Guide

OTP Verification & Security Threats

OTP is the highest tier of phone verification — it cryptographically proves possession. But SMS-based OTPs carry significant security risks and economic costs that every architect must understand.

How OTP Verification Works

The application backend generates a cryptographically secure, time-bound token and sends it to the user's MSISDN via SMS or Text-to-Speech voice call. The user reads the code and inputs it back. A successful OTP confirms three things:

  1. The phone number is valid, active, and online
  2. The user physically possesses the SIM card
  3. The user has provided implicit consent to be contacted

This is the only way to achieve the "Online" state described in Part 1.

Friction & Economics

Despite its authority, OTP introduces significant friction:

User Experience

Delayed SMS due to carrier congestion or signal issues leads to frustration, retries, and session abandonment.

Cognitive Load

Context-switching between app and SMS inbox causes input errors and locked accounts.

Costs

SMS OTPs cost ~$0.05 per verification (e.g., Twilio Verify) plus variable international carrier fees. Sending OTPs to invalid or disconnected numbers is pure waste.

This is why format validation and API validation should always precede OTP — to filter out bad numbers before spending on SMS delivery.

SMS Security Vulnerabilities

NIST Special Publication 800-63B explicitly warns against relying solely on SMS for high-security authentication.

SIM Swapping

Attacker socially engineers a carrier employee to port the victim's number to a new SIM. The attacker then intercepts all incoming OTPs, bypassing 2FA. This is a targeted attack, common against high-value accounts (banking, crypto).

SS7 Network Exploits

Sophisticated actors exploit legacy vulnerabilities in the global SS7 network to silently reroute SMS in transit — a man-in-the-middle attack without ever touching the victim or carrier.

Application-Layer API Bypasses

Attackers use interception proxies (e.g., Burp Suite) to capture HTTP requests during OTP submission. They input an invalid OTP (e.g., "1111"), intercept the server's rejection response, and modify the JSON from "success": false to "success": true before forwarding. Apps whose access decision lives in client-side validation logic will grant access without a valid OTP. Always validate server-side, and only issue a session from the server's own decision, so a rewritten response carries nothing a protected endpoint will accept.

SIM Swap Detection

Modern identity APIs incorporate SIM Swap Detection endpoints. These query carrier data to find the timestamp of the last SIM card change. If a SIM swap occurred within the past 24-72 hours, the application flags the transaction as high-risk — blocking login or forcing step-up authentication (biometrics, hardware security keys). For more on detecting and mitigating phone-based fraud, see Part 6: Fraud Prevention & Caller Identity.
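The server-side verification described in the API bypass section and the SIM swap check above, combined into one added example (not code from the original guide). It assumes a 5-minute code lifetime, a 5-guess limit, the upper end of the 24-72 hour SIM swap window, and that the carrier's last-SIM-change timestamp is passed in by the caller.

```python
import hmac
import secrets
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional

OTP_TTL_SECONDS = 300                 # assumed 5-minute validity window
MAX_ATTEMPTS = 5                      # assumed guess limit per challenge
SIM_SWAP_WINDOW_SECONDS = 72 * 3600   # upper end of the 24-72 h risk window


@dataclass
class OtpChallenge:
    msisdn: str
    code_hash: bytes      # only a hash is stored server-side, never the plaintext code
    expires_at: float
    attempts: int = 0


def _code_hash(msisdn: str, code: str) -> bytes:
    # Bind the hash to the MSISDN so a stored hash cannot be replayed against another number
    return sha256(f"{msisdn}:{code}".encode()).digest()


def issue_otp(msisdn: str, now: float) -> tuple:
    """Generate a 6-digit code from a CSPRNG; the second value is what gets sent by SMS."""
    code = f"{secrets.randbelow(10**6):06d}"
    return OtpChallenge(msisdn, _code_hash(msisdn, code), now + OTP_TTL_SECONDS), code


def verify_otp(ch: OtpChallenge, submitted: str, now: float,
               last_sim_change: Optional[float] = None) -> dict:
    """Server-side decision. Returns the JSON the API would send. The session token is
    created only when the server itself decided 'success', so a client that rewrites
    {"success": false} to true still holds no token a protected endpoint will accept."""
    if now > ch.expires_at or ch.attempts >= MAX_ATTEMPTS:
        return {"success": False, "reason": "expired_or_locked"}
    ch.attempts += 1
    # Constant-time comparison of the hashes, not a plain == on the submitted code
    if not hmac.compare_digest(ch.code_hash, _code_hash(ch.msisdn, submitted)):
        return {"success": False, "reason": "invalid_otp"}
    # SIM swap detection: a recent SIM change on this MSISDN forces step-up authentication
    if last_sim_change is not None and now - last_sim_change < SIM_SWAP_WINDOW_SECONDS:
        return {"success": False, "reason": "recent_sim_swap", "step_up": "hardware_key"}
    return {"success": True, "session": secrets.token_urlsafe(32)}
```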

Key Takeaway

OTP remains the definitive way to prove a user has physical possession of a phone number. But never rely on SMS OTP alone for high-security scenarios. Always validate numbers upstream (format → API/HLR) before triggering OTP, and implement SIM swap detection for financial transactions.