
Anti-pattern: SMS OTP as the only second factor

Updated 2026-05-07

SMS OTP as the sole second factor is a 2018-era pattern that 2026 deployments should retire. The migration is staged, communicated, and respects the long tail of users who genuinely cannot enroll stronger factors, but the default for new accounts and the trajectory for existing accounts both move away from SMS.

For the migration playbook, see the SMS OTP deprecation guide and the MFA rollout playbook.

Do

  • Treat SMS OTP as last-resort fallback only, never primary

    SMS is acceptable when the alternative is no MFA at all. It is not acceptable as the only or primary second factor for any new deployment.

    NIST SP 800-63B-4 classifies out-of-band authentication over the PSTN, which is what SMS OTP is, as a RESTRICTED authenticator: still permitted at AAL2, but only with a documented risk assessment, notice to subscribers, and a non-restricted alternative on offer. Production AitM-proxy phishing campaigns through 2023–2024 demonstrated real-time SMS-OTP harvesting at scale: the proxy triggers the login, the victim types the code into the proxy's page, and the proxy submits it to the real site before it expires.

  • Migrate existing SMS-OTP users to TOTP, push, or passkeys

    An installed base on SMS is a liability. Stage the migration: announce, offer self-service swap, force step-up at sensitive actions, retire SMS as primary.

    The migration playbook is in the SMS OTP deprecation guide. A two-week pre-announcement plus self-service swap converts most users; the long tail migrates through forced step-up at sensitive actions.

  • Enroll multiple recovery factors so SMS isn't the recovery bypass

    Even where SMS is retained as fallback, it should not be the sole recovery factor. Enroll at least one stronger factor (TOTP, alternate verified email, backup codes) at signup.

    Recommended by NIST SP 800-63B-4 and OWASP. Production deployments that relied on SMS for recovery have been compromised outright by SIM swaps: the attacker who takes the phone number takes both the primary second factor and the only recovery path in one move.
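Why the AitM relay described in the first Do item succeeds against SMS OTP and fails against a passkey, as an added Python model that is not code from this page, NIST, or any vendor. Its simplifications are deliberate and labelled: the passkey signature is HMAC-SHA256 under a per-credential secret standing in for ECDSA over a registered public key, browser and authenticator are collapsed into one class, and the domains, user name and values are constructed. The point it demonstrates is structural: the OTP carries no binding to the page it was typed into, while a WebAuthn assertion signs over the origin and rpIdHash, and the browser refuses to produce one for a foreign origin at all.

```python
# Added model for this page (not code from the page, NIST or any vendor). The passkey
# signature is HMAC-SHA256 under a per-credential secret, standing in for ECDSA over
# a registered public key; browser and authenticator are one class. All values constructed.
import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import urlparse

BANK_ORIGIN = "https://bank.example"        # constructed relying party
BANK_RP_ID = "bank.example"
PHISH_ORIGIN = "https://bank-example.com"   # constructed AitM proxy site


class OtpVerifier:
    """SMS/TOTP-style check: the code is a bare string, nothing ties it to the
    page it was typed into, so a proxy can forward it unchanged."""
    def __init__(self):
        self.pending = {}

    def send_code(self, user):
        self.pending[user] = f"{secrets.randbelow(10**6):06d}"
        return self.pending[user]            # delivered by SMS in real life

    def verify(self, user, code):
        expected = self.pending.pop(user, None)   # single use
        return expected is not None and hmac.compare_digest(expected, code)


class PasskeyVerifier:
    """WebAuthn-style check: origin, challenge and rpIdHash are all inside the
    signed data, so the verifier can tell where the assertion was produced."""
    def __init__(self):
        self.credentials = {}                # user -> credential secret
        self.challenges = {}

    def new_challenge(self, user):
        self.challenges[user] = os.urandom(32)
        return self.challenges[user]

    def verify(self, user, assertion):
        if assertion is None or user not in self.credentials:
            return False
        cd = json.loads(assertion["clientDataJSON"])
        expected = self.challenges.pop(user, None)
        if cd.get("type") != "webauthn.get" or cd.get("origin") != BANK_ORIGIN:
            return False                     # produced on some other site
        if expected is None or cd.get("challenge") != expected.hex():
            return False                     # stale or replayed challenge
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != hashlib.sha256(BANK_RP_ID.encode()).digest():
            return False                     # wrong relying party
        signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
        mac = hmac.new(self.credentials[user], signed, hashlib.sha256).digest()
        return hmac.compare_digest(mac, assertion["signature"])


class VictimDevice:
    """Browser plus authenticator. Credentials are scoped by rpId, and the
    browser only lets a page claim an rpId equal to its host or a parent of it."""
    def __init__(self):
        self.store = {}                      # rp_id -> credential secret

    def get_assertion(self, page_origin, rp_id, challenge):
        host = urlparse(page_origin).hostname
        if not (host == rp_id or host.endswith("." + rp_id)):
            return None                      # browser raises SecurityError
        secret = self.store.get(rp_id)
        if secret is None:
            return None                      # no credential registered for this rpId
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                                  "origin": page_origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05\x00\x00\x00\x01"
        sig = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(),
                       hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def relay_otp(user="alice"):
    """Proxy starts the login, bank texts the victim, victim types the code into
    the proxy's page, proxy submits it to the bank. Returns True: accepted."""
    bank = OtpVerifier()
    forwarded = bank.send_code(user)         # proxy copies the typed code verbatim
    return bank.verify(user, forwarded)


def relay_passkey(user="alice"):
    """Same proxy against a passkey. Returns (legitimate_login_ok, relayed_ok)."""
    bank, device = PasskeyVerifier(), VictimDevice()
    bank.credentials[user] = device.store[BANK_RP_ID] = os.urandom(32)   # registration
    challenge = bank.new_challenge(user)     # proxy fetched this from the bank
    # The proxy page may not claim the bank's rpId, and has no credential for its own.
    relayed = (device.get_assertion(PHISH_ORIGIN, BANK_RP_ID, challenge)
               or device.get_assertion(PHISH_ORIGIN, "bank-example.com", challenge))
    relayed_ok = bank.verify(user, relayed)
    legit_ok = bank.verify(user, device.get_assertion(BANK_ORIGIN, BANK_RP_ID, challenge))
    return legit_ok, relayed_ok
```

Running `relay_otp()` returns True and `relay_passkey()` returns `(True, False)`. The OTP verifier has nothing to check except the digits, so the relayed code is indistinguishable from a legitimate one; the passkey path fails twice before the verifier is even reached, and the origin check in the verifier is the backstop if a malicious client ever did produce an assertion for the wrong site.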

Don't

  • Don't ship SMS OTP as the only MFA option for new users

    Default-on SMS as the only MFA tells security-aware users they can't enroll a stronger factor and tells security-unaware users 'you have MFA' when what they have is a known-phishable factor.

    Consistent with the restricted-authenticator requirements in NIST SP 800-63B-4 and, by 2026, broad consensus across CIAM vendors. The 2018-era pattern of 'enable MFA, here's SMS' is no longer the responsible default.

  • Don't claim AAL2 compliance with SMS-only MFA

    NIST SP 800-63B-4 treats SMS OTP (out-of-band over the PSTN) as a RESTRICTED authenticator, and a restricted authenticator may only be used when the subscriber is also offered at least one non-restricted alternative that meets the target AAL. A deployment whose only second factor is SMS therefore does not meet the AAL2 requirements, and marketing or compliance claims of AAL2 for it are inaccurate.

    Source: NIST SP 800-63B-4, restricted-authenticator requirements. Vendor security teams are increasingly explicit about this in their compliance documentation; deployments that haven't updated their claims are gradually being audited and corrected.

  • Don't rely on SMS OTP for high-value financial or healthcare actions

    AitM phishing kits routinely defeat SMS OTP for exactly the actions that matter most: banking transfers, account-detail changes, healthcare data access. Step up to a phishing-resistant factor for those actions specifically, regardless of what the account uses for routine login.

    Supported by documented production fraud incidents. Financial-sector guidance (FFIEC in the US, PSD2 strong customer authentication in the EU) increasingly expects phishing-resistant or transaction-bound authentication for high-value transactions, and SMS OTP is losing its standing as an acceptable factor there.
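The three step-up points above (forced step-up during the migration, a non-SMS recovery factor at enrollment, and a phishing-resistant factor for high-value actions) add up to one factor policy. Written out here as an added Python example that is not code from this page or any identity vendor: the factor names, action tiers, migration phases and reason strings are constructed to match the prose, and the hypothetical `second_factor_policy` and `enrollment_check` functions are where an identity provider's own authenticator types would be mapped in.

```python
# Added example for this page, not code from the page or any identity vendor. Factor
# names, action tiers, migration phases and reason strings are constructed to match
# the prose; map them onto the authenticator types your IdP actually exposes.
from dataclasses import dataclass
from enum import Enum


class Phase(Enum):
    """Stages of retiring SMS as the primary second factor."""
    ANNOUNCE = 1        # SMS still accepted; users told it is going away
    SELF_SERVICE = 2    # swap offered in settings; SMS still accepted
    FORCED_STEPUP = 3   # SMS-only users must enroll a stronger factor at sensitive actions
    RETIRED = 4         # SMS never accepted as the primary second factor


class Tier(Enum):
    LOW = 1             # e.g. view balance
    SENSITIVE = 2       # e.g. change contact details, add a payee
    HIGH_VALUE = 3      # e.g. large transfer, health-record export


SMS = "sms"
PHISHING_RESISTANT = frozenset({"passkey", "hardware_key"})
STRONG = PHISHING_RESISTANT | {"totp", "push"}
RECOVERY_CAPABLE = STRONG | {"backup_codes", "verified_email"}   # anything but SMS


@dataclass(frozen=True)
class Decision:
    outcome: str        # "challenge": pick one of factors; "enroll": add one of factors first
    factors: frozenset
    reason: str


def second_factor_policy(enrolled, tier, phase):
    """Which second factor the verifier accepts for one action.

    SMS is offered only when nothing stronger is enrolled, and never for
    high-value actions; during FORCED_STEPUP an SMS-only account hitting a
    sensitive action is sent to enrollment instead of being challenged.
    """
    enrolled = set(enrolled)
    if tier is Tier.HIGH_VALUE:
        resistant = enrolled & PHISHING_RESISTANT
        if resistant:
            return Decision("challenge", frozenset(resistant), "high-value: phishing-resistant only")
        return Decision("enroll", PHISHING_RESISTANT, "high-value: enroll a phishing-resistant factor")
    strong = enrolled & STRONG
    if strong:
        return Decision("challenge", frozenset(strong), "stronger factor enrolled; SMS not offered")
    if SMS not in enrolled:
        return Decision("enroll", STRONG, "no second factor enrolled")
    if phase is Phase.RETIRED or (phase is Phase.FORCED_STEPUP and tier is not Tier.LOW):
        return Decision("enroll", STRONG, f"SMS-only account in phase {phase.name}: step-up enrollment")
    return Decision("challenge", frozenset({SMS}), "SMS accepted as last-resort fallback")


def enrollment_check(enrolled, new_account=True):
    """Run at signup and whenever a factor is removed. Returns (ok, problems).

    New accounts may not end up SMS-only, and every account needs at least one
    recovery-capable factor that is not SMS, so a SIM swap cannot take both
    the primary second factor and the recovery path at once.
    """
    enrolled = set(enrolled)
    problems = []
    if new_account and not (enrolled & STRONG):
        problems.append("new account: SMS may not be the only second factor")
    if not (enrolled & RECOVERY_CAPABLE):
        problems.append("no recovery factor other than SMS")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed walkthrough of one SMS-only legacy account through the phases.
    for phase in Phase:
        for tier in Tier:
            d = second_factor_policy({SMS}, tier, phase)
            print(f"{phase.name:13} {tier.name:10} {d.outcome:9} {sorted(d.factors)}  {d.reason}")
    print(enrollment_check({SMS}), enrollment_check({SMS, "backup_codes"}, new_account=False))
```

The ordering of the checks is the design point: the high-value branch runs first so that a passkey-holding user is never downgraded to TOTP for a transfer, and the "stronger factor enrolled" branch runs before any SMS branch so that SMS disappears from the chooser the moment a user enrolls anything better, rather than lingering as a weaker option an attacker can select.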
