2020-11-19

Within its main business, it could seem that authentication revenues would be more resilient.

In my article titled "Twilio Obsolescence", I have already explained why I expect the majority of Twilio's (NYSE:TWLO) business to slowly go obsolete over the next decade. To sum up that thesis, this obsolescence will come because of a widespread replacement of programmatic legacy PSTN (Public Switched Telephone Network) voice and SMS functionality with in-app voice and messaging.

However, there is a second angle that can be explored in more detail. One generator of legacy SMS traffic, and of the associated authentication revenues, for Twilio is 2FA (2-factor authentication), where an SMS is used to deliver an OTP (One-Time Password) to the user. The use of 2-factor authentication has been exploding as a means to improve cybersecurity.

In spite of this favorable trend (exploding usage), here, too, Twilio faces an obsolescence problem. That is the theme of this article.

SMS OTP Vulnerabilities

The use of SMS as an authentication factor has long been known to present significant vulnerabilities (I, II, III, IV). They exist at many levels; the following is a partial list:

The message. An SMS is generated, stored and handed between carriers in plain text. Whatever encryption exists covers only the radio link between handset and tower; there is no end-to-end encryption, so anyone in the delivery path can read the OTP.

The sending system. The OTP is generated by the application (or by its SMS provider) and handed to the carrier network. If that system, or the API credentials it uses, is compromised, the code can be read, or simply generated, at its source.

The receiving device. If the phone receiving the SMS OTP is compromised (malware holding the SMS-read permission, for instance), the code can be read at the receiving end.

The PSTN network nodes and service centers (SMSCs) themselves. If these nodes are compromised, they can be used to eavesdrop on the SMS traffic of a given subscriber. Remember, SMS messages traverse them in plain text.

The very nature of the PSTN signaling network. SS7, the protocol carriers use to route calls and messages between networks, does not meaningfully authenticate signaling messages. An attacker with SS7 access can register a subscriber's number as roaming on a network he controls, and the home carrier will then deliver that subscriber's SMS, OTP included, to him.

SIM cloning. If the secret keys of the subscriber's SIM are extracted, a duplicate SIM receives the same messages.

Social engineering ("SIM swapping"). Telecom employees can be persuaded, or bribed, to move a number onto a SIM the attacker holds, after which every OTP for that number arrives on the attacker's phone.

The Result

Since these vulnerabilities exist, any system that relies on SMS OTP inherits them.

For instance, many well-known, successful attacks simply combined some of the vulnerabilities listed above with "lost password" flows that use the same SMS OTP to (erroneously) issue a new password to whoever holds the phone number. This defeats both layers of security at once: the attacker already controls the second factor through the SMS weaknesses, and the SMS-based password reset then hands him the first factor as well.

As a result, institutions interested in raising their customers' security have for some time been steering users away from SMS OTP. However, since SMS OTP is so practical to implement, for now we have actually seen an increase, not a decrease, in its usage (which favors Twilio).

Still, the security trend is clear. Back in 2016, the NIST (National Institute of Standards and Technology) went as far as deprecating SMS OTP in the public draft of Special Publication 800-63B. That guidance would have led federal agencies to stop relying on SMS OTP. For practical reasons, NIST softened the final (2017) text: instead of deprecating SMS OTP, it made the authenticator "restricted":

As threats evolve, some authenticators become less reliable, so we established the notion of "RESTRICTED" to tag authenticators if they become of concern. We didn't make this up: the NIST cryptography team has been using this approach for some time, and we like to be consistent with other NIST efforts so we don't confuse our stakeholders. Implementing a RESTRICTED authenticator requires the agency to assess, understand, and accept the risk associated with that authenticator. Therefore, the agency needs to:

Offer subscribers at least one alternate authenticator that is not RESTRICTED.

Provide subscribers with meaningful information on the security risks of the RESTRICTED authenticator and availability of alternatives. It's the user's account and personal information, so we believe the user needs to participate in the risk determination process as well.

Include in its risk assessment any additional risk to subscribers.

Develop a migration plan for the possibility that the RESTRICTED authenticator is no longer acceptable at some point in the future.

Currently, authenticators leveraging the public switched telephone network, including phone- and Short Message Service (SMS)-based one-time passwords (OTPs) are restricted. Other authenticator types may be added as additional threats emerge. Note that, among other requirements, even when using phone- and SMS-based OTPs, the agency also has to verify that the OTP is being directed to a phone and not an IP address, such as with VoIP, as these accounts are not typically protected with multi-factor authentication.

The trend is nonetheless clear. NIST, and many other security-minded institutions, would like to get rid of SMS OTP. As alternatives become widespread, SMS OTP will become obsolete. The major players are already working toward this end: Google (NASDAQ:GOOG) (NASDAQ:GOOGL), Apple (AAPL) and Microsoft (MSFT), through Google's Authenticator app (which generates time-based codes locally on the phone, so nothing ever crosses the carrier network), Apple's Secure Enclave and Apple ID, and Microsoft's coming Pluton processor.

How Twilio Sees It

The SMS OTP vulnerabilities are not unknown to Twilio. Twilio's opinion is conveyed in the way it markets its own Authy product, which still supports SMS OTP "but not just" (italics emphasis is mine):

Using SMS for 2FA security has recently been getting a legitimately bad rap, with a significant increase in successful attempts to intercept or redirect the 2FA codes sent via SMS as part of a login. We've addressed these issues (and more) with updates to the Twilio Authy API; making it possible to bypass sending SMS-based 2FA for a more secure, and less costly, authentication. The API now sends enhanced information from devices to allow you to make risk-based decisions for users authenticating to your applications.

Twilio's (Authy's) response is to move away from SMS OTP and provide another technical solution, one that is also "less costly". This is the same problem faced by legacy PSTN voice and SMS: the alternative is not a "telco cost + margin" product. It is a library implementing the function (for instance a time-based OTP generated and checked locally, as authenticator apps already do) or, most likely in the future, a service built into the OS itself.

Here, then, the problem for Twilio is the same as with in-app voice and messaging. Those PSTN businesses are difficult to replicate because they require connecting to nearly two hundred telecoms, each with its own APIs and business practices. Replacing them with a library, and thereby removing the per-message operating cost from your app, is nearly free (beyond the development cost). This in turn erodes Twilio's business. Remember, 77% of Twilio's revenues come from usage-based charges, and that usage overwhelmingly involves connecting to PSTNs (for voice or SMS, and within SMS, SMS OTPs).

Conclusion

It is entirely obvious that the use of SMS OTP as a 2FA (2-factor authentication) tool will go obsolete. The method is already widely recognized as unsafe. In its place, we will see OS-integrated and hardware-integrated solutions, the likes of which are arriving or already in the market.

This is yet another unavoidable headwind for Twilio's main "usage-based" provision of legacy PSTN APIs, where Twilio makes most of its business (around three-fourths).

The current growth, even in the usage of SMS-based authentication, masks this. That growth will eventually prove a mirage, since the underlying service is already known to be obsolete; its expansion right now reflects only how convenient this (rather unsafe) feature is to implement.

In general, this article gives more detail on why most of Twilio's business risks obsolescence. Maybe Twilio will create some other business that isn't exposed to these dynamics, but the overwhelming part of its present (and growing) business is, indeed, exposed. This includes SMS OTP, as I have shown.

Idea Generator is my subscription service. It's based on a unique philosophy (predicting the predictable) and seeks opportunities wherever they might be found, by taking into account both valuation (deeply undervalued situations) and a favorable thesis. Idea Generator has beaten the S&P 500 by around 15% since inception (in May 2015). There is a no-risk, free, 14-day trial available for those wanting to check out the service.

Disclosure: I am/we are short TWLO. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.