SMS OTP becomes risky because message delivery follows the number, while identity should follow the verified subscriber. When a number is recycled, transferred, or hijacked through SIM swap, the OTP can reach the wrong person. That turns a convenience factor into a recovery path for account takeover.
Why This Matters for Security Teams
SMS OTP is risky in mobile identity programmes because the control binds authentication to a phone number, not to a verified subscriber or device state. That mismatch becomes dangerous when numbers are recycled, ported, or attacked through SIM swap. In those cases, the “second factor” can be redirected without the organisation seeing a legitimate identity event. NIST’s Digital Identity Guidelines treat OTP channels as weaker than phishing-resistant options, and current guidance increasingly favours stronger authenticators for recovery and step-up flows.
For mobile identity teams, the issue is not just fraud. SMS OTP can undermine account recovery, high-risk transaction approval, and helpdesk reset workflows if the telecom layer is treated as trusted by default. NHIMG’s research on 52 NHI Breaches Analysis shows how identity compromise often starts with the weakest link in the trust chain, not the core application itself. The same pattern appears when mobile recovery uses a mutable number as proof of ownership. In practice, many security teams discover the failure only after a takeover, not during a planned identity review.
How It Works in Practice
The practical risk comes from how SMS OTP is delivered and how carriers manage mobile numbers. A number can be reassigned after inactivity, transferred through port-out abuse, or hijacked in a SIM swap. If the identity programme treats possession of that number as proof of user control, the OTP may authenticate the wrong person. That is why best practice is shifting toward phishing-resistant authenticators and away from SMS for sensitive flows.
In mobile identity programmes, a stronger design separates identity proofing, device binding, and session step-up. The user is established through a verified enrollment process, then the device or authenticator is bound to that account. At runtime, risk signals such as recent SIM change, port-out status, device re-enrollment, geovelocity, or impossible travel can trigger additional verification. The NIST Cybersecurity Framework 2.0 is useful here because it emphasises governing identity assurance across the full lifecycle, not only at sign-in.
- Prefer phishing-resistant authenticators for primary and recovery paths where possible.
- Use SMS only for low-risk notifications or as a fallback with compensating controls.
- Monitor telco events such as SIM change and number porting as risk inputs.
- Apply step-up checks when the channel changes or the account enters recovery.
- Shorten exposure by expiring codes quickly and invalidating them after use.
NHIMG’s Ultimate Guide to NHIs is relevant because it highlights how identity systems fail when long-lived trust is attached to something that can change outside the organisation’s control. The same design lesson applies to mobile numbers. These controls tend to break down when recovery teams lack carrier-risk telemetry and the programme still uses SMS as a default fallback for high-value accounts.
Common Variations and Edge Cases
Tighter authentication often increases user friction and recovery overhead, requiring organisations to balance fraud reduction against support cost and enrolment complexity. That tradeoff is especially visible in consumer mobile identity programmes, where not every user can adopt passkeys or dedicated authenticator apps immediately. Current guidance suggests using risk-based fallback paths, but there is no universal standard for when SMS is still acceptable.
There are a few edge cases worth separating. For low-value notifications, SMS may remain tolerable if it is not used as a trust signal. For regulated or high-assurance flows, it is increasingly hard to justify as a primary factor. For call-centre assisted recovery, SMS can create a circular dependency if the same compromised number is used to unlock the account. Organisations should also watch for recycled numbers assigned to new subscribers, since a legitimate OTP may reach an unrelated person weeks after deactivation. The NIST 800-63B publication remains the clearest external reference for understanding why SMS is treated cautiously.
There is still some variation in industry practice, but the direction is clear: treat SMS as a brittle transport channel, not as a durable proof of identity. In mobile identity programmes, the safer pattern is to reduce SMS dependence, bind accounts to stronger authenticators, and continuously re-evaluate whether the phone number is still under the right user’s control.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and authenticator choice are core to mobile OTP risk. |
| NIST SP 800-63 | SP 800-63B | Spells out authenticator strength and cautions around SMS OTP. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires re-evaluating trust when telecom state changes. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Number-based trust mirrors weak NHI credential governance patterns. |
| NIST AI RMF | GOVERN | Identity risk decisions need accountable governance across the lifecycle. |
Replace static recovery trust with tightly scoped, monitored, and revocable identity controls.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org