For years, SMS and email-based OTPs (one-time passwords) have been the go-to method for digital authentication. Ubiquitous across banking, e-commerce, and enterprise workflows, they’ve powered one of the biggest use cases in the CPaaS industry.
But that era may soon be ending.
Regulators are stepping in:
Malaysia was one of the first to ban SMS OTPs for banking apps. Singapore followed with a push toward digital tokens and app-based verification. And now, in June 2025, the Central Bank of the UAE has ordered all financial institutions to stop using SMS and email OTPs as of next year, mandating stronger real-time fraud prevention and secure authentication alternatives. 👉 Source
The motivation? Security. OTPs sent over SMS or email are increasingly vulnerable to phishing, SIM swap fraud, and man-in-the-middle attacks. The technology is showing its age—and regulators are no longer willing to look the other way.
What’s at Risk
The OTP use case drives a significant share of CPaaS revenue—part of a sector now worth tens of billions annually and still growing. But that foundational stream is under pressure. As regulatory mandates expand and enterprises shift toward more secure login methods, OTP traffic could decline sharply in some regions over the next 12–18 months.
Silent authentication, biometric login, and network APIs (like SIM Swap and Device Location) are already stepping in. Identity is moving upstream—toward platforms that are faster, more secure, and less dependent on legacy telecom rails.
Join the Conversation at CASA25
We’ll unpack this shift at CASA25 in Amsterdam this September:
What’s replacing SMS OTPs? What role can telcos and CPaaS providers play in the new authentication stack? And how can we turn this disruption into opportunity?
Join us to shape what comes next.