Deprecation of SMS-based multi-factor authentication (MFA) mode

Deprecation of SMS-based multi-factor authentication (MFA) mode

Overview of SMS-based OTP MFA mode 

The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account.

SMS-based OTPs offer convenience due to their accessibility; nearly everyone possesses a mobile phone and SMS-based OTPs arrive quickly, allowing for easy and secure authentication.

However, there are some other considerations and security risks that make the SMS-based OTP one of the least preferable options for multi-factor authentication. Hence, we’ve decided to deprecate it as an MFA mode.

Reasons for deprecation 

SMS-based OTPs are susceptible to various attacks, including phishing, SIM swapping, and signaling system 7.

Phishing attack: Scammers send fake messages with links to websites that resemble our sign-in page. For example:
They trick you into entering your login details and OTPs. If you do, scammers can access your account, putting your personal information and security at risk.

SIM swapping: By knowing your phone number, a scammer can contact your telecom provider's customer service and request to transfer your phone number to a new SIM card, giving them access to your accounts and personal data without your consent.

Signaling system 7 attack: A hacker can spy on you via the cell phone signaling system, where they can listen to calls, intercept text messages, and track your phone's location, leading to serious security risks.

Considering the security threats in SMS-based OTPs and the guidelines on implementing phishing-resistant MFA given by the Cybersecurity & Infrastructure Security Agency (CISA) of the United States government, we deprecated the SMS-based OTP MFA mode.

➤ Current status
     Deprecation of SMS-based OTP MFA mode for all users who signed up after January 1, 2024.

➤ Upcoming plan
     Migration of existing users and organizations currently enforcing SMS-based OTP MFA to alternate MFA modes.  

Alternate MFA modes

If you’re an organization admin, you can set up a different MFA mode for your organization in the security policies. If you’re a personal user, you can go to the multi-factor authentication section at accounts.zoho.com and set up any of the MFA modes described below.
  • OneAuth (recommended)
    Zoho OneAuth is a multi-factor authentication app that you can use to secure your Zoho account as well as third-party accounts, including Google, Facebook, and Microsoft. With OneAuth, you can set up any of the three authentication modes: push notifications, time-based OTPs, and QR codes.

  • OTP authenticator
    OTP authenticators are apps you can use to set up MFA for your account. These apps generate new OTPs in duration you set, which you can use to sign in to your account.
    Learn how to set up an OTP authenticator.

  • Security key
    A security key is a hardware device that you link to your account to enable multi-factor authentication. Once linked, you'll need to use this key each time you sign in to verify your identity.
    Learn how to set up the security key.
If you have any questions, please write to us at support@zohoaccounts.com.


Update (December 26, 2025) - Announcement page to be shown for administrators

We’re adding a new announcement page during sign-in to help organization admins currently enforcing SMS-based OTP switch to more secure MFA modes. If you're an organization admin, you’ll be asked to update the organization's MFA method by selecting from alternatives such as OneAuth, OTP Authenticator, or Security Key. Please make sure to update your organization's security policy to stay protected and comply with the new MFA requirements.

This announcement will be in effect from 29th December, 2025 (Monday).


Info
Note: Other users who currently use SMS-based OTP will receive a corresponding announcement and guided flow soon. We will update in this post once it’s available. Users can also switch to a more secure MFA mode anytime from the Multi-factor Authentication section in the Accounts page (accounts.zoho.com).

If you have any questions, please write to us at support@zohoaccounts.com.



    • Sticky Posts

    • Deprecation of SMS-based multi-factor authentication (MFA) mode

      Overview of SMS-based OTP MFA mode The SMS-based OTP MFA method involves the delivery of a one-time password to a user's mobile phone via SMS. The user receives the OTP on their mobile phone and enters it to sign into their account. SMS-based OTPs offer

    • Recent Topics

    • Need help with creating workflow with Bigin and Clickup

      Can you please help me with this? I am trying to create a workflow in Zoho Flow wherein a bigin Pipeline deal moves to Decision Closing, it will create a task and subtasks in Clickup, under the condition/filter that the Deal name contains the word Social

    • [Webinar] Automate generation of wills, trusts, POAs, and other estate planning documents with Zoho Writer

      Managing the lifecycle of the estate planning documents such as wills, trusts, and POAs, from client intake to final storage, can be complex and time-consuming. Join our live webinar to learn how Zoho Writer transforms this process by automating document

    • Create / Update Rule in TeamInbox when record is updated in ZohoCRM using flow?

      I'm currently evaluating options and trying to work out if the possible scenario is possible; If a record in ZohoCRM is updated, take 2 of the fields from that - lets call them 'OrderRef' and 'OrderTo'. Using flow, if a record is added or updated, add

    • Plans to allow more columns of monitoring, and monitoring not only your own channels?

      Are their any plans to allow more columns of monitoring, and monitoring not only your own channels? Here's why - I'm sure I'm not alone in that we sell other brands products, so not only am I interested in my own brand social channels, but also the social

    • Unwrapping the best practices for the Zoho Desk mobile app: Part 1

      In focus: Empowering the field and frontline customer support representatives Imagine having to carry your computer everywhere to respond to customers, handle escalations, and update your process. This series presents you with efficient tips to handle

    • dealing with post dated cheques

      Hi, can you help me please the best way to deal with this We sell an item of three months duration that is paid for with post dated cheques in monthly stages example - item is sold £3000 Cheque 1 is for £1000 due at time of sale (say Sept) cheque 2 is dated 25th of next month (Oct) cheque 3 is dated 25th of next month +1 (Nov) Now, with invoice number one it's simple - i send a standard invoice as usual But with the other two here's what i want zoho to do next month i want it to send an invoice on

    • Is there a way to sell in a practical method multiple subscriptions of the same product? i.e. domain names

      In evaluating Zoho Billing, a hurdle to adopting it is that Zoho Billing does not seem designed to support businesses that sell multiple subscriptions of the same product. In our case, we need to sell and manage several domain names per client. Am I right

    • Bug Report: "Name A-Z" sorting fails when Note titles start with an Emoji

      Hello, I recently migrated from Evernote (~2600 notes across 23 notebooks). I use emojis at the start of my note titles for visual organization. The Issue: When I set the view to Sort by: Name (A to Z), the sorting logic breaks for any note starting with

    • Copy & Paste not working

      I could create and save 10 new documents but when I go to copy and paste content (just text) into them, only 1 of 10 would save the content. It would appear to save the content but when I go back into the documents, they are empty.

    • Currency for Petty Cash

      Currencies for Petty Cash should be available

    • editing/applying online payments

      We have customers who pay part or all of an invoice and then cancel their service and want the payment as a credit to future work. It would be ideal if we could make it an excess payment and then void the invoice. I can't make it an excess payment because

    • Contacts per department

      Hello, Is it possible to limit Contacts to a Department? Thanks

    • This site can’t be reached mail.zoho.com took too long to respond

      In my office at any system, we couldnt able to login zoho email. it shows " This site can’t be reached mail.zoho.com took too long to respond". please fix it soon.

    • Can send email from zoho mail, but can't receive any.

      Hi, My domain is sattvameditationresort.com. I've updated MX records with those of Zoho. But i can't send any mails to this email id from gmail. I have checked the MX status with MXTOOLS, its showing the correct entry either. The error is as shown below:

    • My domain did not activate

      Hi, my domain (apsaindustrial.com.ar) did not activate, and the phone verification message never arrived. Please would you solve this problem? Thanks.

    • Host not found?

      Howdy! So i'm trying to add my custom domain for with the mail server. I have 100% control of my DNS and have tried every single option (TXT, CNAME, and even HTML) multiple times, ensuring i did it properly, to no luck. I get the same error message every

    • Auto End Chats After Customer Inactivity

      Hello Everyone, I may be missing something, but is there a way to auto-end chats when a customer has been inactive for an amount of time? I have several operators (we use a shared set of account with schedules for people... that's another story) but at

    • Report on opportunities showing only the last note added.

      Hi I need to create a report that shows the most recent note added to each opportunity. This is so management can see what the latest update is according to the assigned salesperson. One workaround is to use the status field but this implies added manual work and mistakes as the salesperson would have to copy the existing status to a note before adding the latest status... otherwise the activity history would be lost. My current workaround is a report on Notes with Opportunities as the related module.

    • Please add Zelle as an online payment option

      Hello, I would like to request Zelle be added to the online payment service providers for Zoho Invoice. Considering how ubiquitous Zelle has become as a way to pay people via the major banking institutions, I feel like many freelancers would benefit from

    • Getting Project Template List using the REST API

      I am trying to confirm that I can use the REST API to create a project using a project template. The API documentation indicates this is possible by providing the Template ID, but it is not clear at all how to get a list of available Project Templates

    • How to display the CONTACT ID in the Contact page

      Hi, I've seen this conversation below and it is exactly the same question I'm raising now, but unfortunately the last message is not solved https://help.zoho.com/portal/community/topic/show-contact-id-while-editing-contact-form I need to show the ContactId and I don't know how to do this. The last message included in the conversaton shows the way but not it is not completed. "I am sorry by default we do not have the option to show the record ID for the contacts in the field in a record. When you

    • How to change margins in templates

      Hi, I'm new to Zoho Campaigns, and am trying to figure out how to adjust the margins within an email template.  The default margins make the text go all the way to the edges of the page.  Please advise.

    • Create Canvas list view templates from images powered by Zia

      Currently available for all paid editions of Zoho CRM in the US, EU, IN, JP & CN DCs. Designing a personalized CRM interface just got even easier. In today’s fast-evolving digital landscape, AI is transforming the way we work by automating complex tasks

    • Painfully Slow Zoho mail

      Since yesterday Zoho Mail seems to have starting functioning very slowly and having a few bugs. It's slow to open mails, slow to send, slow to change between email accounts. Sometimes clicking on a particular folder (eg Sent folder) stops working and

    • "Wrong password or login" Problem to configure Zoho on MAIL App on my Macbook

      Hi, I'm having problems to configure my e-mail on my MAIL App(Macbook pro). My e-mail is hari@trespontoum.net Actually was working perfectly, and still working on my Iphone. My MAIL App prompt me that my login or password is wrong. I tried to change 3

    • "User already exist in your org"

      Hello, I've just read a discussion about this issue, which didn't solve my problem. I'm trying to add the following emails: sales@kiss-my-boutique.co.uk returns@kiss-my-boutique.co.uk orders@kiss-my-boutique.co.uk I'm getting an error message each time I try and add them. None of them are primary or secondary emails and none of them have been created as users before. I know this as when I try and login and do 'forgot my password' all I get is an error message saying 'user invalid'. Please advise.

    • Operation Not Permitted

      Hi, I have problem in adding user after verifying the domain but it seems like error appeared which is "operation not permitted". For your information, I had delete other domain before did it.

    • Email forwarding setup fails

      I'm trying to set up email forwarding from my Zoho email to my gmail address. I followed the directions to set up email forwarding here: https://www.zoho.com/mail/help/email-forwarding.html. I did only steps 1-6. After doing this, rather than setting

    • Shopify store email issues- Not getting emails

      Hi We have migrated from Microsoft outlook to Zoho back in March, we have a shopify store, the domain is hosted on namesilo, not shopify, I have seen some people here complaining about not getting emails from customers who fill out the contact form on

    • Invoice Discount Account

      Is there a way to change the account used for Discounts applied to an invoice? The current Discount account (ZB native account) type is an "Income" type. I would like to change it to "Other Income", but that is not possible, I am assuming because it contains

    • Need Inactive accounts to be visible in Reports in Zoho Books

      I N=need Inactive accounts to be visible in Reports in Zoho Books to do recons of the accounts but when i see the same they are not visible in the Accountant - Account Transactions report

    • javax.mail.authenticationfailedexception 535 authentication failed

      Hi, I am facing 535 authentication failed error when trying to send email from zoho desktop as well as in webmail. Can you suggest to fix this issue,. Regards, Rekha

    • Phantom Opening Balance

      While experimenting w/ creating a composite item, Zoho added funds to Petty Cash and added Bank Account equal to previous day's balance. I'm unable to undo the adding of funds. Attaching screenshots of both bank account and petty cash transactions.

    • Importing customer comments and multiple shipto addresses

      I am evaluating Zoho Books and have most of my data imported with two exceptions: (1) Import customer comments - in my current system I have several comments of different types, and I need to bring these into Zoho. Preferably Books customer records, but

    • Detailed Account Reports - Add Running Balance

      When one clicks into an account from a report (say P/L or Balance Sheet), the default reports have the Debit, Credit, and then the Amount. The Amount column (last one) is duplicate information. It would be far better and fit more peoples' use cases if

    • How to Billed from two different GST Numbers

      How to Billed from two different GST Numbers. Suppose ABC & Co had GST registration in Delhi and Haryana and Zoho account is created with Delhi GST Registration number. Now i also want to issue invoice from Haryana GST Registration number. How can i proceed ?

    • Zoho IP blocked by SpamHaus

      ERROR CODE :550 - 5.7.0 Your server IP address is in the SpamHaus SBL-XBL database, bye

    • IMAP Communication Problems - IMAP Down Again

      We are experiencing the same problems over the last week or so that were supposedly 'solved' according to this thread. Zoho Imap Down Again This is affecting attempts to use IMAP on multiple ISPs and users so is definitely narrowed down to Zoho problems.

    • Make the Flexible User Pricing actually flexible - allow bundled apps to be licensed individually

      The 'Flexible User Pricing' is not flexible! Please make it flexible. Allow bundled apps to be licensed individually. Although Zoho One offers nearly all Zoho apps, one has to choose which apps to include in the bundle when joining Zoho One. Any included app is forced into Zoho One licensing. The unfortunate implication of this is that one cannot add an individual app user license for any of the bundled apps. If you try to add a user in any bundled app, it will redirect you to Zoho One licensing

    • Can't login to Zoho mail

      I'm logged into Zoho but when I try to go in zoho mail I get: Invalid request! The input passed is invalid or the URL is invoked without valid parameters. Please check your input and try again. I just set up my mx records and stuff with namecheap a few

    • Next Page