SMS OTP – A simple guide for 2023 - The SMS Works (2024)

SMS OTP (one time password) is a secure 2 factor authentication method where a text containing a unique alphanumeric or numeric code is sent to a mobile number (MSISDN).

The recipient then uses this code or password as an additional layer of security to log in to a service, website or app. Because mobile numbers are universally unique, it provides a way for site owners to confirm that the person accessing their services is the same person who signed up for them.

SMS OTP has become common when logging into banks or any financial services account. In the UK and EU new laws came into effect in March 2022 requiring all banks to have some form of Strong Customer Authentication (SCA) when logging in or making a purchase.

Increasingly, non-financial organisations are also using SMS OTP to increase their security. The primary use cases are:

  • Two-Factor Authentication – asking users to provide two methods to verify their identity.
  • Mobile Number Validation – used where the mobile number is the primary identity, such as in parking apps. This also occurs where users set up their devices for later 2FA transactions.
  • Payment Confirmation – supporting legal requirements to increase security around payments.
  • Account Recovery – used to help re-establish access to sites and apps when the primary method of authentication has been forgotten or lost.

MEF survey reveals popularity of SMS OTP

In a recent survey conducted by Mobile Ecosystem Forum (MEF), 450 organisations revealed some very striking statistics about the use of SMS OTP.

93% of enterprises worldwide use SMS OTP for some aspect of verification.

Of those organisations questioned, 100% of UK enterprises use SMS OTP.

For how long is an SMS OTP valid?

An SMS OTP is normally valid for between 2 and 5 minutes, after which it will expire and can no longer be used.

There would normally be an option for the customer to generate a new SMS OTP if they were too slow to enter the first one they received.

SMS message delays can cause issues as the code could expire before the user has had a chance to use it.
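
The validity window described in this section, shown as server-side logic. This is an added example, not code from The SMS Works' platform; the `OtpStore` class, the 6-digit code length, the 3-attempt limit and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # upper end of the 2-5 minute window described above
MAX_ATTEMPTS = 3        # assumption: drop the code after 3 wrong guesses
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret for the digest


class OtpStore:
    """In-memory store holding one pending code per MSISDN (assumed design)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # msisdn -> [digest, expires_at, attempts_left]

    def _digest(self, msisdn, code):
        # Bind the code to the number so it cannot be used for another one.
        msg = f"{msisdn}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def issue(self, msisdn):
        """Create a fresh code; any earlier code for this number is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, keeps leading zeros
        expires = self._clock() + OTP_TTL_SECONDS
        self._pending[msisdn] = [self._digest(msisdn, code), expires, MAX_ATTEMPTS]
        return code  # hand this to the SMS gateway; do not log it

    def verify(self, msisdn, code):
        entry = self._pending.get(msisdn)
        if entry is None:
            return "no_code"
        digest, expires, attempts_left = entry
        if self._clock() > expires:
            del self._pending[msisdn]
            return "expired"  # the user must request a new code
        if hmac.compare_digest(digest, self._digest(msisdn, code)):
            del self._pending[msisdn]  # single use
            return "ok"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self._pending[msisdn]
            return "locked"
        return "wrong"
```

Because a delayed text can arrive after the window has closed, the `expired` result is the point at which the application should offer the customer a new code.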

Why is SMS used for one time password authentication?

Although SMS does have some security issues and is by no means perfect as a solution for delivering OTPs to customers, it’s still the most popular choice for most organisations.

Why is this?

Well, SMS is the only communication channel that can be used by every single person who owns a phone.

There’s no special app to download, no compatibility issues to worry about. It’s simple, reliable and everyone understands it.

On top of that, SMS OTP is gloriously easy to deploy. All you need is integration to an SMS API or CPaaS and you can be up and running in a few hours. There are also plenty of off the shelf SMS OTP providers so you don’t need to get bogged down in writing your own systems or code.

Security concerns about SMS OTP

A security flaw in the mobile network SS7 routing protocol could potentially allow cyber criminals to access and reroute SMS messages.

If they were able to access a text containing an OTP code, then they could potentially access bank accounts and illegally transfer funds.

As Zak Doffman, Forbes cybersecurity contributor said,

The greatest benefit with SMS is also its greatest weakness. It works across all apps and platforms and doesn’t rely on any specific ecosystem.

But, behind the façade, the SMS system over which those codes are being sent is wide open.

Hacks and phishing attacks on SMS are rare but they do happen and despite generating some alarming headlines, the real risk of becoming a victim of an SMS hack is overstated.

The chances of being hacked and stolen from in this way are extremely remote and we shouldn’t waste our time worrying that we’re on the verge of being hacked into.

In the MEF survey about SMS OTP, 89% of organisations in the banking sector expressed concerns about the security of using SMS as a route for delivering OTPs.

It’s not perfect but SMS OTP is a pragmatic solution and far better than no 2FA solution at all.

SMS pumping – a new threat to SMS OTP

SMS pumping is a relatively new menace for users of SMS OTP. It happens when fraudsters target web forms that generate an outbound SMS. Usually this is an SMS OTP used for 2 factor authentication.

The fraudsters ambush the form by generating large numbers of outbound texts, sent to mobile numbers on a specific network. The network has a revenue share in place, so that the scammers can generate a revenue stream from the OTP texts.

This issue could pose a genuine threat to users of SMS OTP in 2023 and beyond and developers need to make sure that their systems detect and halt any possible attacks.
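
One way to detect and halt the pattern described above, where many OTP requests target numbers in one range, is to count recent sends per number prefix and per client before each text goes out. This is an added example, not code from The SMS Works; the `PumpingGuard` class, the thresholds, the 7-digit prefix and the sample traffic are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumption: look back 10 minutes
MAX_PER_PREFIX = 5     # assumption: OTP sends allowed per number prefix
MAX_PER_CLIENT = 3     # assumption: OTP sends allowed per client IP
PREFIX_DIGITS = 7      # assumption: leading digits standing in for a number range


class PumpingGuard:
    """Sliding-window counters checked before each outbound OTP text."""

    def __init__(self):
        self._by_prefix = defaultdict(deque)
        self._by_client = defaultdict(deque)

    @staticmethod
    def _recent(q, now):
        # Drop timestamps that fell out of the window, return what is left.
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def allow(self, now, client_ip, msisdn):
        """Return (allowed, reason). Blocked requests are not counted as sends."""
        prefix = msisdn.lstrip("+")[:PREFIX_DIGITS]
        pq, cq = self._by_prefix[prefix], self._by_client[client_ip]
        if self._recent(pq, now) >= MAX_PER_PREFIX:
            return False, f"prefix {prefix} over limit"
        if self._recent(cq, now) >= MAX_PER_CLIENT:
            return False, f"client {client_ip} over limit"
        pq.append(now)
        cq.append(now)
        return True, "ok"


def replay(requests):
    """Run (time, client_ip, msisdn) tuples through a fresh guard."""
    guard = PumpingGuard()
    return [guard.allow(t, ip, num)[0] for t, ip, num in requests]


# Constructed sample traffic. Eight requests from rotating IPs hit consecutive
# numbers in one made-up range, then an unrelated user asks for a code.
SAMPLE = [(1000 + i, f"198.51.100.{i}", f"+99900012{i:02d}") for i in range(8)]
SAMPLE.append((1010, "203.0.113.9", "+447700900123"))
```

Replaying `SAMPLE` lets the first five sends to the shared prefix through, blocks the next three, and still serves the unrelated user; a blocked request should also raise an alert so the form can be investigated.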

Examples of SMS OTP

Here are a few examples of SMS OTPs used by various organisations.
The aim is to make the text as simple as possible to understand with no scope for misinterpretation by the customer.

How do you set up SMS OTP?

There are dozens of companies offering SMS OTP services.

The main thing you need to decide is whether you want to build your own system, including generating unique codes or whether you want a complete off the shelf solution.

Off the shelf solutions will tend to be more expensive and have less flexibility but will be quick and easy to deploy.

Building your own SMS OTP system will certainly give you greater control but you have to factor in the development and maintenance costs.

Implement your own SMS OTP platform with our SMS OTP service

If you want to explore SMS OTP, then please feel free to use our SMS one time password platform. Once you’ve set up a free text account, we’ll add some free SMS credits for testing so you can trial us at no cost.

We’re really sharp on support too, so we’ll be standing by to answer any queries that may crop up.

Each SMS you send costs 3.45 pence but can be less if you’re sending larger volumes. Our SMS pricing page will provide you with the details.

Related articles

Complete Guide to 2fa SMS: A deep dive into SMS 2fa. What can it be used for and what are your options?

Formatting OTP SMS. A comprehensive guide for developers.

Is SMS Encrypted? How secure is SMS to use for your one time passwords? Could SMS be hacked and what are the risks?

Having UK based servers and data centres is now an essential part of being an SMS API provider. Does it matter if your SMS OTPs are sent via international data centres?

Author: Mrs. Angelic Larkin
