TL;DR: SMS-based OTP still feels familiar and cheap, but it was built for message delivery rather than security, and attackers now exploit SIM swapping, social engineering, and telephony routing weaknesses to intercept codes, according to Prove Identity. The shift now is toward device-bound, cryptographic possession factors that reduce interception and replay without reintroducing SMS as a recovery crutch.
NHIMG editorial — based on content published by Prove Identity: Beyond the OTP: Why SMS-Based 2FA Is Failing and What Comes Next
By the numbers:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: What should organisations do when SMS OTP is still used for account recovery?
A: They should restrict SMS OTP to low-risk fallback use and move recovery to stronger proofing methods, such as device-bound verification or in-app approval.
Q: Why do SMS-based 2FA schemes fail in practice?
A: They fail because SMS proves message delivery, not durable possession of the user’s device.
Q: How can identity teams know whether a stronger authenticator is actually working?
A: Look for reduced dependence on SMS fallback, fewer support-driven number changes, lower OTP replay and interception events, and more successful device-bound reauthentication during lifecycle events.
Practitioner guidance
- Replace SMS OTP in high-risk journeys Remove SMS OTP from account recovery, transaction approval, and admin step-up paths where interception or social engineering would create disproportionate impact.
- Harden number-change and port-out workflows Require stronger identity proofing before allowing SIM replacement, number porting, or contact detail updates that could redirect authentication traffic.
- Bind recovery to device and cryptographic state Design re-enrolment and new-device flows so the user returns through trusted device-bound verification, not through the same SMS path that may already be compromised.
What's in the full article
Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:
- A deeper walkthrough of the SIM swap and social engineering attack paths that defeat SMS OTP in real user flows
- Practical design patterns for device-bound and biometric verification that move beyond message-based possession
- Lifecycle guidance for handling new-device enrolment and recovery without reverting to SMS-based fallback
- Examples of how organisations can reduce user friction while tightening authentication assurance across customer journeys
👉 Read Prove Identity's analysis of why SMS-based 2FA is failing →
SMS OTP is breaking down: what should identity teams replace it with?
Explore further
SMS OTP is a trust proxy, not a possession factor. The article is right to separate convenience from security because an OTP delivered over a public messaging path does not prove durable control of a device. That distinction matters for fraud teams and identity architects alike, because a proof mechanism that can be intercepted or redirected is not a stable basis for assurance. Practitioners should redesign step-up authentication around verifiable device binding, not message delivery.
A question worth separating out:
Q: Who is accountable when a carrier or support workflow enables account takeover?
A: Accountability sits with the organisation that chose the assurance model and the exception process, not only with the carrier or the attacker. If the business relies on SMS OTP, it has accepted a weaker trust chain and must govern recovery, fraud detection, and step-up policy accordingly. Regulators and auditors will focus on whether the organisation matched control strength to risk.
👉 Read our full editorial: SMS-based 2FA is failing as fraud exploits OTP trust