The SMS One Time Password Era Is Over
SMS OTP is outdated, insecure, and failing users. Modern network-based authentication makes the wooden-screen-door era impossible to justify.
March 26, 2026

And the longer we pretend it isn't, the more we're putting users at risk.
Here's a thought experiment. Imagine you're building a bank vault in 2026. You hire the best architects, use the strongest steel, install biometric scanners at every entrance. Then, for the final layer of security, the one that actually authorizes access to the money, you install a wooden screen door with a hook latch.
That's essentially what we're doing every time we protect a modern digital account with an SMS one-time password.
SMS OTP is around 20 years old... The protocol was designed in an era when "mobile phone" meant a brick phone, when the internet was accessed via dial-up, and when the most sophisticated cyber threat was a teenager in a basement trying to guess your AOL password.
We have since built trillion-dollar digital economies, moved our entire financial lives online, and entrusted our most sensitive data to cloud platforms. And yet, the technology standing guard at the gate is older than Google, older than the modern internet, older than most of the engineers building the systems it's supposed to protect.
It's time to say it plainly: the SMS OTP era is over.
The Cracks in the Foundation
The case against SMS OTP isn't theoretical. It's not a "what if" scenario cooked up in a security researcher's lab. The failures are happening at scale, right now, with devastating consequences.
Let's start with the numbers.
$68 million
That's the FBI-reported losses from SIM swap fraud in 2023 alone. And if you know anything about reported vs. actual cybercrime losses, you know the real number is dramatically higher. The FBI's Internet Crime Complaint Center (IC3) captures only a fraction of actual incidents, many victims don't report, and many more don't even realize how they were compromised.
SIM swap fraud is devastatingly simple. An attacker convinces a mobile carrier (through social engineering, bribery of retail employees, or exploitation of weak identity verification processes) to transfer your phone number to a SIM card they control. Once they have your number, they have your SMS OTPs. They have your password resets. They have your life.
The attack doesn't require sophisticated hacking tools. It doesn't require zero-day exploits. It requires a phone call and a convincing story. Sometimes it doesn't even require that: insider threats at carrier retail stores have been well documented, with employees paid as little as $1,000 per swap.
Even the Standards Bodies Are Waving Red Flags
The National Institute of Standards and Technology (NIST), the organization whose security guidelines form the backbone of compliance frameworks worldwide, formally deprecated SMS as an authentication factor in their Digital Identity Guidelines (SP 800-63B).
Read that again. The institution that literally writes the rules for how the US government (and, by extension, much of the private sector) handles digital identity has said: stop using SMS for authentication.
NIST didn't use the word "deprecated" casually. In standards language, deprecated means "we're telling you this is a bad idea, and future versions of this guidance may remove it entirely." It's one step away from "prohibited."
And yet, years after this guidance was published, SMS OTP remains the dominant second factor for:
- Banking and financial services
- Healthcare portals
- Government services
- E-commerce platforms
- Social media accounts
- Cryptocurrency exchanges
The gap between what security experts know and what the industry practices has become a chasm. And that chasm is filled with fraud.
The User Experience Problem Nobody Talks About
Here's the part that drives me particularly crazy: SMS OTP isn't just insecure. It's also a terrible user experience, an outdated approach that introduces needless friction at every login.
Think about what we're asking users to do. You're trying to log in to your bank account. You enter your password. Then you wait. You hope the text arrives. You watch your phone. Maybe it comes in 5 seconds. Maybe 30. Maybe it doesn't come at all, and you hit "resend" and wait again. Then you switch to your messaging app, copy the 6-digit code, switch back to the application you are trying to log in to, and finally paste the code. And this is all happening while you are racing against the expiration timer.
The industry data on SMS OTP delivery tells a story that should alarm anyone responsible for user authentication:
- Failure rates of 5-15%, meaning up to one in seven legitimate users can't authenticate on any given attempt
- Delivery delays that routinely exceed the OTP expiration window
- International roaming failures that lock out travelers
- Number porting delays that create authentication gaps
- Message filtering by carriers that sometimes blocks OTP messages entirely
We've collectively accepted a 5-15% failure rate on our security infrastructure. In what other domain would that be acceptable? Would you fly on an airline whose landing gear deployed correctly 85-95% of the time?
The Replacement Is Here and It's Better in Every Way
This is where my perspective from working at the intersection of telecom and developer APIs becomes relevant. I've spent years watching the network API ecosystem evolve, and what's emerged is, frankly, elegant.
Network-based authentication, sometimes called "silent verification" or "number verification," works by leveraging what the mobile network already knows: which SIM card is connected to which phone number, verified cryptographically by the network itself.
Here's how it works in practice:
- A user initiates login on their mobile device
- The application makes an API call to the mobile network
- The network verifies, using its own cryptographic infrastructure, that the device making the request is genuinely connected to the phone number on file
- The verification result is returned, typically in under one second
No SMS sent. No code to intercept. No code to type. No waiting. No failure because of network congestion or roaming issues.
The user doesn't even know it happened. They just... get authenticated. Silently. Securely. In milliseconds.
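To make the four steps above concrete, here is an added example (not code from the article or from Nokia Network as Code) that models both sides of the exchange: an in-memory stand-in for the operator that knows which live data session belongs to which SIM, and the application that asks it a yes/no question. The request and response shapes are modelled on the CAMARA Number Verification API (`phoneNumber` or `hashedPhoneNumber` in, `devicePhoneNumberVerified` out), but the field names, status codes, session identifiers and the carrier table are assumptions made for this illustration. The example also covers the failure mode the text mentions: a device with no cellular session cannot be attested, and the application must route to another factor rather than treat that as a pass.

```python
"""Network-based number verification, modelled end to end.

Added example; not code from the article or from Nokia Network as Code.
Shapes are modelled on the CAMARA Number Verification API, but field
names, status codes and the in-memory carrier table are assumptions.
"""
import hashlib
from dataclasses import dataclass


def sha256_hex(phone_number: str) -> str:
    """Hash of the E.164 number, so the app need not send the raw number."""
    return hashlib.sha256(phone_number.encode()).hexdigest()


@dataclass
class MobileNetwork:
    """Constructed stand-in for the operator.

    `sessions` maps the identifier of a live mobile data session (what the
    operator sees on the wire and ties to a SIM) to that SIM's phone number.
    The application never sees this table; it only asks yes/no questions.
    """
    sessions: dict[str, str]

    def verify(self, session_id: str, body: dict) -> dict:
        """Modelled POST /number-verification/v0/verify (shape assumed).

        The answer is bound to the connection the request arrived on: a
        caller cannot name an arbitrary session, it can only be on one.
        """
        msisdn = self.sessions.get(session_id)
        if msisdn is None:
            # No cellular session (Wi-Fi only, roaming without data,
            # non-participating operator): nothing the network can attest.
            return {"status": 403, "code": "NO_MOBILE_SESSION"}
        if "phoneNumber" in body:
            verified = body["phoneNumber"] == msisdn
        elif "hashedPhoneNumber" in body:
            verified = body["hashedPhoneNumber"] == sha256_hex(msisdn)
        else:
            return {"status": 400, "code": "INVALID_ARGUMENT"}
        return {"status": 200, "body": {"devicePhoneNumberVerified": verified}}


def app_login(network: MobileNetwork, session_id: str,
              phone_on_file: str, send_hash: bool = True) -> tuple[bool, str]:
    """Application side of the exchange.

    Returns (authenticated, disposition); disposition is 'verified',
    'denied' or 'fallback'. 'fallback' means the network could not answer
    and another non-SMS factor must be used; it is never a silent success.
    """
    body = ({"hashedPhoneNumber": sha256_hex(phone_on_file)} if send_hash
            else {"phoneNumber": phone_on_file})
    resp = network.verify(session_id, body)
    if resp["status"] != 200:
        return False, "fallback"
    if resp["body"]["devicePhoneNumberVerified"]:
        return True, "verified"
    return False, "denied"


# Constructed carrier state: two live data sessions, one SIM each.
CARRIER = MobileNetwork(sessions={
    "sess-alice": "+358401234567",
    "sess-mallory": "+358409999999",
})
ALICE_NUMBER_ON_FILE = "+358401234567"


def demo() -> dict[str, tuple[bool, str]]:
    """Three cases a practitioner should expect to see in production."""
    return {
        # Alice on her own SIM, over mobile data: silent success.
        "alice_on_her_sim": app_login(CARRIER, "sess-alice", ALICE_NUMBER_ON_FILE),
        # Someone who knows Alice's number but is connected through a
        # different SIM: the network sees the mismatch; no code to steal.
        "wrong_sim_knows_number": app_login(CARRIER, "sess-mallory", ALICE_NUMBER_ON_FILE),
        # Alice on Wi-Fi: no session to attest, so route to a non-SMS factor.
        "alice_on_wifi": app_login(CARRIER, "wifi-only", ALICE_NUMBER_ON_FILE),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:24s} -> {result}")
```

The important property is in `MobileNetwork.verify`: the phone number the application supplies is compared against the SIM behind the connection the request came over, so knowing a victim's number is not enough to pass. In a real deployment the request reaches the operator over the device's mobile data path after an authorization step, which is what makes the "which session is this" binding trustworthy.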
The numbers tell the story: Network-based authentication delivers sub-second verification with failure rates below 1%, compared to 5-15% failure rates for SMS OTP. It's simultaneously more secure AND more reliable AND more user-friendly. That combination almost never happens in security.
This isn't vaporware. This isn't a conference demo. Nokia Network as Code is a production-ready platform that puts carrier-grade network APIs, including Number Verification and SIM Swap Detection, directly in the hands of developers. No telco contracts. No custom integrations. The infrastructure is live, the APIs are standardized, and the access is available today.
This is the part that excites me most. For the first time, the security capabilities that have always existed within mobile networks are being exposed through standardized, developer-friendly APIs. The network has always known whether a SIM swap just occurred. The network has always been able to cryptographically verify a phone number. We just never had a standardized way to give that information to the applications that need it.
Now we do.
The Inertia Problem
So if network-based authentication is more secure, more reliable, cheaper to operate, and better for users, why hasn't everyone switched already?
Three reasons:
- SMS OTP is "good enough…" until it isn't. Organizations that haven't been burned by SIM swap fraud tend to view SMS OTP as adequate. It's the devil they know. Switching requires effort, budget, and organizational will. The calculus only changes when they suffer a breach or when regulatory pressure forces their hand.
- The ecosystem was fragmented. Until recently, accessing network capabilities required bilateral deals with individual carriers, each with different APIs, different authentication methods, and different coverage. This was impractical for any application with a global user base. The GSMA Open Gateway and CAMARA standardization efforts have fundamentally changed this equation, creating a unified API layer across dozens of operators.
- Awareness is still catching up. Many product managers and security engineers simply don't know these APIs exist. The mobile network has been a black box for the application layer for decades. The idea that you can make an API call to the network and get a cryptographic verification of a phone number in milliseconds still surprises people. That's partly why I'm writing this.
What Should You Do Today?
If you're responsible for authentication at your organization, here's my honest advice:
Immediately:
- Audit your current SMS OTP usage and understand your exposure
- Identify your highest-value authentication flows (financial transactions, password resets, account recovery)
- Explore the network-based authentication APIs available through GSMA Open Gateway participants
Near-term:
- Implement a layered approach: network verification as the primary factor, with fallback to Authenticator Apps or hardware keys (not SMS)
- Add SIM Swap Detection API checks before any high-value SMS-dependent flow you can't immediately migrate
- Begin measuring your SMS OTP failure rates
Strategic:
- Plan for a world where SMS OTP is not just deprecated but prohibited in regulated industries
- Build your authentication architecture to be factor-agnostic, so swapping out methods doesn't require re-architecting your system
- Engage with the CAMARA/Open Gateway ecosystem now, while you can be a first mover rather than a forced adopter
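The near-term and strategic items above describe one architecture: a factor-agnostic policy that tries network verification first, falls back to an authenticator app, and only reaches a legacy SMS path behind a SIM swap check, while counting SMS failures so the migration can be measured. The following is an added example (not the article's or Nokia's code) of that policy. The factor callables, the `LoginContext` fields, the constructed SIM-change table and the 240-hour swap lookback are assumptions made for illustration; in production `network_factor` would call the Number Verification API and `sim_swapped_recently` would call the SIM Swap API.

```python
"""Factor-agnostic login policy with a SIM swap gate in front of SMS.

Added example; not code from the article or from Nokia Network as Code.
Factor callables, LoginContext fields, the SIM-change table and the
240-hour lookback are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional


class Outcome(Enum):
    VERIFIED = "verified"        # factor positively authenticated the user
    DENIED = "denied"            # factor ran and the user failed it: stop
    UNAVAILABLE = "unavailable"  # factor could not run: try the next one


@dataclass
class LoginContext:
    """Constructed inputs for one login attempt. None means the factor had
    nothing to check (no cellular session, no enrolled app, SMS never came)."""
    phone_number: str
    now: datetime
    network_verified: Optional[bool] = None
    authenticator_ok: Optional[bool] = None
    sms_code_ok: Optional[bool] = None


Factor = Callable[[LoginContext], Outcome]


def tri_state(result: Optional[bool]) -> Outcome:
    if result is None:
        return Outcome.UNAVAILABLE
    return Outcome.VERIFIED if result else Outcome.DENIED


def network_factor(ctx: LoginContext) -> Outcome:
    return tri_state(ctx.network_verified)   # would call Number Verification


def authenticator_factor(ctx: LoginContext) -> Outcome:
    return tri_state(ctx.authenticator_ok)   # TOTP app or hardware key


# Constructed stand-in for the SIM Swap API: last SIM change per number.
LAST_SIM_CHANGE = {
    "+358401234567": datetime(2025, 11, 1, tzinfo=timezone.utc),
    "+358407654321": datetime(2026, 3, 25, 12, 0, tzinfo=timezone.utc),
}
SIM_SWAP_LOOKBACK = timedelta(hours=240)  # assumed window


def sim_swapped_recently(phone_number: str, now: datetime) -> bool:
    last = LAST_SIM_CHANGE.get(phone_number)
    return last is not None and now - last <= SIM_SWAP_LOOKBACK


@dataclass
class SmsMetrics:
    """The counters the article asks you to start collecting."""
    attempts: int = 0
    delivery_failures: int = 0
    blocked_by_sim_swap: int = 0

    def failure_rate(self) -> float:
        return self.delivery_failures / self.attempts if self.attempts else 0.0


def gated_sms_factor(metrics: SmsMetrics) -> Factor:
    """Legacy SMS factor, reachable only after a SIM swap check."""
    def factor(ctx: LoginContext) -> Outcome:
        if sim_swapped_recently(ctx.phone_number, ctx.now):
            metrics.blocked_by_sim_swap += 1
            return Outcome.DENIED   # manual recovery, never trust the new SIM
        metrics.attempts += 1
        if ctx.sms_code_ok is None:  # code never arrived: a delivery failure
            metrics.delivery_failures += 1
            return Outcome.UNAVAILABLE
        return tri_state(ctx.sms_code_ok)
    return factor


def authenticate(policy: list, ctx: LoginContext) -> tuple[bool, str]:
    """Walk (name, factor) pairs in order; return (success, deciding factor)."""
    for name, factor in policy:
        outcome = factor(ctx)
        if outcome is Outcome.VERIFIED:
            return True, name
        if outcome is Outcome.DENIED:
            return False, name
    return False, "exhausted"


NOW = datetime(2026, 3, 26, tzinfo=timezone.utc)


def run_scenarios() -> tuple[dict, SmsMetrics]:
    """Five constructed logins through one policy; returns results and metrics."""
    metrics = SmsMetrics()
    policy = [("network", network_factor),
              ("authenticator", authenticator_factor),
              ("sms", gated_sms_factor(metrics))]  # last resort until migrated
    results = {
        "alice_mobile_data": authenticate(policy, LoginContext("+358401234567", NOW, network_verified=True)),
        "bob_wifi_with_app": authenticate(policy, LoginContext("+358401234567", NOW, authenticator_ok=True)),
        "carol_swapped_yesterday": authenticate(policy, LoginContext("+358407654321", NOW)),
        "dave_sms_never_arrived": authenticate(policy, LoginContext("+358401234567", NOW)),
        "erin_sms_ok": authenticate(policy, LoginContext("+358401234567", NOW, sms_code_ok=True)),
    }
    return results, metrics


if __name__ == "__main__":
    results, metrics = run_scenarios()
    for case, result in results.items():
        print(f"{case:24s} -> {result}")
    print("SMS failure rate:", metrics.failure_rate(), metrics)
```

Because the policy is just an ordered list of named callables, retiring SMS later is a one-line change to `policy` rather than a re-architecture, which is the factor-agnostic property the strategic advice asks for. The gate in `gated_sms_factor` returns `DENIED` rather than `UNAVAILABLE` on a recent swap on purpose: a number that just moved to a new SIM should land in manual recovery, not quietly fall through to whatever comes next.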
The Question We Should All Be Asking
I've been in telecom and developer ecosystems long enough to recognize an inflection point. The technology to replace SMS OTP exists. It's standardized. It's deployed. It's better in every measurable dimension: security, reliability, user experience, and cost.
The fraud data is unambiguous. The regulatory signals are clear. The industry momentum, with 68+ operators behind Open Gateway, is undeniable.
The only question is timing. And I think the right framing isn't "when will SMS OTP be replaced?" because the replacement is already here and growing.
The real question is:
How long until continuing to use SMS OTP is considered negligent?
I think the answer is: sooner than most organizations are prepared for.
The clock started when NIST deprecated SMS. It accelerated when 68+ operators standardized network APIs. It ticks louder with every SIM swap and account takeover that could have been prevented.
Twenty years is a remarkable run for any technology. But every era ends.
This one is ending now.