Ambimat Group · Engineering Blog
Standards evolution

OTP / SMS — from S/Key to deprecation.

How one-time passwords were invented, standardised, weaponised, and (slowly) replaced — from S/Key in 1981 to SS7-attack disclosures in 2017 to NIST’s discouragement of SMS OTP in 2025.

1981

S/Key one-time password scheme proposed

Leslie Lamport publishes a one-time-password method based on a one-way hash chain — the conceptual ancestor of modern OTPs.

Lamport / S/Key

1986

RSA SecurID launched

Proprietary time-based hardware tokens with a six-digit display become the first widely deployed OTP product.

RSA SecurID

1995

S/Key formalised in RFC 1760

IETF documents the S/Key OTP method.

RFC 1760

1998

RFC 2289 — OTP system

Updates and supersedes RFC 1760 with a more general OTP framework.

RFC 2289

2005

HOTP standardised (RFC 4226)

HMAC-based event-counter OTP. Foundation for all modern OTP authenticators.

RFC 4226 HOTP

2011

TOTP standardised (RFC 6238)

Time-based OTP — the algorithm behind Google Authenticator and most mobile authenticator apps.

RFC 6238 TOTP

2013

SMS OTP everywhere

Online banking, e-commerce, and government services adopt SMS OTP as a "second factor" at consumer scale — despite known SMS-channel risks.

SMS OTP era

2016

NIST SP 800-63-3 deprecates SMS for AAL2+

NIST draft removes SMS OTP from the recommended AAL2 authenticator types. Final version published 2017.

NIST SP 800-63-3

2017

SS7 phone-number takeover demonstrated

Researchers and journalists demonstrate live SMS OTP interception via SS7 attacks. SIM-swap attacks become a routine consumer-fraud vector.

SS7 / SIM-swap

2019

FIDO2 mainstreams phishing-resistant MFA

FIDO2 hardware keys and platform authenticators become the reference replacement for OTP in high-assurance deployments.

FIDO2

2022

OMB M-22-09 phishing-resistant MFA mandate

U.S. federal civilian executive branch directed to deploy phishing-resistant MFA (read: FIDO2 / PIV), not OTP, by FY24.

OMB M-22-09

2025

NIST SP 800-63-4 final removes SMS

Final revision firms up the prohibition on SMS for AAL2+. Banking regulators in EU and APAC follow suit.

NIST SP 800-63-4

2026

OTP relegated to recovery codes only

Consumer services keep TOTP as a recovery method; the primary factor is FIDO / passkey or hardware token. The 45-year era of OTP as a primary factor effectively ends.
