommended libraries and platforms for implementation
Recommended Stack (Node.js/TypeScript)
otplib: TOTP
~12K GitHub stars · MIT License · Active maintenance
Best TOTP library for Node.js. TypeScript-first, modular architecture. Handles TOTP generation, verification, and QR URI generation. Production-ready.
npm install otplib
@simplewebauthn: WebAuthn
~5K GitHub stars · MIT License · Active (Auth0 sponsored)
Best WebAuthn/FIDO2 library. Server + Browser packages. TypeScript-first. Supports Deno and Cloudflare Workers. Comprehensive docs.
npm install @simplewebauthn/server
Alternative Stacks
| Language | TOTP Library | Stars | WebAuthn Library | Stars | Status |
|---|---|---|---|---|---|
| Node.js | otplib | ~12K | @simplewebauthn | ~5K | ✓ Recommended |
| Java | java-totp | ~700 | webauthn4j | ~400 | Good |
| Python | pyotp | ~3K | python-fido2 | ~800 | Good |
| Go | pquerna/otp | ~2K | go-webauthn | ~1.2K | Good |
Full IAM Platforms (Open Source)
| Platform | Stars | Language | TOTP | WebAuthn | Notes |
|---|---|---|---|---|---|
| Keycloak | ~24K | Java | ✓ | ✓ | Red Hat backed. Full IAM. Heavy but complete. |
| Authelia | ~22K | Go | ✓ | ✓ | Lightweight auth proxy. Great for reverse-proxy setups. |
| Authentik | ~14K | Python | ✓ | ✓ | Modern. Beautiful admin UI. Growing fast. |
| Ory Kratos | ~13K | Go | ✓ | ✓ | Cloud-native, API-first. Ory Cloud SaaS option. |
Build vs Buy
| Option | Cost (Year 1) | Cost (Ongoing/yr) | Time to Ship | Control | Verdict |
|---|---|---|---|---|---|
| Build (OSS libs) | $50-80K dev | ~$0 + maintenance | 4-6 weeks | Full | ✓ Recommended |
| Auth0 (Okta) | $2-5M | $2-5M | 2-4 weeks | Limited | Too expensive |
| Twilio Verify | $36M+ | $36M+ | 1-2 weeks | Moderate | Way too expensive |
| OneSpan | Custom | Custom | 8-12 weeks | Low | Overkill |
Implementation Plan
Phased rollout from TOTP to passwordless
Phase 1: TOTP Authenticator Support
TOTP setup/verify flow, backup codes (10 single-use), trusted devices ("remember 30 days"), recovery flow, SMS deprecation label. Covers 95% of the security gap. Works with Google Authenticator, Microsoft Authenticator, Authy, Apple Keychain, 1Password, or any TOTP app.
Phase 1.5: Migration & Adoption
Soft migration: Prompt SMS users to upgrade. Security score nudge. Require authenticator for high-value withdrawals. Progressive enforcement based on account balance. Target: 50%+ adoption in 3 months.
Phase 2: WebAuthn / Passkeys
Phishing-proof authentication. Support platform authenticators (Touch ID, Face ID, Windows Hello) and roaming authenticators (YubiKey). Multiple authenticators per user. Passkey sync via iCloud/Google.
Phase 3: Passwordless Login
"Sign in with passkey": no password needed. Email magic link alternative. Password becomes optional. Requires regulatory review for FCA/CySEC compliance. Positions eToro as an authentication leader.
Migration Strategy (SMS → Authenticator)
| Timeline | Action | SMS Status |
|---|---|---|
| Month 1 | Launch authenticator as option. Label SMS as "⚠️ Less secure" | Available |
| Month 2-3 | Active nudge on every login. Email campaign. In-app notifications | Available (discouraged) |
| Month 4-6 | Require authenticator for withdrawals >$X. Security score incentive | Limited |
| Month 6-12 | No SMS for new 2FA setups. Existing users warned of deprecation | Legacy only |
| Month 12+ | SMS removed as 2FA method. Kept only for account recovery | Recovery only |
Cost Analysis
Annual authentication cost comparison at 1M users, 2 authentications per day
5-Year Total Cost of Ownership
| Approach | Year 1 | Year 2-5 | 5-Year Total |
|---|---|---|---|
| SMS (current) | $7-36M | $28-146M | $35-182M |
| Auth0 | $2-5M | $8-20M | $10-25M |
| Build with OSS ✓ | $80K | $200K (maint) | $280K |
Bottom Line
Building TOTP + WebAuthn in-house with open-source libraries saves $35-182M over 5 years compared to continuing with SMS, and $10-25M compared to Auth0. The one-time investment of $50-80K pays for itself in the first week of operation.