vdelitz for Corbado

Payday Super SMS OTP costs 2026: why Australian super funds authentication breaks under APRA CPS 234 and ACMA Sender ID rules

Australia's Payday Super reform (effective 1 July 2026) quietly turns SMS OTP into a line item that scales like a tax. When super contributions move from quarterly to every pay cycle, member engagement shifts with it. If your app nudges members with "your contribution arrived" notifications, logins per member can jump from 4 to 24+ per year. That's the core driver behind the Payday Super SMS OTP costs 2026 problem.

The 1 July 2026 pile-up is the real risk

Three deadlines collide on 1 July 2026: Payday Super, the SuperStream 3.0 upgrades (including NPP and the Member Verification Request, MVR), and the ACMA SMS Sender ID Register, which also takes effect on 1 July 2026. Layer on APRA CPS 230 operational risk management (effective 1 July 2025) and the existing APRA CPS 234 MFA requirements, and you get a compliance squeeze and a cost squeeze at the same time. The practical outcome is that SMS-based authentication becomes both more expensive and harder to defend.

The cost model is brutal and has no economies of scale

The article's cost model makes the problem concrete. With SMS OTP priced at 0.05 AUD per message, a mid-tier fund with 1 million members sees annual authentication costs surge:

| Metric | Pre-Payday Super | Post-Payday Super |
| --- | --- | --- |
| Logins per member/year | ~4 | ~24+ |
| Annual SMS OTP cost | $230,000 | $1,380,000 |
| Cost increase | | ~500% |

That is a ~500% SMS OTP cost increase, driven mostly by login frequency. The model also adds realistic overhead: segment-length multipliers and failure charges mean you can pay even when messages do not arrive.

ACMA SMS Sender ID Register changes deliverability and pricing dynamics

From 1 July 2026, branded sender IDs become a governance requirement under the ACMA register. Without verification, messages can land in a generic "Unverified" thread, which undermines trust and increases support calls when members hesitate to enter codes. Carriers are also signaling premium pricing for verified A2P traffic, so even if you optimize message length, per-message cost pressure can still rise.

Payday Super drives "bank scale" IAM loads inside super funds

Payday Super makes superannuation feel real time. A member paid fortnightly goes from 4 contribution events per year to 26, and each event can trigger a login. At fund scale, that turns Australian super fund authentication into a high-volume system:

| Fund size | Auth events (before) | Auth events (after) |
| --- | --- | --- |
| 2-4 million members | 8-12 million/year | 48-72 million/year |

If your primary step-up method is per-login SMS OTP, your OpEx grows with engagement.

SuperStream 3.0 and NPP reduce fraud response time, not just settlement time

SuperStream 3.0 introduces near-instant settlement via the New Payments Platform (NPP) and adds the Member Verification Request (MVR) service to pre-validate whether a fund will accept a contribution. NPP's speed changes the fraud equation: if an attacker gets into a member account, the window to detect and reverse activity shrinks dramatically compared to batch settlement. This is where the APRA CPS 234 MFA requirements become operationally sharp, not theoretical.

Why SMS OTP is increasingly hard to justify for security

SMS OTP concentrates risk in the telecommunications layer. The post calls out SIM swapping, reverse-proxy phishing (MitM toolkits like Evilginx), and OTP flooding as practical bypass routes. Even if your password hygiene improves, SMS can remain the weak link, and under CPS 230 operational risk management you still have to treat that dependency as a material operational exposure.

Passkeys remove the marginal cost problem entirely

FIDO2 passkeys for superannuation fix the "variable cost per login" issue. Once a member is enrolled, each additional authentication is effectively zero marginal cost, which decouples security spend from Payday Super-driven engagement. They also provide phishing resistance because WebAuthn binds the credential to the relying party origin, so a lookalike domain cannot successfully trigger the same authentication.

Corbado published data showing that passkeys achieve 93% login success vs 63% for passwords, which matters in super portals where failed logins turn into helpdesk volume and member churn.

UniSuper passkeys implementation is the local proof point

UniSuper is cited as an early mover rolling out passkeys on its member web portal. The useful takeaway is not "passkeys are possible", it's that members will actually enroll when the UX is positioned as a convenience upgrade and integrated into normal flows, rather than treated as an optional security setting buried in menus.

A practical migration pattern: shadow enrollment to OTP eradication

The article's recommended passkey migration strategy (shadow enrollment, then friction engineering, then OTP eradication) is structured like an adoption funnel rather than a big-bang cutover. Shadow enrollment prompts passkey creation right after a successful legacy login; friction engineering preferentially routes returning users to passkeys (Conditional UI helps); and OTP eradication phases SMS out while keeping a non-SMS fallback such as TOTP for edge cases. This aligns better with CPS 230 resilience goals than a sudden change that spikes support calls and lockouts.

What to do before 1 July 2026

If you own authentication in a super fund, treat 2026 as a deadline for economics, not just compliance. Model your post-Payday Super login frequency, then stress-test it against SMS pricing, failure rates, and sender ID verification requirements. Then pick an MFA path that scales without per-event costs and reduces exposure to telecom-based attacks.

Find out more on corbado.com/blog/payday-super-sms-cost
