Deprecation of SMS-based multi-factor authentication (MFA) mode

Deprecation of SMS-based multi-factor authentication (MFA) mode

Overview of SMS-based OTP MFA mode 

The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account.

SMS-based OTPs offer convenience due to their accessibility; nearly everyone possesses a mobile phone and SMS-based OTPs arrive quickly, allowing for easy and secure authentication.

However, there are some other considerations and security risks that make the SMS-based OTP one of the least preferable options for multi-factor authentication. Hence, we’ve decided to deprecate it as an MFA mode.

Reasons for deprecation 

SMS-based OTPs are susceptible to various attacks, including phishing, SIM swapping, and signaling system 7.

Phishing attack: Scammers send fake messages with links to websites that resemble our sign-in page. For example:
They trick you into entering your login details and OTPs. If you do, scammers can access your account, putting your personal information and security at risk.

SIM swapping: By knowing your phone number, a scammer can contact your telecom provider's customer service and request to transfer your phone number to a new SIM card, giving them access to your accounts and personal data without your consent.

Signaling system 7 attack: A hacker can spy on you via the cell phone signaling system, where they can listen to calls, intercept text messages, and track your phone's location, leading to serious security risks.

Considering the security threats in SMS-based OTPs and the guidelines on implementing phishing-resistant MFA given by the Cybersecurity & Infrastructure Security Agency (CISA) of the United States government, we deprecated the SMS-based OTP MFA mode.

➤ Current status
     Deprecation of SMS-based OTP MFA mode for all users who signed up after January 1, 2024.

➤ Upcoming plan
     Migration of existing users and organizations currently enforcing SMS-based OTP MFA to alternate MFA modes.  

Alternate MFA modes

If you’re an organization admin, you can set up a different MFA mode for your organization in the security policies. If you’re a personal user, you can go to the multi-factor authentication section at accounts.zoho.com and set up any of the MFA modes described below.
  • OneAuth (recommended)
    Zoho OneAuth is a multi-factor authentication app that you can use to secure your Zoho account as well as third-party accounts, including Google, Facebook, and Microsoft. With OneAuth, you can set up any of the three authentication modes: push notifications, time-based OTPs, and QR codes.

  • OTP authenticator
    OTP authenticators are apps you can use to set up MFA for your account. These apps generate new OTPs in duration you set, which you can use to sign in to your account.
    Learn how to set up an OTP authenticator.

  • Security key
    A security key is a hardware device that you link to your account to enable multi-factor authentication. Once linked, you'll need to use this key each time you sign in to verify your identity.
    Learn how to set up the security key.
If you have any questions, please write to us at support@zohoaccounts.com.


Update (December 26, 2025) - Announcement page to be shown for administrators

We’re adding a new announcement page during sign-in to help organization admins currently enforcing SMS-based OTP switch to more secure MFA modes. If you're an organization admin, you’ll be asked to update the organization's MFA method by selecting from alternatives such as OneAuth, OTP Authenticator, or Security Key. Please make sure to update your organization's security policy to stay protected and comply with the new MFA requirements.

This announcement will be in effect from 29th December, 2025 (Monday).


Info
Note: Other users who currently use SMS-based OTP will receive a corresponding announcement and guided flow soon. We will update in this post once it’s available. Users can also switch to a more secure MFA mode anytime from the Multi-factor Authentication section in the Accounts page (accounts.zoho.com).

If you have any questions, please write to us at support@zohoaccounts.com.



    • Sticky Posts

    • Deprecation of SMS-based multi-factor authentication (MFA) mode

      Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

    • Recent Topics

    • Small one person business needs everything in one place

      I just purchased a business and have a couple of your services. I would like to get everything in one place. I am a state trainer. I would like to get my invoices, payments, online classes, calendar for scheduling, maintenance, etc. in one place. can

    • Re-Apply SLA When Ticket Reopened from Closed Status?

      If you have an SLA applied, timers are deactivated when going to "On Hold" status type and reactivated when going back to an Open status type. What we discovered is when a customer replies to a closed case and it reopens, the SLA is not applied and timers

    • Conditional Drop Downs

      Am I the only one that has a problem when setting up the same project for multiple customers - resulting in a HUGE number of projects (e.g. Project A - customer 1, Project A - customer 2, Project A - customer 3 etc.). OR, am I doing it wrong? What results

    • Automating CRM backup storage?

      Hi there, We've recently set up automatic backups for our Zoho CRM account. We were hoping that the backup functionality would not require any manual work on our end, but it seems that we are always required to download the backups ourselves, store them,

    • Lead score decay timing and excluding specific campaigns from scoring

      Hi team, I have two quick questions about lead scoring: 1. When does a lead's score start going down? Like, after how many days of no activity does the score begin to drop? 2. Is there a way to stop certain campaigns from adding points to a lead's score?

    • Summer release '26 should be called Enterprise Summer Release '26

      Summer release '26 should be called Enterprise Summer Release '26 because almost all updates or the more useful ones, are limited for Enterprise subscriptions. us with Basic or Premium susbcriptions are basically left in the cold.

    • ZoHo Mail & MCP connectors

      Is ZoHo working an MCP connector for mail?? I find it very useful in Gmail to have Claude summarize messages for me. Thanks Jim P.S. Sorry if this is the incorrect forum. Mods please adjust as necessary.

    • FINALLY! 100% Responsive iFrame for HTML Page Snippet

      For the past two years or so I have been battling with Page Snippets' responsiveness (HTML, Embed, and ZML). Furthermore, if you use the native embedded reports, especially more than one report on a page, you have to set a static height because they're

    • Associate project with timer on iPhone

      When I start the timer without first associating a project (on my iPhone), its starts fine but now when I need to associate a project, and click on the link, I get a list of EVERY project I've ever put into Zoho Books. It used to just show active projects.

    • Import and Export of website.

      Hi, i have raised this ticket regarding challenges i am facing while importing a website on zoho sites. I have created my website on Squarespace and now i want to move it to zoho sites so i want to know what i am supposed to do whats the correct step

    • Important update on our transition to the new video platform framework

      As part of our ongoing platform changes, users in select regions, including the United States and other supported data center locations, have been migrated to our new video platform framework. Due to this migration, some participants may notice changes

    • Deleted User Emails

      I need to delete a user as I need to re-use their license, but I'd like to keep all their emails that are attached to various contacts in the CRM. Their emails are hosted externally on an M365 license. Anyone any idea how best to engineer this? TIA

    • #14 Get Paid Without Spending Time on Manual Follow-ups

      It's the end of the month. Payroll is due next week. A software subscription is about to renew. A vendor payment is waiting for approval. On paper, the business is doing great. Projects are getting completed. Customers are happy. Invoices have already

    • Client Script | Update - Client Script Support For Custom Buttons

      Hello everyone! We are excited to announce one of the most requested features - Client Script support for Custom Buttons. This enhancement lets you run custom logic on button actions, giving you greater flexibility and control over your user interactions.

    • Ability to select the attachment of a record when sending an email from FSM

      Hello FSM Team, FSM allows us to add attachments to any record (Estimate, Work Order, etc.). However, when we're sending an email from FSM, it is currently not possible to choose from the attachment in FSM to add to the email. When sending an estimate,

    • Function #11: Apply unused credits automatically to invoices

      Today, we bring you a custom function that automatically applies unused credits from excess payments, credit notes, and retainer payments to an invoice when it is created. Prerequisites: Create a Connection named "zbooks" to successfully execute the function.

    • Add spaces to input format

      In Zoho Inovices, I am trying to do a custom input format for a custom field. I have tried a few variations, but this is my most recent: ^[a-z][A-Z][0-9][,][-][_][:][ ]$ In this field, I will be entering different alphanumeric information, depending on

    • Zoho CRM Deal API returning null pipeline in case of default pipeline

      Hey team, We are writing to report an issue with the Deals module pipeline API behavior that we believe stems from how the default (Standard) pipeline is handled when no custom pipelines have been configured. When the "Manage Pipelines" page under CRM

    • Quebec Canada Tax GST and QST

      Hello Expert, Whenever we I create invoice for Quebec, Canada, it calculating wrong tax amount, can you please validate Attached the screenshot, which is calculating wrong tax amount on QST

    • Function #1: Convert an accepted Estimate to Sales Order automatically in Zoho Books

      As you’re aware, Zoho Books provides a default option to have the estimates automatically converted to invoices once your customer accepts them. Many of you wanted a similar option for sales orders, so here’s a workflow that converts accepted estimates

    • Facturation électronique 2026 - obligation dès le 1er septembre 2026

      Bonjour, Je me permets de réagir à divers posts publiés ici et là concernant le projet de E-Invoicing, dans le cadre de la facturation électronique prévue très prochainement. Dans le cadre du passage à la facturation électronique pour les entreprises,

    • Adding Taxes to paid consultations in Zoho Bookings

      I created a 'paid' consultation under Zoho Booking and integrated it with payment gateways for online/instant payment before a booking is done. How can I add 'taxes' to the price of consultation? I can add taxes to other Zoho apps (liks Books, Checkout,

    • What's New in Zoho Forms

      Hey there, We've been heads-down shipping this quarter. Because every update we ship is about making your forms do more, with less effort from you. This quarter too, we expanded what Zoho Forms can do. Here's everything that shipped. Spotlight Forms Some

    • Zoho Creator and Bluetooth Beacons?

      Hi all, Has anyone developed anything in Zoho Creator that leverages Bluetooth? Specifically to detect bluetooth beacons (iBeacon, Eddystone, etc.)? Thank you, Josh

    • Zoho Books | Product updates | June 2026

      Hello users, Welcome to this month's roundup of what's new in Zoho Books! We have an exciting line-up this time. The highlight is the launch of the all-new France Edition with full ISCA compliance. We're also introducing features such as Layout Rules

    • API to post drafts for social media

      I we want to post draft posts to our zoho social account and then approve and schedule them within Zoho social. is this possible with for example: https://apis.zoho.com/social/v2/post TIA Jon

    • Updating Zoho Books UI when a field is changed

      I have this script to update Quotes Expiry date. estimateID = estimate.get("estimate_id"); numberDaysTobeExtended = 14; estimatedate = estimate.get("date").toDate(); organizationID = organization.get("organization_id"); estDate = estimate.get("date");

    • What's New in Zoho Inventory | April & May 2026

      Hello users, We're excited to roll out the latest Zoho Inventory updates for April and May 2026. These enhancements are designed to make your daily operations smoother and more efficient, from advanced inventory management and flexible pricing to automated

    • Bullet Charts Stuck Loading Without Data

      I have a dashboard with some widgets in bullet chart format, but some of them do not have data. Since there is no data, they keep loading indefinitely instead of displaying “No Data,” as happens with the percentage widget next to them. This issue prevents

    • How to get Monday as 1st day of the week?

      Hi, The first day of the week is Sunday in Zoho Creator calendar.So it is hardly usable as in Europe the 1st of the week is always Monday. How can I get Monday as 1st day of the week? Best regards, Chris

    • Shall we play a game?

      Presenting the very first game created using ZOHO Creator: Tic-Tac-Toe (or noughts and crosses) I made this to challenge myself and employ some of the new features of ZOHO Creator. I must admit that the code is very literal and not too elegant. There are plans to improve on the machine AI and streamline the code over time. Currently the code makes extensive use of functions for the machine "AI" - there are 12 of these.   The machine AI can be tricked, so to counteract that I made it exceedingly arrogant

    • Check printing alignments always changes

      Hello, We have a frustrating problem with printing checks. We use Quickbooks voucher checks, which works okay for us. The problem is the printing alignment for the check's "Date, Pay to the Order of, Amount, and Amount in Words" changes every time we

    • name change of company in same GSTIN registration . how to retain historical company name for past transactions?

      hello I have recently change my company name from BHANU DIAM to BHANUMATI IMPEX in same GSTIN registration number While i have update the company name in profile name that change all my historic data like sale invoices and purchase bill , i would like

    • iOS Books app shows filtered view after changing to All sales orders

      My boss often checks sales orders on his iPhone. The app is mostly working fine, but there's an ongoing issue: When switching between different filters (also called custom views on the web), going back to All doesn't often work. It typically gets stuck

    • Recurring Invoices

      I'm looking to set up recurring invoices on a monthly basis, using GoCardless as a payment gateway. I've done this successfully, however there's a big problem with the Invoice Date and Due Date. We prefer to provide sufficient notice of collection (10

    • Layout Rules Don't Apply To Blueprints

      Hi Zoho the conditional layout rules for fields and making fields required don't work well with with Blueprints if those same fields are called DURING a Blueprint. Example. I have field A that is used in layout rule. If value of field A is "1" it is supposed to show and make required field B. If the value to field A is "2" it is supposed to show and make required field C. Now I have a Blueprint that says when last stage moves to "Closed," during the transition, the agent must fill out field A. Now

    • Ability to Use Both AND and OR When Creating Rules (Advanced Conditions)

      I'd like to be able to use more complicated logic when setting up rules. E.g. in Zoho Mail, I can choose "Advanced conditions (AND/OR) to create a rule that can be applied to multiple subject lines from the same sender. But in Zoho TeamInbox, I will have

    • How to record GST amount for Value of Service on Inward remittance charged by bank

      Hi please advice I have a situation.    1. I have HDFC bank account 2. I have a customer who has done inward remittance for purcahses from overseas. 3. HDFC is showing Value of Service say $100 and GST @ 18%. 4. Value of Service is not charged. But  CGST

    • Resources - Sort by rows consumed

      Please add the ability to sort by the total rows consumed in the Resources section of Settings. I would like to see which table is consuming the most rows by sorting from high to low.

    • Zoho Books - France

      L’équipe de Zoho France reçoit régulièrement des questions sur la conformité de ses applications de finances (Zoho Books/ Zoho Invoice) pour le marché français. Voici quelques points pour clarifier la question : Zoho Books est un logiciel de comptabilité

    • Next Page