SMS OTP is easy to relay, intercept, or socially engineer, and it also creates user friction that hurts conversion. Organisations move away from it because phishing-resistant methods reduce fraud exposure while improving the user journey. Regulation is also removing SMS OTP from acceptable assurance profiles in some markets.
Why This Matters for Security Teams
SMS OTP is moving out of favour because it was designed for convenience, not strong assurance. Attackers can relay codes through phishing kits, social engineering, SIM swap fraud, and compromised messaging channels, while users still experience delays and failed deliveries. Current guidance increasingly prefers phishing-resistant authentication because the risk profile is materially better for high-value accounts and admin workflows. NHI Mgmt Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which underscores how often attackers target the weakest authentication path.
For security teams, the real issue is not whether SMS works most of the time. It is whether it can stand up to modern credential theft and fraud patterns while meeting assurance expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls. When organisations still rely on SMS OTP, they often preserve a legacy fallback that attackers can predict and users can be tricked into surrendering. In practice, many security teams encounter account takeover only after a fraud review or support escalation, rather than through intentional control testing.
How It Works in Practice
Organisations usually move from SMS OTP to a layered model built around phishing-resistant authentication, step-up checks, and risk-based policy. That often means passkeys, FIDO2 hardware-backed authenticators, authenticator apps with stronger device binding, or managed SSO flows that support conditional access. The principle is straightforward: authentication should prove possession of a device or cryptographic key, not just receipt of a text message.
In operational terms, teams map the sign-in journey by assurance level and account sensitivity:
- Low-risk consumer flows may still allow SMS as a fallback, but not as the preferred method.
- Privileged users and workforce admins are shifted to phishing-resistant factors first.
- High-risk events such as new devices, impossible travel, or password resets trigger stronger step-up controls.
- Recovery and enrolment are hardened so attackers cannot bypass strong auth by targeting the reset path.
This is where governance matters. The ISO/IEC 27001:2022 Information Security Management baseline supports formal risk treatment, while NIST control families help teams document authentication assurance, monitoring, and exception handling. For organisations managing identity at scale, NHI Mgmt Group’s Ultimate Guide to NHIs is useful for understanding why weak identity controls often persist across adjacent systems, including shared accounts and automated workflows. The same pattern appears in major incidents such as the Schneider Electric credentials breach and the Twitter Source Code Breach, where identity weaknesses amplified blast radius. These controls tend to break down when SMS remains the universal recovery path, because recovery becomes easier to abuse than the original login.
Common Variations and Edge Cases
Tighter authentication often increases friction and implementation cost, so organisations must balance fraud reduction against conversion, support load, and legacy compatibility. That tradeoff is real, especially where users lack modern devices or where regulations still allow SMS in limited scenarios. Best practice is evolving, and there is no universal standard that requires immediate removal of SMS in every user journey.
Common exceptions include:
- Fallback access for users with no smartphone or no network access.
- Transactional notifications where SMS is informational, not an authenticator.
- Jurisdictions or assurance frameworks that still permit SMS only for low-risk or secondary use.
- Migration periods where SMS remains temporarily available while passkey enrolment ramps up.
The practical mistake is treating SMS OTP as a neutral backup instead of a weak control with known abuse paths. Current guidance suggests limiting it to low-assurance use cases, then removing it from privileged access, account recovery, and regulated workflows as soon as a stronger alternative is available. Organisations that keep SMS for too long usually discover the gap only after fraud, helpdesk abuse, or a failed audit finding has already made the risk visible.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication assurance is central to limiting account takeover risk. |
| NIST SP 800-63 | AAL2 | Assurance levels explain why SMS OTP is weak for higher-risk access. |
| OWASP Non-Human Identity Top 10 | NHI-04 | Weak authentication paths often expose broader identity and access weaknesses. |
| NIST AI RMF | Risk-based authentication changes should be governed through AI risk and decisioning controls. | |
| NIST Zero Trust (SP 800-207) | PDP/PAP | Phishing-resistant auth supports zero trust decisions at request time. |
Replace SMS OTP with stronger authenticators and document access control changes under PR.AC-1.
Related resources from NHI Mgmt Group
- Why are regulators moving away from SMS OTP in financial services?
- How should organisations move away from password-based authentication without hurting user productivity?
- Why is SMS OTP no longer enough for marketplace identity verification?
- How should security teams stop SMS pumping before OTP messages are sent?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org