Subscribe to the Non-Human & AI Identity Journal

What should organisations do when SMS OTP is still used for account recovery?

They should restrict SMS OTP to low-risk fallback use and move recovery to stronger proofing methods, such as device-bound verification or in-app approval. Recovery is where attackers most often exploit trust, so the process should require more assurance than ordinary login, not less. The safest design is one that preserves the user’s trusted device state instead of rebuilding trust from a text message.

Why This Matters for Security Teams

account recovery is often the easiest path around strong login controls, which is why SMS OTP should be treated as a constrained fallback rather than a primary trust signal. A recovery flow that leans on text messages can be vulnerable to SIM swap, number recycling, message interception, and social engineering at the carrier or help desk. Guidance from the NIST Cybersecurity Framework 2.0 reinforces that identity and recovery controls should be designed to reduce attack surface, not merely restore access quickly.

The practical issue is that recovery often bypasses the strongest parts of the authentication stack. If the organisation has invested in phishing-resistant login, but recovery still accepts an SMS OTP as sufficient proof, attackers will target the weaker step. That creates a gap between stated assurance and actual operational risk. Security teams should therefore classify recovery as a higher-risk workflow, with stronger checks than everyday sign-in and with clear escalation paths when the user no longer has access to their trusted device. In practice, many security teams encounter account takeover only after recovery abuse has already occurred, rather than through intentional control testing.

How It Works in Practice

Current best practice is to move recovery away from knowledge- or possession-based factors that can be redirected, and toward evidence that is harder to clone or intercept. That usually means preserving an existing trusted device state, requiring in-app approval, using device-bound cryptographic proof, or relying on a previously enrolled authenticator with stronger assurance. Where SMS remains in the design, it should be limited to low-risk fallback use, short-lived, and paired with step-up checks that consider account sensitivity, recent risk signals, and recovery context.

Operationally, this means building recovery as a policy decision, not a single yes-or-no challenge. A sensible recovery workflow will typically:

  • Confirm the request through an enrolled device or app first, before considering SMS.
  • Use risk signals such as geography, velocity, device change, and recent login history.
  • Limit what can be changed during recovery, especially email, phone number, and MFA resets.
  • Delay high-impact actions until additional review or waiting periods are completed.
  • Log recovery events for monitoring, audit, and fraud review.

Control mapping should also reflect the sensitivity of the process. NIST SP 800-53 Rev 5 Security and Privacy Controls is useful here because account recovery touches authentication, access enforcement, auditability, and incident handling. Organisations should translate that into concrete steps such as stronger identity proofing for reset requests, separation of duties for help desk overrides, and tight change management for recovery attributes. These controls tend to break down when help desk staff can override recovery with only a phone number and a sense of urgency because the process then becomes a social engineering target rather than a security control.

Common Variations and Edge Cases

Tighter recovery controls often increase user friction and support cost, requiring organisations to balance account access speed against fraud resistance. That tradeoff is real, especially for consumer services, shared-device environments, and users who frequently change phones or numbers. There is no universal standard for this yet, so current guidance suggests using SMS as a narrow fallback only when stronger recovery options are unavailable.

Edge cases matter. Users who lose both device access and number access need an alternative route that is still resistant to takeover, such as pre-enrolled backup methods, assisted verification with strict approval, or regulated identity proofing for high-value accounts. For regulated sectors, recovery design should also align with broader assurance and fraud controls, especially where account compromise could lead to financial loss or personal data exposure. The main mistake is assuming one recovery method can fit all risk levels. For higher-value accounts, the safer pattern is to preserve device-bound trust wherever possible and reserve SMS only for the least sensitive recovery scenarios.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA Recovery flows must preserve trustworthy identity assurance and access control.
NIST SP 800-53 Rev 5 IA-2 Identity verification and authentication controls govern recovery assurance strength.

Treat account recovery as an access assurance workflow and raise controls when trust is re-established.