The End of SMS Authentication via EU Login: A Necessary Shift Towards Stronger Security

In a decisive move to strengthen digital security, the European Commission has announced that SMS-based authentication via EU Login will be fully phased out by mid-2025. The decision reflects growing concerns over the vulnerabilities of SMS-based multi-factor authentication (MFA), particularly in the context of phishing, SIM-swapping, and social engineering attacks.

This transition is part of a broader EU-wide push towards strong authentication methods, in alignment with the requirements of the eIDAS 2.0 Regulation and the NIS2 Directive.

Why Is SMS-MFA Being Retired?

Although SMS one-time passwords (OTPs) have long served as a popular second-factor method, their limitations are well-documented — and increasingly unacceptable in high-assurance environments such as EU institutions.

The European Commission has cited the following key reasons:

  • Vulnerability to interception: SMS is inherently insecure due to its reliance on legacy telecom infrastructure. Messages can be hijacked via SIM-swap fraud, malware, or spoofing.
  • Lack of cryptographic integrity: Unlike app-based authenticators or hardware tokens, SMS messages cannot be cryptographically verified.
  • Compliance and future readiness: Under updated EU cybersecurity and identity legislation, organisations must adopt strong customer authentication (SCA) methods that meet higher assurance standards.

What Will Replace SMS?

EU Login will continue to support more secure and robust authentication mechanisms, including:

  • The EU Login Mobile App (push notification or app-generated code)
  • National eID schemes (e.g. Belgium’s eID, France’s FranceConnect)
  • Digital identity wallets and qualified trust services (in line with the EUDI Wallet framework)
  • Smartcards or tokens used in regulated access contexts

These methods offer greater resilience against fraud, ensure cryptographic proof of origin, and often enable selective data disclosure, which supports data protection by design.

Strategic Implications

The retirement of SMS-based MFA is more than a technical adjustment; it symbolises a wider shift towards zero-trust architectures, decentralised identity models, and EU-wide interoperability.

For identity architects, CIOs and policy leads, this reinforces the urgency to:

  • Reassess current MFA strategies and authentication policies
  • Embrace mobile-first, cryptographically secure methods
  • Align with the broader European Digital Identity Framework (EUDI Wallet, verifiable credentials, qualified authentication)

Continue the Dialogue at the Digital Identity & Trust Conference

The future of identity is strong, secure, and standards-based. Join us at the Digital Identity & Trust Conference to explore practical approaches to secure authentication, EU compliance, and public–private integration.

Let’s move beyond passwords and codes — towards trusted, resilient digital identity.
