Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

SMS OTP bans and restrictions: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Regulators in the UAE, Singapore, Malaysia, the Philippines, India, the EU, the United States, Vietnam, and Saudi Arabia are moving banking away from SMS one-time passwords toward phishing-resistant, device-bound authentication, according to IDlayr. The practical consequence is that identity teams must plan for jurisdiction-specific decommissioning of interceptable factors, not treat SMS OTP as a stable second factor.

NHIMG editorial — based on content published by IDlayr: The Global SMS OTP Ban: A Regulator-by-Regulator Guide

By the numbers:

Questions worth separating out

Q: How should security teams phase out SMS OTP without breaking customer access?

A: Start with a jurisdiction map, then migrate the highest-risk flows first.

Q: Why do regulators view SMS OTP as insufficient for banking authentication?

A: Because the code is not truly bound to the user’s trusted device or session.

Q: What operational failures happen when SMS OTP is removed too late?

A: Teams end up running a patchwork of exceptions, customer workarounds, and emergency support paths that are hard to audit and easy to abuse.

Practitioner guidance

  • Inventory every SMS OTP dependency by market Map login, transaction approval, account recovery, and change-of-details flows to the exact jurisdictions that still permit SMS OTP, restrict it, or mandate removal.
  • Replace number-based trust with device-bound authentication Prioritise app-based approval, passkeys, hardware-backed tokens, or biometric methods where the regulator accepts them.
  • Redesign recovery and fallback paths now Build device-loss, number-porting, and customer-support recovery flows that do not fall back to interceptable SMS OTP.

What's in the full article

IDlayr's full article covers the jurisdiction-by-jurisdiction operational detail this post intentionally leaves at the policy level:

  • The exact regulator instruments and deadlines that banks need for country-specific remediation planning.
  • The distinction between outright bans, conditional restriction, and narrow exceptions for OTP use in different markets.
  • The primary-source documents and links that compliance teams can use to verify each jurisdictional requirement.
  • The practical market comparison that helps teams decide which authentication flows to replace first.

👉 Read IDlayr's regulator-by-regulator guide to SMS OTP restrictions →

SMS OTP bans and restrictions: what IAM teams need now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

SMS OTP is no longer a stable possession factor for regulated banking. The regulatory pattern in the article is not a regional anomaly. It is a coordinated recognition that phone-number-based authentication cannot reliably prove the user controls the intended device or the intended session. For IAM programmes, that means SMS OTP is being demoted from trusted second factor to transitional exception.

A few things that frame the scale:

  • 92% of organisations expose NHIs to third parties, raising concerns about supply chain security, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when a bank keeps SMS OTP after regulators restrict it?

A: Accountability sits with the institution’s control owners, risk leaders, and compliance function, because the article makes clear that some regulators also shift liability for fraud linked to weak authentication. The practical question is whether the remaining exception is documented, time-bound, and defensible under the applicable market rule.

👉 Read our full editorial: SMS OTP restrictions are tightening across global banking



   
ReplyQuote
Share: