TL;DR: Regulators in the UAE, Singapore, Malaysia, the Philippines, India, the EU, the United States, Vietnam and Saudi Arabia are moving banking away from SMS OTP, but with different mandates, deadlines and liability shifts, according to IDlayr. The security issue is no longer whether SMS OTP is convenient, but whether organisations can still rely on a channel they do not control.
At a glance
What this is: This is a regulator-by-regulator briefing on the global move away from SMS OTP in banking, with a clear split between outright bans, restricted use and tighter authentication requirements.
Why it matters: It matters because IAM, PAM and fraud teams must align customer authentication, device trust and account recovery controls with jurisdiction-specific rules before legacy OTP flows create compliance and breach exposure.
By the numbers:
- More than 25 regulators worldwide have now moved toward phishing-resistant authentication.
- The State Bank of Vietnam has reported a roughly 50% drop in fraudulent transactions since rollout.
- The UAE requires licensed financial institutions to eliminate SMS- and email-based OTPs by 31 March 2026.
👉 Read IDlayr's regulator-by-regulator guide to SMS OTP restrictions
Context
SMS OTP is a human authentication control, but in banking it now behaves like a weak possession factor because the channel itself can be intercepted or redirected. The article’s core point is that regulators are no longer treating text-based OTP as sufficient for high-risk financial access.
That shift matters for identity programmes because bank login, step-up authentication and account-change flows are governed differently across markets. Institutions need a jurisdiction-aware view of customer authentication, recovery and fraud liability rather than a single global MFA policy.
Key questions
Q: What breaks when SMS OTP is still used for high-risk banking actions?
A: SMS OTP breaks down when an attacker can intercept or redirect the code through SIM swap, phishing or carrier-layer abuse. In high-risk banking actions, that means the factor may still satisfy a login prompt while failing to prove real possession of the intended device. The practical result is account takeover risk, disputed transactions and weaker regulatory defensibility.
Q: Why are regulators moving away from SMS OTP in financial services?
A: Regulators are moving away from SMS OTP because it depends on a channel the institution does not control and it is vulnerable to interception and replay. They are also responding to fraud patterns that exploit weak recovery and step-up flows. The shift reflects a preference for stronger, device-bound authentication that better supports liability and audit requirements.
Q: How do banks know when to replace SMS OTP first?
A: Banks should replace SMS OTP first wherever it authorises money movement, account changes or recovery actions, because those flows carry the highest fraud and liability exposure. Lower-risk verification steps may remain transitional in some jurisdictions, but the priority should be the journeys that create direct financial loss if intercepted.
Q: Who is accountable when SMS OTP fraud occurs under new rules?
A: Accountability depends on the jurisdiction, but the article shows a clear trend toward shifting more responsibility to the institution when OTP-based fraud succeeds. That means policy, control design, customer communication and evidence retention all become part of the accountability chain, not just the authentication method itself.
Technical breakdown
Why SMS OTP fails as a possession factor
SMS OTP depends on a phone number and carrier-delivered message path that the institution does not control. That creates exposure to SIM swap, port-out abuse, SS7 interception, phishing and adversary-in-the-middle attacks, where the attacker captures the code in real time. In identity terms, the factor proves access to a reachable phone path, not reliable possession of the customer’s intended device or session. Regulators are responding because the control breaks at the transport layer, not just at the user behaviour layer.
Practical implication: treat SMS OTP as a transitional control and map every banking flow where it still remains in use.
Why regulators are separating login from transaction approval
A number of regulators are not banning OTP everywhere. They are narrowing where it may appear, often allowing it only for lower-risk steps or non-authorising functions such as confirming a mobile number. This distinction matters because login, step-up approval, payee changes and high-value transfers carry different risk and liability profiles. The direction of travel is toward cryptographic, device-bound and phishing-resistant authentication for actions that move money or change account state.
Practical implication: classify each customer journey by risk tier and remove SMS OTP first from transaction approval and account-change flows.
What device-bound and biometric factors change in practice
Device-bound authentication and biometrics shift trust away from a shared secret toward a stronger binding between the user, the device and the transaction context. That does not eliminate fraud, but it reduces replay, interception and reuse of intercepted credentials. In several markets, regulators are also linking these controls to liability shifts, which means the authentication method becomes both a security and a governance decision. The practical design question is no longer whether OTP works in isolation, but whether the factor survives interception and supports regulatory evidence.
Practical implication: ensure replacement methods can withstand SIM swap, device change and fraud challenge scenarios without breaking customer access.
Threat narrative
Attacker objective: The attacker’s objective is to take over the customer account or authorise fraudulent financial activity using an intercepted or redirected OTP.
- Entry occurs when attackers abuse SMS OTP through SIM swap, phishing, smishing or interception of the verification code.
- Escalation occurs when the stolen OTP is reused to authenticate login, approve a transfer or change account settings.
- Impact follows when the attacker completes financial transactions, account takeover or unauthorised profile changes before the institution detects the fraud.
Breaches seen in the wild
- Meta AI Instagram Account Takeover — 20,225 Instagram accounts hijacked via compromised Meta AI support chatbot with overprivileged access.
- Replit AI Tool Database Deletion — Replit vibe coding AI assistant deletes live production database and creates 4,000 fake user records.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
SMS OTP has become a liability-bearing authentication control, not a neutral convenience. Once regulators shift fraud responsibility back to the institution, the authentication method is no longer just a UX choice. The control has to be judged on interception resistance, account-change safety and evidentiary strength. Practitioners should treat OTP retirement as part of customer-risk governance, not a cosmetic MFA upgrade.
Channel trust, not just factor strength, is the real issue in banking authentication. SMS OTP fails because the bank does not own the transport path, and that path can be redirected without changing the user’s stated identity. The result is a structural mismatch between legacy MFA models and modern fraud tactics. Identity teams should re-evaluate any control that proves reachability instead of durable possession.
Regulators are effectively standardising a transition from shared secrets to device-bound identity proof. Across the article’s markets, the common theme is that the trusted object is moving from a texted code to a cryptographic or device-linked factor that is harder to intercept and easier to audit. That reinforces Zero Trust thinking for customer authentication and pushes banks toward stronger lifecycle control over recovery, enrolment and step-up flows. Practitioners should align architecture to that direction now rather than waiting for local deadlines.
SMS OTP phase-out creates an identity lifecycle problem as much as an authentication problem. Replacement methods introduce new enrolment, device-binding, recovery and exception-handling requirements that must be governed across jurisdictions. The operational challenge is no longer only factor replacement but control consistency across customers, channels and regulatory regimes. Practitioners should build the migration as a governed identity programme, not a series of isolated login changes.
From our research:
- More than 25 regulators worldwide have now moved toward phishing-resistant authentication, according to Ultimate Guide to NHIs.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
- For the lifecycle angle, see Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs for rotation and offboarding patterns that map to authentication migration.
What this signals
Regulatory pressure is turning authentication design into a lifecycle issue. As more markets tighten rules around SMS OTP, banks will need to manage enrolment, device change, recovery and offboarding as a single governed process rather than a login-only control. The operational risk is uneven migration, where one market’s compliant flow becomes another market’s exception.
With 97% of NHIs carrying excessive privileges, according to the Ultimate Guide to NHIs, the broader lesson is that weak trust models tend to persist until governance makes them expensive to keep. Banking authentication is following the same pattern: once liability and fraud evidence become explicit, legacy controls become harder to justify. Teams should prepare for policy fragmentation, not assume a uniform global retirement path.
For practitioners
- Map every OTP-dependent customer journey Inventory login, transaction approval, account recovery and account-change flows by country, product and risk tier so you know where SMS OTP still authorises access or movement of funds.
- Separate proof of login from proof of transaction Use different controls for low-risk authentication and high-risk financial actions, because several regulators allow OTP only for narrow verification purposes and not as an authorisation factor.
- Prioritise device-bound replacements for high-risk flows Move the highest-risk journeys first to device-bound or cryptographic methods that can survive SIM swap, porting and phishing without depending on carrier-delivered codes.
- Align fraud liability, policy and evidence Update governance so authentication policy, customer notifications, dispute handling and regulator evidence all reflect the same control standard across markets.
Key takeaways
- SMS OTP is no longer a reliable default for banking authentication because regulators now treat it as too easy to intercept and too weak for high-risk actions.
- The evidence points to a global transition toward device-bound, cryptographic and biometric methods, but the exact mandate still varies by regulator and use case.
- Identity teams should migrate by journey risk, not by channel preference, and align fraud liability, evidence and recovery controls with each jurisdiction.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while PCI DSS v4.0 define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B | The article centers on authenticator strength and restricted SMS OTP use. |
| NIST CSF 2.0 | PR.AC-1 | Authentication and access control are the article's core governance themes. |
| NIST SP 800-53 Rev 5 | IA-2 | Identity proofing and authentication controls govern the replacement of OTP-based login factors. |
| NIST Zero Trust (SP 800-207) | The article reflects a shift toward stronger trust assumptions in financial access. | |
| PCI DSS v4.0 | Payment and financial transaction controls are directly affected by OTP retirement. |
Review payment authentication flows against PCI-DSS requirements where cardholder data or payment authorisation is involved.
Key terms
- Sms Otp: A one-time password delivered by text message and used as a possession-style second factor. It is widely deployed but increasingly treated as weak for high-risk access because the delivery channel can be intercepted, redirected or replayed outside the bank’s control.
- Device-Bound Authentication: An authentication method that ties proof of possession to a specific device or cryptographic credential rather than a shared secret sent over a separate channel. In regulated banking, it reduces interception risk and creates a stronger evidence trail for authorisation and dispute handling.
- Phishing-Resistant Authentication: Authentication designed so that captured credentials cannot be easily reused by an attacker. In practice, that usually means cryptographic or device-bound methods that resist code theft, adversary-in-the-middle attacks and replay across separate sessions.
- Authentication Lifecycle: The governed set of steps covering enrolment, use, recovery, replacement and offboarding of a credential or factor. For banking, lifecycle management matters because replacing one factor with another also changes liability, evidence and exception handling across jurisdictions.
What's in the full article
IDlayr's full article covers the jurisdiction-by-jurisdiction regulatory detail this post intentionally leaves for the source:
- Primary-source references for each regulator and instrument, including the exact policy wording behind the SMS OTP restrictions.
- Market-specific deadlines and scope notes that separate full bans, partial restrictions and narrower step-up requirements.
- Country-by-country explanations of what counts as an acceptable replacement factor in each jurisdiction.
- Operational notes on how banks are sequencing consumer migration away from SMS OTP without breaking access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2026-06-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org