Why SMS verification problems are so common
SMS one‑time passwords (OTP) look simple: send a code, user types it in. In practice it’s a chain: your app/backend → SMS provider → carrier routes → the carrier SMSC → the handset → the verification screen. A failure anywhere becomes “sms otp didn’t arrive”, “arrived too late”, or “auto‑read didn’t work”.
Carriers have also tightened A2P (application‑to‑person) controls: more filtering, sender registration requirements, and reputation‑based blocking. That means SMS delivery can degrade even when your product hasn’t changed.
What “broken OTP” looks like for users
- No code at all (timeout).
- Code arrives minutes late, after the session expires.
- Multiple codes arrive together; users enter an older one.
- The SMS arrives but is hidden in spam/unknown sender folders.
- Automatic code capture fails even though the SMS exists.
Network reasons: carriers, routing, and filtering
1) Carrier filtering of A2P traffic
Carriers use automated filtering based on sender reputation, traffic patterns, message templates, complaint signals, and volume spikes. The outcome can be delay, “undelivered”, or silent filtering where users think nothing was sent.
2) Wrong sender type for the market
Long codes, short codes, toll‑free numbers, and alphanumeric sender IDs behave differently across countries. What’s stable in one market can be filtered in another, especially for OTP and in roaming.
3) SMSC queues and congestion
SMS is store‑and‑forward. During peaks or incidents, messages queue and arrive late. If your UI encourages rapid resends, you amplify the queue and confuse users with multiple codes.
4) Roaming and number portability
Roaming and ported numbers can change routing paths and filtering behavior. International A2P routes are often stricter, so latency and failure rates can vary by carrier and country.
5) Invalid numbers and formatting
Missing country codes, wrong prefixes, or “unknown subscriber” issues still cause a large share of failures. Many providers recommend normalizing to E.164 and validating numbers upfront.
6) VoIP / virtual numbers
To reduce fraud, some services and carriers restrict sending OTP to VoIP numbers or require alternative channels. That creates the pattern “works for most users, fails for specific numbers”. Filtering VoIP for verification is a common best practice.
Product reasons: UX and logic that make delivery feel worse
1) Bad retry flow (resend storms)
If “Resend code” is available immediately, users generate parallel sends. Codes arrive out of order and users enter the wrong one. Providers commonly recommend rate limits and exponential backoff.
2) TTL too short for real‑world latency
A 60‑second code lifetime may be fine on perfect routes and fail on slower ones. Align TTL and UI expectations: realistic timers, delayed resends, and clear messaging when a new code invalidates the previous one.
3) Message content issues
- Links and “marketing‑like” wording can raise filtering risk.
- Unicode (non‑GSM) reduces per‑SMS capacity and can split messages into segments.
- Put the code first (or on its own line) to reduce user friction.
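The three content checks above can run against an OTP template before it ships. The sketch below is an added example, not code from any SMS provider; the function names and sample messages are constructed, and the segment count ignores the rare case where a two-unit character straddles a segment boundary.

```python
import re

# GSM 03.38 default alphabet; extension-table characters cost two septets.
GSM7_BASIC = set(
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
GSM7_EXT = set("^{}\\[~]|€\f")


def sms_segments(text):
    """Return (encoding, units, segments) for one SMS body."""
    if all(ch in GSM7_BASIC or ch in GSM7_EXT for ch in text):
        units = sum(2 if ch in GSM7_EXT else 1 for ch in text)
        enc, single, multi = "GSM-7", 160, 153
    else:
        # Any non-GSM character switches the whole message to UCS-2,
        # counted in UTF-16 code units (emoji take two).
        units = len(text.encode("utf-16-be")) // 2
        enc, single, multi = "UCS-2", 70, 67
    segments = 1 if units <= single else -(-units // multi)
    return enc, units, segments


def lint_otp_template(text):
    """Flag the content issues listed above for a rendered OTP message."""
    findings = []
    enc, _, segments = sms_segments(text)
    if enc == "UCS-2":
        findings.append("non-GSM character forces UCS-2")
    if segments > 1:
        findings.append(f"splits into {segments} segments")
    if re.search(r"https?://|www\.", text, re.I):
        findings.append("contains a link")
    first_line = text.splitlines()[0] if text else ""
    if not re.search(r"\b\d{4,8}\b", first_line):
        findings.append("no code on the first line")
    return findings


# Constructed sample: a typographic apostrophe is enough to force UCS-2.
print(lint_otp_template("Here’s your code:\n123456"))
```
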
4) Weak session binding
Validating “the last code for this phone number” (instead of “the code for this attempt”) creates confusion under retries. Bind OTP to an attempt/transaction and manage state explicitly.
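One way to combine the resend backoff, TTL and attempt binding described in points 1, 2 and 4, as an added example rather than any provider's code. The class name, the limits and the in-memory dictionary are assumptions; a real deployment would keep this state in a shared store.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 300       # assumed code lifetime, seconds
RESEND_BASE = 30    # assumed first resend delay, doubles after every send
MAX_SENDS = 4       # assumed send limit per attempt
MAX_GUESSES = 5     # assumed wrong-guess limit per attempt


class OtpAttempts:
    """In-memory OTP state keyed by attempt ID, not by phone number."""

    def __init__(self):
        self._attempts = {}

    @staticmethod
    def _digest(attempt_id, code):
        return hashlib.sha256(f"{attempt_id}:{code}".encode()).digest()

    def send(self, attempt_id, phone, now):
        """Return (code, None), or (None, wait_seconds) when refused."""
        a = self._attempts.setdefault(attempt_id, {
            "phone": phone, "sends": 0, "next_send": 0.0,
            "guesses": 0, "digest": None, "expires": 0.0})
        if a["sends"] >= MAX_SENDS:
            return None, None          # limit reached: offer a fallback channel
        if now < a["next_send"]:
            return None, a["next_send"] - now
        code = f"{secrets.randbelow(10**6):06d}"
        a["digest"] = self._digest(attempt_id, code)  # older code stops working
        a["expires"] = now + OTP_TTL
        a["next_send"] = now + RESEND_BASE * 2 ** a["sends"]
        a["sends"] += 1
        return code, None

    def verify(self, attempt_id, code, now):
        a = self._attempts.get(attempt_id)
        if a is None or a["digest"] is None:
            return "unknown_attempt"
        if now > a["expires"]:
            return "expired"
        if a["guesses"] >= MAX_GUESSES:
            return "locked"
        if not hmac.compare_digest(a["digest"], self._digest(attempt_id, code)):
            a["guesses"] += 1
            return "wrong_code"
        del self._attempts[attempt_id]  # single use
        return "ok"
```

The `wait_seconds` value returned by `send` is what the UI should show on the resend timer, and a `(None, None)` result is the point to switch the user to another channel.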
5) Automatic code capture constraints
On Android, SMS Retriever API can capture OTP without SMS permissions, but it requires a specific message format and an app hash. If the backend doesn’t include the hash or the template deviates, auto‑capture won’t work.
6) Handset filtering and user settings
Even when delivered, users may not see the SMS. On iPhone, messages from unknown senders can be filtered into a separate list until the sender is marked as known.
Sender reputation: the hidden variable
Sharp volume spikes, mixing OTP and marketing on the same sender, high resend rates, and complaint signals degrade sender reputation. That increases filtering, which triggers more resends — a negative loop. Carrier filtering guides explicitly describe this kind of enforcement.
Diagnostics: isolate where it fails
- Not sent: API errors, quotas, invalid numbers.
- Sent but not delivered: filtering, routing, roaming, unreachable subscriber.
- Delivered but not seen: spam/unknown folders, notifications, different messaging app.
Practical fixes to improve OTP reliability
- Normalize and validate numbers (E.164); consider line‑type checks for VoIP.
- Implement resend timers, backoff, and strict rate limits.
- Keep OTP messages short, consistent, and link‑free; code up front.
- Use the right sender type per market; monitor carrier filtering by operator/country.
- Add fallback channels (voice, TOTP, push/email) for high‑value flows.
- Provide a small support checklist (spam/unknown folders, roaming options).
Conclusion
SMS verification issues rarely have a single cause. Carrier filtering, routing quality, sender choices, handset settings, and UX mistakes combine into “OTP is failing”. Measure delivery, segment by operator and number type, control retries, and provide fallbacks — and SMS OTP becomes predictable again.