
Why Fit-for-Purpose Authentication Matters

Co-authors: Ibrahim Sbeih & José A. García

In any digital ecosystem, the effectiveness of a solution depends on it being truly fit for purpose. When technologies are repurposed beyond their intended design, they are not tested for those new use cases and can expose real users to unforeseen vulnerabilities. As businesses increasingly shift OTPs from SMS to OTT channels, primarily in search of cost savings, many fail to recognise that these platforms were not built to meet the strict security, reliability, and compliance requirements of user authentication. This article explains why channel selection must align with function, and why purpose-built authentication solutions are essential to protecting trust.

According to the Mobilesquared 1Q 2025 WhatsApp Business Report, WhatsApp Business authentication traffic will grow from 7.6 billion messages in 2024 and 19.8 billion messages in 2025 to 134.4 billion messages in 2029. And while many businesses are drawn to the host of rich features and the marginal savings in costs, few understand the risks associated with this path. 

Indeed, over-the-top messaging apps like WhatsApp excel at customer engagement, offering rich, interactive experiences beyond simple text. When it comes to authentication, however, OTT channels fall short. Despite their popularity, they introduce significant security risks and weaker reliability when compared to more advanced authentication methods, such as the GSMA's TS.43 standard, or even to SMS.

[Figure: A phone showing two methods of authentication, OTT OTP vs. Silent Authentication]

And because pricing is probably the most significant factor driving this discussion, let’s first lay out the present-day situation:

Across the 200 markets, the average WhatsApp Business authentication rate is $0.03186. The global average A2P SMS domestic rate is $0.0307…. Based on 1Q 2025 rates for WhatsApp Business authentication messages and A2P SMS domestic termination rates, A2P SMS is cheaper in 112 markets, with WAB API cheaper in 88 markets. (Mobilesquared)

This article explores why OTTs are not the answer for authentication, highlights the risks involved, and shows why SMS and TS.43 remain the right path forward.

Risks of Authentication via OTT

Using OTT channels for authentication comes with significant security and operational risks that enterprises must carefully consider. Here are three of the most important.

Risk 1: Bot-Triggered OTP Hijacking

A growing and serious threat to OTP authentication via OTT channels involves automated bots hijacking phone numbers through OTP interception and account takeover, following the modus operandi of SMS artificially inflated traffic (AIT). The attack exploits the inextricable link between a phone number and the OTT app account registered to it.

In short, the strong financial incentive for fraudsters to exploit this phone number–app linkage makes OTT-based OTP delivery a risky choice. These accounts are particularly vulnerable to hijacking, creating a high-value target for bad actors and cascading problems down the stream for the enterprise itself and its user base.

How it works:
  • Bots trigger OTP requests for a target phone number via an app’s registration interface.
  • The OTP is intercepted before reaching the legitimate user, often through an aggregator or downstream provider.
  • Using the OTP, the bot completes registration and links the phone number to a bot-controlled app account.

Consequences for the legitimate user:

Once a bot successfully hijacks a phone number through OTP interception, the legitimate user can find themselves locked out of their own account. The bot-controlled account remains linked to the hijacked number, meaning that subsequent OTPs for verification are automatically sent to the attacker’s application, not the rightful owner.

The legitimate subscriber may only discover the hijack when they notice suspicious activity or are unable to access their account, often after a security breach or failed recovery attempts. Reclaiming ownership then requires costly, complex security procedures, and the user remains vulnerable to further malicious activity until the issue is resolved.
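From the enterprise's side, the first observable trace of the bot-triggered pattern above is the request stream itself: an automated source requesting OTPs for a contiguous block of numbers within seconds, with few or none of those codes ever verified by a real user, which is the classic AIT tell. The following detector is an added example written for this article, not code from the authors or from any vendor; the log format, field names and the sample lines are constructed for illustration, and the thresholds are assumptions to be tuned against real traffic.

```python
# Added example (not the article authors' code): flag OTP request bursts with
# the AIT-style signature described above. Log format and thresholds are
# constructed assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source hammers a contiguous number range in
# seconds and nobody completes verification; a real user requests twice
# (first code expired) and verifies once.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z otp.request msisdn=+447700900101 src=reg-api
2025-03-01T10:00:02Z otp.request msisdn=+447700900102 src=reg-api
2025-03-01T10:00:02Z otp.request msisdn=+447700900103 src=reg-api
2025-03-01T10:00:03Z otp.request msisdn=+447700900104 src=reg-api
2025-03-01T10:00:04Z otp.request msisdn=+447700900105 src=reg-api
2025-03-01T10:00:05Z otp.request msisdn=+447700900106 src=reg-api
2025-03-01T10:03:10Z otp.request msisdn=+447700912345 src=web-login
2025-03-01T10:04:30Z otp.request msisdn=+447700912345 src=web-login
2025-03-01T10:04:55Z otp.verified msisdn=+447700912345 src=web-login
"""


def parse_log(text):
    """Parse 'timestamp event key=value ...' lines into (ts, event, fields)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), event, fields))
    return events


def detect_ait(events, window=timedelta(minutes=5), prefix_len=9,
               min_burst=5, max_verify_ratio=0.2):
    """Return number prefixes whose OTP request pattern looks like AIT.

    Signature used: at least `min_burst` requests to numbers sharing the first
    `prefix_len` characters inside any `window`, combined with a share of
    completed verifications at or below `max_verify_ratio`.
    """
    requests = defaultdict(list)   # prefix -> request timestamps
    verified = defaultdict(int)    # prefix -> completed verifications
    for ts, event, f in events:
        prefix = f["msisdn"][:prefix_len]
        if event == "otp.request":
            requests[prefix].append(ts)
        elif event == "otp.verified":
            verified[prefix] += 1

    flagged = {}
    for prefix, times in requests.items():
        times.sort()
        peak, start = 0, 0
        for i, t in enumerate(times):          # sliding window over sorted times
            while times[start] < t - window:
                start += 1
            peak = max(peak, i - start + 1)
        ratio = verified[prefix] / len(times)
        if peak >= min_burst and ratio <= max_verify_ratio:
            flagged[prefix] = {"peak_requests": peak, "verify_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for prefix, info in detect_ait(parse_log(SAMPLE_LOG)).items():
        print(f"AIT suspect range {prefix}*: {info}")
```

On the constructed log the bot range +44770090* is flagged (six requests in four seconds, zero verifications) while the genuine user's prefix is not. Blocking or rate-limiting a flagged range at the request stage stops the OTPs from ever leaving the enterprise, which is the only point in the chain the enterprise controls once the message is handed to an OTT provider or aggregator.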

Risk 2: Number Recycle Vulnerability

Number recycle vulnerability is a security risk that arises when a phone number is reassigned to a new user while the previous user’s OTT app remains linked to that number. This can lead to unauthorized access to authentication codes and sensitive information.

How it works:

Stage 1, Time Zero (T0):
User A buys a SIM card and registers their OTT app (e.g., WhatsApp) with that phone number.

Stage 2, Time Later (e.g. 3 months):
User A stops using the SIM card but continues to use the OTT app, which remains linked to the phone number without requiring an active SIM.
The mobile operator recycles the phone number.
User B purchases a new SIM card with the same number (recycled by the MNO).
👉 Key callout: The WhatsApp account remains active on User A's number, even though the SIM is gone.

Stage 3, Fraud Risk:
User B does not install WhatsApp but tries to do an online banking transaction. The bank sends the OTP over WhatsApp to her number, but…
User A (the wrong person) receives the OTPs for transactions attempted by User B.
This opens a fraud window: User A could intercept OTPs meant for User B's bank login, payments, or sensitive actions.
👉 Key callout: The OTP is delivered to User A's still-active WhatsApp account, not to User B.
👉 Key callout: Mismatch between SIM ownership and OTT app persistence = severe security and fraud risk.
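The mismatch in the timeline above is mechanical, so it can be checked before an OTP is routed. The block below is an added example for this article, not the authors' or any vendor's code: it replays the three stages against two constructed registries to show who each channel would actually reach, and gates the OTT channel on whether the number's OTT binding predates the SIM that currently holds the number. The names, timestamps and the assumption that the operator can report when the current SIM was activated (`sim_activated_at`) are illustrative.

```python
# Added example (not the article authors' code): replay the recycled-number
# timeline and gate OTT delivery on SIM-vs-binding age. All data and the
# operator-provided activation timestamp are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class SimAssignment:
    holder: str             # who currently holds the SIM for this number
    activated_at: datetime  # when that SIM was activated (assumed operator-provided)


@dataclass
class OttBinding:
    account_holder: str     # whose OTT account is bound to the number
    linked_at: datetime     # when the binding was established


def _ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed state: at T0 User A registers WhatsApp; three months later the
# MNO recycles the number to User B, while the OTT binding never changes.
SIM_REGISTRY = {"+447700900123": SimAssignment("User B", _ts("2025-04-01T09:00:00"))}
OTT_BINDINGS = {"+447700900123": OttBinding("User A", _ts("2025-01-01T09:00:00"))}


def sms_recipient(msisdn):
    """SMS terminates on whichever SIM currently holds the number."""
    return SIM_REGISTRY[msisdn].holder


def ott_recipient(msisdn):
    """An OTT OTP goes to the account bound to the number, SIM or no SIM."""
    return OTT_BINDINGS[msisdn].account_holder


def choose_otp_channel(msisdn):
    """Refuse OTT when the binding may belong to a previous holder of the number."""
    sim = SIM_REGISTRY[msisdn]
    ott = OTT_BINDINGS.get(msisdn)
    if ott is None:
        return "sms", "no OTT binding for this number"
    if ott.linked_at < sim.activated_at:
        return "sms", "OTT binding predates current SIM: possible recycled number"
    return "ott", "OTT binding established after current SIM activation"


if __name__ == "__main__":
    n = "+447700900123"
    print("SMS would reach:", sms_recipient(n))
    print("OTT would reach:", ott_recipient(n))
    print("gate decision:", choose_otp_channel(n))
```

For the constructed number, SMS reaches User B, OTT reaches User A, and the gate falls back to SMS. The check depends entirely on knowing the current SIM's activation time from the operator; without that signal the enterprise has no way to tell a live binding from a stale one, which is the structural problem the article describes.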

Risk 3: Loss of Oversight and Regulatory Challenges

Delivering OTPs over OTT apps like WhatsApp creates blind spots for regulators. Due to end-to-end encryption, authorities cannot observe authentication activities even under lawful intercept. In contrast, OTPs sent via SMS or operator-managed channels allow regulators to maintain oversight essential for tracking potential criminal or security threats. 

This loss of visibility not only undermines national security frameworks but also facilitates revenue leakage for operators and potential abuse by bad actors, bypassing legal safeguards.

Comparison of Authentication Methods and Channels

When choosing how to deliver one-time passwords and authenticate users, enterprises must weigh critical factors like accessibility, security, regulatory compliance, and industry standards. The table below compares the three main approaches in use today: OTT channels, traditional SMS, and the emerging GSMA-standardized Number Verify Version 2.

Factor: Accessibility
  OTT channel: Requires smartphones and OTT app installation; limited reach to feature phones or offline users.
  SMS: Universally supported on all mobile phones, including feature phones; the broadest user base coverage.
  Number Verify V2 (TS.43): Leverages the mobile network and device directly; silent verification with minimal user interaction (see below).

Factor: Security features and vulnerabilities
  OTT channel: End-to-end encryption protects message content, but vulnerable to number recycling and account persistence risks.
  SMS: Delivery tied to the SIM card and phone number; susceptible to SIM swap fraud but avoids the number recycle issue inherent to OTT.
  Number Verify V2 (TS.43): Explicitly designed for authentication, with built-in measures against hijacking and fraud.

Factor: National security implications and lawful intercept
  OTT channel: Encrypted traffic blocks regulator and law enforcement visibility, limiting lawful intercept capabilities.
  SMS: Allows lawful intercept and regulatory oversight; supports compliance with national security frameworks.
  Number Verify V2 (TS.43): Aligned with regulatory requirements, enabling lawful intercept and oversight without compromising security.

Factor: GSMA alignment and industry standard support
  OTT channel: Not officially recognised or aligned with GSMA standards; largely controlled by OTT providers.
  SMS: GSMA-driven and recognised channel; widely accepted industry standard for authentication.
  Number Verify V2 (TS.43): Fully GSMA standardised and industry supported; represents the next-generation authentication channel.

In short, while OTT channels offer rich user experiences, they fall short in key areas critical for secure, compliant authentication. SMS remains a reliable workhorse, but the future lies with frameworks like Number Verify V2 that combine security, accessibility, and regulatory alignment.

The Future of Authentication: GSMA Aligned Channels and TS.43 Standard

As the risks and limitations of OTT authentication become clearer, attention is turning to more secure, standardized solutions. The GSMA’s TS.43 Number Verify Version 2 standard stands out as the most promising path forward, offering a formal, industry-backed approach designed explicitly for authentication.

What is TS.43 Number Verify V2?

TS.43 Number Verify V2 is a GSMA standard that enables silent, frictionless authentication by leveraging mobile network capabilities directly. Unlike OTT or SMS OTPs, this method verifies that the device holds the claimed phone number with minimal user interaction, enhancing security without sacrificing convenience.

Fit-for-Purpose Design: Built Specifically for Authentication

TS.43 is purpose-built to overcome the vulnerabilities of SMS and OTT channels. It ties authentication directly to the network and the device rather than to a code delivered to an inbox or app, closing the number-recycling gap and reducing exposure to SIM swap fraud. Its design reflects a deep understanding of mobile ecosystem constraints and regulatory requirements.

Industry Support and Regulatory Backing

TS.43 is fully aligned with GSMA standards and enjoys broad adoption and support from mobile network operators, regulators, and industry stakeholders. This standard not only meets technical and security needs but also facilitates lawful intercept and compliance with national security frameworks.

Conclusions and Recommendations

Over-the-top (OTT) channels have transformed customer engagement with rich, interactive messaging. However, as this article has shown, they are not suitable for secure authentication due to inherent risks like bot hijacking, number recycle vulnerability and loss of regulatory oversight.

For now, SMS remains the best available option for delivering one-time passwords. It offers broad accessibility and reasonable security, and it complies with regulatory requirements, although it is not without limitations.

Looking ahead, the GSMA's Number Verify V2 standard represents the ideal future. It combines a seamless user experience with robust security, built specifically for authentication and backed by industry stakeholders and regulators.

Enterprises and carriers must recognize these distinctions and prioritize officially supported channels like SMS and TS.43 for authentication. Moving away from OTT authentication is essential to protect users, maintain trust, and ensure compliance with national security frameworks.