October 24, 2014

Twitter’s Foray into Authentication: SMS to Replace Passwords


The microblogging service and social network Twitter is now the latest entrant in the race to replace passwords, with a new system called “Digits”. It’s got a hip name and the idea behind Digits seems very promising. Digits authentication is based entirely on cellular access. Your username is your phone number and a real-time, disposable SMS-generated code is your password.

The most interesting thing is that it isn’t just for Twitter — it’s available for any developer that wants Digits authentication in their app. And there is a reason why they will be glad to have it.


“Phone numbers are the primary identity for the fastest growing mobile demographics, including emerging markets, which account for over 70% of the world’s mobile population,” Twitter says. “With Digits, you can build a customized onboarding and sign-in experience for these markets.”
“Onboarding” seems to be new-age developer jargon for getting people to sign up for a particular app. As in: getting users onboard.

The service seems particularly useful in parts of the world that aren’t beholden to the near-ubiquitous tech-giants. In the United States, for example, countless applications will offer users the capacity to sign up for, and later authenticate themselves into a certain app or service by using their Facebook or Twitter or Gmail account identity as their username along with a specific password. Email accounts are obviously the most popular variation. Just take a moment to think about how many online accounts are tied to your email…

But once you move a couple of thousand miles from nearest Tesla charging station and your favourite organic food store at the corner, you realise that it isn’t that common there to use email, Facebook, Twitter and so on. There is huge amount of people who don’t have anything from this list. But what they do have is mobile phone number. Because in many places of the world cellular network is the only option for making call or getting Internet access.

As example of how it works we can look at mobile banking in emerging markets. Africa, particularly the sub-Saharan parts, home to many of the world’s most aggressively emerging markets, rely in part on something of a cashless economy. Payment is dominated by mobile telecoms in Kenya. And people aren’t paying with apps on their smart phones: they’re relying on relatively simple services like M-Pesa, which work on the older variety brick or burner phones. Through M-Pesa, users can transfer money, make payments and even take out withdrawals from local merchants.

The graphic below comes from the Wall Street Journal and is based on World Bank statistics:

Mobile Payment Distribution

This illustrates that simple mobile phone based services are growing in the developing world. It’s hard to say if Twitter’s move was based in part on the M-Pesa economy in places like Kenya, Tanzania, India and South Africa, but I think that reality, that cellular access if relatively cheap and available in emerging markets, bodes well for a service like Digits.

But it isn’t just about emerging markets. The core idea looks interesting for developed countries too. We’re generally skeptical of new ideas to replace passwords, but Digits strikes us as a simple solution to a tough problem, prompting us to wonder why no one has thought of this before?

Twitter Digits Code

And for developers out there, it seems the code required to implement Digits into your app is incredibly simple

I’ve written about heartbeat-based, fingerprint-based, iris-based, smell-based, earlobe-based, electromagnetic tattoo- and pill-based, geolocation-based and who knows how many other forms of biometric and wearable authenticators. They we’re all interesting but they all seemed overly complicated.

“When users forget what they used to sign up for your app — you can lose customers. By using our SMS verification you can minimize both support costs and sign-in failures” – says Twitter

Digits is designed to shift the authentication paradigm away from email and toward mobile number. Perhaps more importantly, Digits offers a seamless replacement for static passwords. It also could help resolve the problem of forgotten passwords.

“When users forget which service they used to sign up for your app — email addresses, usernames, or passwords — you can lose customers,” Twitter argues in its promotional material. “By using our SMS verification in lieu of passwords, you can minimize both support costs and sign-in failures — all while keeping your users happy and your app growing.”

Of course, it can’t be all good news. Digits isn’t particularly helpful in places without a cellular signal. That’s not such a big deal out in the wild, where you probably don’t have Internet access anyway, but it could spell trouble in your parent’s basement.

Another problem is security. Our phones become more and more precious and we have to take care about their protection.