Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SMS OTP bans and banking auth: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Regulators in more than 25 markets are moving banks away from SMS one-time passwords because shared, interceptable codes cannot withstand SIM swap, phishing, and device-linked fraud, according to IDlayr’s regulator-by-regulator guide. The shift makes phishing-resistant authentication, not OTP tuning, the new baseline for banking identity assurance.

NHIMG editorial — based on content published by IDlayr: The Global SMS OTP Ban: A Regulator-by-Regulator Guide

By the numbers:

Questions worth separating out

Q: How should banks phase out SMS OTP without breaking customer access?

A: Banks should phase out SMS OTP by starting with the highest-risk journeys, then replacing fallback paths before disabling the legacy factor.

Q: Why does SMS OTP create more risk in banking than many teams assume?

A: SMS OTP creates more risk because it is delivered over a channel the bank does not control and can be intercepted, relayed, or redirected.

Q: What do security teams get wrong about replacing OTP with stronger authentication?

A: Teams often focus on login and forget the surrounding lifecycle.

Practitioner guidance

  • Inventory every SMS OTP dependency Map where SMS OTP is used for login, transaction approval, account changes, and recovery.
  • Prioritise phishing-resistant factors for high-risk flows Move first on card payments, beneficiary changes, first-time device use, and other actions where interception risk creates direct fraud exposure.
  • Redesign recovery before disabling OTP Replace SMS-based fallback paths with stronger identity proofing, step-up methods, or device-bound recovery workflows.

What's in the full article

IDlayr's full article covers the regulatory detail this post intentionally leaves for the source:

  • Primary-source summaries for each regulator, including the exact instruments and deadlines.
  • Market-by-market differences between outright bans, restricted use, and expanded factor options.
  • The specific replacement controls banks are using, including app-based approvals, biometrics, and device binding.
  • Cross-border implications for institutions that need one policy baseline across multiple jurisdictions.

👉 Read IDlayr's regulator-by-regulator guide to the global SMS OTP ban →

SMS OTP bans and banking auth: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

SMS OTP is a channel-trust problem, not a factor-count problem. The industry often describes the issue as a missing second factor, but the real weakness is that the factor travels through infrastructure the bank does not control. That makes interception, relay, and replay the default failure modes rather than edge cases. Practitioners should treat this as a trust-boundary redesign problem, not a preference for one authentication method over another.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when SMS OTP fraud losses rise after a regulatory deadline?

A: Accountability usually shifts toward the institution when regulators have made stronger authentication mandatory or explicitly expected. Where the bank has not migrated off an interceptable factor in time, it is hard to argue that fraud losses were outside its control or governance scope.

👉 Read our full editorial: SMS OTP bans are forcing a reset in banking authentication



   
ReplyQuote
Share: