Since March 2023, when WhatsApp officially launched Authentication Templates, major cloud communication platforms (such as Twilio Verify, Vonage, Sinch, Infobip, Message Central, Dexatel, YCloud, and EngageLab) have successively rolled out an “SMS fallback” feature. The core logic is to support “WhatsApp → SMS automatic fallback”: when sending a one-time password (OTP) via the WhatsApp channel fails, the system falls back to the SMS channel. Some vendors refer to this functionality as “Automatic Routing,” “Channel-Fallback Logic,” or “OTP Resend.”
However, current mainstream implementations present significant security risks that warrant serious industry attention.
The fundamental design principle of OTPs is “one-time validity”—a verification code should be used only once and its exposure strictly limited. Yet, the current approach of resending the same OTP across multiple channels (WhatsApp + SMS) inherently violates this principle, leading to the following risks:
1. Significantly expanded attack surface
Multi-channel transmission requires the OTP to be exposed simultaneously to the WhatsApp server, SMS gateways, and end-user devices across multiple systems and networks. Any single weak point—such as communication interception, server vulnerabilities, or device malware—may become an attack entry, dramatically increasing the probability of OTP compromise.
2. More covert identity misuse risks
Example attack path: if the WhatsApp server, due to misconfiguration or compromise, receives the OTP from the cloud communication provider but maliciously returns a “delivery failed” webhook, the platform mistakenly deems the WhatsApp channel unavailable and triggers SMS fallback to resend the OTP. By the time the user attempts verification, the system rejects the OTP as already used—since the attacker has already intercepted and exploited it. The user may wrongly assume they entered the code incorrectly, the OTP expired, or the system malfunctioned, while in reality the OTP was stolen through the manipulated server response.
3. Violation of security baselines and compliance requirements
Reusing the same OTP across multiple channels directly contravenes the Principle of Least Privilege, which requires sensitive information to be transmitted only in the minimal necessary form and scope. In highly regulated industries such as finance, payments, and healthcare, this design not only fails to meet strict requirements in international standards like PCI DSS, GDPR, and ISO 27001, but also introduces compliance risks due to insufficient controls.
4. Difficulties in security forensics and accountability
In cases of identity fraud or financial theft, when OTPs are distributed via multiple channels, it becomes extremely challenging for security teams to pinpoint the source of compromise (whether WhatsApp, the SMS gateway, or the end-user device). This ambiguity complicates incident response, hinders forensic analysis, and obscures accountability.
Recommended Improvements
To fundamentally eliminate the security risks of multi-channel OTP reuse, the fallback mechanism should be redesigned: **when the WhatsApp channel fails, the server must generate a brand-new OTP and send it via SMS**.
This approach ensures security through:
Uniqueness: each fallback generates a new, independent OTP, avoiding cross-channel reuse.
Minimized exposure: the OTP is transmitted through only one channel, reducing the attack surface.
Compliance alignment: meets the “one-time validity, single-channel transmission” requirements critical to financial-grade authentication scenarios.
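The following is an added example, not code from the article or from any of the vendors it names, that makes the two designs concrete. It models a small OTP service with a delivery-failure webhook handler and runs the scenario from the attack path above in both modes: `reuse_on_fallback=True` resends the same code over SMS (the current behaviour the article criticises), while the default issues a fresh code on SMS and revokes the WhatsApp one. The `send` transport, the user name `alice`, the fixed codes `111111`/`222222` used for a reproducible run, and the TTL and attempt limits are all assumptions; a real service would keep the CSPRNG-based `random_code` default.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300   # assumed validity window for a code
MAX_ATTEMPTS = 5        # assumed guess limit before the live code is revoked


@dataclass
class OtpRecord:
    code: str
    channel: str        # channel this code was issued on: "whatsapp" or "sms"
    issued_at: float
    attempts: int = 0
    consumed: bool = False
    revoked: bool = False


def random_code():
    """Six-digit code from a CSPRNG (what a real service should use)."""
    return f"{secrets.randbelow(10 ** 6):06d}"


class OtpService:
    """Keeps one live OTP per user. `send(channel, user, code)` is a hypothetical
    transport; `reuse_on_fallback=True` reproduces the anti-pattern the article describes."""

    def __init__(self, send, reuse_on_fallback=False, code_factory=random_code, clock=time.time):
        self._send = send
        self._reuse = reuse_on_fallback
        self._new_code = code_factory
        self._clock = clock
        self._records = {}   # user -> OtpRecord
        self.audit_log = []  # (event, user, channel) tuples, so a verification is attributable

    def issue(self, user, channel="whatsapp"):
        """Generate a fresh code on `channel`, revoking any earlier unconsumed code."""
        old = self._records.get(user)
        if old is not None and not old.consumed and not old.revoked:
            old.revoked = True
            self.audit_log.append(("revoke", user, old.channel))
        rec = OtpRecord(code=self._new_code(), channel=channel, issued_at=self._clock())
        self._records[user] = rec
        self.audit_log.append(("issue", user, channel))
        self._send(channel, user, rec.code)
        return rec

    def on_delivery_failed(self, user, failed_channel="whatsapp"):
        """Delivery-failure webhook handler: the fallback decision lives here."""
        rec = self._records.get(user)
        if rec is None or rec.channel != failed_channel or rec.consumed or rec.revoked:
            return None
        if self._reuse:
            # Anti-pattern: the same code now exists on two channels, and the
            # copy handed to the channel that reported "failed" is still valid.
            self.audit_log.append(("resend", user, "sms"))
            self._send("sms", user, rec.code)
            return rec
        # Recommended design: new code on the fallback channel, old code dead.
        return self.issue(user, channel="sms")

    def verify(self, user, submitted):
        """Return (accepted, channel_of_live_code). Codes are single-use and time-limited."""
        rec = self._records.get(user)
        if rec is None:
            return (False, None)
        expired = self._clock() - rec.issued_at > OTP_TTL_SECONDS
        if rec.consumed or rec.revoked or expired:
            return (False, rec.channel)
        rec.attempts += 1
        if rec.attempts > MAX_ATTEMPTS:
            rec.revoked = True      # stop online guessing of the live code
            self.audit_log.append(("lockout", user, rec.channel))
            return (False, rec.channel)
        if hmac.compare_digest(rec.code, submitted):
            rec.consumed = True
            self.audit_log.append(("verified", user, rec.channel))
            return (True, rec.channel)
        return (False, rec.channel)


def simulate_fallback(reuse_on_fallback):
    """Issue over WhatsApp, receive a 'delivery failed' webhook, then see which copies verify."""
    sent = []   # every (channel, code) copy that left the server
    constructed = iter(["111111", "222222"])   # constructed codes for a reproducible run
    svc = OtpService(send=lambda ch, user, code: sent.append((ch, code)),
                     reuse_on_fallback=reuse_on_fallback,
                     code_factory=lambda: next(constructed))
    svc.issue("alice", "whatsapp")
    svc.on_delivery_failed("alice", "whatsapp")
    wa_code, sms_code = sent[0][1], sent[1][1]
    # The WhatsApp copy is tried first: in the article's scenario it is the copy
    # exposed to the channel that reported failure, so it reaches the verifier first.
    wa_ok, _ = svc.verify("alice", wa_code)
    sms_ok, _ = svc.verify("alice", sms_code)
    accepted = wa_code if wa_ok else sms_code
    return {
        "codes_identical": wa_code == sms_code,
        "whatsapp_copy_accepted": wa_ok,
        "sms_copy_accepted": sms_ok,
        "channels_carrying_accepted_code": {ch for ch, code in sent if code == accepted},
        "audit_log": list(svc.audit_log),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("reuse_on_fallback =", mode, simulate_fallback(mode))
```

In reuse mode the WhatsApp copy verifies and the user's SMS copy is then rejected as already used, and the accepted code was carried by both channels, so the audit log cannot say which one leaked. In the recommended mode the WhatsApp copy is rejected, only the SMS code verifies, and the log attributes the verification to a single channel, which is the forensic property point 4 above asks for.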
Conclusion
While multi-channel OTP fallback mechanisms improve deliverability and reduce operational costs, the trade-off in security is too severe to ignore. Industry stakeholders must re-evaluate the risk–benefit balance of current designs and prioritize regenerating new OTPs during fallback as a safer alternative—preserving user experience while reinforcing security.