{"id":883,"date":"2022-07-21T16:00:14","date_gmt":"2022-07-21T16:00:14","guid":{"rendered":"https:\/\/test.thesmsworks.co.uk\/blog\/?p=883"},"modified":"2024-04-02T10:07:13","modified_gmt":"2024-04-02T10:07:13","slug":"sms-otp","status":"publish","type":"post","link":"https:\/\/thesmsworks.co.uk\/blog\/sms-otp\/","title":{"rendered":"SMS OTP &#8211; A simple guide for 2023"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"883\" class=\"elementor elementor-883\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-6142087d elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"6142087d\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-301b51e4\" data-id=\"301b51e4\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-607e8cd elementor-widget elementor-widget-text-editor\" data-id=\"607e8cd\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><\/p>\n<h1 class=\"wp-block-heading\">What is SMS OTP? A simple guide for 2023<\/h1>\n<p><\/p>\n<p>SMS OTP \u00a0(one time password) is a secure\u00a0<strong><a href=\"https:\/\/thesmsworks.co.uk\/guide-2fa-sms\">2 factor authentication<\/a><\/strong>\u00a0method where a text containing a unique alphanumeric or numeric code is sent to a mobile number (<strong><a href=\"https:\/\/thesmsworks.co.uk\/MSISDN\">MSISDN<\/a><\/strong>).<\/p>\n<p><\/p>\n<p>The recipient then uses this code or password as an additional layer of security to login to a service, website or app. 
Because mobile numbers are universally unique, it provides a way for site owners to confirm that the person accessing their services is the same person who signed up for them.<\/p>\n<p><\/p>\n<p>SMS OTP has become common when logging into banks or any financial services account. In the UK and EU, new laws\u00a0came into effect in March 2022 requiring all banks to have some form of Strong Customer Authentication (SCA) when logging in or making a purchase.<\/p>\n<p><\/p>\n<p>Increasingly, non-financial organisations are also using SMS OTP to increase their security. The primary use cases are:<\/p>\n<ul>\n<li><strong>Two-Factor Authentication<\/strong> &#8211; asking users to provide two methods to verify their identity.<\/li>\n<li><strong>Mobile Number Validation<\/strong> &#8211; used where the mobile number is the primary identity, such as in parking apps. This also occurs where users set up their devices for later 2FA transactions.<\/li>\n<li><strong>Payment Confirmation<\/strong> &#8211; supporting legal requirements to increase security around payments.<\/li>\n<li><strong>Account Recovery<\/strong> &#8211; used to help re-establish access to sites and apps when the primary method of authentication has been forgotten or lost.<\/li>\n<\/ul>\n<p><\/p>\n<h2 class=\"wp-block-heading\"><strong>MEF survey reveals popularity of SMS OTP<\/strong><\/h2>\n<p><\/p>\n<p>In a\u00a0<strong><a href=\"https:\/\/mobileecosystemforum.com\/pdi-sms-otp-report\/\">recent survey conducted by Mobile Ecosystem Forum (MEF)<\/a><\/strong>, 450 organisations revealed some very striking statistics about the use of SMS OTP.<\/p>\n<p><\/p>\n<p>93% of enterprises worldwide use SMS OTP for some aspect of verification.<\/p>\n<p><\/p>\n<p>Of those organisations questioned, 100% of UK enterprises use SMS OTP.<\/p>\n<p><\/p>\n<h2 class=\"wp-block-heading\"><strong>For how long is an SMS OTP valid?<\/strong><\/h2>\n<p><\/p>\n<p>An SMS OTP is normally valid for between 2 and 5 minutes, after which it will 
expire and can no longer be used.\u00a0<\/p>\n<p><\/p>\n<p>There would normally be an option for the customer to generate a new SMS OTP if they were too slow to enter the first one they received.<\/p>\n<p><\/p>\n<p><strong><a href=\"https:\/\/thesmsworks.co.uk\/what-causes-delays-to-SMS\">SMS message delays<\/a><\/strong>\u00a0can cause issues as the code could expire before the user has had a chance to use it.<\/p>\n<p><\/p>\n<h2 class=\"wp-block-heading\"><strong>Why is SMS used for one time password authentication?<\/strong><\/h2>\n<p><\/p>\n<p>Although SMS does have some security issues and is by no means perfect as a solution for delivering OTPs to customers, it\u2019s still the most popular choice for most organisations.<\/p>\n<p><\/p>\n<p>Why is this?<\/p>\n<p><\/p>\n<p>Well, SMS is the only communication channel that can be used by every single person who owns a phone.<\/p>\n<p><\/p>\n<p>There\u2019s no special app to download, no compatibility issues to worry about. It\u2019s simple, reliable and everyone understands it.<\/p>\n<p><\/p>\n<p>On top of that, SMS OTP is gloriously easy to deploy. All you need is integration to an\u00a0<strong><a href=\"https:\/\/thesmsworks.co.uk\/\">SMS API or<\/a>\u00a0<a href=\"https:\/\/thesmsworks.co.uk\/blog\/cpaas\/\">CPaaS <\/a><\/strong>and you can be up and running in a few hours. 
There are also plenty of off the shelf SMS OTP providers so you don\u2019t need to get bogged down in writing your own systems or\u00a0code.<\/p>\n<p><\/p>\n<h2 class=\"wp-block-heading\"><strong>Security concerns about SMS OTP<\/strong><\/h2>\n<p><\/p>\n<p>A security flaw in the mobile network\u00a0<a href=\"https:\/\/thesmsworks.co.uk\/SS7\">SS7 routing protocol<\/a>\u00a0could potentially allow cyber criminals to access and reroute SMS messages.<\/p>\n<p><\/p>\n<p>If they were able to access a text containing an OTP code, then they could potentially access bank accounts and illegally transfer funds.<\/p>\n<p><\/p>\n<p>As Zak Doffman, Forbes cybersecurity contributor said,\u00a0<\/p>\n<p><\/p>\n<figure class=\"wp-block-image size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-51\" src=\"http:\/\/test.thesmsworks.co.uk\/blog\/wp-content\/uploads\/2022\/06\/Zak-Doffman.jpeg\" alt=\"Zak-Doffman\" width=\"281\" height=\"281\" srcset=\"https:\/\/thesmsworks.wpenginepowered.com\/wp-content\/uploads\/2022\/06\/Zak-Doffman.jpeg 400w, https:\/\/thesmsworks.wpenginepowered.com\/wp-content\/uploads\/2022\/06\/Zak-Doffman-300x300.jpeg 300w, https:\/\/thesmsworks.wpenginepowered.com\/wp-content\/uploads\/2022\/06\/Zak-Doffman-150x150.jpeg 150w\" sizes=\"(max-width: 281px) 100vw, 281px\" \/><\/figure>\n<p><\/p>\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p><em><strong>The greatest benefit with SMS is also its greatest weakness. 
It works across all apps and platforms and doesn\u2019t rely on any specific ecosystem.\u00a0<\/strong><\/em><\/p>\n<p><em><strong>But, behind the fa\u00e7ade, the SMS system over which those codes are being sent is wide open<\/strong><\/em><\/p>\n<\/blockquote>\n<p><\/p>\n<p>Hacks and phishing attacks on SMS are rare, but they do happen and, despite generating some\u00a0<strong><a href=\"https:\/\/www.forbes.com\/sites\/zakdoffman\/2020\/10\/11\/apple-iphone-imessage-and-android-messages-sms-passcode-security-update\/?sh=763d42b82ede\">alarming headlines<\/a><\/strong>, the real risk of becoming a victim of an SMS hack is overstated.<\/p>\n<p><\/p>\n<p>The chances of being hacked and stolen from in this way are extremely remote and we shouldn\u2019t waste our time worrying that we\u2019re on the verge of being hacked into.<\/p>\n<p><\/p>\n<p>In\u00a0the MEF survey about SMS OTP, 89% of organisations in the banking sector expressed concerns about the security of using SMS as a route for delivering\u00a0OTPs.<\/p>\n<p><\/p>\n<p>It\u2019s not perfect but SMS OTP is a pragmatic solution and far better than no\u00a0<a href=\"https:\/\/thesmsworks.co.uk\/guide-2fa-sms\"><strong>2FA solution<\/strong><\/a>\u00a0at all.<\/p>\n<h2><strong>SMS pumping &#8211; a new threat to SMS OTP<\/strong><\/h2>\n<p><span style=\"font-weight: 400;\"><strong><a href=\"https:\/\/thesmsworks.co.uk\/blog\/sms-pumping\/\">SMS pumping<\/a><\/strong> is a relatively new menace for users of SMS OTP. It happens when fraudsters target web forms that generate an outbound SMS. Usually this is an SMS OTP used for 2 factor authentication.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The fraudsters ambush the form by generating large numbers of outbound texts, sent to mobile numbers on a specific network. 
The network has a revenue share in place, so that the scammers can generate a revenue stream from the OTP texts.<\/span><span style=\"font-weight: 400;\"><br \/><\/span><\/p>\n<p><span style=\"font-weight: 400;\">This issue could pose a genuine threat to users of SMS OTP in 2023 and beyond and developers need to make sure that their systems detect and halt any possible attacks.<\/span><\/p>\n<p><\/p>\n<h2 class=\"wp-block-heading\"><strong>Examples of SMS OTP<\/strong><\/h2>\n<p><\/p>\n<p>Here are a few examples of SMS OTPs used by various organisations.<br \/>The aim is to make the text as simple as possible to understand with no scope for misinterpretation by the customer.<\/p>\n<p><\/p>\n<figure class=\"wp-block-image size-full is-resized\"><img decoding=\"async\" class=\"wp-image-48\" src=\"http:\/\/test.thesmsworks.co.uk\/blog\/wp-content\/uploads\/2022\/06\/Selection-of-sms-otp-codes.png\" alt=\"selection of SMS OTP codes\" width=\"946\" height=\"531\" srcset=\"https:\/\/thesmsworks.wpenginepowered.com\/wp-content\/uploads\/2022\/06\/Selection-of-sms-otp-codes.png 960w, https:\/\/thesmsworks.wpenginepowered.com\/wp-content\/uploads\/2022\/06\/Selection-of-sms-otp-codes-300x169.png 300w, https:\/\/thesmsworks.wpenginepowered.com\/wp-content\/uploads\/2022\/06\/Selection-of-sms-otp-codes-768x432.png 768w\" sizes=\"(max-width: 946px) 100vw, 946px\" \/>\n<p>\u00a0<\/p>\n<figcaption>Examples of SMS OTP codes<\/figcaption>\n<\/figure>\n<p><\/p>\n<h2 class=\"wp-block-heading\"><strong>How do you set up SMS OTP?<\/strong><\/h2>\n<p><\/p>\n<p>There are dozens of companies offering SMS OTP services.\u00a0<\/p>\n<p><\/p>\n<p>The main thing you need to decide is whether you want to build your own system, including generating unique codes or whether you want a complete off the shelf solution.<\/p>\n<p><\/p>\n<p>Off the shelf solutions will tend to be more expensive and have less flexibility but will be quick and easy to deploy.<\/p>\n<p><\/p>\n<p>Building your own SMS OTP 
system will certainly give you greater control but you have to factor in the development and maintenance costs.<\/p>\n<p><\/p>\n<h2 class=\"wp-block-heading\"><strong>Implement your own SMS OTP platform with our SMS OTP service<\/strong><\/h2>\n<p><\/p>\n<p>If you want to explore SMS OTP, then please feel free to use our <strong><a href=\"https:\/\/thesmsworks.co.uk\/developers#otp-intro\">SMS one time password platform<\/a><\/strong>. Once you&#8217;ve set up a <strong><a href=\"https:\/\/thesmsworks.co.uk\/auth\/signup\">free text account<\/a><\/strong>, we&#8217;ll add some free SMS credits for testing so you can trial us at no cost.<\/p>\n<p><\/p>\n<p>We\u2019re really sharp on support too, so we\u2019ll be standing by to answer any queries that may crop up.<\/p>\n<p><\/p>\n<p>Each SMS you send costs 3.95 pence but can be less if you&#8217;re sending larger volumes. Our <strong><a href=\"https:\/\/thesmsworks.co.uk\/pricing\">SMS pricing page\u00a0<\/a><\/strong>will provide you with the details.<\/p>\n<p><\/p>\n<p><strong>Related articles<\/strong><\/p>\n<p><\/p>\n<p><strong><a href=\"https:\/\/thesmsworks.co.uk\/guide-2fa-sms\">Complete Guide to 2fa SMS<\/a>\u00a0<\/strong>A deep dive into SMS 2fa. What can it be used for and what are your options?<\/p>\n<p><a href=\"https:\/\/thesmsworks.co.uk\/blog\/sms-otp-formatting\/\"><strong>Formatting OTP SMS<\/strong><\/a>. A comprehensive guide for developers.<\/p>\n<p><\/p>\n<p><strong><a href=\"https:\/\/thesmsworks.co.uk\/is-sms-encrypted\">Is SMS Encrypted?<\/a>\u00a0<\/strong>How secure\u00a0is SMS to use for your one time passwords? 
Could SMS be hacked and what are the risks<strong>?<\/strong><\/p>\n<p><\/p>\n<p><strong><a href=\"https:\/\/thesmsworks.co.uk\/UK-servers-data-centres\">Having UK based servers and data centres is now an essential part of being an SMS API provider<\/a>\u00a0<\/strong>Does it matter if your SMS OTPs are sent via international data centres?\u00a0<\/p>\n<p><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>What is SMS OTP? A simple guide for 2023 SMS OTP \u00a0(one time password) is a secure\u00a02 factor authentication\u00a0method where [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":50,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"disabled","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[],"class_list":["post-883","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/posts\/883","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=883"}],"version-history":[{"count":0,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/posts\/883\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/media\/50"}],"wp:attachment":[{"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=883"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=883"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thesmsworks.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=883"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}