TOTP vs SMS OTP: And Why One Is Being Deprecated
Updated 2026-05-15 · 8 min read · By @guptadeepak
Key takeaways
- TOTP generates codes locally on the user's device from a shared secret. SMS OTP delivers codes via a carrier-controlled SMS channel.
- SMS OTP is vulnerable to SIM-swap and SS7 interception; TOTP requires the attacker to extract the seed from the user's device.
- NIST SP 800-63B-4 (2024) removed SMS OTP from the AAL2-acceptable authenticator set. TOTP remains AAL2-acceptable.
- The migration target in 2026 is passkeys; TOTP is the AAL2-compatible fallback when passkeys aren't available; SMS OTP is the legacy mechanism being phased out.
Same UX, different security
How each actually works:
TOTP (RFC 6238) — at enrollment, the server generates a shared secret and shows it to the user as a QR code. The user's authenticator app (Google Authenticator, Authy, 1Password, Bitwarden) scans the QR code and stores the secret. At authentication, the app computes a six-digit code by HMAC-SHA1 of the secret and the current 30-second time window. The server computes the same code with its copy of the secret and compares. No network communication during authentication; the device and server stay in sync via the clock.
SMS OTP — at authentication, the server generates a random six-digit code, looks up the user's phone number, and sends the code via SMS through the carrier network. The user reads the code from their phone and types it into the login form. The server compares against the code it sent. The security depends on the SMS being delivered to the user's device and only the user's device.
The architectural difference: TOTP keeps the secret on the user's device; SMS OTP relies on the telephony network as a trusted channel. Telephony network trust is the broken assumption.
The attacks that drove the SMS deprecation
SIM-swap. The attacker calls the victim's mobile carrier, impersonates the victim, and convinces customer service to port the phone number to a SIM the attacker controls. From that point, all SMS to the victim's number goes to the attacker — including OTP codes. The attack has been demonstrated repeatedly against high-value accounts (cryptocurrency exchanges, executive social media accounts, journalists). Carrier countermeasures (PIN locks, port-out delays) exist but are inconsistently enforced.
SS7 interception. Signaling System 7 is the global protocol carriers use to route SMS and voice between networks. Documented vulnerabilities allow attackers with SS7 access (which is more widespread than carriers acknowledge) to redirect or intercept SMS without any visible effect on the victim's phone. The victim sees no incoming SMS; the attacker reads it on a parallel network.
SIM cloning and physical interception. Less common but possible. A SIM card can be cloned with physical access; SMS can be intercepted by IMSI-catchers operating in proximity to the victim.
The TOTP attack surface is materially narrower. The attacker needs to compromise the user's device to extract the seed (requires malware, typically), shoulder-surf the QR code at enrollment (rare), or phish the current code at use time (defeated by domain-bound credentials like passkeys). None of these scale the way SIM-swap and SS7 attacks scale.
NIST SP 800-63B-4 and the AAL implications
The 2024 NIST update made the security difference explicit in the regulatory baseline. AAL2 authenticators must demonstrate resistance to specific attack classes; SMS OTP no longer meets the bar.
The implications cascade:
- HIPAA: OCR enforcement increasingly cites missing MFA as a contributing factor; AAL2 is the practical bar for clinical access. SMS OTP-based 2FA is technically present but doesn't satisfy the assurance level expected.
- PCI DSS 4.0: requires MFA for CDE access; SMS is technically a factor but the standard's MFA guidance leans toward phishing-resistant. PCI DSS 4.1 (expected 2026-2027) is widely anticipated to require phishing-resistant authentication for high-risk access.
- SOC 2: principle-based, no specific factor mandate, but customer security questionnaires increasingly ask about phishing-resistant MFA. "We use SMS OTP" is a soft no in B2B procurement.
- CMMC, FedRAMP, NIST-aligned compliance: explicitly track AAL classifications. SMS-OTP-based 2FA does not satisfy AAL2 in these regimes after the 2024 update.
The implication for production CIAM: the SMS OTP migration is not optional, it is on a clock driven by accumulating compliance and customer pressure.
The migration path
The 2026 sequence:
Step 1: enable passkeys. Add WebAuthn support, prompt users to enroll, default new sign-ups to passkey primary. Passkeys are the long-term target; every user who enrolls is a user who doesn't need OTP migration later.
Step 2: offer TOTP as the AAL2 fallback for users without passkey support. Authenticator app enrollment via QR code; standard backup-codes-on-enrollment to handle device loss. Most users with smartphones (most users in 2026) can do TOTP.
Step 3: make SMS OTP opt-in fallback only. Remove SMS from the default factor selection in the MFA enrollment flow; allow users to add it as a last-resort fallback. Communicate the deprecation timeline.
Step 4: phase out SMS OTP entirely (12-24 months). Notify enrolled-SMS-only users to migrate to TOTP or passkeys; provide assisted migration; eventually retire the SMS channel for primary authentication. Keep SMS as a verification mechanism for high-friction recovery flows (account recovery requires identity proofing that may include SMS), not as a primary factor.
The Auth0, Okta, WorkOS, Microsoft Entra, and most major CIAM platforms now ship this migration pattern as a managed flow. Self-hosted CIAM (Keycloak, Authentik) requires the operator to design the prompts and timing; the building blocks exist.
Where SMS OTP still legitimately fits
Honest accounting of the remaining roles:
- Account recovery as one factor among several — verify the user can receive a code at their registered phone number, alongside other identity-proofing checks. Not as the sole recovery factor.
- Markets without smartphone ubiquity — SMS works on any cellular device, including feature phones, which still dominate in some emerging markets.
- Customer-facing flows where the alternative is no MFA — better than nothing, but the right answer is to improve the alternative (drive passkey enrollment).
- High-friction step-up where additional channel proof matters — a financial transaction confirmation flow may want both a TOTP from the authenticator app and an SMS to the registered number, treating two independent channels as defense-in-depth.
In none of these does SMS OTP serve as the primary MFA factor in a high-assurance deployment. The role is residual.
Implementation guidance
- Default to passkeys as primary MFA. Single-factor passkey authentication is AAL2 by itself.
- TOTP as the AAL2-acceptable fallback for users without passkey support. Standard authenticator-app enrollment with backup codes.
- SMS OTP is opt-in fallback only, never the default offered. Communicate the deprecation timeline.
- Migrate enrolled-SMS-only users over 12-24 months. Notify, assist, eventually retire.
- Use number-matching for push notifications if push is part of your MFA stack — the 2022 MFA-fatigue attacks (Uber, Cisco) made number-matching the production default for push.
- For compliance-sensitive deployments (HIPAA, PCI, SOC 2): SMS OTP for primary access is a finding waiting to happen. Migrate ahead of the audit.
- Audit MFA factor distribution — track passkey share, TOTP share, SMS share over time. The passkey share is the leading metric for migration success.
Related vendors
Auth0
Auth0 remains the safest mid-market default for B2C plus B2B Enterprise SSO when developer velocity matters more than long-run TCO. Below 50k MAU it is hard to beat. Above 500k MAU, cost and Actions-driven lock-in make alternatives like FusionAuth (self-host), Cognito (AWS-native), or Stytch plus Corbado (passkey-first) increasingly attractive.
Authsignal
Authsignal is the strongest identity orchestration layer in 2026, designed to sit in front of any underlying CIAM (Auth0, Cognito, Keycloak, custom-built) and add the passkey orchestration, adaptive risk decisioning, and step-up MFA logic that most full-platform vendors do badly. For teams with an existing CIAM that want to fix passkey adoption or harden against account takeover without replacing the primary platform, Authsignal is the singular pick. Not a full CIAM, pick one of those first if greenfield.
Descope
Descope is the orchestration-first CIAM in 2026, its Flows visual editor is the most capable no-code auth designer in the market, paired with above-average passkey orchestration and an early MCP-native posture for AI agents. For mid-market B2C and B2B SaaS that wants modern auth without writing the orchestration layer, Descope is one of the strongest picks. Compliance breadth and ecosystem maturity still favor Auth0 above 500k MAU.
Keycloak
Keycloak is the de-facto open-source CIAM in 2026 and remains the right choice when data sovereignty, on-prem deployment, or zero per-MAU cost are non-negotiable. The trade-off is operational cost, running Keycloak well is closer to running PostgreSQL than running an SDK, and teams without that capacity should reach for FusionAuth (lighter ops) or a SaaS instead.
Stytch
Stytch is the strongest passkey-first CIAM in 2026 by orchestration quality, not raw feature count. Twilio acquired it on October 30, 2025; the product runs as a Twilio subsidiary with its own API surface, SDK family, and pricing, distinct from Twilio Verify. Post-acquisition the platform combines Stytch's modern auth with Twilio's communications infrastructure, repositioning it as a credible Auth0 alternative for developer-focused teams. Below 500k MAU the case is strong for both B2C and B2B SaaS; beyond that, gaps on FedRAMP, FGA, and adaptive MFA depth narrow it.
FAQ
- What is the difference between TOTP and SMS OTP?
- TOTP (Time-based One-Time Password, RFC 6238) is a code generated locally on the user's device — typically an authenticator app — from a shared secret and the current time. SMS OTP is a code sent via SMS to the user's phone number, generated and delivered by the relying party. To the user they look identical (a six-digit code); the security models are entirely different.
- Is SMS OTP still safe to use in 2026?
- Less safe than the alternatives, and no longer AAL2-acceptable per NIST SP 800-63B-4 (2024). SIM-swap attacks and SS7 protocol weaknesses let attackers intercept SMS without the user's knowledge. SMS OTP is still better than no second factor, but it should be the fallback option, not the primary, and high-value accounts should not rely on it.
- Why did NIST remove SMS OTP from AAL2?
- Two failure modes drove the change: SIM-swap (an attacker convinces the carrier to port the victim's phone number to a different SIM, then receives all SMS) and SS7 protocol weaknesses (the global telephony signaling network has documented vulnerabilities that allow SMS interception). Both attacks have been demonstrated repeatedly in real-world account takeovers. NIST's 2024 update reflects accumulated evidence.
- What should I use instead of SMS OTP?
- In priority order: passkeys (best — AAL2 by themselves), TOTP via authenticator app (AAL2-acceptable), push notification with number matching (AAL2-acceptable when properly implemented), hardware FIDO2 keys (AAL3). SMS OTP should be the absolute fallback option, available for users without alternatives but not the default offered.
- Can attackers steal TOTP codes too?
- Yes, but with materially more effort. TOTP requires the attacker to either extract the seed from the user's device (typically requires malware on the device, or shoulder-surfing the QR code at enrollment), or phish the current code at use time (defeated by phishing-resistant alternatives like passkeys). The attack economics are dramatically worse than SMS interception.
Sources
- RFC 6238 — TOTP: Time-Based One-Time Password Algorithm
- RFC 4226 — HOTP: HMAC-Based One-Time Password Algorithm
- NIST SP 800-63B-4 — Authentication and Authenticator Management (2024)
- CISA guidance on SIM-swap and SMS-based MFA risks