SMS OTP and SIM swap: why text-message codes are not enough
A code texted to a phone is the second factor most customers have used, and it is meaningfully better than a password alone. It is also the weakest of the common factors, for two reasons that have nothing to do with how careful the customer is. The phone number is not a channel you control, and the code can be stolen while it is still valid.
Failure one: the channel is not yours
A phone number is assigned by a mobile carrier, and a carrier can be convinced to move it. In a SIM swap, an attacker uses social engineering, a bribed insider, or forged identity documents to have the victim’s number ported to a SIM they control. From that moment every call and text, including your authentication codes, goes to the attacker. The customer often notices only when their own phone loses signal, which is usually too late. Network-level interception of SMS is also possible without touching the SIM at all. Either way, you are trusting a delivery path that a third party can reassign.
Failure two: the code is phishable in real time
Even when the SMS reaches the right phone, the code is a secret the customer can be tricked into handing over. A phishing site that proxies the real login asks for the code, the customer types it, and the attacker replays it within its short validity window. This is why SMS OTP is not phishing-resistant: the human is in the loop, and the human can be deceived. The same weakness applies to app-generated one-time passwords, though those at least remove the SIM-swap channel risk.
Why it persists anyway
SMS OTP survives because it is universal, needs no app install, and lifts security over a bare password, so it still converts well at sign-up. For low-value accounts that trade-off can be defensible. The mistake is treating it as sufficient protection for accounts that hold money, personal data, or loyalty value, where the attacker has a real incentive to run a SIM swap or a live phishing proxy. It is a floor, not a ceiling, on the MFA ladder.
The stronger direction
The durable fix is a phishing-resistant factor. Passkeys and FIDO2 security keys bind the credential to the real domain, so nothing phishable is ever typed and a proxy site cannot use them. Where passkeys are not yet an option, an authenticator-app code or a push approval with number matching beats SMS, because it removes the carrier from the trust path. The full ladder and the recovery story are in passwordless and passkeys.
What CIAM should do
Match the factor to the value of the account rather than using one method everywhere. Keep SMS as an enrollment-friendly fallback, but require a stronger, phishing-resistant factor before high-value actions through step-up. Feed SIM-swap and risk signals into adaptive authentication, and treat a recent SIM change like any other elevated-risk event. The wider takeover picture is in account takeover and fraud.
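The policy described above, as an added example that is not part of the original page: a small step-up evaluator that matches the required factor strength to the action's value tier, stops counting SMS once the carrier reports a recent SIM change, and raises the bar for that session like any other elevated-risk event. The tiers, strength ordering and the 14-day SIM-change window are constructed assumptions, not figures from the page.

```python
from dataclasses import dataclass
from typing import Optional

# Factor strengths, weakest to strongest. SMS OTP is the floor of the ladder.
STRENGTH = {"password": 0, "sms_otp": 1, "totp": 2, "push_number_match": 2, "passkey": 3}
# Constructed policy: minimum strength an action tier needs before it may proceed.
TIER_MIN_STRENGTH = {"low": 1, "medium": 2, "high": 3}
# Canonical factor to request when stepping up to a given strength level.
STEP_UP_FOR = {1: "sms_otp", 2: "totp", 3: "passkey"}
# Constructed threshold (assumption): a SIM change this recent is an elevated-risk event.
SIM_CHANGE_WINDOW_DAYS = 14

@dataclass
class Session:
    factors: set                         # factors already satisfied in this session
    sim_changed_days_ago: Optional[int]  # carrier signal; None means unavailable

@dataclass
class Decision:
    allow: bool
    step_up_to: Optional[str]  # factor to demand before the action is retried
    reason: str

def recent_sim_change(session: Session) -> bool:
    d = session.sim_changed_days_ago
    return d is not None and d <= SIM_CHANGE_WINDOW_DAYS

def decide(session: Session, tier: str) -> Decision:
    """Match the factor to the value of the action, not one method everywhere."""
    if tier not in TIER_MIN_STRENGTH:
        raise ValueError(f"unknown action tier: {tier}")
    required = TIER_MIN_STRENGTH[tier]
    usable = set(session.factors)
    notes = []
    if recent_sim_change(session):
        # The number may now belong to someone else: SMS proves nothing, and
        # the event raises the bar for every action, like any other risk signal.
        usable.discard("sms_otp")
        required = min(required + 1, 3)
        notes.append("recent SIM change")
    have = max((STRENGTH[f] for f in usable if f in STRENGTH), default=-1)
    if have >= required:
        return Decision(True, None, "; ".join(notes) or "factor strength sufficient")
    # High-value actions land here unless a phishing-resistant factor was already used.
    notes.append(f"{tier} tier needs strength {required}")
    return Decision(False, STEP_UP_FOR[required], "; ".join(notes))
```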
What to ask a CIAM vendor
- Can we offer passkeys as the primary factor and demote SMS OTP to a fallback?
- Can authentication strength be tied to the value or risk of the action, not fixed per user?
- Can the platform consume SIM-swap or carrier change signals into its risk engine?
- Is push-with-number-matching or app TOTP available as a stronger non-SMS option?
The buyer takeaway: SMS OTP is a starting point, not a defense for anything worth stealing, because the channel can be reassigned and the code can be relayed. Move high-value authentication to phishing-resistant factors and keep SMS as a fallback, then run the vendor matcher.