By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: AuthsignalPublished October 5, 2025

TL;DR: India and the UAE are moving away from SMS OTP as a primary authentication method, with India mandating two-factor transaction checks from April 2026 and the UAE requiring a full phase-out by March 2026, according to Authsignal. The shift reflects a broader move toward phishing-resistant authentication that reduces interception and SIM-swap exposure.


At a glance

What this is: India and the UAE are reducing or eliminating SMS OTP because it no longer meets current fraud and interception risk expectations.

Why it matters: Identity teams should treat SMS OTP decline as a signal to accelerate phishing-resistant authentication, update step-up flows, and rework fallback paths for human identity programmes.

By the numbers:

👉 Read Authsignal's analysis of SMS OTP phase-outs in India and the UAE


Context

SMS OTP is a human authentication method, but it increasingly behaves like a weak shared secret when the delivery channel can be intercepted, swapped, or spoofed. In payments and banking, that creates a governance problem for IAM teams because the factor is familiar to users but structurally brittle under modern fraud pressure.

The article describes a regulatory move in India and the UAE away from SMS OTP toward stronger, phishing-resistant alternatives. For identity programmes, the key issue is not whether SMS can still function, but whether it should remain a primary factor in customer authentication, recovery, and step-up flows.


Key questions

Q: How should security teams phase out SMS OTP without breaking customer access?

A: Start by separating login, recovery, and transaction approval. Replace SMS first in the highest-risk journeys, then keep a tightly governed fallback for edge cases. Make sure customer support, fraud, and IAM teams share the same exception policy so legacy OTP does not reappear through the back door.

Q: Why does SMS OTP create more risk in banking and payments than many teams assume?

A: Because the trust boundary sits outside the application. A phone number can be moved, spoofed, or intercepted without the bank's knowledge, so the code does not reliably prove possession of the device. That makes SMS OTP weak against SIM swapping, phishing, and message interception.

Q: What breaks when SMS OTP remains the fallback after stronger authentication is deployed?

A: The programme looks modern at the front door but stays vulnerable in recovery and exception paths. Attackers often target the weakest supported route, so if SMS still approves resets or step-up requests, it remains the easiest way to complete account takeover or fraud.

Q: Who is accountable when regulators require stronger authentication than SMS OTP?

A: IAM, fraud, digital product, and risk leaders share accountability because the control spans customer experience and financial loss prevention. In regulated environments, the organisation must show that weaker channels were reduced, monitored, or retired in line with policy and supervisory expectations.


Technical breakdown

Why SMS OTP fails as a possession factor

SMS OTP depends on control of a phone number, but phone-number control is not the same as device possession. SIM swapping, SS7 interception, message spoofing, and plain-text transport all weaken the trust boundary. Once an attacker can reroute messages or read them in transit, the OTP stops being a reliable second factor and becomes a reusable bearer secret. In banking, that means the channel itself is part of the attack surface, not a neutral delivery mechanism.

Practical implication: treat SMS OTP as a legacy fallback, not a primary control for high-risk transactions.

How passkeys and in-app approvals change identity assurance

Passkeys shift authentication from shared, interceptable codes to cryptographic key pairs tied to a device and user verification method. In-app approvals keep verification inside the banking application, where risk signals, biometrics, and transaction context can be evaluated together. This reduces exposure to message interception and phishing because the user is not copying a one-time code from an external channel. The assurance model becomes bound to a device and an origin, not to a text message.

Practical implication: prioritise phishing-resistant methods for payments, account recovery, and high-value step-up requests.

Why risk-based authentication matters during OTP migration

When organisations phase out SMS OTP, they still need a fallback model for users, device loss, and anomalous sessions. Risk-based authentication uses signals such as device reputation, location, and behaviour to decide whether to approve, step up, or redirect the transaction. That matters because authentication is not only about initial login. It also governs transaction authorisation, which is where fraud control often breaks down if policies are too static.

Practical implication: design migration paths that keep risk-based step-up available while removing SMS from critical journeys.


NHI Mgmt Group analysis

SMS OTP created a channel trust problem, not just a user experience problem. The control assumes the phone-number delivery path is trustworthy enough to carry an authentication factor, but modern fraud techniques break that assumption routinely. Once the number can be swapped, spoofed, or intercepted, the factor no longer proves user possession in any meaningful way. Practitioners should stop treating delivery convenience as evidence of security maturity.

Phishing-resistant authentication is now a governance requirement for high-risk customer journeys. Passkeys, hardware tokens, and in-app approvals all reduce dependence on interceptable channels and improve resistance to social engineering. This aligns with NIST SP 800-63 Digital Identity Guidelines and the broader move toward stronger verifier binding. Teams should reclassify SMS OTP as a transitional control rather than a destination state.

Authentication recovery is the hidden weak point in most SMS-dependent programmes. Organisations often improve sign-in while leaving reset, fallback, and exception flows tied to the same compromised channel. That creates a loop where stronger front-door controls coexist with weak back-door access paths. IAM teams should evaluate recovery and step-up journeys with the same scrutiny as primary login.

Different markets are reaching the same conclusion for different reasons. India is forcing diversity in transaction verification, while the UAE is eliminating SMS and email OTP altogether. The common signal is that regulators now see OTP channel dependency as a systemic fraud enabler, not a minor implementation choice. Practitioners should expect similar pressure to spread across other regulated identity environments.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means hidden access remains a persistent governance blind spot.
  • For the lifecycle angle, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for rotation, revocation, and offboarding patterns that map cleanly to identity control maturity.

What this signals

SMS OTP migration is part of a wider move toward channel-bound identity assurance. Human identity programmes now need to treat the delivery path as a controllable risk surface, not just a convenience layer. Teams that still depend on text-based verification should review their fallback logic before regulators or fraud trends force the change.

Friction will shift, not disappear. Replacing OTP with passkeys, biometrics, or in-app approvals changes where the user experiences security friction, but it also improves assurance where it matters most. For identity leaders, the programme question is whether exceptions, recovery, and support flows have been redesigned to match the new control model.


For practitioners

  • Map every SMS OTP dependency Inventory where SMS still appears in login, step-up, recovery, transaction approval, and exception handling. Replace each dependency with a ranked alternative path so product teams know what to remove first and what can remain only as fallback.
  • Prioritise phishing-resistant authentication for high-risk flows Move passkeys, device-bound tokens, or in-app approvals into payment authorisation and account recovery before less critical user journeys. Keep SMS only where a temporary transition path is unavoidable.
  • Redesign recovery before decommissioning OTP Review password reset, SIM-change, device-loss, and account takeover recovery journeys separately from sign-in. If recovery still depends on SMS, the migration is incomplete even if primary login has changed.
  • Tune risk-based step-up around transaction context Use device, location, behaviour, and amount thresholds to decide when to require stronger verification. Document which decisions should route to biometrics, app approval, or manual review instead of falling back to text messages.

Key takeaways

  • SMS OTP is losing credibility because its delivery channel can be intercepted, swapped, or spoofed too easily for modern fraud conditions.
  • The scale of the problem is already visible in payment fraud, account takeover, and regulatory phase-outs across multiple markets.
  • Identity teams should move high-risk journeys to phishing-resistant authentication and rework recovery paths before removing SMS from production flows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-53 Rev 5 set the technical controls, while ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63BThe article centres on replacing weak OTP-based authentication with stronger factors.
NIST CSF 2.0PR.AA-01Authentication assurance and verifier strength are central to the migration away from SMS OTP.
NIST Zero Trust (SP 800-207)Zero Trust supports continuous verification instead of reliance on a single weak channel.
NIST SP 800-53 Rev 5IA-2Authentication and identifier management are directly implicated by OTP replacement.
ISO/IEC 27001:2022A.8.5Authentication information management is relevant where organisations retire SMS OTP.

Align stronger authentication choices with Annex A authentication requirements and recovery governance.


Key terms

  • Sms One-Time Password: A one-time code delivered through the mobile network to prove possession of a phone number. It is convenient but weak when the delivery channel can be intercepted, spoofed, or redirected, which is why it no longer provides strong assurance for high-risk identity actions.
  • Phishing-Resistant Authentication: An authentication method that cannot be replayed or copied easily by an attacker during a phishing flow. Passkeys and hardware-backed authenticators are common examples because the proof is cryptographically bound to the legitimate origin and the user's device, not typed into a text field.
  • Risk-Based Authentication: A decision model that changes authentication requirements based on device, location, behaviour, or transaction context. It lets security teams step up, approve, or deny access dynamically, which is especially useful when replacing a single static factor with a tiered control strategy.
  • Account Recovery: The set of processes used to restore access after password loss, device change, or suspicious activity. In practice, recovery is often the weakest part of an identity programme because attackers target fallback channels and exception handling rather than primary login flows.

What's in the full article

Authsignal's full article covers the operational detail this post intentionally leaves for the source:

  • Country-by-country implementation specifics for India, the UAE, Singapore, Malaysia, and the Philippines
  • The exact authentication alternatives banks are using, including biometrics, soft tokens, and in-app approvals
  • The fraud and cost figures behind each regional policy shift
  • The practical trade-offs between WhatsApp OTP, SMS OTP, and stronger phishing-resistant methods

👉 The full Authsignal article covers the regional policy details, fraud drivers, and alternative authentication methods.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org