Update, February 4th 2026: TypingDNA SMS+ just released publicly. Check it out!
NIST’s updated Digital Identity Guidelines (SP 800-63B-4) formally classify SMS/PSTN one-time passcodes as a restricted authenticator. The “restricted” category itself was introduced in Rev 3 (§ 5.2.10) and is carried forward in Rev 4 (§ 3.2.9), where it comes with explicit obligations for any organization that continues to use these methods.
SMS OTP is still allowed, but the bar for using it has been raised. If you rely on SMS for multi-factor authentication, you now need to meet specific conditions and to mitigate its well-known risks: SIM swaps, number porting, device theft, and MITM/relay attacks. Many organizations are therefore looking for ways to keep using SMS without taking on unnecessary risk.
What “restricted” means in Rev 4
Under § 3.1.3.3 and § 3.2.9, the use of the PSTN for out-of-band authentication (including SMS OTP) is considered restricted. At the time of publication, it is the only method in this category. Being restricted means you can still use it if you do all of the following:
- Offer at least one unrestricted alternative that meets the required AAL, and notify users of the risks of the restricted method and of the availability of alternatives.
- Address these risks in your risk assessment and maintain a migration plan in case the method becomes unacceptable in the future.
- Implement risk-mitigation controls that detect and prevent interception, SIM swap, device theft and number porting attacks, and that detect abnormal user behavior.
Provided that you meet all three conditions, you can continue using SMS OTP while reducing your exposure. This is where TypingDNA’s SMS+ comes in. It adds a transparent typing check so the OTP is revealed only to a verified user, which addresses the third requirement above: SIM swap, device theft, number porting, interception and MITM attacks are all mitigated the same way, by detecting abnormal typing behavior and withholding the OTP from anyone who fails the check.
Why NIST took this step
SP 800-63B Rev 3 (the previous version) already allowed SMS OTP with cautions and listed PSTN out-of-band authentication as restricted; the 2016 public draft of Rev 3 had gone further, marking the method as deprecated and under consideration for removal in a future edition. Removing it proved impractical because of the large number of organizations, including federal agencies, that rely on SMS and have no immediate alternative for securing user accounts. Rev 4 therefore keeps the second-class status of SMS OTP/PSTN (as a “restricted authenticator”), making clear that 1. it can still be used, while 2. its weaknesses are significant enough to require additional conditions.
Practical steps to comply and reduce risk
- Mitigate the risks directly: Implement layered security so that even if an attacker receives the SMS, they cannot use the OTP without passing an additional verification step. TypingDNA SMS+ adds an inherence check and encrypts the OTP so it is revealed only after verification, addressing threats like SIM swap, device theft, MITM attacks, and interception.
- Harden your SMS flow: Use short-lived, single-use codes. Throttle verification attempts. Block delivery to known VoIP numbers. Run SIM swap and number porting checks before sending codes, and step up authentication when such events are detected. IAM platforms or SMS providers may handle some of these checks (often via CAMARA APIs), but a detected SIM change alone does not confirm malicious intent, so blocking on detection by itself is not a complete solution.
- Provide an optional alternative: Offer an app-based OTP, push notification, or hardware key option and make it visible to users.
- Add clear user notices: At enrollment, recovery, and number-change screens, explain the risks of SMS OTP and that an alternative is available.
- Treat number changes seriously: Changing the registered phone number is the binding of a new authenticator, so follow the same binding process as when the authenticator was first added.
How TypingDNA SMS+ helps
SMS+ is a drop-in upgrade to your existing SMS OTP. Instead of sending the code in plain text, you send a secure link. The user types two words directly in their phone browser (no app required), and if their typing matches their previous typing behavior, the code is revealed. With deeper integrations, the user does not even have to enter the code after verification.
Why it matters:
- Keeps your current IAM flow and user experience unchanged.
- Reduces risk from SIM swap, theft, and relays. An attacker who gets the SMS still cannot see the code without passing the typing check.
- Supports § 3.2.9 requirements while you offer alternatives and maintain a migration plan.
TypingDNA SMS+ can be self-hosted and is fully customizable in look and feel. It integrates with your IAM as a custom SMS provider, and you configure your own SMS provider within SMS+.
Availability: public on GitHub, with a live demo available. Contact us for a demo.
Key takeaways
- SMS OTP is now explicitly restricted under NIST SP 800-63B-4.
- Using it requires offering alternatives, informing users, mitigating risks, updating risk assessments, and maintaining a migration plan.
- Hardening your SMS flow and adding layered security such as TypingDNA SMS+ is a practical solution that mitigates these risks by detecting abnormal user behavior.
- There is no need to start from scratch. TypingDNA SMS+ can be integrated quickly to secure the SMS channel you already use.
Related to NIST SP 800-63B Rev 4
NIST SP 800-63B Rev 4 also introduced Section 5.3 Session Monitoring, which TypingDNA addresses with its continuous authentication technology (TypingDNA ActiveLock, our AI desktop agent), covered in detail here: NIST SP 800-63B Rev 4: Session Monitoring and TypingDNA ActiveLock.