Use case
Protecting OTP and SMS 2FA flows end to end
SMS one-time passcodes are only as trustworthy as the number receiving them. A phone check belongs at three separate points in the flow: when a number is enrolled for SMS 2FA, when a code is about to be sent, and immediately before a high-risk action relies on that code. Each point uses a different signal, and none of them replaces the others.
Why SMS OTP is a weaker factor than it looks
SMS as a second factor assumes the number is a good proxy for possession of the customer's device. A SIM swap, a ported number or a disposable VoIP number enrolled by an attacker all break that assumption without the customer's account credentials ever being touched. See PSD2 SCA and the weakness of SMS OTP for how this undermines the independence strong customer authentication relies on.
Three points in the flow where a check helps
Before accepting a number for SMS 2FA, check numberType. Non-fixed VoIP and voicemail numbers are cheap and fast to provision, which makes them attractive for an attacker enrolling a second factor they control rather than the genuine customer's own line. See number type detection for fraud.
Before sending a code, check active status. Sending to a number that is not currently reachable wastes the send and, at scale, is one of the patterns behind SMS pumping abuse. See phone number active status API.
Before honouring an OTP for a sensitive action such as a password reset, a new device enrolment or a high-value transaction authorisation, check SIM swap recency. A number can pass enrolment and delivery checks and still have been swapped since. SIM swap detection is launching for GB, DE, NL and FR and currently returns UNKNOWN for those markets; see the SIM swap API reference.
Signals used in this flow
- numberType: screens the number type at enrolment
- active: confirms reachability before a send
- simSwap: confirms recency before a high-risk action relies on the code (launching)