Coinbase, one of the world's largest cryptocurrency exchanges, revealed that 95% of its account takeovers involved customers using SMS-based multi-factor authentication (MFA). These users represented 95.65% of all account takeovers Coinbase experienced as of November 2022, despite making up the same percentage of their user base.
It's a clear signal that SMS one-time passwords (OTPs), once considered a security upgrade, have become a critical vulnerability in modern authentication systems.
The evidence is overwhelming, and governments worldwide are taking action. In December 2024, the FBI and CISA issued urgent warnings against SMS authentication following the Salt Typhoon cyberattack. By 2026, multiple countries including the UAE, India, and the Philippines will phase out SMS OTP for financial services.
If you're still relying on SMS authentication to protect your customers' accounts, here's what you need to know.
Why regulators are banning SMS authentication
The shift away from SMS authentication isn't just a security recommendation anymore. It's becoming law.
The UAE became the first country to implement a complete ban. In June 2025, the Central Bank of the UAE issued a directive requiring all licensed financial institutions to eliminate SMS and email OTPs by March 31, 2026. This isn't just about compliance. The regulation includes an immediate liability shift that took effect in July 2025, meaning financial institutions must fully refund customers for any fraud involving SMS OTPs.
The urgency is driven by hard numbers. Over 40,000 people were scammed in the UAE during 2023 alone, losing an average of $2,194 each. Fraud jumped 43% year over year, with SMS OTP serving as the primary attack vector.
India took a different approach. On September 25, 2025, the Reserve Bank of India released new authentication rules effective April 1, 2026. While not an outright ban, the regulations force banks to offer stronger alternatives and prohibit relying on SMS as the sole authentication method. Every digital payment now requires two different verification methods, with at least one being dynamic and transaction-specific.
The Philippines followed with direct action against shared credentials. The Bangko Sentral ng Pilipinas issued Circular No. 1213 in June 2025, instructing banks to "limit the use of authentication mechanisms that can be shared with, or intercepted by, third parties unrelated to the transaction." The deadline is June 2026.
In the United States, federal agencies are leading the way. The USPTO discontinued SMS authentication on May 1, 2025. FINRA retired SMS as an acceptable option in July 2025. Microsoft mandated stronger authentication for Microsoft 365 admin accounts starting February 2025.
The pattern is clear. SMS authentication is being systematically eliminated from high-security environments worldwide.
The FBI and CISA warning that changed everything
In December 2024, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) issued an unprecedented warning to Americans. Stop using SMS for two-factor authentication.
CISA's Mobile Communications Best Practice Guidance stated bluntly: "Do not use SMS as a second factor for authentication. SMS messages are not encrypted. A threat actor with access to a telecommunication provider's network who intercepts these messages can read them."
This warning came in response to the Salt Typhoon cyberattack, where Chinese state-affiliated hackers infiltrated multiple major U.S. telecommunications networks including AT&T, Verizon, T-Mobile, and Lumen Technologies. The attackers gained access to customer call records and metadata for millions of users, unencrypted text messages including authentication codes, and even the actual content of calls and texts for targeted individuals.
The scale was massive. The FBI confirmed this was a "broad and significant cyber-espionage campaign," and emphasized that the adversaries remain "tenacious and sophisticated."
The FBI and CISA warnings aren't entirely new concerns. The National Institute of Standards and Technology (NIST) removed SMS from its list of recommended authentication methods back in 2016. NIST's Digital Identity Guidelines cited SMS's fundamental weaknesses and recommended organizations move to more secure methods.
In July 2025, NIST released SP 800-63-4, representing a fundamental shift in authentication standards. The key change is that AAL2 (multi-factor authentication) must now offer a phishing-resistant option. SMS OTP doesn't qualify.
How SMS authentication gets compromised
SMS authentication has multiple attack vectors, each well-documented and actively exploited by criminals.
SIM swapping has become one of the most damaging attacks. Criminals convince your mobile carrier to transfer your phone number to a SIM card they control. Once successful, they receive all your text messages, including authentication codes. The FBI reported that SIM swapping attacks alone cost victims $48 million in 2023. The attack works because SMS authentication assumes that possession of a phone number equals identity verification. That assumption is fatally flawed.
The underlying telecommunications infrastructure itself has known security flaws. The Signaling System 7 (SS7) protocol, which SMS relies on, allows attackers with access to telecommunications infrastructure to intercept SMS messages in transit, redirect messages to different devices, and read message content without alerting the sender or recipient. These aren't theoretical vulnerabilities. The Salt Typhoon attack demonstrated that state-level actors actively exploit these weaknesses at scale.
Phishing and social engineering remain effective even when SMS delivery works perfectly. Attackers trick users into sharing their codes through fake login pages that capture both passwords and OTP codes, SMS phishing messages that appear to come from legitimate services, and man-in-the-middle attacks that intercept codes on compromised devices. A 2025 FIDO Alliance survey found that over 35% of consumers had at least one account compromised in the past year. The combination of weak passwords and phishable SMS codes creates a perfect storm for account takeovers.
Beyond security concerns, SMS authentication suffers from operational problems. SMS OTPs have a 20% failure rate for delivery. Messages get delayed during network congestion, become completely unavailable in areas with poor cellular coverage, and are sometimes blocked by carrier spam filters. When authentication fails, frustrated users either give up or contact support, driving up operational costs.
The hidden costs of SMS authentication
SMS OTPs create financial burdens beyond the obvious per-message fees.
Direct transaction costs for SMS authentication range between $0.01 and $0.20 per message, varying by region and provider. For businesses with millions of users, these costs add up quickly. Twitter (now X) reportedly lost $60 million annually to SMS fraud alone. Air New Zealand saved 90% on authentication costs by switching to passkeys and WhatsApp OTP. Enterprises sending millions of OTPs monthly face authentication expenses that can reach hundreds of thousands of dollars annually. International SMS messages cost 2-5x more than domestic messages, making global operations particularly expensive.
Fraud creates additional losses beyond the direct costs. SMS traffic pumping, where attackers generate fake OTP requests to inflate costs, can drive SMS expenses through the roof. With a 20% SMS OTP failure rate, providers often bill businesses for multiple attempts, effectively double-dipping on transaction costs.
Support and operational overhead compound the problem. Failed SMS deliveries generate support tickets that require customer service intervention. Organizations using SMS OTP report that credential-related support calls account for a significant portion of their customer service load, adding substantial operational costs to the direct per-message fees.
What should replace SMS authentication
The good news is that several proven alternatives offer better security, lower costs, and improved user experience.
Passkeys represent the most secure replacement for SMS OTPs. They leverage public-key cryptography to create phishing-resistant authentication that can't be intercepted, stolen, or shared. Users authenticate with biometrics (Face ID, fingerprint) or device PIN. A cryptographic key pair is generated, with the private key never leaving the user's device. Authentication happens locally, eliminating network vulnerabilities.
The benefits are substantial. Passkeys are phishing-resistant, meaning even sophisticated attackers can't intercept them. They're cost-effective with a one-time integration cost and zero per-login fees, saving up to 90% compared to SMS. Average sign-in time drops to 14 seconds versus 23 seconds for SMS OTP, and first-try success rates hit 100% compared to 94% for SMS.
Major platforms have integrated passkey support. Apple, Google, and Microsoft now offer passkey functionality in their operating systems and browsers, meaning 99% of users already have devices capable of using passkeys. Leading organizations are seeing measurable results. Banking institutions report 30% reductions in authentication failures. Customer support calls related to authentication drop by 70%. Login times improve by 30% or more.
Want to see how passkeys work? Try our interactive passkey demo.
TOTP authenticator apps like Google Authenticator, Authy, and Microsoft Authenticator generate codes locally on the user's device. Unlike SMS, these codes never travel across vulnerable networks, work offline without cellular connection, and can't be intercepted through SIM swapping. However, TOTP codes are still vulnerable to phishing. If a user enters a TOTP code on a fake website, attackers can use it immediately. CISA notes that "while authenticator codes are better than SMS, they are still vulnerable to phishing. Only FIDO authentication is phishing-resistant."
For organizations not ready for full passkey deployment, WhatsApp OTP provides a middle ground. End-to-end encryption protects messages in transit. Costs typically run 50% less than SMS at $0.005-$0.10 per message. With over 3 billion active users worldwide already having the app, adoption barriers are low. WhatsApp OTP also delivers higher reliability than traditional SMS, making it an effective transitional solution while building toward full passkey implementation.
Push authentication sends a notification directly to the user's registered device. The user approves or denies the authentication request with a simple tap, often combined with biometric verification. This approach eliminates message delivery delays, costs less than SMS with no per-message fees, provides a better user experience with one-tap approval, and works through encrypted app-to-app communication.
Modern devices include built-in biometric capabilities including fingerprint scanning, facial recognition, and iris scanning on supported devices. When combined with passkeys or used for step-up authentication, biometrics provide strong security without requiring users to remember or type anything.
Other alternatives like email OTP and magic links can also play a role in a comprehensive authentication strategy, though they don't offer the same level of security as passkeys.
Implementation strategy for moving beyond SMS
Transitioning away from SMS authentication requires planning, but the process is straightforward.
Start by mapping where SMS OTPs are currently used. Look at primary login authentication, step-up authentication for sensitive actions, account recovery flows, and new device verification. Identify your highest-priority use cases and focus first on scenarios involving financial transactions or sensitive data access.
Don't force users to switch overnight. Instead, offer passkeys alongside existing methods. Add passkey enrollment to account settings and prompt users to create passkeys during secure sessions. Use progressive enrollment by suggesting passkeys after successful logins. This approach allows early adopters to benefit immediately while giving others time to adapt.
Use targeted prompts to increase adoption. Show users the security and convenience benefits, highlight the cost savings through faster logins and fewer support issues, and consider offering incentives for early adopters if appropriate. Organizations implementing passkeys report 10x higher adoption rates when using intelligent enrollment strategies versus basic DIY approaches.
Once adoption reaches critical mass (typically 60-70%), begin deprecating SMS. Stop offering SMS as an option for new accounts, send migration reminders to remaining SMS users, set a sunset date for SMS authentication, and provide clear communication about alternatives.
CISA emphasizes an important security consideration worth repeating. Just because you've enrolled in an authenticator app doesn't mean you've fully unenrolled from SMS. Many systems keep SMS as a fallback option even after users enable stronger methods. This creates a backdoor for attackers. When implementing new authentication methods, ensure you completely disable SMS fallback to eliminate this vulnerability.
Regional compliance considerations
Different regions have different requirements and timelines that organizations need to understand.
UAE financial institutions face the strictest requirements. The deadline is March 31, 2026, with a requirement for complete elimination of SMS and email OTPs. The liability implications are immediate and severe. Financial institutions must provide full refunds for 3DS fraud involving SMS OTPs, a requirement that took effect in July 2025. Acceptable methods under the new regulations include FIDO2/passkeys, biometrics, and in-app authentication.
India's digital payment regulations take effect April 1, 2026. The requirement mandates two different authentication methods with at least one being dynamic. Acceptable methods include passkeys, biometrics, app-based authentication, and hardware tokens. While not banning SMS outright, the regulations effectively force institutions to offer and encourage stronger alternatives.
The Philippines banking sector must comply by June 2026 with regulations that eliminate authentication methods that can be shared or intercepted. Acceptable methods mirror those in other jurisdictions and include passkeys, biometrics, and hardware tokens.
The European Union continues to evolve its approach under PSD2. While SMS OTPs aren't completely banned, the regulatory environment is increasingly restrictive and discourages their use. SMS can only serve as a possession factor and cannot meet dynamic linking requirements. Most importantly, SMS content must be encrypted for payment authentication, which is impractical to implement. While technically compliant in very limited scenarios, SMS OTPs are becoming a liability rather than an asset for EU banks focused on regulatory adherence and customer security.
In the United States, various federal agencies have already phased out SMS authentication. NIST SP 800-63-4 requires that AAL2 implementations offer phishing-resistant options. The trend suggests more agencies will prohibit SMS during 2026, making proactive migration the prudent strategy for organizations serving U.S. customers or partners.
Waiting is no longer an option
SMS authentication served a purpose when it was introduced, offering an accessible way to add a second factor to account security. But the threat landscape has evolved, and SMS hasn't kept pace.
The vulnerabilities are well-documented and the attacks are happening at scale. The regulatory response is clear and accelerating across multiple jurisdictions.
Organizations that continue relying on SMS authentication face increased fraud losses, regulatory non-compliance in multiple jurisdictions, higher operational costs, liability for fraud that could have been prevented, and competitive disadvantage as users expect better security.
The alternatives are mature, proven, and often cheaper than SMS. Passkeys, in particular, offer superior security, better user experience, and significant cost savings.
The question isn't whether to move away from SMS authentication. It's how quickly you can make the transition.
.svg)
