Panel: RCS-Based Verification vs Insecure SMS OTPs
Here’s a number that should bother you: SMS-based one-time passwords remain the default second factor for the vast majority of consumer authentication flows. Banks, healthcare portals, government services, e-commerce platforms. Most still send a six-digit code over a protocol designed in the 1980s. No encryption. None.
NIST formally classified SMS OTP as a “restricted authenticator” in SP 800-63B Revision 4. That’s bureaucratic language for “we don’t trust this anymore, and neither should you.”
They’re right.
Three Attack Vectors That Aren’t Going Anywhere
SIM Swapping
The mechanics are almost embarrassingly simple. An attacker calls your carrier’s support line, spins a story about a lost phone, and convinces the rep to port your number to a new SIM. Once that happens, your texts — including OTPs — go to them.
Why does this keep working? Carrier support staff get measured on call resolution speed, not security. A decent cover story and some personal details scraped from LinkedIn or a breach dump will do the trick. The FCC pushed new rules requiring identity verification before port-out requests; enforcement has been spotty and attackers adjust faster than regulators can write guidance.
It used to be targeted. Crypto whales, executives, journalists. Not anymore. SIM swap services sell openly on Telegram — $50 to $100 per swap, sometimes less. That’s the going rate for bypassing your second factor.
SS7 Exploits
SS7 (Signaling System 7) routes calls and texts between carriers. Designed in the 1970s for a closed network of trusted telecom operators. The problem: today’s network connects hundreds of carriers, MVNOs, and third-party providers, many with questionable security practices.
With SS7 access, an attacker intercepts SMS messages without touching the victim’s phone or SIM card. No malware needed. In 2024, a European banking attack drained millions from accounts protected by SMS 2FA using exactly this technique. The victims never noticed; their phones showed nothing unusual.
Government surveillance agencies have leaned on SS7 for location tracking for years (an estimated 2.3 million location requests per month flow through some networks). The protocol has zero authentication. If you can reach the network, you’re trusted. Full stop.
Phishing
No technical exploit necessary. User gets a text: “Your account has been compromised, enter your code here.” User clicks. User types the OTP they just received into the attacker’s page. Attacker replays it against the real service within the validity window.
Real-time phishing proxies have made this disturbingly automated. The victim thinks they’re logging into their bank; the proxy authenticates with the real bank simultaneously, using the victim’s credentials and OTP in real time. The whole thing takes seconds.
NIST and the Regulatory Shift
NIST classifying SMS as restricted carries real weight. Federal agencies follow NIST guidelines, and the private sector watches closely. FINRA dropped SMS OTPs for broker-dealer authentication in 2025. The US Patent and Trademark Office did the same. Singapore, India, and Malaysia all issued guidance pushing financial services away from SMS-based auth.
Google dropped SMS OTPs for Gmail login too, replacing them with QR code verification. When a company processing billions of auth events daily decides SMS doesn’t cut it, that’s a signal worth paying attention to.
The regulatory direction points one way: SMS OTP lives on borrowed time.
RCS OTP: The Practical Middle Ground
So what fills the gap? FIDO2/WebAuthn sits at the top — hardware-backed, phishing-resistant, no shared secrets. But FIDO2 demands user enrollment, device support, and enough user education that mass-market deployment remains a stretch. Great for high-security environments; not yet realistic as the default for every app currently relying on SMS OTP.
RCS-based OTP delivery occupies the space between “what we have” and “what we want.” And honestly, the upgrade is bigger than most people realize.
Verified sender branding. An RCS OTP arrives from a verified business profile — company logo, brand colors, verification checkmark. Users can confirm legitimacy before entering any code. Compare that to an SMS from a random short code (or worse, a spoofed number).
Encryption in transit. RCS messages get encrypted between the sender and carrier infrastructure. Not end-to-end in every case — that depends on the implementation and carrier — but categorically better than SMS traveling in plaintext across SS7.
Delivery receipts. The sender knows whether the OTP landed and got read. With SMS, you’re guessing. Delivery failures surface only when users complain.
No message splitting. SMS caps at 160 characters per segment. An OTP message with any context (“Your verification code for [Service] is 123456. This code expires in 10 minutes.”) often splits across multiple texts, arriving out of order. RCS has no such constraint.
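To make the splitting problem concrete, here is a small segment counter, added as an example for this post and not code from it or from any messaging provider. It applies the standard GSM 03.38 rules: basic characters cost one septet, extension characters (such as the square brackets in the template above) cost two, a single GSM-7 SMS carries 160 septets and each concatenated part 153; any character outside GSM-7 pushes the whole message to UCS-2, where a single SMS holds 70 code units and each part 67. The two sample bodies are constructed: the post's template, and the same template with one curly apostrophe, which is all it takes to halve the budget and split the message.

```python
"""SMS segment counter for OTP message bodies (added example, not from the post)."""
import math
from typing import Optional, Tuple

# GSM 03.38 basic character set: one septet each.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension table: an escape septet plus the character, so two septets each.
GSM7_EXT = set("^{}\\[~]|€\f")


def gsm7_septets(text: str) -> Optional[int]:
    """Septets needed to encode text in GSM-7, or None if any character cannot be."""
    total = 0
    for ch in text:
        if ch in GSM7_BASIC:
            total += 1
        elif ch in GSM7_EXT:
            total += 2
        else:
            return None
    return total


def sms_segments(text: str) -> Tuple[str, int, int]:
    """Return (encoding, code units, number of SMS segments) for one message body."""
    septets = gsm7_septets(text)
    if septets is not None:
        encoding, units, single, part = "GSM-7", septets, 160, 153
    else:
        # UCS-2 counts UTF-16 code units; characters above the BMP (emoji) take two.
        units = sum(2 if ord(ch) > 0xFFFF else 1 for ch in text)
        encoding, single, part = "UCS-2", 70, 67
    segments = 1 if units <= single else math.ceil(units / part)
    return encoding, units, segments


# Constructed samples: the post's template, then the same text with a curly
# apostrophe in "Don't", which drops the body out of GSM-7 entirely.
ASCII_OTP = "Your verification code for [Service] is 123456. This code expires in 10 minutes."
CURLY_OTP = ("Your verification code for [Service] is 123456. Don\u2019t share it. "
             "This code expires in 10 minutes.")

if __name__ == "__main__":
    for body in (ASCII_OTP, CURLY_OTP):
        enc, units, segs = sms_segments(body)
        print(f"{enc:5} {units:3} units -> {segs} segment(s): {body[:48]}...")
```

Run it before approving any OTP template change: a brand name with a non-Latin character, a smart quote pasted from a document, or an emoji in the footer silently turns a one-segment code into a multi-part message that can arrive out of order.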
Real-World Deployment and the Fallback Problem
Twilio’s Verify platform started auto-upgrading OTP delivery from SMS to RCS in February 2024. By late 2025, it went GA across 20+ countries and 55+ carriers. Sinch and Infobip offer similar capabilities now.
The architecture handles the transition cleanly: attempt RCS delivery first; if the recipient’s device or carrier lacks RCS support (or if delivery fails within a configurable window, typically 2-4 seconds), fall back to SMS automatically. No user lockout. No broken auth flow. The upgrade stays invisible — better message if your device supports it, same old SMS if it doesn’t.
This fallback approach cuts both ways, though. Deploying RCS OTP today breaks nothing, which matters for adoption. But SMS stays in the critical path for users whose devices or carriers haven’t caught up. The security improvement lands for some users and misses others entirely.
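The RCS-first flow with a timed SMS fallback, and the coverage gap it leaves, can both be seen in a few dozen lines. The code below is an added example for this post, not Twilio's, Sinch's or Infobip's implementation; `Transport` is an assumed, provider-agnostic interface, and `FakeTransport` is constructed test data standing in for a live carrier connection (it never blocks). Beyond the delivery logic itself, it records why each fallback happened and what share of codes still went out over SMS, which is the number you need in order to state how many users the upgrade actually reached.

```python
"""RCS-first OTP delivery with timed SMS fallback and channel accounting
(added example; Transport is an assumed interface, FakeTransport is constructed)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Protocol, Tuple


class Channel(Enum):
    RCS = "rcs"
    SMS = "sms"


@dataclass(frozen=True)
class DeliveryResult:
    channel: Channel                       # channel the code finally went out on
    delivered: bool                        # SMS: provider accepted; RCS: receipt seen
    fallback_reason: Optional[str] = None  # set only when we dropped to SMS


class Transport(Protocol):
    """Hypothetical provider interface (an assumption, not any vendor's SDK)."""
    def rcs_capable(self, msisdn: str) -> bool: ...
    def send_rcs(self, msisdn: str, text: str) -> str: ...  # returns a message id
    def wait_rcs_receipt(self, message_id: str, window_s: float) -> bool: ...
    def send_sms(self, msisdn: str, text: str) -> bool: ...


def deliver_otp(transport: Transport, msisdn: str, text: str,
                window_s: float = 3.0) -> DeliveryResult:
    """Try RCS first; fall back to SMS if the handset lacks RCS or no delivery
    receipt arrives within window_s (the post cites 2-4 s as typical)."""
    if not transport.rcs_capable(msisdn):
        return DeliveryResult(Channel.SMS, transport.send_sms(msisdn, text), "no_rcs_capability")
    message_id = transport.send_rcs(msisdn, text)
    if transport.wait_rcs_receipt(message_id, window_s):
        return DeliveryResult(Channel.RCS, True)
    # RCS was accepted but never confirmed: the same code now rides SMS, so this
    # user gets none of the RCS protections. Keep the reason so it can be counted.
    return DeliveryResult(Channel.SMS, transport.send_sms(msisdn, text), "rcs_receipt_timeout")


@dataclass
class ChannelStats:
    """Counts which channel OTPs actually used, so the share of users still
    exposed to SMS interception is measured rather than guessed."""
    rcs: int = 0
    sms: int = 0
    reasons: Dict[str, int] = field(default_factory=dict)

    def record(self, result: DeliveryResult) -> None:
        if result.channel is Channel.RCS:
            self.rcs += 1
        else:
            self.sms += 1
            self.reasons[result.fallback_reason] = self.reasons.get(result.fallback_reason, 0) + 1

    def sms_share(self) -> float:
        total = self.rcs + self.sms
        return self.sms / total if total else 0.0


class FakeTransport:
    """Constructed stand-in: per-number behaviour ("rcs_ok", "rcs_timeout",
    "no_rcs") instead of a live carrier; decides receipts instantly."""
    def __init__(self, behaviour: Dict[str, str]) -> None:
        self.behaviour = behaviour
        self.pending: Dict[str, str] = {}          # message id -> msisdn
        self.sent: List[Tuple[str, str]] = []      # (channel, msisdn) audit trail

    def rcs_capable(self, msisdn: str) -> bool:
        return self.behaviour.get(msisdn, "no_rcs") != "no_rcs"

    def send_rcs(self, msisdn: str, text: str) -> str:
        self.sent.append(("rcs", msisdn))
        message_id = f"rcs-{len(self.sent)}"
        self.pending[message_id] = msisdn
        return message_id

    def wait_rcs_receipt(self, message_id: str, window_s: float) -> bool:
        # A real transport blocks up to window_s for the carrier's read/delivery receipt.
        return self.behaviour.get(self.pending.pop(message_id)) == "rcs_ok"

    def send_sms(self, msisdn: str, text: str) -> bool:
        self.sent.append(("sms", msisdn))
        return True


def run_demo(window_s: float = 3.0) -> ChannelStats:
    """Three constructed recipients: RCS works, RCS times out, no RCS at all."""
    transport = FakeTransport({"+15550000001": "rcs_ok",
                               "+15550000002": "rcs_timeout",
                               "+15550000003": "no_rcs"})
    stats = ChannelStats()
    for msisdn in transport.behaviour:
        stats.record(deliver_otp(transport, msisdn, "Your code is 123456", window_s))
    return stats


if __name__ == "__main__":
    s = run_demo()
    print(f"rcs={s.rcs} sms={s.sms} sms_share={s.sms_share():.2f} reasons={s.reasons}")
```

The `sms_share` figure is the honest measure of the deployment: in the constructed run two of three codes still travel over SMS, and the reasons split between handsets that cannot receive RCS and RCS sends that were accepted but never confirmed inside the window. Tracking those two buckets separately tells you whether the gap closes on its own as devices upgrade or whether your window and carrier routing need tuning.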
Where This Goes
I don’t think RCS OTP is the final answer. FIDO2 is. But the gap between where authentication stands today and universal FIDO2 adoption stretches years out — maybe a decade. Every SMS OTP intercepted via SS7, stolen through a SIM swap, or phished through a proxy during that window represents a preventable failure.
RCS OTP has limitations. Not end-to-end encrypted in every scenario. Carrier support varies by region. The verified sender infrastructure (the GSMA standard dates to 2019) still has coverage gaps.
But compare it to what most companies actually ship today. Verified branding kills the most common phishing vector. Transport encryption eliminates passive interception. Delivery receipts enable intelligent fallback logic instead of blind hope.
The transition pace frustrates me. NIST spoke. Google moved. Regulators across multiple countries pushed. The attacks are documented, ongoing, and getting cheaper by the month.
If you’re still sending OTPs over SMS as your primary channel in 2026, that’s not a technology decision. That’s risk acceptance. And you should be explicit about it — with your users, your board, and your regulators.