Table of Contents
For over a decade, SMS one-time passwords were the default second factor in two-factor authentication. When a service wanted to verify your identity beyond a password, it sent a six-digit code to your phone via text message. Simple, universally accessible, and easy to understand. The problem is that SMS was never designed to be a secure communications channel, and the vulnerabilities that make it insecure have been exploited at scale. Regulators worldwide are now catching up, and the era of SMS OTP as an acceptable authentication factor is ending.
This shift is part of a broader evolution in authentication trends that is pushing the industry toward phishing-resistant credentials.
Why SMS OTP Is Insecure
SIM Swapping
SIM swapping is the most well-known attack against SMS-based authentication. An attacker contacts your mobile carrier (or bribes an employee) and convinces them to transfer your phone number to a new SIM card. Once the transfer is complete, the attacker receives all SMS messages sent to your number – including one-time passwords.
SIM swapping is not rare. The FBI’s Internet Crime Complaint Center reported thousands of SIM swap complaints with losses exceeding $72 million in a single year. High-profile victims have included cryptocurrency investors, technology executives, and journalists. The attack is particularly effective because it requires no technical sophistication on the attacker’s part – just social engineering skills and, in many cases, a corrupt carrier employee.
The rise of deepfake-as-a-service makes SIM swapping even easier. An attacker who can clone your voice may be able to pass carrier voice verification, adding another dimension to an already dangerous attack vector.
SS7 Protocol Vulnerabilities
The Signaling System 7 (SS7) protocol, designed in the 1970s, is the backbone of the global telecommunications network. It was built in an era when the only entities with access to the network were trusted telephone companies. That assumption has not held up.
SS7 vulnerabilities allow an attacker to intercept SMS messages without compromising the target’s phone or SIM card. The attacker exploits flaws in the protocol to redirect messages to their own infrastructure. This has been demonstrated by security researchers and documented in real-world attacks.
Because SS7 is a fundamental protocol that requires global coordination to replace, these vulnerabilities are not easily patched. The telecoms industry has been working on the successor protocol (Diameter, used in 5G networks), but the transition is incomplete, and many messages still traverse SS7 infrastructure.
Malware and SMS Interception
Mobile malware capable of intercepting SMS messages is widely available. Android devices are particularly vulnerable because the platform’s openness allows apps to request SMS read permissions. Malware that intercepts SMS OTP codes and forwards them to an attacker operates in the background, invisible to the user.
Even on iOS, where the security model is more restrictive, iMessage and SMS phishing (smishing) can trick users into revealing OTP codes through social engineering rather than technical interception.
Network-Level Interception
State-level actors and sophisticated criminal organizations can intercept SMS at the network level through legal intercept mechanisms, rogue base stations (IMSI catchers), or compromised network infrastructure. While these attacks are less common for everyday users, they represent a systemic vulnerability in SMS-based authentication that cannot be mitigated by individual users.
The Regulatory Response
NIST Special Publication 800-63B
NIST’s digital identity guidelines first flagged SMS OTP as problematic in 2016, labeling it a “restricted” authentication channel. The guidance has strengthened in subsequent revisions. NIST no longer recommends SMS OTP for sensitive applications and advises organizations to migrate to app-based authenticators, hardware security keys, or passkeys.
This guidance is influential because many regulatory frameworks reference NIST standards. When NIST says SMS OTP is inadequate, regulatory requirements across industries shift accordingly.
Financial Sector Regulations
The European Union’s Payment Services Directive (PSD2) required strong customer authentication for online transactions. While SMS OTP initially met the requirements, subsequent guidance from the European Banking Authority has encouraged migration to more secure methods. Several European banks have already stopped offering SMS OTP, replacing it with app-based authentication.
In Asia, regulators in Singapore (MAS) and India (RBI) have issued guidance discouraging SMS OTP for financial transactions. Singapore’s approach has been particularly aggressive, with regulatory pressure accelerating the adoption of app-based and hardware authentication across the financial sector.
Government Services
Multiple governments are removing SMS OTP from their digital identity systems. The UK’s GOV.UK Verify and Australia’s myGov have moved toward app-based verification. The US federal government’s zero trust strategy explicitly prioritizes phishing-resistant MFA over SMS-based methods.
Industry Standards
The PCI DSS (Payment Card Industry Data Security Standard) has increasingly discouraged SMS OTP. HIPAA guidance for healthcare organizations emphasizes the risks of SMS-based authentication for accessing protected health information. SOC 2 auditors are flagging SMS OTP as a control weakness.
The pattern is clear: across industries and geographies, the regulatory consensus is moving away from SMS OTP.
What Replaces SMS OTP
App-Based TOTP
Time-based one-time passwords (TOTP) generated by authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are a direct upgrade from SMS OTP. The codes are generated on-device using a shared secret, eliminating the network-based vulnerabilities of SMS. TOTP is phishing-resistant only to the extent that users verify they are entering codes on legitimate sites – the codes themselves can still be phished through real-time proxy attacks.
Push Notifications
Authentication apps that use push notifications (Duo, Microsoft Authenticator, Okta Verify) provide a better user experience than TOTP. You receive a prompt on your phone and approve or deny the login attempt. However, push notification fatigue – where users approve prompts reflexively – has been exploited in attacks, leading to the addition of number matching (the user must enter a number shown on the login screen).
Hardware Security Keys
FIDO2 security keys (YubiKey, Titan, SoloKeys) provide phishing-resistant authentication that is immune to all the attack vectors that affect SMS OTP. The key must be physically present and communicates directly with the authenticating service through a cryptographic protocol that verifies the service’s identity. Hardware keys cannot be phished, intercepted, or cloned.
The limitation is convenience and cost. Security keys must be purchased, carried, and managed. Losing a key without a backup creates an account recovery problem. For high-security accounts, the trade-off is worthwhile.
Passkeys
Passkeys represent the convergence of security key technology with platform integration. A passkey provides the same phishing-resistant authentication as a hardware security key, but the key material lives on your device (phone, laptop, tablet) and is protected by biometrics (Face ID, Touch ID, fingerprint). No separate hardware to carry.
Passkey adoption is accelerating because it combines the security of hardware keys with the convenience of biometrics. For most users, passkeys are the natural successor to SMS OTP – providing dramatically better security with less friction, not more.
The Transition Challenge
Universal Accessibility
The strongest argument for SMS OTP has always been accessibility. Every phone – even a basic feature phone – can receive SMS. No app installation required. No special hardware. This universality made SMS OTP the default for reaching the widest possible audience.
Moving away from SMS means accepting that some users will need to install an app or acquire a device. For services that prioritize inclusion (government services, banking, healthcare), this transition must be managed carefully to avoid disenfranchising users who rely on SMS-based verification.
User Behavior Change
Users are accustomed to SMS codes. They understand the flow: enter password, receive text, type code. Changing this flow – even to something simpler, like approving a push notification or using a passkey – requires education and trust-building.
The good news is that biometric authentication (Face ID, Touch ID) has already normalized the concept of verifying identity without typing a code. Users who experience passkey login often prefer it. The challenge is getting them through the initial setup.
What You Should Do
Stop relying on SMS OTP for your most important accounts. Email, financial services, and cloud storage should use app-based TOTP, hardware keys, or passkeys. Check which of your accounts offer these options and migrate now.
Use a password manager that supports TOTP. Many password managers can generate TOTP codes alongside your passwords, consolidating your security into a single tool. PanicVault and other KeePass-compatible apps support TOTP within the KDBX format, keeping your second-factor codes alongside your passwords in an encrypted, portable database.
Enable passkeys where available. Passkeys are the long-term replacement for both passwords and SMS OTP. Adopting them now gives you immediate security benefits and positions you for the post-SMS future.
Keep your phone number private. Your phone number is the key to SMS-based attacks. Minimize where you share it, remove it from data broker databases where possible, and consider a secondary number for public use.
The regulatory ban on SMS OTP is not arbitrary – it reflects a genuine security problem that has been exploited at scale. The alternatives are better in every dimension: more secure, often more convenient, and increasingly well-supported. The transition away from SMS is one of the clearest improvements individuals can make to their security posture.
