For years, Short Message Service (SMS) one-time passwords (OTP) worked well enough. If you could receive a code at a phone number, you likely controlled the account. When porting required showing up at a carrier store with ID, that assumption generally held.
It no longer does.
In December 2024, the Cybersecurity and Infrastructure Security Agency (CISA) published its Mobile Communications Best Practice Guidance, which explicitly advises: “Do not use SMS as a second factor for authentication.” That guidance followed the Salt Typhoon campaign, a state-sponsored operation attributed to the People’s Republic of China that compromised at least nine major U.S. telecom providers, remained inside carrier networks for up to two years, and intercepted call metadata for more than a million users.
State-level capability is not required to exploit phone-based authentication, however. Subscriber Identity Module (SIM) swapping is far more accessible. The Federal Bureau of Investigation’s 2024 IC3 report documented 982 SIM-swap complaints tied to nearly $26 million in losses.
Then there is the less visible problem of phone number recycling. The Federal Communications Commission (FCC) estimates that roughly 35 million U.S. phone numbers are disconnected each year. After a mandatory aging period of 45 to 90 days, carriers reassign them to new subscribers. A 2021 Princeton University study found that 66% of the recycled numbers it sampled were still tied to the previous owner’s online accounts. The new subscriber can then receive authentication codes and password reset links intended for someone else, and nothing on the carrier side looks wrong.
Phone-based second factors are more widespread than ever—yet they are no longer the safety net they once were.
What’s really going wrong with out-of-band checks?
Most enterprise multi-factor authentication (MFA) deployments still default to SMS or voice calls as a second factor, for understandable reasons. SMS is universal. It requires no app, no hardware token, and no enrollment ceremony. For customer-facing applications—banking, healthcare, insurance, and e-commerce—where organizations cannot control user devices, SMS has been the path of least resistance for over a decade.
But attackers have mapped every seam in that path—and they are exploiting them faster than most security teams can respond.
A SIM swap can be completed in minutes. Recycled numbers create a passive attack surface that requires no technical skill at all: a new subscriber who receives someone else’s alerts or reset codes can become an opportunistic attacker simply by following the prompts in front of them.
Some organizations try to strengthen SMS by layering carrier lookup services on top. These checks can confirm that a number is active, flag recent porting events, or validate subscriber information. That narrows the risk window—but it is not sufficient on its own.
A number can appear legitimate while already under an attacker’s control, for example if the swap occurred outside the lookup provider’s detection window, or if it was performed with insider assistance at the carrier and so never shows up as a port-out at all.
Proofpoint has documented such insider-enabled attacks, including SIM-swap cases involving T-Mobile, one of which resulted in a $33 million arbitration award against the carrier in March 2025.
Carrier lookup also does nothing to address recycled numbers. From the carrier’s perspective, the number is valid and correctly assigned—even if it now belongs to a completely different person.
The call center channel introduces additional blind spots. When customers call to reset credentials or unlock accounts, agents often rely on knowledge-based questions or the phone number on file. If the number has already been compromised, the attacker passes those checks by default. Social engineering pressure on support staff only amplifies the risk. The Marks & Spencer breach in April 2025, attributed to the Scattered Spider cybercriminal collective, reportedly combined SIM-swapping tactics with service desk manipulation to gain initial access.
For many organizations, the practical answer is not to eliminate phone-based verification entirely, but to make it more intelligent by surrounding it with signals that detect when the phone channel itself has been compromised.
Evaluating other options
None of this makes MFA obsolete. But certain implementations—especially SMS and voice-based verification—have not kept pace with modern attack methods. The underlying issue is consistent: static, uniform defenses are easy to target.
Several approaches can make phone-based authentication more adaptive:
- Carrier-enriched verification adds real-time telecom data such as SIM status, porting history, and subscriber consistency. This helps detect common SIM-swap scenarios, though coverage varies by carrier and geography.
- App-based authenticators (TOTP or push) remove the dependency on the phone network, but account recovery flows often still fall back to SMS, so the weaker channel remains reachable unless recovery is hardened as well.
- FIDO2/passkeys provide the strongest authentication method available today, as they are phishing-resistant by design: the credential is bound to the site’s origin and cannot be replayed to a look-alike domain. Adoption is not yet universal across devices and applications, though.
- Signal-based orchestration evaluates multiple contextual risk signals and determines, in real time, the appropriate level of verification. Low risk may require minimal friction, while elevated risk triggers stronger checks such as biometrics, document verification, or enhanced possession signals.
No single factor is sufficient. The most effective approach is to correlate multiple risk signals and dynamically adjust verification strength.
How ID Dataweb supports multi-signal correlation
Defending against SIM swaps, recycled numbers, and device spoofing requires better intelligence at the moment of authentication. ID Dataweb™ provides an identity orchestration and risk engine that correlates diverse signals and dynamically adjusts verification when risk increases.
The platform ingests telecom data, device intelligence, and fraud consortium signals in real time. If a phone number was recently ported or resolves to a known VoIP line, the system can detect that and automatically require stronger verification, or block the attempt entirely. If the device presents anomalies (a new fingerprint, impossible travel, or Tor routing), additional checks can be triggered, such as verification to a previously trusted number or a government ID challenge.
These capabilities directly address the weaknesses outlined earlier. The platform can identify SIM-swap indicators before an OTP is sent, flag suspicious number profiles such as newly activated prepaid lines, and reroute the authentication flow before the attacker gains an advantage.
Operationally, the model is equally important. Policies are managed through a no-code interface, allowing teams to adjust thresholds, swap data sources, or integrate new risk signals without code deployments or vendor delays.
By combining these risk signals, organizations can implement adaptive, layered MFA. Out-of-band verification becomes more intelligent: instead of blindly sending a code to the number on file, the system selects the appropriate verification path based on real-time risk.
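The carrier-lookup checks and their gaps discussed earlier (port and SIM-change history, VoIP lines, and the recycled number that a lookup alone passes as valid), together with the risk-based choice of verification path described in this section, as an added illustrative example in Python. This is not ID Dataweb’s code or API: the field names in CarrierLookup and DeviceSignals, the point weights, and the thresholds are assumptions chosen for the example, and the scenario inputs are constructed rather than real lookups. The recycled-number gap is closed by comparing the carrier’s activation date for the current subscriber with the date the account bound the number, a check the carrier itself has no reason to perform.

```python
"""Risk-based step-up for phone OTP: an added example, not ID Dataweb's code. Field names,
weights and thresholds are assumptions; the sample inputs below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Decision(Enum):
    SEND_OTP = "send_otp"  # phone channel looks trustworthy; an SMS/voice OTP is acceptable
    STEP_UP = "step_up"    # do not trust the phone channel; require passkey, authenticator app or ID check
    BLOCK = "block"        # several corroborating compromise indicators; deny and alert


@dataclass
class CarrierLookup:                        # assumed, normalized shape of a number-intelligence result
    active: bool                            # carrier reports the number as in service
    line_type: str                          # "mobile", "prepaid", "voip", "landline"
    activated_at: Optional[datetime]        # when the *current* subscriber received this number
    last_port_at: Optional[datetime]        # most recent port to another carrier, if any
    last_sim_change_at: Optional[datetime]  # most recent SIM/eSIM change, if any


@dataclass
class DeviceSignals:
    known_device: bool       # fingerprint previously seen on this account
    impossible_travel: bool  # geo-velocity check against the last session failed
    anonymizer: bool         # Tor exit node or known anonymizing proxy


RECENT = timedelta(days=7)  # a port or SIM change inside this window is treated as suspicious
STEP_UP_THRESHOLD = 40      # any single phone-channel indicator forces a stronger factor
BLOCK_THRESHOLD = 110       # multiple corroborating indicators deny the attempt outright


def score_phone_channel(bound_at: datetime, lookup: CarrierLookup,
                        device: DeviceSignals, now: datetime) -> Tuple[int, List[str]]:
    """Return (risk score, reasons); bound_at is when the user enrolled the number on the account."""
    score, reasons = 0, []

    def hit(points: int, why: str) -> None:
        nonlocal score
        score += points
        reasons.append(why)

    if not lookup.active:
        hit(70, "number inactive or disconnected")
    if lookup.line_type == "voip":
        hit(40, "number resolves to a VoIP line")
    # Recycled-number check: the carrier sees a valid, correctly assigned number, but the
    # current subscriber received it after we bound it, so it may now belong to someone else.
    if lookup.activated_at is not None and lookup.activated_at > bound_at:
        hit(70, "carrier activation is newer than the account binding (possible recycled number)")
    # SIM-swap / port-out indicators. A port that predates the binding is expected
    # (the user enrolled after changing carriers) and is not counted.
    if (lookup.last_port_at is not None and lookup.last_port_at > bound_at
            and now - lookup.last_port_at <= RECENT):
        hit(70, "number ported within the last 7 days")
    if lookup.last_sim_change_at is not None and now - lookup.last_sim_change_at <= RECENT:
        hit(70, "SIM changed within the last 7 days")
    # Device context is weak on its own but strong when it corroborates a phone-channel indicator.
    if device.anonymizer:
        hit(40, "request routed through an anonymizer")
    if device.impossible_travel:
        hit(40, "impossible travel since the last session")
    if not device.known_device:
        hit(20, "unrecognized device fingerprint")
    return score, reasons


def decide(bound_at: datetime, lookup: CarrierLookup, device: DeviceSignals,
           now: datetime) -> Tuple[Decision, int, List[str]]:
    """Pick the verification path for this attempt instead of blindly sending a code."""
    score, reasons = score_phone_channel(bound_at, lookup, device, now)
    if score >= BLOCK_THRESHOLD:
        return Decision.BLOCK, score, reasons
    if score >= STEP_UP_THRESHOLD:
        return Decision.STEP_UP, score, reasons
    return Decision.SEND_OTP, score, reasons


NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
BOUND = datetime(2023, 3, 10, tzinfo=timezone.utc)  # number enrolled on the account in 2023
OLD = BOUND - timedelta(days=400)                    # subscriber has held the number since 2022


def scenarios() -> Dict[str, Tuple[Decision, int, List[str]]]:
    """Constructed sample attempts (not real lookups), one per failure mode discussed above."""
    trusted = DeviceSignals(known_device=True, impossible_travel=False, anonymizer=False)
    unknown = DeviceSignals(known_device=False, impossible_travel=False, anonymizer=False)
    hostile = DeviceSignals(known_device=False, impossible_travel=False, anonymizer=True)
    return {
        "clean": decide(BOUND, CarrierLookup(True, "mobile", OLD, None, None), trusted, NOW),
        # New phone, same long-held number: an OTP to that number is still a reasonable second factor.
        "new_device_only": decide(BOUND, CarrierLookup(True, "mobile", OLD, None, None), unknown, NOW),
        # Recycled number, reassigned last month: the carrier reports it active and correctly
        # assigned, so a lookup alone would pass it; the activation-vs-binding date check catches it.
        "recycled": decide(BOUND, CarrierLookup(True, "mobile", NOW - timedelta(days=30), None, None),
                           unknown, NOW),
        # SIM changed two hours ago, request arriving over Tor from a device never seen before.
        "sim_swap_tor": decide(BOUND, CarrierLookup(True, "mobile", OLD, None, NOW - timedelta(hours=2)),
                               hostile, NOW),
        "voip": decide(BOUND, CarrierLookup(True, "voip", OLD, None, None), trusted, NOW),
    }


if __name__ == "__main__":
    for name, (decision, score, reasons) in scenarios().items():
        print(f"{name:16s} {decision.value:9s} score={score:3d} {reasons}")
```

Two design points carry over to a real deployment. A new device by itself does not disqualify the phone channel, because the OTP is exactly the factor meant to cover that case; it only adds weight when a phone-channel indicator is already present. And the recycled-number rule depends on the application storing the date it bound the number to the account, which most MFA enrollment tables do not keep today; without that timestamp no amount of carrier data can tell you that the person holding the number has changed.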
Conclusion
Phone-based authentication is not going away. For millions of users, SMS remains the most accessible second factor available. But accessibility for users now also means accessibility for attackers—through SIM swaps, number recycling, carrier insiders, and social engineering.
The solution is not to eliminate the phone channel, but to stop trusting it in isolation.
Organizations that combine telecom intelligence, device signals, and identity fraud data into a unified decision point can detect compromised numbers before a code is sent. Those that dynamically adjust verification—stepping up to stronger methods when risk increases—remove the predictability that attackers rely on.