Deprecating SMS OTP in 2026: Why, When, and How
Updated 2026-05-07 · 11 min read · By @guptadeepak
Key takeaways
- NIST SP 800-63-4 (2024) places SMS OTP outside AAL2, SIM-swap and AitM-proxy attacks defeat it in real time.
- SMS OTP remains acceptable in 2026 only as a fallback where the alternative is no MFA at all.
- The replacement order: passkeys first (AAL2 single-factor), TOTP second, push MFA with number matching third, email OTP for recovery.
- Migration is staged: enroll new factor, prove it works, retire SMS, never delete SMS without verifying replacement enrollment.
- Communication beats coercion. Two-week pre-announcement plus self-service swap converts at 60%+; surprise enforcement triggers ticket spikes.
What changed and why it matters
The deprecation isn't symbolic. Real production breaches in the 2023–2024 window cited SMS-OTP bypass as the vector, Storm-1242 and Caffeine-platform phishing campaigns harvested SMS codes against major SaaS targets in real time, and SIM-swap volumes against retail and crypto users grew through 2024.
What replaces SMS, in priority order
1. Passkeys (synced WebAuthn)
The strongest 2026 replacement. Phishing-resistant by construction (the credential is bound to the relying party origin). Synced across the user's devices through their cloud password manager. Clears AAL2 as a single factor, meaning users on passkeys often don't need a second factor at all.
The catch is enrollment friction. Users on devices without passkey support, or who haven't enrolled, need a fallback. For consumer apps with a broad userbase, passkey-first deployments still need TOTP or email-OTP as the fallback, not SMS.
2. TOTP (authenticator app)
The next strongest option for users who don't enroll passkeys. AAL2-compliant, immune to SIM swap, works offline. Phishable via AitM proxy but not at the SMS-level vulnerability.
TOTP is the natural deprecation step for security-aware userbases (B2B SaaS, developer tools, finance). For consumer apps with a wide tail of less-technical users, the enrollment friction (scan QR code, install app, transcribe codes) is real.
3. Push MFA with number matching
Vendor-specific (Microsoft Authenticator, Okta Verify, Duo). The user receives a push notification, sees a number on their phone, and types it back into the application. Number matching defeats the prompt-bombing attack class (where the attacker spams pushes hoping the user accepts).
Strong, but vendor-locked and adds operational dependency on the push provider's infrastructure.
4. Email OTP
Fallback only, bounded by the strength of the user's email account auth. AAL1 unless email has its own MFA. Acceptable for recovery and unsupported devices; not a replacement primary factor.
5. SMS OTP
Last-resort fallback only. Better than nothing for users who have no other option, but should not be the primary or sole second factor for any new deployment.
The migration playbook
The pattern that converts the install base without locking users out:
Phase 1, Announce (week 0–2)
Communicate the change. Email the affected users (those currently on SMS), explain what's changing and why, link to the self-service enrollment flow for the replacement factor. Two-week notice converts most security-aware users.
Phase 2, Self-service swap (week 2–6)
Offer the replacement factor as the suggested option at next login. Make enrollment one click, don't make users navigate three menus. For users who don't act, prompt at sensitive actions (password change, payment update).
Track enrollment rate per cohort. By week 6 most users have moved.
Phase 3, Forced step-up (week 6–10)
For the holdout long tail, require enrollment of a stronger factor at next login. Block the login flow until enrollment completes. Communicate clearly that SMS will be retired.
Phase 4, Retire (week 10+)
Disable SMS as a registration option for new accounts. For existing accounts that completed step-up, drop the SMS factor. Keep SMS available only as last-resort recovery for accounts that didn't enroll a replacement (with rate limiting and audit logging).
The critical rule: never delete SMS without verifying the replacement is operational. Users with stale TOTP enrollments (lost their phone, didn't re-enroll on new device) will be locked out if SMS is removed before the new factor is confirmed working.
The B2B SaaS variant
For B2B SaaS, the migration is per-customer-organization, not per-user. The customer's IT admin enables stronger MFA policy at the Org level, communicates internally, and retires SMS through their workforce IT cycle. The CIAM provides the policy controls and the audit trail; the customer drives the rollout.
Most B2B-mature CIAM (Auth0, WorkOS, Frontegg) ship per-Org MFA policy with enrollment tracking. Customers who enable "passkeys preferred, TOTP allowed, SMS disabled" can complete the migration in weeks.
What about the long tail of legacy phones?
Some user populations (regional consumer apps, financial services with older customers, healthcare with patient demographics that skew older) have meaningful percentages of users on phones without app-installation capability or without reliable internet access. For these segments, SMS may remain the most-accessible factor for years.
The 2026 best practice is segmented deprecation: deprecate SMS aggressively for new accounts and for security-aware segments; retain SMS as a fallback only for the long-tail demographic where the alternative is no MFA at all. Document the segments, audit the residual SMS usage, and revisit annually.
Vendor support snapshot
The CIAM with the strongest 2026 deprecation tooling (per-Org policy, per-user factor inventory, automated migration prompts):
- Auth0, Adaptive MFA tier surfaces enrollment status; Actions can drive the migration prompts.
- Descope, Flows handle the migration as a no-code orchestration; the cleanest UX in this category.
- Stytch, strong passkey orchestration plus per-user factor management.
- MojoAuth, competitive on per-Org policy plus migration prompts at lower price points.
- Corbado, passkey-specialist orchestration that can layer in front of an existing CIAM specifically for the migration phase.
- Authsignal, orchestration layer that handles the migration without replacing the primary CIAM.
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Corbado
Corbado is the deepest passkey-specialist orchestration layer in 2026, focused exclusively on driving passkey adoption on top of any underlying CIAM, with adoption analytics, A/B testing, and recovery-flow tooling that no full-platform vendor ships. For teams running Auth0 / Cognito / Keycloak who want to fix passkey adoption without changing primary CIAM, Corbado is the singular pick alongside Authsignal. Not a full CIAM, pick one of those first if greenfield.
Descope
Descope is the orchestration-first CIAM in 2026, its Flows visual editor is the most capable no-code auth designer in the market, paired with above-average passkey orchestration and an early MCP-native posture for AI agents. For mid-market B2C and B2B SaaS that wants modern auth without writing the orchestration layer, Descope is one of the strongest picks. Compliance breadth and ecosystem maturity still favor Auth0 above 500k MAU.
MojoAuth
MojoAuth is a B2C CIAM specialist focused on modern passwordless and enterprise-grade auth for consumer apps. Passwordless orchestration (passkeys, magic links, OTP) is well above the market median; SAML / OIDC / adaptive MFA bring enterprise-tier features into B2C pricing tiers; consent management is unusually mature. Consumer apps evaluating Auth0 alternatives at the 100k–1M MAU band should put MojoAuth on the shortlist alongside Stytch and Descope.
Stytch
Stytch is the strongest passkey-first CIAM in 2026 by orchestration quality, not raw feature count. Twilio acquired it on October 30, 2025; the product runs as a Twilio subsidiary with its own API surface, SDK family, and pricing, distinct from Twilio Verify. Post-acquisition the platform combines Stytch's modern auth with Twilio's communications infrastructure, repositioning it as a credible Auth0 alternative for developer-focused teams. Below 500k MAU the case is strong for both B2C and B2B SaaS; beyond that, gaps on FedRAMP, FGA, and adaptive MFA depth narrow it.
FAQ
- Is SMS OTP still allowed for MFA?
- Allowed, yes, but no longer counted as AAL2 by NIST SP 800-63-4. For most regulated workloads (federal, healthcare, financial) AAL2 is the practical baseline, which means SMS OTP no longer satisfies the requirement on its own. Most consumer apps without strict regulatory requirements still use SMS as a fallback factor in 2026.
- What attacks defeat SMS OTP?
- SIM swap (attacker socially engineers the carrier into porting the user's number to a SIM under their control), SS7-protocol exploits (carrier signaling network attacks), and adversary-in-the-middle proxies (the user enters the OTP on a phishing site that relays it to the real site in real time). All three are documented in production attacks at scale.
- What should I migrate users to?
- Passkeys are the strongest single-factor replacement (AAL2 phishing-resistant). TOTP is the next strongest (AAL2, phishable via AitM but not SIM-swappable). Push MFA with number matching is competitive. Email OTP works as a fallback. The order depends on the population, consumer apps often skip TOTP and go passkeys-first; B2B SaaS often deploys TOTP first because the userbase is more security-aware.
- How do I migrate the install base off SMS?
- Stage it: prompt users to enroll a stronger factor next time they log in; verify the new factor works (not just enrolled); only then remove SMS. Never delete the SMS factor without confirming the replacement is operational, or you'll lock users out. Two-week pre-announcement plus self-service swap converts most users; the long tail eventually migrates through forced step-up at sensitive actions.
Sources
- NIST SP 800-63-4, Digital Identity Guidelines
- FIDO Alliance State of Passkeys 2026
- Documented AitM phishing campaigns 2023–2024
- Verizon Data Breach Investigations Report