Deprecation of SMS-based multi-factor authentication (MFA) mode

Deprecation of SMS-based multi-factor authentication (MFA) mode

Overview of SMS-based OTP MFA mode 

The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account.

SMS-based OTPs offer convenience due to their accessibility; nearly everyone possesses a mobile phone and SMS-based OTPs arrive quickly, allowing for easy and secure authentication.

However, there are some other considerations and security risks that make the SMS-based OTP one of the least preferable options for multi-factor authentication. Hence, we’ve decided to deprecate it as an MFA mode.

Reasons for deprecation 

SMS-based OTPs are susceptible to various attacks, including phishing, SIM swapping, and signaling system 7.

Phishing attack: Scammers send fake messages with links to websites that resemble our sign-in page. For example:
They trick you into entering your login details and OTPs. If you do, scammers can access your account, putting your personal information and security at risk.

SIM swapping: By knowing your phone number, a scammer can contact your telecom provider's customer service and request to transfer your phone number to a new SIM card, giving them access to your accounts and personal data without your consent.

Signaling system 7 attack: A hacker can spy on you via the cell phone signaling system, where they can listen to calls, intercept text messages, and track your phone's location, leading to serious security risks.

Considering the security threats in SMS-based OTPs and the guidelines on implementing phishing-resistant MFA given by the Cybersecurity & Infrastructure Security Agency (CISA) of the United States government, we deprecated the SMS-based OTP MFA mode.

➤ Current status
     Deprecation of SMS-based OTP MFA mode for all users who signed up after January 1, 2024.

➤ Upcoming plan
     Migration of existing users and organizations currently enforcing SMS-based OTP MFA to alternate MFA modes.  

Alternate MFA modes

If you’re an organization admin, you can set up a different MFA mode for your organization in the security policies. If you’re a personal user, you can go to the multi-factor authentication section at accounts.zoho.com and set up any of the MFA modes described below.
  • OneAuth (recommended)
    Zoho OneAuth is a multi-factor authentication app that you can use to secure your Zoho account as well as third-party accounts, including Google, Facebook, and Microsoft. With OneAuth, you can set up any of the three authentication modes: push notifications, time-based OTPs, and QR codes.

  • OTP authenticator
    OTP authenticators are apps you can use to set up MFA for your account. These apps generate new OTPs in duration you set, which you can use to sign in to your account.
    Learn how to set up an OTP authenticator.

  • Security key
    A security key is a hardware device that you link to your account to enable multi-factor authentication. Once linked, you'll need to use this key each time you sign in to verify your identity.
    Learn how to set up the security key.
If you have any questions, please write to us at support@zohoaccounts.com.


Update (December 26, 2025) - Announcement page to be shown for administrators

We’re adding a new announcement page during sign-in to help organization admins currently enforcing SMS-based OTP switch to more secure MFA modes. If you're an organization admin, you’ll be asked to update the organization's MFA method by selecting from alternatives such as OneAuth, OTP Authenticator, or Security Key. Please make sure to update your organization's security policy to stay protected and comply with the new MFA requirements.

This announcement will be in effect from 29th December, 2025 (Monday).


Info
Note: Other users who currently use SMS-based OTP will receive a corresponding announcement and guided flow soon. We will update in this post once it’s available. Users can also switch to a more secure MFA mode anytime from the Multi-factor Authentication section in the Accounts page (accounts.zoho.com).

If you have any questions, please write to us at support@zohoaccounts.com.



    • Sticky Posts

    • Deprecation of SMS-based multi-factor authentication (MFA) mode

      Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

    • Recent Topics

    • Allow Global Admin to access/edit all forms without changing owners

      Hi there, Please consider adding a feature where the Global Admin of the account an automatically access/edit any form in the Company Account. I'm the Global Admin on our Zoho One plan, and we have multiple users that use/create forms. But for me to access

    • ERROR: "Please enter a valid Phone"

      WHAT IS THE PHONE FORMAT? There is nothing ANYWHERE to define the format. At least the error should either show the correct format or provide a link to the help file I enter a valid phone number in as many formats as I can think of and none of them allow me to save the number to CRM Nothing works! No matter what format I enter I keep getting a red error "Please enter a valid Phone" The international format for MY mobile is +61414652366 (or +61 414 652 366) Local format is 0414652366 I call all over

    • Introducing Zoho Sprints 3.0

      Zoho Sprints is consistently evolving in steady increments. The introduction of the latest version, with its enterprise level solutions, brings to you advanced capabilities that propel your agile efforts in the right direction. Here's a quick glimpse

    • Transaction Rules & Customer Payments

      So I have a situation as follows. We have many clients who are all invoiced on the 1st of each month on a recurring invoice for 1 of 10 plans. This means that almost all payment dates are the same (some people pay late) and that a lot of the amounts are

    • Customize Sign-out Button

      Are there some url parameters I can use to make a form button sign-out the user from the app? The sign-out link on the top right is small. Here's and example of the url for the top right sign-out: https://creator.zoho.com/logoutpage.jsp?sharedBy=niskypto&appID=212085000006568003&appLinkName=MYAPP&signOutUrl=niskypto/MYAPP/view-login/SOMEPAGE Note: In my account, the sign-out is set to redirect users to my website. Can I also override this with some url parameters? John M. Whitney

    • Please can the open tasks be shown in each customer account at the top.

      Hi there This has happened before, where the open tasks are no longer visible at the top of the page for each customer in the CRM. They have gone missing previously and were reinstated when I asked so I think it's just after an update that this feature

    • Tip #65 - Exploring Technician Console: Short Keys - 'Insider Insights'

      Hello Zoho Assist Community! Have you ever been in the middle of a remote support session, trying to pass a key combination onto the remote machine, only to find it's reflecting on the technician's computer. The Short Keys feature in Zoho Assist is here

    • Reading from and writing to Zoho Projects Custom Module with Deluge

      Does anyone know if there is a way to read from and write to the Custom Modules that Zoho now supports. I would love to be able to loop through a set of data and create the entities I need to for this new custom module I'm looking to put together.

    • Disappointment with Zoho Payments

      Dear Gowdhaman, I am writing to inform you that I am removing Zoho Payments from my website. I cannot continue to disappoint my customers due to the lack of UPI support, as has been the case with my experience so far. Please note that the 0.5% transaction

    • Evolução do modelo de ambientes: Dev, Homologação e Produção com pacotes versionados

      Hoje o Zoho CRM já oferece Sandbox, o que é um avanço importante para organizações que trabalham com customizações mais complexas. No entanto, na prática, o modelo atual ainda apresenta limitações significativas quando múltiplas equipes ou consultorias

    • Permissões granulares por usuário além do modelo baseado exclusivamente em perfis

      Atualmente, o modelo de segurança do Zoho CRM é fortemente baseado em perfis. Embora funcional, esse modelo apresenta limitações quando equipes possuem variações individuais de acesso dentro do mesmo grupo operacional. Em cenários reais, é comum que usuários

    • Add or update lookup field values during Blueprint transition

      Hello everyone, During blueprint transition users can add or modify the value of a lookup field. For instance, if the Tickets module includes a lookup field that connects it to records in the Assets module, agents can link the ticket to the correct asset

    • Can you limit SEO penalties by delaying the appearance of a pop-up?

      Google is not keen on pop-ups and has got even less keen on them with the new Core Web Vitals updates. But I like using pop-ups. If you delay the pop-up so it only appears 10 seconds after the page loads, do you avoid Google’s penalties? 

    • Adding bank details to the contact through API

      How to add bank-related information to the contact while creating it using API? The account number needs to be encrypted before sending it through API but not sure how to encrypt and get those values. Please guide me in this.

    • Restrict Payment Methods

      Allow us to restrict certain payment methods specific for each customer.

    • Clone Banking Transaction

      Why is there no option to CLONE a Transaction in the Banking module?? I often clone Expenses (for similar expense transactions each month) so I would also like to clone Income transactions. But there is no option in Banking to clone an existing Income

    • PDF limit

      Hello everyone, We have received an e-mail that we have reached our PDF limit. (see screenshot) However, I cannot find any reference to a PDF limit in our tariff plan (Premium). (see screenshot). What is the maximum number of PDFs that can be generated

    • How can I see content of system generated mails from zBooks?

      System generated mails for offers or invices appear in the mail tab of the designated customer. How can I view the content? It also doesn't appear in zMail sent folder.

    • Credit Card Pre-Authorization with later Capture/Settlement

      We really enjoy the convenience of being able to pay off a customer's invoice using our Auth.Net integration with Zoho Books. Unfortunately, we can only take advantage of this feature with a small percentage of our customers as it leaves a gaping hole

    • Zoho Projects and CRM Integration in Analytics

      Hi Team, In Zoho CRM, I’ve integrated CRM with Zoho Projects and associated a project within the CRM. The integration is visible under the Deals module. However, I’m unable to find this data in Zoho Analytics. Does anyone know where this information is

    • Accessibility in Zoho CRM: Not just a feature—a way to empower

      For instructions on setting up these controls, please check this help document: Configuring accessibility controls. Hello everyone, Today (December 3, 2024), on the International Day of Persons with Disabilities, we begin our journey towards a CRM that

    • Automation Series #1: Round Robin vs Direct Assignment in Zoho Desk

      Direct Assignment vs Round Robin: Choosing the right routing method in Zoho Desk This post is part of the "Desk Automation Series," Chapter 1. Through this series, we will help you choose the right automation type in Zoho Desk by comparing commonly confused

    • Invalid tax authority ID.

      How do I correct this ?

    • Pay Pal Paylater button

      I am testing the paypal setup to have my customers pay invoices with paypal and credit cards. But it seems to have two options. Paypal and Pay later. I don't want my customers access to pay later feature. How can I turn that part off.. My other integration

    • Zoho Workshops are coming to the Netherlands - Join us on 14-16 April in Amsterdam!

      Dear Zoho Community Members, After succesful recent editions in the UK and Scandinavia, we’re pleased to invite you to the upcoming Zoho Benelux Workshop 2026, taking place 14–16 April 2026 in Amsterdam. This three-day, in-person event at the Park Plaza

    • How to install Widget in inventory module

      Hi, I am trying to install a app into Sales Order Module related list, however there is no button allow me to do that. May I ask how to install widget to inventory module related list?

    • Sub form auto field population based on parent form

      I have a parent form called "Sites" with a text field called "Site". I have a subform called "Design Comments" (actual form name "Review Comments") with a lookup field name "Sites1" that looks up from the Sites form. I want the Sites1 lookup field to

    • Building Toppings #7 - Using schedules and workflow functions

      Hello Biginners, In our previous forum post, we explored install and uninstall actions and learned how to trigger custom logic the moment a topping is added or removed from an organization. In this post, we'll look at how to automate actions during regular,

    • Simplify scripting with Zia assistant bot

      Hello everyone, Building automation using Deluge custom functions gives users flexibility and control. Traditionally, creating these functions required writing scripts, testing the logic, and validating the configuration before using it. With Zia assistant

    • Zoho Sprints iOS app update: Global view, screen capture control, file encryption, tags enhancement

      Hello everyone! We are excited to introduce new features in the latest version(v2.1) of the Zoho Sprints iOS app update. Let’s take a quick look at what’s new. 1. Global view Global view brings all your project items into one centralised space. You can

    • Resource Management System built using Zoho CRM, Creator, Projects, and People:

      In a Resource Management System built using Zoho CRM, Creator, Projects, and People: CRM Deal Closed → Creator Allocation Engine → Zoho Projects Task Assignment What is the recommended architecture to handle dynamic reassignment when: an employee goes

    • Request to Remove LinkedIn Verification from My Emai

      I would like to submit a complaint regarding my Zoho Mail account. I previously used this email address to verify a LinkedIn account, but that LinkedIn account has now been closed. I need to remove or cancel the verification associated with the closed

    • Pin multiple columns and adjust column widths in CRM subforms

      Hello all, Subforms act as secondary forms or tables in which you can associate multiple line items to a primary record and thereby ensure more structured and comprehensive data organization. We've made some recent enhancements to subforms. Here's what's

    • Removing To or CC Addresses from Desk Ticket

      I was hoping i could find a way to remove unnecessary email addresses from tickets submitted via email. For example, a customer may email the support address AND others who are in the helpdesk notification group, in either the TO or CC address. This results

    • From Zoho CRM to Paper : Design & Print Data Directly using Canvas Print View

      Hello Everyone, We are excited to announce a new addition to your Canvas in Zoho CRM - Print View. Canvas print view helps you transform your custom CRM layouts into print-ready documents, so you can bring your digital data to the physical world with

    • Announcing Kiosk 1.1 - Customize screen titles, configure new fields & actions, use values from your Kiosk to update fields, and more.

      Hello all We are back again with more enhancements to Kiosk. So what's new? Enhancements made to the Components Add titles for your Kiosk screens and adjust its width to suit your viewing preferences. Three new fields can be added to your screen: Percentage,

    • CRM Percent custom fields: When will it show the % symbol and behave like %?

      1. Actually Percent custom fields fail to show the % symbol. 2. When in formulas Percent fields work like number: 100 x 5% = 5 ideal world 100 x 5% = 500 what happens actually 3. When importing Percent fields the % symbol has to be removed and the data

    • Introducing Color Coding of Picklist Values

      Dear Everyone, Greetings!! Zoho CRM is uplifting the user experience. Recently, we had some notable aesthetic improvements in CRM like Kanban View UI enhancement, New List view UI enhancement, color coding of tags, and color coding of picklists in meetings.

    • Where can I find the best mail backup tool for Windows?

      Later this evening I found Mail Backup Tool in google. Actually I was looking for a solution to download/save emails to my local drive. As I had plenty of important data stored in my email account. So i was not in a mood to take this thing lightly. This made me curious to found any software which can help me to backup my data to hard drive. Then I found the above application which was like a gem. A complete email backup solution for Zoho Mail, Gmail, Yahoo Mail, Office 365 and more than 40+ email

    • Mailbox storage showing incorrect usage

      My mailbox shows 4.99 GB used out of 5 GB. However, actual mailbox usage is only around 394 MB. Trash and Spam are already empty. IMAP/POP is not enabled. WorkDrive is not in use. This appears to be a storage calculation issue. Please help to recalculate

    • Next Page