Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SMS OTP at onboarding: what changes for IAM teams?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Banks are moving SMS OTP out of high-risk authentication across APAC and the Gulf, but the harder operational gap is onboarding, where phone verification, device binding, and recovery still need a stronger control path than a texted code, according to Authsignal. The migration is really about sequencing verification, passkey issuance, and fallback handling without breaking conversion or compliance.

NHIMG editorial — based on content published by Authsignal: Eliminating SMS OTP starts at onboarding

By the numbers:

Questions worth separating out

Q: How should security teams replace SMS OTP in customer onboarding?

A: Security teams should replace SMS OTP in onboarding by separating phone verification from authentication.

Q: Why does SMS OTP create more risk in banking than many teams assume?

A: SMS OTP creates more risk because the code travels over a channel the bank does not control.

Q: What breaks when SMS OTP is removed without a new onboarding flow?

A: What breaks is number verification, device binding, and account recovery.

Practitioner guidance

  • Map SMS usage by identity function Inventory every place SMS OTP is used and separate onboarding phone verification, login, device binding, transaction approval, and recovery.
  • Build a fallback tree before removing SMS Define which users can use Silent Network Authentication, which need WhatsApp or another stronger fallback, and which require assisted verification.
  • Anchor recovery to the original identity proof Replace texted-code recovery with passkey plus liveness or another verified re-binding process so recovery does not reopen the same SMS risk you removed at login.

What's in the full article

Authsignal's full blog covers the operational detail this post intentionally leaves for the source:

  • A step-by-step onboarding sequence showing where Silent Network Authentication fits before passkey issuance.
  • Channel fallback logic for Wi-Fi, roaming, desktop, and unsupported carrier scenarios.
  • Implementation detail on liveness checks, device re-binding, and recovery design.
  • Practical examples of how to phase out SMS OTP across login, step-up, and account recovery.

👉 Read Authsignal's analysis of how to eliminate SMS OTP at onboarding →

SMS OTP at onboarding: what changes for IAM teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

SMS OTP phase-out is an onboarding governance problem, not just a login problem. The article makes clear that the hard operational gap appears before the first successful session, when a bank still has to verify number ownership and bind a customer identity. That shifts the control question from challenge delivery to identity proofing and channel trust. Practitioners should treat onboarding as the primary design point, not an afterthought.

A few things that frame the scale:

  • Six jurisdictions across APAC and the Gulf have moved against SMS OTP, each with different scope and timing, according to LLMjacking: How Attackers Hijack AI Using Compromised NHIs.
  • The same research notes that when AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.

A question worth separating out:

Q: Which framework should banks use when phasing out SMS OTP?

A: Banks should align the migration with NIST SP 800-63 Digital Identity Guidelines and zero-trust thinking for authentication, then map specific banking controls to local regulatory requirements. The practical test is whether the replacement flow is phishing-resistant, device-aware, and usable across real customer channels.

👉 Read our full editorial: Eliminating SMS OTP starts at onboarding



   
ReplyQuote
Share: