TL;DR: SMS-based OTP still feels familiar and cheap, but it was built for message delivery rather than security, and attackers now exploit SIM swapping, social engineering, and telephony routing weaknesses to intercept codes, according to Prove Identity. The shift now is toward device-bound, cryptographic possession factors that reduce interception and replay without reintroducing SMS as a recovery crutch.
At a glance
What this is: This is a Prove Identity analysis of why SMS-based 2FA is no longer a dependable possession factor and what stronger authentication models look like.
Why it matters: It matters because identity teams must move beyond SMS OTP before fraud, carrier abuse, and account recovery flows turn an inexpensive control into a liability for consumer identity, IAM, and fraud programmes.
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
👉 Read Prove Identity's analysis of why SMS-based 2FA is failing
Context
SMS OTP became the default second factor because it was easy to deploy, not because it was designed for high-assurance identity verification. The problem is not a single bug but a mismatch between a delivery channel and a trust decision, which is why authentication teams and fraud teams now have to evaluate SMS as a weak proxy for possession rather than a durable control.
For identity programmes, this is a familiar failure pattern: a control remains in place long after its threat model has changed. The article’s core claim is that modern fraud, carrier-level interception, and user-targeted social engineering have made SMS OTP a brittle dependency, especially where account recovery, step-up authentication, and customer trust all intersect.
Key questions
Q: What should organisations do when SMS OTP is still used for account recovery?
A: They should restrict SMS OTP to low-risk fallback use and move recovery to stronger proofing methods, such as device-bound verification or in-app approval. Recovery is where attackers most often exploit trust, so the process should require more assurance than ordinary login, not less. The safest design is one that preserves the user’s trusted device state instead of rebuilding trust from a text message.
Q: Why do SMS-based 2FA schemes fail in practice?
A: They fail because SMS proves message delivery, not durable possession of the user’s device. That leaves room for SIM swapping, message interception, and social engineering that redirects the code to an attacker. Once the OTP is exposed, the second factor no longer adds meaningful resistance, especially when recovery or step-up workflows still accept the same weak channel.
Q: How can identity teams know whether a stronger authenticator is actually working?
A: Look for reduced dependence on SMS fallback, fewer support-driven number changes, lower OTP replay and interception events, and more successful device-bound reauthentication during lifecycle events. A strong authenticator should improve assurance without increasing exception volume. If users keep falling back to SMS during resets or enrolment, the control is not yet durable.
Q: Who is accountable when a carrier or support workflow enables account takeover?
A: Accountability sits with the organisation that chose the assurance model and the exception process, not only with the carrier or the attacker. If the business relies on SMS OTP, it has accepted a weaker trust chain and must govern recovery, fraud detection, and step-up policy accordingly. Regulators and auditors will focus on whether the organisation matched control strength to risk.
Technical breakdown
Why SMS OTP is a weak possession signal
SMS one-time passwords rely on the assumption that control of a phone number equals control of a trusted device. That assumption is weak because SMS is a delivery protocol, not a secure authenticator, and messages can traverse carrier systems, aggregators, and routing infrastructure before they reach the handset. The risk is structural: interception, SIM replacement, and message forwarding can all preserve the appearance of legitimacy while the attacker controls the receiving path. This is why SMS OTP often survives as a convenience layer, not a true possession factor.
Practical implication: treat SMS OTP as a fallback channel, not a primary proof of identity, for any high-risk or regulated workflow.
How carrier ecosystem abuse turns identity into a routing problem
The article’s carrier-level attack model shows that authentication can fail without the end user doing anything wrong. In a SIM swap, the attacker does not need to break cryptography. They need to manipulate telecom support processes, port the number, and redirect messages to a new SIM. That makes the weak point the trust relationship between the subscriber, the carrier, and the support workflow. Once the number is reassigned, every downstream service that still treats SMS as proof of possession inherits that compromise.
Practical implication: remove phone-number ownership from privileged recovery decisions and require stronger re-verification before number-based changes are accepted.
Why device-bound keys change the authentication model
The article points toward a more deterministic model of possession based on device-bound cryptographic keys and privacy-preserving checks. Unlike SMS codes, these factors are tied to a specific device or secure element, so the proof is not a message sent across an exposed network. The trade-off is lifecycle complexity: device replacement, recovery, and synchronisation can reintroduce weaker channels if not governed tightly. The architectural goal is to bind trust to cryptographic state, not to a transient communication path.
Practical implication: build recovery and re-enrolment flows that preserve device binding instead of silently reverting to SMS OTP when a user changes hardware.
Threat narrative
Attacker objective: The attacker aims to take over the account, approve fraudulent activity, or bypass step-up authentication by controlling the OTP delivery path.
- Entry begins with reconnaissance against a high-value user, often using breached personal data to answer carrier or service support questions.
- Escalation occurs when the attacker socially engineers a carrier or user support workflow to redirect messages or trick the victim into revealing an OTP.
- Impact follows when the attacker uses the intercepted code to complete login, transaction approval, or account takeover without triggering stronger possession checks.
NHI Mgmt Group analysis
SMS OTP is a trust proxy, not a possession factor. The article is right to separate convenience from security because an OTP delivered over a public messaging path does not prove durable control of a device. That distinction matters for fraud teams and identity architects alike, because a proof mechanism that can be intercepted or redirected is not a stable basis for assurance. Practitioners should redesign step-up authentication around verifiable device binding, not message delivery.
The real failure mode is recovery and support, not just code interception. Fraudsters rarely need to defeat the token itself when they can manipulate number-porting, support scripts, or user behaviour. That is the governance lesson for IAM and customer identity programmes: the weakest part of the control chain is often the exception path, especially where account recovery sits outside the core authentication policy. Teams should treat recovery as a privileged workflow with tighter assurance than login.
Device-bound authentication creates stronger assurance, but only if lifecycle controls match it. A cryptographic key tied to a device is more resilient than an SMS code, yet it introduces new governance obligations around replacement, synchronisation, and fallback. The boundary between consumer identity and IAM is especially visible here, because the assurance level of a customer login now depends on how well the organisation manages enrolment, recovery, and exception handling. Practitioners should align authentication policy with lifecycle policy, not treat them as separate problems.
Multi-factor design is shifting from friction management to proof management. The article frames a broader market transition away from “low-friction” security toward passive assurance that survives carrier abuse and social engineering. That shift is meaningful for identity verification teams because the control objective is changing from user convenience with a second step to deterministic evidence of possession. Organisations should expect more pressure to retire SMS-based dependence in regulated, fraud-sensitive, and high-value user journeys.
What this signals
Verification trust gap: SMS OTP sits in the same architectural failure class as weak NHI recovery controls, where a control is trusted for convenience long after its assurance value has eroded. The practical signal for identity teams is that fallback mechanisms now matter as much as the primary authenticator, especially when account recovery can bypass stronger assurance.
The next planning question is how quickly organisations can remove SMS from privileged journeys without creating support failures or lockout spikes. That requires a staged migration plan, stronger lifecycle governance, and clearer separation between low-risk consumer convenience and high-assurance identity decisions. Teams can use the Ultimate Guide to NHIs as a lifecycle benchmark for tightening exception handling, even though the topic here is human authentication.
Fraud-resistant authentication increasingly depends on durable device trust, not one-time code delivery. For programmes that also govern APIs, bots, and service accounts, the lesson is consistent: trust should be bound to something the organisation can verify, track, and revoke across the lifecycle. The same governance discipline that reduces secret exposure also reduces authentication fragility.
For practitioners
- Replace SMS OTP in high-risk journeys Remove SMS OTP from account recovery, transaction approval, and admin step-up paths where interception or social engineering would create disproportionate impact. Keep it only as a constrained fallback while stronger possession factors are deployed.
- Harden number-change and port-out workflows Require stronger identity proofing before allowing SIM replacement, number porting, or contact detail updates that could redirect authentication traffic. Treat these requests as privileged changes rather than routine service actions.
- Bind recovery to device and cryptographic state Design re-enrolment and new-device flows so the user returns through trusted device-bound verification, not through the same SMS path that may already be compromised. The goal is to preserve possession proof across lifecycle events.
- Instrument fraud signals around OTP abuse Monitor repeated OTP requests, unusual call patterns, and rapid account recovery attempts as indicators of social engineering or SMS pumping. Correlate those signals with device, telecom, and session context before approving access.
Key takeaways
- SMS OTP is failing because it proves message delivery, not durable possession of a trusted device.
- Fraudsters exploit carrier workflows, social engineering, and recovery paths more often than they break the code itself.
- Identity teams should shift high-risk journeys to device-bound, cryptographic authentication and treat SMS as a constrained fallback only.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | SMS OTP and authenticator assurance are central to the article’s argument. |
| NIST CSF 2.0 | PR.AA-1 | The article is about improving authentication assurance for identity workflows. |
| NIST SP 800-53 Rev 5 | IA-2 | Authentication controls are directly implicated by SMS OTP weaknesses and recovery abuse. |
| GDPR | Art.32 | Identity verification and fraud controls affect the security of personal data processing. |
Assess whether authentication methods provide security appropriate to the personal data and fraud risk involved.
Key terms
- SMS OTP: SMS OTP is a one-time password sent by text message for authentication. It is a convenience-oriented second factor that can raise the bar above passwords, but it does not by itself prove durable device possession and can be exposed through interception, SIM swapping, or social engineering.
- SIM Swap: A SIM swap is an account takeover technique where an attacker convinces a mobile carrier to move a victim’s phone number to a SIM they control. Once the port succeeds, the attacker receives calls and text messages intended for the victim, including authentication codes and recovery prompts.
- Device-Bound Authentication: Device-bound authentication ties the proof of possession to a specific phone, laptop, or secure hardware element rather than to a message sent over the network. It reduces interception risk and creates a stronger assurance model, but it must be supported by careful enrolment, replacement, and recovery governance.
- Step-Up Authentication: Step-up authentication is the practice of requiring stronger proof when risk increases, such as during payments, recovery, or privileged actions. Its effectiveness depends on the quality of the factor being stepped up to and on the security of the workflows surrounding fallback and exception handling.
What's in the full article
Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:
- A deeper walkthrough of the SIM swap and social engineering attack paths that defeat SMS OTP in real user flows
- Practical design patterns for device-bound and biometric verification that move beyond message-based possession
- Lifecycle guidance for handling new-device enrolment and recovery without reverting to SMS-based fallback
- Examples of how organisations can reduce user friction while tightening authentication assurance across customer journeys
Deepen your knowledge
The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, secrets management, and workload identity with a focus on practical control design. It is designed for practitioners who need to connect identity assurance, lifecycle governance, and operational risk across their programmes.
Published by the NHIMG editorial team on 2025-12-12.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org