Organisations should stop using SMS as soon as an account can affect customer data, internal systems, privileged operations, or regulated workflows. SMS may still be acceptable as a temporary fallback for low-risk access, but it should not be the default second factor where phishing, recovery abuse, or SIM swap would matter.
Why This Matters for Security Teams
SMS is a convenience control, not a strong assurance factor, and that gap becomes material the moment an account can change data, trigger payments, reach admin consoles, or initiate recovery. NIST guidance treats SMS as vulnerable to interception, redirection, and social engineering, which is why stronger authenticators are preferred for higher-risk access. The practical question is not whether SMS can work, but whether the blast radius of compromise is acceptable.
This is especially important where account recovery is weak, because attackers often bypass the login flow entirely by targeting the phone number, support desk, or carrier process. The risk profile also rises when organisations use SMS for privileged access, regulated workflows, or anything tied to customer trust. The NIST Cybersecurity Framework 2.0 reinforces that identity controls should be aligned to business impact, not convenience alone. NHI Mgmt Group’s Ultimate Guide to NHIs shows how often weak identity practices become incident multipliers once credentials or recovery paths are exposed.
In practice, many security teams discover SMS weakness only after a recovery abuse, SIM swap, or takeover has already occurred, rather than through intentional phase-out planning.
How It Works in Practice
The right stopping point is risk-based: phase out SMS first wherever an authenticated session can expose sensitive data, alter records, invoke APIs, administer infrastructure, or approve financial or regulated activity. For those use cases, current guidance suggests moving to phishing-resistant authentication such as FIDO2/WebAuthn, device-bound authenticators, or other stronger controls that are less exposed to interception and replay.
A practical migration path usually has four parts:
- Classify applications by impact, then remove SMS from high-impact journeys first.
- Preserve SMS only as a temporary fallback, and restrict that fallback to low-risk access with additional checks.
- Harden recovery flows with help-desk verification, step-up authentication, and audit logging so recovery is not the weakest link.
- Track exceptions separately so the organisation can see where SMS still creates residual risk.
For identity teams, the key issue is not just initial login but the full account lifecycle. If an attacker can reset a password, intercept a one-time code, or persuade support to rebind a phone number, SMS creates a recoverable path into the account. That is why NHI Mgmt Group’s Ultimate Guide to NHIs is relevant here: identity risk grows when credentials or recovery mechanisms are easy to substitute, persist too long, or remain broadly trusted. The NIST Cybersecurity Framework 2.0 supports this kind of control tuning by linking identity strength to the impact of the asset being protected.
These controls tend to break down when legacy applications, outsourced support desks, or telecom-dependent recovery processes cannot support phishing-resistant alternatives without business disruption.
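The four-part migration path and the recovery caveat above can be expressed as one risk-based policy check. The following is an added illustration, not code from NHI Mgmt Group or from any standard: the authenticator ranking, tier thresholds, application names and exception windows are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Assumed authenticator ranking (higher is stronger) and minimum strength per tier.
STRENGTH = {"sms": 1, "totp": 2, "device_bound": 3, "fido2": 4}
REQUIRED = {"low": 1, "medium": 2, "high": 3, "privileged": 4}

@dataclass
class AuthPolicy:
    exceptions: dict = field(default_factory=dict)  # app -> (expiry, reason)
    audit: list = field(default_factory=list)       # one record per decision

    def grant_exception(self, app, days, reason, now):
        """Register a tracked, time-limited SMS fallback for one application."""
        self.exceptions[app] = (now + timedelta(days=days), reason)

    def decide(self, app, tier, factor, is_recovery, now):
        """Return (decision, reason) for a login or recovery attempt and log it."""
        if is_recovery and factor == "sms":
            # Recovery is the attacker's preferred path, so SMS never satisfies it.
            result = ("deny", "sms-not-accepted-for-recovery")
        elif STRENGTH[factor] >= REQUIRED[tier]:
            result = ("allow", "factor-meets-tier")
        elif factor == "sms":
            exc = self.exceptions.get(app)
            if exc is not None and exc[0] > now:
                # Fallback still inside its window: allowed only with an extra check.
                result = ("step_up", "sms-fallback-exception:" + exc[1])
            else:
                result = ("deny", "sms-exception-missing-or-expired")
        else:
            result = ("step_up", "factor-below-tier")
        self.audit.append((now.isoformat(), app, tier, factor, is_recovery) + result)
        return result

    def residual_risk(self, now):
        """Apps still covered by a live SMS exception, for the exception register."""
        return sorted(a for a, (exp, _) in self.exceptions.items() if exp > now)

def run_demo():  # constructed scenario: fixed clock, invented application names
    now = datetime(2026, 6, 8, tzinfo=timezone.utc)
    p = AuthPolicy()
    p.grant_exception("legacy-crm", 30, "vendor-migration", now)
    return {
        "newsletter_sms": p.decide("newsletter", "low", "sms", False, now),
        "crm_sms": p.decide("legacy-crm", "high", "sms", False, now),
        "admin_sms": p.decide("admin-console", "privileged", "sms", False, now),
        "crm_recovery_sms": p.decide("legacy-crm", "high", "sms", True, now),
        "crm_expired": p.decide("legacy-crm", "high", "sms", False, now + timedelta(days=31)),
        "residual": p.residual_risk(now),
        "audit_records": len(p.audit),
    }
```

The audit list is what makes the fallback "monitored", and `residual_risk` is the exception register the fourth step calls for; an expired exception is denied rather than silently extended.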
Common Variations and Edge Cases
Tighter authentication controls often increase rollout friction, help-desk load, and user migration cost, so organisations have to balance security uplift against operational continuity. That tradeoff matters most for customer-facing services, workforce authentication, and environments with regulatory obligations.
There is no universal standard for an exact SMS retirement date, but best practice is evolving toward eliminating SMS wherever compromise would be hard to absorb. A reasonable exception is temporary fallback for low-risk access or for users who cannot yet enroll a stronger factor, provided the fallback is time-limited and monitored. For privileged access, SMS should be treated as a legacy exception, not a normal second factor.
One practical mistake is keeping SMS for “recovery only” without recognising that recovery is often the attacker’s preferred path. Another is allowing SMS in one application tier while protecting the same account with stronger methods elsewhere, which creates inconsistent assurance and confuses incident response. Organisations should also watch for jurisdictions or sectors where policy, audit expectations, or customer commitments effectively require stronger identity assurance than SMS can provide. The NIST guidance and NHI Mgmt Group research both point to the same operational conclusion: the higher the business impact, the less defensible SMS becomes as a durable authentication method.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and authentication strength should match access risk. |
| NIST AI RMF | Risk-based governance | Supports phasing out weak authenticators where harm is high. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Weak recovery and credential reuse often turn authentication into compromise. |
Review recovery paths and remove SMS where takeover would expose credentials or secrets.
Related resources from NHI Mgmt Group
- How do organisations know if certificate-based authentication is actually reducing risk?
- How should organisations decide between federated authentication and SSO?
- How should organisations modernize authentication in critical infrastructure without breaking operations?
- How should organisations move away from password-based authentication without hurting user productivity?
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org