Why Verification Codes Never Arrive When You Need Them — and Why Apps Are Moving Past OTPs


Few software problems are as small and annoying as waiting for a verification code that never shows up.

Maybe you are trying to log in to your bank, reset a password, approve a payment, or get into a work account, and everything depends on six digits that are supposed to arrive soon.

Sometimes the code is late. Sometimes you get three at once. Sometimes the first one expires before the next one appears. It is a modern frustration: the app says security is protecting you, but the security step ends up blocking you instead.

This frustration happens because one-time passwords, or OTPs, were made to improve security, not to create a perfect user experience.

A 2014 paper, SMS-based One-Time Passwords: Attacks and Defense, explains that SMS OTPs were first used to fight phishing and attacks on online services like banking.

But the same paper also says SMS OTPs later faced “heavy attack,” especially from smartphone trojans. So, OTPs helped move us away from password-only logins, but they were never a perfect solution.

OTPs depend on systems users cannot see

Verification codes can feel unreliable because they depend on many systems outside the app.

A company creates the code, sends it through a messaging provider, then it travels through telecom networks, and finally reaches your phone if your carrier delivers it in time.

All you see is a spinning login screen, but behind it are network delays, filters, roaming issues, expired sessions, and sometimes wrong phone records.

This hidden complexity is also why security agencies are careful with SMS-based verification.

The National Institute of Standards and Technology’s Digital Identity Guidelines says verifiers should look at risk signs like “device swap, SIM change, number porting” and other unusual behavior before using the public phone network to send an authentication secret.

The technical advice means something simple: your phone number is not always a stable or fully trustworthy way to prove your identity.

Security is stronger than passwords, but still imperfect

SMS codes are still popular because people know how they work. Most people understand the steps: enter your password, wait for a text, and type in the code.

This simple process is why OTPs are common in banking, shopping, government services, and work tools. They add a second step that can stop many attackers who only have a stolen password.

But SMS OTPs are not safe from phishing. CISA’s phishing-resistant MFA guidance says that some types of MFA, like authenticator codes, SMS codes, and push notifications, can be bypassed by common attacks.

The problem is not that OTPs do nothing; it is that a code can still be stolen, intercepted, redirected, or grabbed by malware.

A fake bank website can ask for the same six digits your real bank just sent, and many people will enter them because the process looks normal.

That is the hard truth about verification codes. They usually make accounts safer than just passwords, but they also put a lot of pressure on the user at the worst time: when something important is locked.

The code has to arrive fast, you have to find the right message, the website must be real, and you have to enter the code before it expires. If anything goes wrong, it feels like your own problem, even though the weakness is part of the system.

The delays are not just annoying — they change behavior

When OTPs do not work, people do not see it as just a security problem. They feel like they are wasting time. They tap “resend code” and get several messages. They switch between apps. They worry if their bank account, delivery, payroll, or government service is broken. Some people give up completely.

That is why the authentication industry now looks at both security and whether people can actually log in. The FIDO Passkey Index 2025 says passkey sign-ins had a 93% success rate, compared to 63% for other methods. It also found that passkeys cut sign-in time by 73%, averaging 8.5 seconds instead of 31.2 seconds for traditional methods like SMS codes, email verification, social login, MFA, and OTPs.

These numbers show why companies are moving away from OTP-heavy systems: a security step that often slows or blocks users is now seen as a product problem, not just an IT issue.

Passkeys are the industry’s cleaner answer

Passkeys are becoming more popular because you do not have to wait for a code. Google’s Passkeys for Developers says passkeys offer “robust protection against phishing attacks” and can remove the need to ask users for SMS or app-based one-time codes when signing in. Instead of making users copy a secret from one place to another, passkeys use cryptographic keys linked to your device and the real website or app.

That difference is important. A verification code is something you can read, type, copy, forward, or accidentally give to a fake site. A passkey does not work that way.

Google’s support page for signing in with a passkey says passkeys cannot be “shared, copied, written down, or accidentally given to someone else,” which makes them safer against phishing.

For most people, the process is simpler too: unlock your device with a fingerprint, face scan, screen lock, or PIN, and you sign in without waiting for a text message.

Why OTPs will not disappear overnight

Even so, verification codes are not disappearing right away. They work on basic phones, do not need users to learn new technology, and are still helpful as a backup if someone loses access to a device.

Many services also keep OTPs because they are easy to use in places where passkey support, device compatibility, or user knowledge is still uneven.

The problem is that backup methods can become weak spots. If an app lets users reset everything through SMS, the phone number becomes the key to the account. That is why NIST warns services to watch for SIM changes, number porting, and unusual behavior before sending secrets through phone networks.

A system might look secure because it has two steps, but if the second step depends on a phone number that can be moved, stolen, or delayed, the protection is still limited.

The future of login should feel less fragile

The main lesson is that good security should not feel random.

People should not have to worry if a code will arrive, if it expired, if the newest code replaced the old one, or if the message is really from the service.

OTPs helped move the internet past password-only security, but their everyday problems are now too obvious to ignore.

That is why apps are moving toward passkeys and other phishing-resistant methods.

The goal is not just better security. It is to create a login process that works when people need it.

Verification codes made security a waiting game. The next step in authentication is to make that wait go away.
