
How to Address the Risk SMS One-Time Passcodes Pose in Your Contact Center


In contact centers, authentication is supposed to be the security checkpoint that builds trust. Too often, it becomes the moment where fraud happens and customer frustration begins.

SMS OTP, also known as an SMS one-time passcode or SMS one-time password, is still widely used in call center authentication. But modern fraud tactics, smishing, and telecom-based attacks have exposed how fragile this approach really is. For the contact center engagement channel, IDgo replaces risky, inefficient SMS OTP with a secure, device-bound, “tap-to-authenticate” experience that eliminates smishing, reduces time to authenticate, and protects consumers and enterprises from the fraud attacks that SMS OTP enables.


Why SMS One-Time Passcodes (One-Time Passwords) Are Not Enough

1) NIST guidance is clear: SMS one-time passcodes are not sufficiently secure

The National Institute of Standards and Technology (NIST) guidance is clear: OTPs, especially SMS-delivered OTPs, are not sufficiently secure for high-risk scenarios.

  • OTPs are not phishing-resistant (NIST SP 800-63B). Authenticators requiring manual entry (including OTP) “shall not be considered phishing resistant.”

  • For financial services, call centers, and high-risk transactions, NIST advises stronger, device-bound, phishing-resistant authentication methods (like IDgo).

In other words, a one-time password delivered through SMS may feel familiar, but it is not the strongest option when security matters most.


2) SMS OTP is a prime driver of account takeover (ATO) and impersonation fraud

SMS one-time passwords are heavily targeted because they can be intercepted, socially engineered, or redirected through telecom-based attacks.

  • U.S. ATO fraud losses hit $15.6B in 2024, up from $12.7B in 2023 (Javelin Strategy & Research / AARP). The average loss per ATO incident is ~$12,000 for consumers (U.S. state securities regulator advisory). Every $1 lost to fraud costs financial institutions $4.41 in total impact (LexisNexis, April 2024).

  • Smishing (SMS-based phishing) attacks targeted 76% of businesses last year, with an average organizational loss of more than $9.5 million per successful attack (Atlantic Union Bank, Sept. 2025).

When fraudsters can trick consumers into sharing a one-time passcode, the “security” layer becomes the attack surface.


3) One-time passcodes are slow, cumbersome, and add friction

In contact center workflows, consumers must read codes aloud, which gives attackers a script to follow. Copying, pasting, or memorizing a code leads to failed attempts and restarts, adding time to authentication. Codes can also be intercepted, forwarded, or phished.

The workflow has no way to distinguish legitimate calls from suspicious ones: an OTP is always issued.

Even when an SMS one-time passcode works as designed, it still adds friction and time to every interaction.


4) SMS OTP teaches consumers the wrong security behavior

When call agents say, “Read me the code you just received,” consumers learn to trust unsolicited texts and to share sensitive tokens. In effect, that request trains consumers to be smished.

Fraudsters spoof contact center numbers and coach consumers to read codes aloud.

This is one of the biggest long-term risks of the one-time password model: it normalizes sharing secrets under pressure.


Why IDgo Is Better Than One-Time Passcodes for Contact Center Authentication

1) Superior security with device-based authentication

IDgo provides device-based authentication that eliminates common vulnerabilities of one-time passcodes.

  • IDgo has no codes, no need to speak any information aloud, and no interception or replay risk.

  • IDgo uses a verified device key that blocks the attack paths that make SMS OTP vulnerable, including SIM swap and port-out attacks.

  • IDgo supports adaptive questioning for suspicious calls to protect against man-in-the-middle attacks.

  • IDgo is continuously evolving to address new fraud vectors. An SMS OTP has no extensibility.

This is what modern, phishing-resistant device-based authentication should look like.


2) A simpler, faster experience than one-time passwords

IDgo eliminates the friction created by SMS OTP workflows.

  • IDgo requires no manual entry of codes, no reading codes aloud, and no repeated attempts, and it does not teach consumers to be smished.

  • IDgo authentication completes in seconds.

  • IDgo authentication results in higher consumer and staff satisfaction.

Instead of forcing customers through a fragile one-time passcode workflow, IDgo delivers a fast, secure, tap-to-authenticate experience.


A better model for modern authentication

SMS one-time passcodes and one-time passwords are familiar, but familiarity is not the same as security. In today’s contact center environment, OTP-based authentication creates avoidable risk, unnecessary friction, and a workflow that fraudsters increasingly know how to exploit.

As financial institutions modernize contact center security, device-based authentication provides a stronger foundation: fewer shared secrets, fewer opportunities for interception or social engineering, and a faster experience for both customers and staff.