At Buffer, security has always been a balance: keeping our customers’ accounts safe while making login as seamless as possible for our global user base.
A few months ago, we made a decision that might sound surprising — we removed SMS-based two-factor authentication (2FA) and moved fully to email-based verification.
It wasn’t a change we took lightly. SMS has long been seen as the standard for 2FA. But over time, the drawbacks began to outweigh the benefits.
Here’s the story of how we got there, what the transition looked like, and what we’ve seen since.
Why we moved away from SMS
SMS-based 2FA has long been considered a security standard, but our team discovered several critical issues that made us reconsider:
Security vulnerabilities were more common than expected
SIM swapping attacks have become increasingly sophisticated, allowing attackers to hijack phone numbers and bypass SMS-based security.
Additionally, SMS messages travel unencrypted through multiple carriers, creating potential interception points.
Costs were scaling unsustainably
Every authentication SMS costs money, and with our growing user base, these seemingly small fees were adding up to hundreds of dollars monthly. International SMS rates made this even more challenging because our global user base.
International regulations and Sender ID requirements
SMS regulations vary dramatically by country, making compliance a constant challenge. Each country has different requirements for Sender IDs (the name that appears as the sender of an SMS), with some requiring pre-registration that can take weeks or months to complete.
For example, Singapore requires business verification documents, India demands a template pre-approval process, and the UAE has strict content restrictions.
Managing these requirements across 100+ countries created an enormous administrative burden that grew with each new regulation.
Additionally, failing to comply with any local regulation could result in messages being blocked, and ultimately customers being unable to log into Buffer.
Third-party dependencies created failure points
We relied on SMS gateway providers that occasionally experienced outages, delivery delays, or rate-limiting issues.
When these services go down, our users can not access their accounts—a critical problem for a tool that powers social media strategies worldwide.
Why email made more sense
When we looked for alternatives, we realized we already had a stronger option: email.
So instead of just removing SMS and calling it a day, we reimagined our authentication flow by incorporating email as another venue.
We implemented time-limited, single-use verification codes sent via email with enhanced security headers and encryption. Our email infrastructure, which we already maintained for notifications and updates, proved more reliable than third-party SMS gateways.
We also added rate limiting and anomaly detection to prevent abuse.
The unexpected benefits of switching to email
The transition delivered improvements beyond our initial expectations:
- Security actually improved. Email accounts typically have more robust security options than phone numbers, including their own 2FA, recovery options, and activity monitoring. Users maintain better control over their email accounts than their phone numbers, which can be transferred without their knowledge.
- Support tickets decreased. We saw a drop in authentication-related support requests. Users no longer struggled with international SMS delivery issues, changed phone numbers, or carrier-specific problems.
- Development velocity increased. Our engineering team no longer needs to maintain integrations with the SMS provider, debug delivery issues across different carriers, or handle country-specific SMS regulations.
How we rolled out the switch
Making this transition required careful planning.
We communicated the change to users well in advance, explaining the security benefits and addressing concerns. We provided detailed migration guides and temporarily supported both methods during the transition period.
For users who strongly preferred SMS, we helped them understand that modern email security, especially with providers like Gmail or Outlook that offer robust protection, provides equal or better security than SMS.
We also enhanced our email delivery infrastructure to ensure reliability, implementing redundant email service providers and monitoring delivery rates closely.
The right choice for Buffer
This decision won’t be right for every company. Services that don’t have users’ email addresses or that serve demographics with limited email access might need different solutions. However, for Buffer — where every user already has an email account associated with their profile — this change aligned perfectly with our needs.
Three months after the transition, the results speak for themselves: a reduction in authentication-related support tickets, and significant monthly savings that we’ve reinvested in product improvements.
Looking ahead
Removing SMS authentication initially felt like swimming against the current, but it forced us to think critically about security theater versus actual security. Sometimes the “standard” solution isn’t the best solution for your specific context.
We’re continuing to explore additional authentication options, including support for hardware security keys. But our email-first approach has proven that simpler can indeed be more secure.
We share these kinds of stories because we know other teams face similar tradeoffs. Have you reconsidered a “standard” security practice recently? We’d love to hear from you on our social media! Find us @buffer everywhere and follow Carlos on LinkedIn here.
