Use case

Protecting OTP and SMS 2FA flows end to end

SMS one-time passcodes are only as trustworthy as the number receiving them. A phone check belongs at three separate points in the flow: when a number is enrolled for SMS 2FA, when a code is about to be sent, and immediately before a high-risk action relies on that code. Each point uses a different signal, and none of them replaces the others.

Why SMS OTP is a weaker factor than it looks

SMS as a second factor assumes the number is a good proxy for possession of the customer's device. A SIM swap, a ported number or a disposable VoIP number enrolled by an attacker all break that assumption without the customer's account credentials ever being touched. See PSD2 SCA and the weakness of SMS OTP for how this undermines the independence strong customer authentication relies on.

Three points in the flow where a check helps

1. Enrolment

Before accepting a number for SMS 2FA, check numberType. Non-fixed VoIP and voicemail numbers are cheap and fast to provision, which makes them attractive for an attacker enrolling a second factor they control rather than the genuine customer's own line. See number type detection for fraud.

2. Delivery

Before sending a code, check active status. Sending to a number that is not currently reachable wastes the send and, at scale, is one of the patterns behind SMS pumping abuse. See phone number active status API.

3. Before a high-risk action

Before honouring an OTP for a sensitive action such as a password reset, a new device enrolment or a high-value transaction authorisation, check SIM swap recency. A number can pass enrolment and delivery checks and still have been swapped since. SIM swap detection is launching for GB, DE, NL and FR and currently returns UNKNOWN for those markets; see the SIM swap API reference.

Signals used in this flow

$0.03 per query. No contract. No minimum spend. Billed via Paddle.
Request early access