What is SMS OTP? A simple guide for 2022
The recipient then uses this code or password as an additional layer of security to log in to a service, website or app.
SMS OTP has become common when logging into banks or any financial services account. In the UK and EU, new laws came into effect in March 2022 requiring all banks to have some form of Strong Customer Authentication (SCA) when logging in or making a purchase.
Increasingly, non-financial organisations are also using SMS OTP to increase their security.
MEF survey reveals popularity of SMS OTP
In a recent survey conducted by Mobile Ecosystem Forum (MEF), 450 organisations revealed some very striking statistics about the use of SMS OTP.
93% of enterprises worldwide use SMS OTP for some aspect of verification.
Of those organisations questioned, 100% of UK enterprises use SMS OTP.
For how long is an SMS OTP valid?
An SMS OTP is normally valid for between 2 and 5 minutes, after which it will expire and can no longer be used.
There would normally be an option for the customer to generate a new SMS OTP if they were too slow to enter the first one they received.
SMS message delays can cause issues as the code could expire before the user has had a chance to use it.
Why is SMS used for one time password authentication?
Although SMS does have some security issues and is by no means perfect as a solution for delivering OTPs to customers, it’s still the most popular choice for most organisations.
Why is this?
Well, SMS is the only communication channel that can be used by every single person who owns a phone.
There’s no special app to download, no compatibility issues to worry about. It’s simple, reliable and everyone understands it.
On top of that, SMS OTP is gloriously easy to deploy. All you need is integration to an SMS API and you can be up and running in a few hours. There are also plenty of off the shelf SMS OTP providers so you don’t need to get bogged down in writing your own systems or code.
Security concerns about SMS OTP
A security flaw in the mobile network SS7 routing protocol could potentially allow cyber criminals to access and reroute SMS messages.
If they were able to access a text containing an OTP code, then they could potentially access bank accounts and illegally transfer funds.
As Zak Doffman, Forbes cybersecurity contributor said,
The greatest benefit with SMS is also its greatest weakness. It works across all apps and platforms and doesn’t rely on any specific ecosystem.
But, behind the façade, the SMS system over which those codes are being sent is wide open.
Hacks and phishing attacks on SMS are rare but they do happen and, despite generating some alarming headlines, the real risk of becoming a victim of an SMS hack is overstated.
The chances of being hacked and stolen from in this way are extremely remote and we shouldn’t waste our time worrying that we’re on the verge of being hacked into.
In the MEF survey about SMS OTP, 89% of organisations in the banking sector expressed concerns about the security of using SMS as a route for delivering OTPs.
It’s not perfect but SMS OTP is a pragmatic solution and far better than no 2FA solution at all.
Examples of SMS OTP
Here are a few examples of SMS OTPs used by various organisations.
The aim is to make the text as simple as possible to understand with no scope for misinterpretation by the customer.
How do you set up SMS OTP?
There are dozens of companies offering SMS OTP services.
The main thing you need to decide is whether you want to build your own system, including generating unique codes or whether you want a complete off the shelf solution.
Off the shelf solutions will tend to be more expensive and have less flexibility but will be quick and easy to deploy.
Building your own SMS OTP system will certainly give you greater control but you have to factor in the development and maintenance costs.
Build your own SMS OTP platform with our SMS API
If you want to build your own SMS OTP system, then please feel free to set up a test account. We add some free SMS credits for testing so you can trial us at no cost.
We’re really sharp on support too, so we’ll be standing by to answer any queries that may crop up.
Each SMS you send costs 2.99 pence but can be less if you're sending larger volumes. Our SMS pricing page will provide you with the details.