By NHI Mgmt Group Editorial TeamPublished 2026-06-11Domain: Governance & RiskSource: Authsignal

TL;DR: Banks are moving SMS OTP out of high-risk authentication across APAC and the Gulf, but the harder operational gap is onboarding, where phone verification, device binding, and recovery still need a stronger control path than a texted code, according to Authsignal. The migration is really about sequencing verification, passkey issuance, and fallback handling without breaking conversion or compliance.


At a glance

What this is: This is an analysis of why banks are phasing out SMS OTP and how onboarding must change when phone verification can no longer depend on texted codes.

Why it matters: It matters because IAM teams need a replacement path for phone verification, customer binding, step-up, and recovery that is stronger than SMS yet still workable across markets and channels.

By the numbers:

👉 Read Authsignal's analysis of how to eliminate SMS OTP at onboarding


Context

SMS OTP is becoming a weak default for banking authentication because regulators are moving away from shared secrets sent over channels the bank does not control. The problem is not only login security. It is also onboarding, where teams still need to prove that a customer controls a phone number before issuing a stronger credential.

That shift changes identity design for consumer IAM and financial services. Banks now need a verification flow that can bind a number, confirm the person, and issue a phishing-resistant credential without relying on the same SMS mechanism they are phasing out.


Key questions

Q: How should security teams replace SMS OTP in customer onboarding?

A: Security teams should replace SMS OTP in onboarding by separating phone verification from authentication. Use carrier-based verification where available, bind the customer to a real device or passkey after identity proofing, and keep a controlled fallback for unsupported channels. The goal is to remove shared-secret dependence without breaking account creation.

Q: Why does SMS OTP create more risk in banking than many teams assume?

A: SMS OTP creates more risk because the code travels over a channel the bank does not control. SIM swaps, phishing, malware, and telecom weaknesses can expose the secret before it is used, so the second factor becomes part of the attack path rather than a reliable barrier.

Q: What breaks when SMS OTP is removed without a new onboarding flow?

A: What breaks is number verification, device binding, and account recovery. If teams remove SMS from login but leave onboarding unchanged, they often discover that the first proof of control still depends on the same channel they no longer trust. That creates a gap between customer creation and secure authentication.

Q: Which framework should banks use when phasing out SMS OTP?

A: Banks should align the migration with NIST SP 800-63 Digital Identity Guidelines and zero-trust thinking for authentication, then map specific banking controls to local regulatory requirements. The practical test is whether the replacement flow is phishing-resistant, device-aware, and usable across real customer channels.


Technical breakdown

Why SMS OTP fails as an authentication control

SMS OTP was never a strong authenticator for high-risk banking flows because the secret travels over infrastructure the bank does not control. SIM-swap fraud, phishing pages, malware, and telecom routing weaknesses all let an attacker intercept or replay the code. Once the code is harvested, the second factor becomes part of the attacker’s path rather than a barrier. That is why regulators now treat SMS as a fallback at most, not a primary control for login, payment approval, device binding, or recovery.

Practical implication: map every flow that still depends on SMS OTP and separate low-risk fallback usage from high-risk authentication.

Silent network authentication and stronger phone verification

Silent Network Authentication verifies number ownership through the carrier network instead of sending a code to the handset. The check happens in the background, usually through mobile app or backend orchestration, and can remove the need for a user-visible message entirely. That matters because it closes off phishing capture and SMS pumping, both of which depend on code delivery. The limitation is coverage. SNA works best when the device is on the cellular network and the carrier path is available, so it needs a fallback architecture rather than a single-path design.

Practical implication: use SNA as the default verification path where carrier coverage allows it, and design alternate routes for Wi-Fi, roaming, and desktop sessions.

Passkeys shift the control point from shared secret to bound credential

Passkeys based on FIDO2 and WebAuthn use public-key cryptography, which means the private key stays on the user device or credential manager and cannot be copied like an OTP. This changes the security model. The bank is no longer asking the user to repeat a shared secret across transactions. Instead, it issues a credential that is origin-bound, harder to phish, and better suited to step-up and recovery workflows. In practice, the strongest designs anchor the phone and person first, then issue the passkey for ongoing use.

Practical implication: treat passkey issuance as the end state of onboarding, not as a bolt-on replacement after SMS has already been weakened.


NHI Mgmt Group analysis

SMS OTP phase-out is an onboarding governance problem, not just a login problem. The article makes clear that the hard operational gap appears before the first successful session, when a bank still has to verify number ownership and bind a customer identity. That shifts the control question from challenge delivery to identity proofing and channel trust. Practitioners should treat onboarding as the primary design point, not an afterthought.

Phone verification by SMS was built for a world where the channel and the authenticator were the same thing. That assumption fails once regulators no longer accept SMS as the main factor and attackers can abuse the same channel through SIM swaps and phishing. The implication is that onboarding flows must separate number verification from authentication instead of pretending one control can do both.

Silent Network Authentication creates a useful concept: channel-separated number verification. The bank still verifies that the number is in use, but the proof comes from the carrier layer rather than a message the customer must read and return. That is a materially different trust model, and it is the right direction for organisations that want to reduce shared-secret dependence without abandoning mobile onboarding.

Passkeys only solve the post-onboarding relationship if the front door is already anchored. A phishing-resistant credential does not fix weak account creation, poor device binding, or brittle recovery design. The strategic mistake is to think of passkeys as a login feature when the real value appears only after the customer has been anchored with stronger identity proofing. IAM teams should sequence the migration accordingly.

SMS OTP removal is accelerating the convergence of IAM, fraud, and customer experience teams. The bank can no longer optimise one control in isolation because onboarding, step-up, device change, and recovery now share the same identity boundary. That means programme ownership has to move from a single authentication team to a broader identity and risk operating model.

From our research:

  • Six jurisdictions across APAC and the Gulf have moved against SMS OTP, each with different scope and timing, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • The same research notes that when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
  • For a broader identity context, see Ultimate Guide to NHIs , The NHI Market for how identity risk changes when credentials become the control surface.

What this signals

Channel-separated verification is becoming the right mental model for consumer identity programmes. Banks can no longer assume that the same mechanism can both prove phone ownership and authenticate the user, especially as SMS OTP exits high-risk flows. Teams that keep those functions collapsed into one control will carry hidden migration risk into recovery and device-change journeys.

The practical signal for IAM leaders is that onboarding is now the security-critical stage of the customer lifecycle. If the front door still depends on texted codes, the programme is already carrying legacy risk into every downstream control decision, from step-up logic to account recovery.

For teams that need a standards anchor, NIST SP 800-63 Digital Identity Guidelines remains the clearest reference point for aligning authenticator strength, federation, and assurance with real-world customer journeys.


For practitioners

  • Map SMS usage by identity function Inventory every place SMS OTP is used and separate onboarding phone verification, login, device binding, transaction approval, and recovery. These are different controls and should not share the same replacement path.
  • Build a fallback tree before removing SMS Define which users can use Silent Network Authentication, which need WhatsApp or another stronger fallback, and which require assisted verification. Route by channel availability, not by habit.
  • Anchor recovery to the original identity proof Replace texted-code recovery with passkey plus liveness or another verified re-binding process so recovery does not reopen the same SMS risk you removed at login.
  • Separate control ownership across IAM and fraud Treat onboarding verification, step-up rules, and recovery as one policy surface across IAM and fraud operations. That prevents gaps where one team decommissions SMS while another still depends on it.

Key takeaways

  • SMS OTP is losing its place as a primary banking control because the channel itself is too easy to abuse.
  • The hardest migration step is onboarding, where phone verification, device binding, and recovery still need a stronger replacement path.
  • Banks that separate number verification from authentication can remove SMS without breaking the customer journey.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BThe article centers on authenticator strength and phishing resistance.
NIST CSF 2.0PR.AC-7The piece focuses on identity proofing and access control at onboarding.
NIST Zero Trust (SP 800-207)The migration shifts banks toward stronger, context-aware verification.

Apply zero trust principles so authentication depends on context, device binding, and continuous risk evaluation.


Key terms

  • Silent Network Authentication: A phone-number verification method that confirms device and SIM association through the carrier network instead of sending a one-time code. It reduces exposure to phishing and SMS pumping because the user does not need to read or return a secret.
  • Passkey: A phishing-resistant credential based on public-key cryptography and usually implemented with FIDO2 and WebAuthn. The private key stays on the user device, which means the service never sees a reusable shared secret like an SMS code.
  • Account Recovery: The identity process used to restore access after a user loses a credential or device. In modern consumer IAM, recovery should reuse the strongest verified identity anchor available, because weak fallback paths often become the easiest account takeover route.

What's in the full article

Authsignal's full blog covers the operational detail this post intentionally leaves for the source:

  • A step-by-step onboarding sequence showing where Silent Network Authentication fits before passkey issuance.
  • Channel fallback logic for Wi-Fi, roaming, desktop, and unsupported carrier scenarios.
  • Implementation detail on liveness checks, device re-binding, and recovery design.
  • Practical examples of how to phase out SMS OTP across login, step-up, and account recovery.

👉 Authsignal's full post covers the onboarding sequence, fallback logic, and passkey migration detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org