Platform
Platform
Drop-In Authentication
Passkeys
Phishing-resistant, FIDO2/WebAuthn
Biometric authentication
Face and device-native biometrics
WhatsApp OTP
Global reach, lower cost than SMS
Email OTP
Universal second factor
App push authentication
Native device push notifications
Palm biometrics
Contactless identity verification
All authentication methods
KEY FEATURES
No-code rules engine
Step-up auth, risk policies, alerts
User observability
Audit trails, dynamic linking
Risk-based authentication
Adaptive MFA by context
Session management
Persistent sessions across channels
Digital credentials API
Verify sovereign digital IDs
Pre-built UI
Fastest deployment path
Passkeys
Deploy phishing-resistant passkeys across web and mobile in days
Solutions
Solutions
USE CASE
Account Takeover Prevention
Stop ATO without adding friction
Go Passwordless
Replace passwords with passkeys
Account Recovery
Secure self-service recovery flows
Call Centre Authentication
Verify callers without KBA
SMS Cost Optimisation
Cut OTP costs up to 90%
Existing Apps (Drop-In)
Add auth without re-architecting
Palm biometric payments
Contactless in-store payments
INDUSTRY
Financial Services & Banking
Secure high-value transactions
Healthcare
Authentication for ePHI access
Loyalty Programs
Protect points and member accounts
ROLE
Engineering
Fast integration, flexible SDKs
Product
No-code flows, conversion insights
Cybersecurity
Risk policies, compliance, audit trails
PricingCustomers
Resources
Resources
LEARN
Blog
Guides
Regulatory
Templates
Docs
COMPANY
About Us
Why Authsignal
Partners
Careers
Security
Contact
INTEGRATIONS
Amazon Cognito
Auth0
Azure AD B2C
Custom identity provider
Duende IdentityServer
All integrations
Docs
Start a trial
Book a callLogin
AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

AUS Flag

Authsignal secures millions of passkey transactions out of our hosted Sydney region.

Join us today!
Right icon
Blog
/
Current article
Fraud awareness

Sim Swap Fraud is our generation's Y2K moment

Justin Soong
⬤
March 3, 2025
Share
Sim Swap Fraud

It's apt to talk about SMS one-time passwords (SMS - OTP) on the 30th anniversary of the first SMS sent. Since then, we have sent SMS to the tune of 6 billion messages a day. SMS has truly stood the test of time with its simplicity and robustness as a messaging medium.

A large proportion of those messages sent every day are SMS one-time passwords. These messages typically contain a 6-8 digit code sent every time we sign in or transact, most prevalent in our internet banking experiences as an example.

Unfortunately, with the prevalence of SMS, we have seen the rise of SMS one-time password fraud. The most damaging in 2022 is Sim Swap Fraud. During the pandemic, Sim Swap fraud rose by 400%, and over $100 million worth of funds were extracted by cybercriminals.

What is Sim Swap Fraud?

SIM swapping occurs when scammers contact your phone's carrier and trick them into activating a SIM card owned by the fraudsters. When this happens, the scammers gain control of your phone number. Anyone dialling or texting this number will be connected to the scammer's device rather than your smartphone.

SMS is not secure anymore

Because of this inherent vulnerability with SMS and the fact that SMS is transmitted without encryption and easily intercepted, the National Institute of Standards and Technology has issued a deprecation notice for SMS as an authentication factor as far back as 2017.

In 2022, we are still seeing the impact of such risks associated with SMS with the most recent Twilio breach, which affected over 130 organizations, validating the guidance issued in 2017 by NIST.

We need an upgrade path out of SMS OTPs

It's now clearly untenable to keep relying on SMS as a means of authentication, which naturally begs the question of how to move away from using SMS. Because of its sheer scale and proliferation, this has become our generation's Y2k moment. Inaction will cause the risk posed by SMS to snowball. We've come up with some strategies on how we can start addressing these risks.

Give your users choice

Consumers are now screaming out for alternatives. Savvy digital natives are quickly realizing the risks associated with SMS and asking for secure alternatives.

Although there is a strong argument because of  the perceived customer experience advantage that SMS provides, and the argument that it's better than not providing any form of step-up authentication. The risks now far outweigh the benefits, and with the rapid rise of authentication factors such as Authenticator Apps (Time-based One Time Passwords/TOTP) and browser-based biometrics, there are great alternatives that consumers are now accustomed to.

If completely removing SMS is not an option, the next best thing to do is to give your users a choice, a TOTP authenticator app at the least.

If SMS is your only option, protect and educate your customers
If there is no upgrade path or opportunity to provide choice, then there are great tools to ensure that Sim Swap fraud is mitigated.

One way to protect your customers is using a Sim Swap time stamp. Telco providers are now providing data in real-time of when Sim Swaps occur for a given phone number. When paired with logic like detecting a new device, your platform can add additional steps to verify the customer further.

Start Now
There is no time like the present, and the key is to find an upgrade path that can be injected into your current app without a massive migration effort or engineering lift.

How can Authsignal help?
Authsignal provides passwordless alternatives to SMS One time passwords, like Authenticator Apps and FIDO2/Biometrics. These authenticator types come with pre-built flows that follow user experience best practices, so you can spend more time building features that you value and sleep easy knowing that your customer's accounts are secure with Authsignal.

Our rules engine, when paired with data points like Sim Swap timestamps, can easily change the authentication flows for your customers to provide an extra layer of risk mitigation without sacrificing the customer experience.

Our SDKs and APIs allow you to easily pick and augment any flow in your customer journeys without requiring considerable migration efforts and significant code changes. Check out our developer documentation to see how easy it is to add Authsignal into your app.

#simswapfraud #Authsignal #Passwordlessauthentication #simswapscam

Question icon
Have a question?
Talk to an expert
NewsletterDemo PasskeysView docs
Fraud awareness

You might also like

The passkey UX patterns that drive adoption in 2026
Passkeys
Passkeys implementation

The passkey UX patterns that drive adoption in 2026

July 2, 2026
What is silent network authentication, and how does it work?
Silent Network Authentication
SNA

What is silent network authentication, and how does it work?

June 26, 2026
HIPAA MFA requirements and what to do before the final rule lands
Passkeys
Step up authentication
Adaptive MFA
SMS Alternative

HIPAA MFA requirements and what to do before the final rule lands

July 4, 2026

Secure your customers’ accounts today with Authsignal

Passkey demoCreate free account
Authsignal Purple Logo

Authsignal is a drop-in authentication and orchestration layer for consumer-facing businesses. Passkeys, adaptive MFA, and omnichannel verification on top of your existing identity stack. Deployed in weeks, not quarters.

AICPA SOCFido Certified
LinkedInTwitter
Platform
Drop-In Authentication
PasskeysBiometric authenticationWhatsApp OTPEmail OTPApp push authenticationPalm biometricsSMS OTPEmail OTPMagic LinksAuthenticator apps (TOTP)
View all auth methods
KEY FEATURES
No-code rules engineUser observabilityRisk-based authenticationSession managementDigital credentials APIPre-built UI
All authentication methods
Pricing
Customers
Solutions
USE CASE
Account takeovers (ATO)
Go passwordless
Call center
SMS cost optimization
Existing apps
Palm biometric payments
View all use cases
industry
Financial services
Healthcare
Marketplace
View all use cases
ROLE
Engineering
ProductCybersecurityDocs
Compare
Twilio Verify vs AuthsignalAuth0 vs AuthsignalAWS Cognito vs Authsignal + AWS Cognito
Resources
LEARN
BlogGuidesRegulatoryTemplatesDocs
COMPANY
About usWhy AuthsignalPartnersCareersSecurityContact
Integrations
Amazon Cognito
Azure AD B2C
Duende IdentityServer
Keycloak
Auth0
NextAuth.js
Custom identity provider
All integrations
United States
+1 214 974-4877
Ireland
+353 12 676529
Australia
+61 387 715 810
New Zealand
+64 275 491 983
© 2026 Authsignal - All Rights Reserved
Terms of servicePrivacy policySecuritySystem statusCookies