Subscribe to the Non-Human & AI Identity Journal

Why does SMS OTP create more risk than many teams assume?

Because the trust boundary sits in the telecom and messaging path, not in the user’s device alone. Phishing relay, SIM swap, port-out fraud, recycled numbers, and SS7 interception can all break the model without stealing the user’s password. For regulated journeys, that makes SMS OTP a weak assurance factor rather than a stable control.

Why This Matters for Security Teams

SMS OTP is often treated as a convenient second factor, but the security boundary is wider than most teams assume. The trust chain includes the mobile carrier, number porting processes, handset state, and the messaging infrastructure itself. NIST Cybersecurity Framework 2.0 recognises identity assurance as a control problem, yet SMS OTP sits in a path that attackers can manipulate without ever touching the endpoint directly.

That matters because regulated journeys often need more than possession of a phone number. Once a number is recycled, ported, or intercepted, the factor no longer proves the intended person is present. NHIMG research on identity exposure shows why weak identity paths become operational risk, not just authentication inconvenience, and the same pattern appears in service and human identity failures alike in the Ultimate Guide to NHIs — Why NHI Security Matters Now. In practice, many security teams discover SMS OTP weakness only after an account takeover, not through intentional assurance testing.

How It Works in Practice

The main problem is that SMS OTP authenticates access through a communications path that is outside the application’s direct control. An attacker may use phishing relay, SIM swap, port-out fraud, malware on the handset, or telecom-layer interception to receive the one-time code. The password may remain unchanged, which is why teams sometimes misread the event as a “successful MFA” rather than a broken assurance model.

Current guidance suggests treating SMS OTP as a lower-assurance factor, especially where account recovery, money movement, or privileged access is involved. For stronger control, teams usually pair identity proofing with phishing-resistant authenticators such as FIDO2/WebAuthn, device-bound credentials, or step-up checks tied to transaction context. The NIST Cybersecurity Framework 2.0 is useful here because it pushes organisations to align authentication with risk, not convenience. For broader identity risk patterns, see Top 10 NHI Issues, which shows how fragile identity paths become when secrets and recovery channels are over-trusted.

  • Assume the phone number is not a stable possession factor.
  • Review recovery flows, since many attacks bypass login and target reset paths instead.
  • Use SMS OTP only where the business impact of compromise is low.
  • Log and alert on unusual carrier events, number changes, and step-up failures.

These controls tend to break down in consumer-scale environments with weak account recovery and no device binding, because attackers can compromise the recovery path faster than the application can detect the fraud.

Common Variations and Edge Cases

Tighter authentication often increases user friction and support cost, so organisations have to balance assurance against enrolment failure and helpdesk load. That tradeoff becomes sharper for legacy users, low-end devices, and jurisdictions where app-based authenticators are not practical.

There is no universal standard for when SMS OTP is “acceptable,” but current guidance suggests using it only as a fallback, not as the primary factor for sensitive actions. For low-risk notifications, SMS may be tolerable. For regulated transactions, privileged admin access, or high-value account recovery, the safer pattern is to move toward phishing-resistant methods and stronger assurance checks. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks highlights the broader lesson: identity controls fail when organisations confuse reachability with trust.

Edge cases also include shared phones, recycled numbers, roaming users, and organisations that rely on telecoms without visibility into port-out events. In those environments, SMS OTP can appear functional while silently degrading assurance. The safer policy is to define where SMS is disallowed, where it is only a step-up option, and where a stronger factor is mandatory.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-7 SMS OTP is an access assurance issue and must be assessed by authentication strength.
NIST SP 800-63 AAL2 SMS OTP often falls short of phishing-resistant assurance needed for higher-risk use cases.
NIST Zero Trust (SP 800-207) Policy 3 Zero Trust requires continuous risk-based verification rather than trust in a phone number.
OWASP Non-Human Identity Top 10 NHI-01 Weak identity assurance paths mirror NHI trust failures and overreliance on static secrets.
NIST AI RMF GOVERN Risk governance should define where SMS OTP is acceptable versus disallowed.

Reduce reliance on brittle identity factors and enforce stronger credential lifecycle controls.