SMS one-time passwords are the weakest form of two-factor authentication still in widespread use. NIST SP 800-63B classifies them as a “restricted” authenticator because the delivery channel — the public telephone network — was not designed for authentication and carries exploitable vulnerabilities. The two primary attacks are SIM swap fraud, which redirects your number to a device an attacker controls, and SS7 signaling exploitation, which can intercept SMS in transit without affecting your SIM at all. Phishing and real-time relay attacks round out the threat model.
Migrating high-value accounts from SMS OTP to a TOTP authenticator app or a passkey eliminates the delivery-channel risk entirely. TOTP generates codes locally on the device with no carrier involvement; passkeys (FIDO2/WebAuthn) are additionally phishing-resistant because the private key is cryptographically bound to the legitimate service domain.
This guide explains each threat in detail, covers the NIST SP 800-63B classification, and provides a concrete migration path for moving from SMS OTP to a stronger alternative.
What Makes SMS OTP Structurally Weak
An SMS one-time password depends on two assumptions: that your phone number reaches only your device, and that the message is delivered privately. Both assumptions can be broken.
The phone number assumption fails in SIM swap. Your phone number is a carrier-level identifier, not a device-level one. A carrier can reassign it to any SIM card — including one an attacker controls. The reassignment requires no access to your device and no knowledge of your passwords.
The private delivery assumption fails in SS7 exploitation. The signaling protocol that routes SMS between carriers worldwide was designed for a closed network of trusted operators in an era before adversarial network access. Entities with SS7 access can issue commands that reroute or copy your SMS without visible indication on your device.
Phishing compounds both. Even without SIM swap or SS7 access, an attacker can build a real-time phishing proxy that relays your SMS code to a target service within the code’s validity window. You enter the code into what appears to be the real login page; the proxy forwards it instantly and completes the attacker’s login.
These are not theoretical edge cases. NIST SP 800-63B restricts PSTN-based OTP because the telephone network was not designed for authentication — SIM swap and SS7 exploitation are the documented real-world attack mechanisms that make that restriction necessary.
NIST SP 800-63B: The Restricted Authenticator Classification
NIST Special Publication 800-63B — Digital Identity Guidelines: Authentication and Lifecycle Management — is the US federal standard for authenticator assurance levels. The current edition (SP 800-63B-4, 2025) defines the category of “restricted authenticators” in Section 3.2.9, with PSTN-based delivery addressed in Section 3.1.3.3.
A restricted authenticator is one the guidelines still permit, but only if the agency (or any verifier following them) also meets four conditions:
- It offers subscribers at least one alternative authenticator that is not restricted.
- It gives subscribers meaningful notice of the security risks of the restricted authenticator and of the alternatives available.
- It accounts for the additional risk in its risk assessment.
- It maintains a migration plan for the point at which the restricted authenticator is no longer acceptable.
NIST SP 800-63B identifies the public switched telephone network (PSTN) as the delivery channel under restriction, covering both SMS OTP and voice call OTP delivery. The concern is that the security of authentication depends on the PSTN, which was not built for this purpose.
The practical implication: any organization following NIST guidance must treat SMS OTP as a transitional mechanism, not a long-term security control.
SIM Swap Fraud: Redirecting Your Number
SIM swap fraud exploits the carrier’s account management process. An attacker who has gathered enough personal information — typically from data breaches, phishing, or social engineering — contacts your carrier and impersonates you to request a SIM replacement. If the agent is convinced, your number is transferred to a SIM the attacker controls.
From that moment, every SMS sent to your number arrives on the attacker’s device. Any account using SMS OTP as its second factor is now accessible: the attacker triggers a password reset, the code arrives on their device, and they set a new password before you notice your own service has been disrupted.
The visible sign of an active SIM swap is the sudden loss of mobile service on your device. Calls stop connecting. SMS stops arriving. Your phone shows no service in an area where it normally has coverage. By that point, the attacker may already have received their first authentication codes.
The FBI’s Internet Crime Complaint Center recorded 982 SIM swap complaints in the United States in 2024, with reported losses of approximately $26 million — an average of more than $26,000 per victim. The UK’s Cifas reported nearly 3,000 unauthorized SIM swaps in 2024. South Africa has documented SIM swap as a primary vector for banking fraud. The attack is not limited to any single market.
For the full attack chain and carrier-level protections (SIM locks, account PINs, port-out blocking), see the SIM Swap Fraud guide.
SS7 Signaling Vulnerabilities: Interception Without Touching the SIM
SS7 (Signaling System No. 7) is a suite of telephony signaling protocols developed from the 1970s and standardized by the ITU in the 1980s, still used to route calls and SMS between carriers worldwide. SS7 was designed for a network of trusted telecommunications operators — mutual authentication between network nodes was not built in, because the assumption was that only authorized carriers could send SS7 messages.
That assumption no longer holds. Research published by Positive Technologies in 2014, and the talks by Tobias Engel and Karsten Nohl at the 31st Chaos Communication Congress (31C3) in December 2014, demonstrated that an entity with access to an SS7 node (a rogue carrier, compromised network equipment, or a party that has bought wholesale SS7 access) can send MAP (Mobile Application Part) operations that locate a subscriber and redirect or intercept their SMS messages.
Two MAP operations do most of the work. SendRoutingInfoForSM (SRI-SM) is the query an SMS center sends to the subscriber’s home network (the HLR) to learn the subscriber’s IMSI and the address of the switch currently serving the phone; because it takes only a phone number as input, an attacker uses it as reconnaissance. The redirection itself is typically done with UpdateLocation: the attacker’s node tells the HLR that the subscriber has just roamed onto it, the HLR records the attacker’s address as the serving switch, and subsequent mobile-terminated SMS (MT-ForwardSM) for the victim are delivered to the attacker’s equipment instead of the victim’s phone.
In 2017, attackers used SS7 to intercept the SMS transaction codes (mTANs) of German online-banking customers and drain their accounts; the carrier O2 Telefónica Deutschland confirmed the attacks, which hit ordinary retail customers. Senator Ron Wyden and Rep. Ted Lieu pressed US regulators, including the FCC, on SS7 vulnerabilities in the same period, and the FCC has since formally sought comment on SS7-based attacks against US networks.
Unlike SIM swap, an SS7 attack leaves no visible sign on the victim’s device. Your phone continues to show service. Messages appear to be sent. The interception occurs in the network before the message reaches your carrier’s delivery infrastructure.
SS7-based SMS interception requires access to SS7 infrastructure, which limits it to actors with carrier-level resources. It is not a mass-scale consumer attack. However, for high-value targets — financial accounts, government personnel, individuals with significant assets — it represents a credible threat that SMS OTP cannot defend against.
Phishing and Real-Time OTP Relay
A third attack category requires neither SS7 access nor a SIM swap. A phishing proxy attack works as follows:
- The attacker creates a convincing copy of a login page (bank, email provider, or similar).
- The victim visits the fake page and enters their username, password, and — when prompted — their SMS OTP.
- The proxy relays the credentials and OTP to the real service in real time, completing a login as the victim.
- The SMS OTP is valid only for a limited window (a few minutes is typical; TOTP codes allow 30 seconds plus a small tolerance), but the relay is automated and uses the code within seconds of the victim typing it.
This attack works because SMS OTP provides no binding to the legitimate site. The code is a number; it does not encode the site’s identity or the session. The victim has no way to know the code is being used on a different session.
TOTP authenticator apps are equally vulnerable to real-time phishing proxy attacks — the 6-digit TOTP code has the same relay window problem. Passkeys (FIDO2/WebAuthn) are specifically designed to resist this attack: the private key only responds to a cryptographic challenge from the legitimate origin domain. A phishing site on a different domain receives a response that is cryptographically invalid for the real service.
Authenticator Apps (TOTP): Eliminating the Delivery Channel
A TOTP (Time-based One-Time Password) authenticator app removes the telephone network from the authentication path entirely. The app implements RFC 6238 and generates a 6-digit code every 30 seconds from a shared secret established at enrollment and the current time. The code is computed locally on the device; no SMS, no carrier, and no network connection is required. The one external dependency is the clock: the service accepts only the code for the current 30-second step and a small tolerance on either side, so a device whose time has drifted by more than a minute or so will produce codes the service rejects.
Common authenticator apps include Google Authenticator, Microsoft Authenticator, and Authy. All implement RFC 6238 and are interchangeable for most services.
What TOTP protects against:
- SIM swap: No SMS is sent, so redirecting your number accomplishes nothing.
- SS7 interception: There is no SMS to intercept.
What TOTP does not protect against:
- Real-time phishing proxy: A TOTP code can be relayed in the same way as an SMS OTP if the attacker’s fake page submits it fast enough; the code is not bound to the site or the session.
- Malware on the device that reads the authenticator app’s codes or exports its seeds.
- A breach of the service’s own database: the verifier must keep the shared secret in usable form (it is an HMAC key, not a password hash), so a server-side compromise exposes every enrolled user’s seed.
Migration steps:
- Open the target account’s security settings and select the option to add an authenticator app or change the 2FA method.
- The service displays a QR code containing the shared secret.
- Open your authenticator app and tap the option to add a new account. Scan the QR code.
- The app immediately begins generating codes. Enter the current code in the service’s enrollment flow to confirm it works.
- Download and securely store the backup codes the service provides. These are single-use recovery codes that bypass 2FA if you lose access to the authenticator.
- Once confirmed, remove SMS as the active 2FA method if the service allows it.
Migrate in priority order: primary email first (since email is used for password recovery on most other services), then banking, then any account where compromise would have serious consequences.
Passkeys (FIDO2/WebAuthn): Phishing-Resistant Authentication
Passkeys implement the FIDO2 standard, which consists of the W3C Web Authentication (WebAuthn) API and the FIDO Client to Authenticator Protocol (CTAP). They replace both the password and the second factor with a single, phishing-resistant credential.
How passkeys work:
When you register a passkey with a service, the authenticator generates an asymmetric key pair scoped to that service. The private key is held in hardware-backed storage (Secure Enclave, TPM, or the security chip in a hardware key), and use of it is gated by biometrics (fingerprint or face) or a device PIN. The service stores only the public key. With a device-bound passkey the private key never leaves the authenticator; with a synced passkey it is replicated to your other devices through the platform’s end-to-end encrypted credential store (for example iCloud Keychain or Google Password Manager), but it is still never sent to the service.
When you authenticate, the service sends a challenge. Your device signs the challenge with the private key after verifying your biometrics or PIN. The service verifies the signature with the stored public key. No code is generated or transmitted.
Phishing resistance: The credential is bound to the service’s relying party ID (its registrable domain), and the browser, not the page, records the actual origin and the server’s challenge in the client data that the authenticator signs. A phishing site on a different domain cannot invoke the credential at all, and even a proxy that relays the real server’s challenge obtains a signature over the wrong origin, which the service rejects. The relay attack that works against SMS OTP and TOTP codes therefore does not work against passkeys.
Current support: Passkey support varies by service. As of 2024–2025, the major platforms (Google, Apple, Microsoft) and a growing number of banks and web services offer passkey enrollment in account security settings. passkeys.dev, run by the FIDO Alliance together with the W3C WebAuthn community group, documents browser and platform support; community-maintained directories such as passkeys.directory track which services accept passkeys.
Hardware security keys (such as YubiKey or Google Titan Key) implement the same FIDO2 standard using a physical device rather than the platform authenticator. They provide the same phishing resistance properties and work across devices without requiring device-specific enrollment.
If SMS Is Your Only Option
Some services do not offer TOTP or passkey alternatives. When SMS OTP is the only available second factor:
Enable your carrier’s SIM lock. All major US carriers offer a free account lock feature that blocks unauthorized SIM swaps and number port-outs. AT&T’s Wireless Lock, Verizon’s SIM Protection and Number Lock, and T-Mobile’s SIM lock all block the social engineering step that enables SIM swap. Carriers in other countries offer equivalent features under various names — check your carrier’s account security settings. Under FCC rules effective in 2025, US wireless providers are required to offer customers a free account lock option.
Set a carrier account PIN. A separate PIN (distinct from your screen lock) that carrier agents must verify before making account changes adds an additional barrier to impersonation. Choose a PIN that is not derivable from publicly available information — not your birthday, address, or national ID digits.
Enable carrier notifications for SIM changes. Many carriers send immediate alerts when a SIM swap or port-out is requested. Enabling these notifications gives you a narrow window to contact your carrier and halt an attack before it completes.
Use a number not publicly associated with your identity for accounts where SMS OTP is mandatory. A number used only for authentication and not shared on social media or public registrations is harder for attackers to target by name.
These measures reduce SIM swap risk substantially. They do not address SS7 interception, which requires carrier-level resources to exploit and is a less common threat for most individuals.
For SIM lock setup instructions by carrier, see the SIM Lock guide.
If you suspect an active SIM swap — sudden loss of mobile service is the primary real-time indicator — act immediately:
- Call your carrier from a landline or a different phone. Report the unauthorized SIM swap and ask them to reverse it and lock the account against further changes.
- From a device not dependent on your phone number, change your primary email password first. Email is the recovery path for most other accounts.
- Revoke active sessions on banking, email, and any account that used SMS 2FA. Most services offer a “sign out all devices” option in security settings.
- Re-enroll each account with an authenticator app or passkey as you regain access.
- File a report with the relevant authority:
- United States: FBI IC3 at ic3.gov; FTC at reportfraud.ftc.gov
- United Kingdom: Action Fraud at actionfraud.police.uk
- Australia: ReportCyber at cyber.gov.au
- Other markets: your national cybercrime reporting agency
If you travel internationally and rely on SMS OTP, see How to Receive SMS 2FA Codes Abroad for roaming configuration guidance.
Authenticator method comparison:
| Method | SIM Swap Risk | SS7 Interception Risk | Phishing Resistance | Works Offline |
|---|---|---|---|---|
| SMS OTP | High | Present | None | No |
| TOTP (authenticator app) | None | None | Low (relay window) | Yes |
| Passkey / FIDO2 hardware key | None | None | High (origin-bound) | Yes (auth step) |
The migration priority is: passkey where supported → TOTP authenticator app → SMS OTP with carrier lock and PIN enabled.
For MNP (number portability) and its implications for phone number security when switching carriers, see the MNP guide. For device and SIM PIN security features, see the IMEI, PIN, and PUK guide.
Frequently Asked Questions
The questions below address the most common points of confusion about SMS OTP security and the migration to stronger alternatives. For SIM-swap-specific questions, additional detail is in the SIM Swap Fraud guide.
Why does NIST classify SMS OTP as a restricted authenticator?
NIST SP 800-63B (current edition: SP 800-63B-4, 2025) designates SMS OTP as a restricted authenticator because the delivery channel — the public switched telephone network — was not designed for authentication. The restriction is grounded in the PSTN’s structural inability to provide authentication-grade security; SIM swap and SS7 exploitation are the documented real-world attack mechanisms. Agencies subject to NIST guidelines must offer users an alternative authenticator and provide a migration path away from SMS OTP.
What is SS7 and how can it be used to intercept SMS?
SS7 (Signaling System No. 7) is the protocol suite that routes calls and SMS between carriers worldwide, developed from the 1970s and standardized by the ITU in the 1980s for a closed network of trusted operators. It has no strong mutual authentication between network nodes. An entity with SS7 access can send MAP operations that the victim’s home network treats as legitimate: SendRoutingInfoForSM to learn the victim’s IMSI and serving switch from nothing more than the phone number, then UpdateLocation to register the attacker’s node as the subscriber’s current location. From then on the home network forwards the victim’s SMS, one-time passwords included, to attacker-controlled equipment, with no visible indicator on the victim’s device.
Is SMS 2FA better than no 2FA at all?
Yes. CISA states that enabling any form of MFA substantially reduces the risk of account compromise from automated attacks. The recommendation to move away from SMS OTP applies specifically to high-value accounts where an attacker has strong motivation to invest in SIM swap or SS7 exploitation. For most accounts, SMS OTP is a meaningful improvement over a password alone.
How do I migrate from SMS 2FA to a TOTP authenticator app?
In the account’s security settings, select the option to add an authenticator app. Scan the QR code with your authenticator app (Google Authenticator, Microsoft Authenticator, or Authy). Enter the code displayed to confirm enrollment. Save the backup codes the service provides in a password manager or secure offline location. Remove SMS as the active 2FA method once the authenticator is confirmed working.
What is a passkey and how is it different from a TOTP code?
A passkey uses FIDO2/WebAuthn public-key cryptography. The private key stays within your authenticator (or, for synced passkeys, within the platform’s end-to-end encrypted credential store), protected by biometrics or a PIN, and is never sent to the service. Authentication is a signed response to a fresh challenge from the service; no code is generated or typed. Unlike TOTP, passkeys are origin-bound: the browser includes the actual page origin in the signed data and only offers the credential on the registered domain, which blocks the phishing proxy relay that works against both SMS OTP and TOTP codes.
What should I do if SMS is the only 2FA option available?
Enable your carrier’s SIM lock feature (AT&T Wireless Lock, Verizon SIM Protection, T-Mobile SIM Lock, or your carrier’s equivalent) to block unauthorized SIM swaps. Set a carrier account PIN. Enable carrier notifications for SIM changes. Use a phone number not publicly associated with your identity for mandatory SMS OTP accounts. These steps substantially reduce SIM swap risk. SS7 interception risk requires carrier-level resources to exploit and affects a narrower threat population.
Related Guides
- How to Receive SMS 2FA Codes Abroad — Configuration for SMS OTP delivery while traveling internationally
- SIM Swap Fraud: How It Works and How to Protect Yourself — Full SIM swap attack chain, carrier lock setup, and immediate response steps
- SIM Lock: How to Lock Your SIM Card — Carrier SIM lock and account lock by carrier
- What Is MNP (Mobile Number Portability)? — How number porting works and its implications for phone number security
- IMEI, SIM PIN, and PUK Explained — Device and SIM-level identifiers and PIN security