Payday Super: How SMS OTP costs explode in 2026

1. How Payday Super will inflate SMS OTP Costs by 500% and force Passkey Adoption#

Australia's Payday Super reform, effective 1 July 2026, will increase superannuation contribution frequency from quarterly to every pay cycle. For the 24 million member accounts across the $4.3 trillion super sector, this means login frequency may jump from 4 to 24+ times per year. At$0.05 AUD per SMS OTP, a mid-tier fund with 1 million members faces annual authentication costs surging from $230,000 to$1,380,000 - a 500% increase. Combined with APRA CPS 234 mandating robust authentication controls and ACMA's new SMS Sender ID Register taking effect on the same date, the economics of SMS-based authentication become untenable.

The sector's reliance on legacy Signaling System No. 7 (SS7) protocols for OTP delivery compounds the problem. SS7 is intrinsically unencrypted and exploitable through SIM swapping, reverse-proxy phishing and SMS OTP flooding. Global regulators including Singapore's MAS are actively phasing out SMS OTPs and the UAE Central Bank has signaled a similar direction. FIDO2 passkeys - built on public-key cryptography with zero marginal authentication cost - offer the only architecture that scales with Payday Super engagement without compounding operational expenses.

2. Payday Super#

Let's start with an overview of Payday Super changes.

2.1 What is Payday Super and why does it matter for Authentication?#

Payday Super is an Australian legislative reform requiring employers to pay superannuation contributions simultaneously with salary, replacing the previous quarterly payment cycle. The Treasury Laws Amendment (Payday Superannuation) Act 2025 mandates that contributions reach the employee's super fund within seven business days of each payday, effective 1 July 2026. Funds must then allocate contributions within three business days.

This reform addresses an estimated $5 billion annual shortfall in unpaid superannuation. Under the pre-2026 regime, employers had up to 28 days after a financial quarter to remit Superannuation Guarantee (SG) contributions. The new Qualifying Earnings (QE) day framework compresses this to weekly, fortnightly or monthly cycles.

For authentication infrastructure, the impact is transformative. A member paid fortnightly transitions from 4 contribution events per year to 26. Each contribution can trigger a push notification, prompting an app login. When multiplied across funds with 2-4 million members, the authentication load grows from 8-12 million annual events to 48-72 million - per fund.

2.2 How do Payday Super Penalties change from 1 July 2026?#

The penalty regime shifts from employer self-assessment to proactive ATO enforcement using real-time Single Touch Payroll (STP) data. From 1 July 2026, the Superannuation Guarantee Charge (SGC) applies automatically if contributions are not received within the seven-business-day window. The SGC compounds daily at the general interest charge rate, with fixed penalties of 25% or 50% of the unpaid SGC depending on prior infraction history.

The ATO's Small Business Superannuation Clearing House (SBSCH) closes permanently on 30 June 2026, forcing all employers onto commercial, SuperStream-compliant clearing house solutions. This creates standardized data rails for the high-velocity transaction environment.

3. How does SuperStream 3.0 enable real-time Superannuation?#

SuperStream Contributions v3.0 is a mandatory upgrade to the existing SuperStream standard, taking effect on 1 July 2026. Finalized by the ATO in coordination with APRA's Payday Super readiness program, it introduces three capabilities: the New Payments Platform (NPP) for near-instantaneous settlement, a Member Verification Request (MVR) service for verifying fund details and contribution acceptability before payment and standardized error codes to reduce rejected payments.

3.1 What is the Member Verification Request (MVR) Service?#

The MVR service allows employers' payroll software or clearing house to verify that a super fund will accept a contribution for a given employee before the payment is initiated. The fund confirms whether the member details match an active account capable of receiving contributions or returns standardized error codes explaining the rejection. This pre-validation step is critical because rejected payments under the seven-day compliance window immediately trigger ATO-assessed penalties.

3.2 SuperStream 3.0 Implementation Timeline#

The rollout follows four phases, all converging on the 1 July 2026 deadline:

The NPP enables 24/7 near-instantaneous fund transfers as an approved payment method alongside the existing batch-processing Direct Entry (BECS) system. ATO guidance indicates NPP usage will increase over time, but BECS remains operational during the transition. For authentication, real-time NPP transactions drastically reduce the window for fraud interdiction compared to batch settlement.

4. How will Payday Super change Member Engagement Patterns?#

Payday Super transforms member engagement from passive quarterly checking to active, notification-driven behavior. Industry data shows 35% of retirement plan participants feel uncertain about comfortable retirement, yet one-third of Australians check their super less than once every three months. Research by Finder and the Qantas Super CSBA Retirement Confidence Index found that lower-wealth members interact with their super less than once annually.

Payday Super disrupts this pattern by synchronizing retirement deposits with the payroll cycle. Funds are investing in modern data platforms and mobile ecosystems to deploy real-time push notifications when contributions clear. The psychological friction to open an app after receiving "Your fortnightly contribution of $450 has arrived" approaches zero.

The demographic shift amplifies this trend. The Financial Services Council and AustralianSuper report that Australians over 60 - who hold the highest average balances - are more digitally engaged than ever. Younger cohorts demand app-centric experiences matching neo-banks and digital wallets. The convergence produces enterprise-scale identity and access management (IAM) loads rivaling major retail banks.

5. wWat do APRA CPS 230 and CPS 234 require for Super Fund Authentication?#

APRA Prudential Standard CPS 230 (Operational Risk Management), effective 1 July 2025, mandates that all APRA-regulated entities identify, assess and manage operational risks with highly effective internal controls. The standard requires funds to maintain critical operations through severe disruptions and manage risks from material service providers, as defined in the CPS 230 prudential standard. CPS 230 focuses on operational resilience and business continuity rather than specific authentication controls.

The authentication-specific requirements sit under APRA CPS 234 (Information Security), which requires regulated entities to maintain information security capabilities commensurate with threats. Funds must conduct comprehensive self-assessments of information security controls, with robust MFA or equivalent cryptographic controls expected for all high-risk member activities: login, changing personal details, initiating withdrawals, processing benefit payments and executing investment switches.

The urgency intensified after AustralianSuper's 2025 cyberattack, where 10 members lost a combined $750,000 through credential stuffing. The fund's web portal lacked mandatory MFA at the time. APRA responded by reinforcing expectations for MFA or equivalent protections on high-risk activities, prompting multiple funds to accelerate SMS OTP deployments - a response that introduces its own set of financial and security problems, as detailed in Corbado's analysis of why SMS authentication costs too much for enterprises.

5.1 How did Super Funds react to CPS 234 with SMS OTP?#

Major funds deployed SMS OTP as a rapid MFA response. AustralianSuper defaulted to six-digit SMS PINs. The Australian Retirement Trust mandated SMS codes or email verification. Hostplus expanded to voice calls and authenticator apps, though SMS remains the default.

These implementations created immediate friction. Members report devices losing "trusted" status within days, forcing repetitive MFA prompts. Overseas travelers lose access to Australian mobile numbers, defaulting to less secure email OTPs. Helpdesk volumes surged, with support frequently offshored to manage demand.

SMS OTP as a primary defense mechanism shifts vulnerability from password guessing to telecommunications exploitation. The analysis in Corbado's FSC Standard No. 29 guide details how these regulatory requirements interact with existing super fund authentication architectures.

6. Why do SMS OTP Costs become unsustainable under Payday Super?#

SMS OTP authentication incurs a variable telecommunications cost per login. Under Payday Super, login frequency multiplies 6x while per-message costs simultaneously rise due to carrier inflation and new ACMA regulations. A fund with 1 million active members currently pays approximately $230,000 annually for SMS OTPs at 4 logins per year. At 24 logins per year with post-regulation pricing, this reaches$1,380,000 - with zero economies of scale.

Globally, the A2P SMS market is experiencing unprecedented price inflation as carriers monetize enterprise messaging to offset declining peer-to-peer revenues. The average global international termination rate (ITR) surpassed $0.10 per message in early 2025. This carrier-level inflation flows directly through to cloud platforms: AWS increased its SMS pricing by approximately 25% in January 2026, passing on the premium enterprise A2P rates that telecommunications carriers now charge for verified transactional messaging.

6.1 What are the real SMS Pricing Dynamics in Australia?#

Base outbound SMS costs in Australia range from $0.01789 to$0.0515 per message segment depending on the aggregator platform. However, this base price is deceptive for four reasons.

First, SMS pricing is governed by segment length. Messages exceeding 160 characters split into multiple segments, doubling or tripling costs. Non-standard characters reduce the limit to 70 characters.

Second, platforms impose surcharges on failures. Twilio charges $0.001 per failed message, meaning funds pay even when network congestion prevents delivery.

Third, the ACMA SMS Sender ID Register takes effect on 1 July 2026 - the same date as Payday Super. Organizations must register branded sender IDs or have their messages displayed under a single "Unverified" thread on consumer phones, severely degrading deliverability and trust. Telecommunications providers have signaled that verified A2P traffic will carry premium surcharges.

Fourth, cloud messaging providers are passing through carrier-imposed premium enterprise rates. AWS raised its SNS SMS pricing by roughly 25% in January 2026, reflecting the higher A2P termination fees that telecommunications carriers now levy on verified transactional traffic. Organizations using AWS, Twilio or similar platforms face compounding cost pressure - carrier inflation plus platform margin adjustments hit simultaneously.

6.2 How much will SMS OTP cost Super Funds after Payday Super?#

The variable cost of SMS OTP authentication follows the formula: Total Cost = Users x Annual Logins x Cost per SMS x Segment Multiplier x (1 + Failure Rate). Using conservative estimates of $0.05 per segment, a 1.0 segment multiplier and 15% failure overhead:

Pre-Payday Super (2024): 1,000,000 users x 4 logins x $0.05 x 1.0 x 1.15 =$230,000/year

Post-Payday Super (2026): 1,000,000 users x 24 logins x $0.05 x 1.0 x 1.15 =$1,380,000/year

For mega-funds with 2-4 million members, annual SMS costs reach $4,000,000 to$6,000,000. This expenditure generates zero revenue, zero competitive advantage and a rapidly depreciating security posture. It also excludes SMS Toll Fraud (Traffic Pumping), where botnets trigger OTP requests to premium-rate numbers.

The following diagram illustrates the cost explosion across fund sizes.

7. Why is SMS OTP fundamentally insecure for Financial Services?#

SMS OTP relies on the Signaling System No. 7 (SS7) protocol, a telecommunications standard from the 1970s that is intrinsically unencrypted and exploitable. Global regulators no longer recognize SMS OTP as secure Strong Customer Authentication (SCA). The Communications Fraud Control Association (CFCA) 2023 Global Fraud Loss Survey put total telecommunications fraud at $38.95 billion, with spoofing losses alone at$2.9 billion and SMS pumping among the fastest-growing categories. Multiple regulators - including Singapore's MAS, which mandates digital tokens over SMS OTPs - are driving the transition to cryptographic alternatives.

7.1 What are the primary Attack Vectors against SMS OTP?#

Three attack vectors compromise SMS OTP authentication in superannuation:

SIM Swapping (Port-Out Fraud) uses social engineering - often through compromised telecommunications retail staff - to port a member's number to an attacker-controlled SIM. The attacker intercepts all incoming OTPs, bypassing MFA entirely.

Reverse-Proxy Phishing (MitM) deploys frameworks like Evilginx that clone the fund's login portal. The victim enters their SMS code into the fake site; the proxy passes it to the real server in real-time, capturing the authenticated session cookie. This bypasses MFA without compromising the telecommunications network.

SMS OTP Flooding involves attackers with compromised credentials repeatedly triggering login attempts, bombarding the victim's phone with OTP codes. Unlike MFA fatigue (push bombing) - where users accidentally approve a push notification - SMS flooding aims to confuse or exhaust the user into sharing a code via social engineering, or to mask a legitimate OTP among dozens of spurious ones.

All three vectors bypass MFA entirely, as shown below.

7.2 Which Countries are banning SMS OTP for Financial Services?#

The regulatory shift away from SMS OTP is global. The UAE Central Bank has signaled intent to phase out SMS and email OTPs for financial transactions, though no formal mandate has been officially confirmed. Singapore's Monetary Authority (MAS) mandates digital tokens over SMS OTPs, aligning with PSD2 Strong Customer Authentication requirements across Europe. Australia's APRA is following the same trajectory under CPS 234, which governs information security controls for regulated entities.

8. How do Passkeys solve the SMS OTP Cost Crisis for Super Funds?#

FIDO2 passkeys use public-key cryptography to authenticate users without transmitting secrets over a network. Built on the WebAuthn API maintained by the FIDO Alliance and W3C, passkeys generate a unique cryptographic key pair per registration. The public key is stored server-side. The private key is managed in one of two ways: synced passkeys store the private key in the user's cloud keychain (e.g. iCloud Keychain, Google Password Manager), making it available across multiple devices; device-bound passkeys keep the private key on a hardware security key, restricting it to a single device.

The critical financial metric: once enrolled, every subsequent passkey authentication costs zero. Unlike SMS OTP, which penalizes funds for high engagement, passkeys scale infinitely with Payday Super notification-driven logins without adding operational cost. For a detailed breakdown of how this cost reduction works, see Corbado's guide to reducing SMS costs with passkeys.

8.1 Why are Passkeys phishing-resistant?#

WebAuthn cryptographically binds authentication to the specific DNS origin of the Relying Party (e.g. australiansuper.com). If a phishing attack redirects to a homoglyph domain (australiansuper-login.com), the device's operating system detects the domain mismatch and the passkey refuses to authenticate. No user action is required. This eliminates reverse-proxy phishing, the most sophisticated attack vector against SMS OTP.

8.2 What operational Advantages do Passkeys offer over SMS OTP?#

Passkeys deliver three measurable operational advantages over SMS OTP:

Zero marginal cost means authentication expenses remain fixed regardless of login frequency. A fund handling 72 million annual authentications pays exactly the same as one handling 12 million.

Sub-second authentication eliminates the friction of waiting for SMS delivery, memorizing codes and re-entering digits. This removes the "broken trusted device" complaints flooding super fund app store reviews.

40-60% helpdesk reduction results from eliminating password resets and OTP lockouts - the primary drivers of IT support volume in financial services. For detailed metrics, see Corbado's analysis of how passkeys reduce password resets and OTP costs.

9. How has UniSuper implemented Passkeys ahead of 2026?#

UniSuper, managing over $130 billion in assets as of 2025, deployed passkeys for its member web portal, making it the first major Australian super fund to adopt FIDO2 authentication. Members can register passkeys across their devices using device-native biometrics as their primary login method. New members are prompted to enroll during initial registration. Existing members activate passkeys through security preferences.

UniSuper's deployment demonstrates that the super fund demographic - often assumed too technologically hesitant for cryptographic authentication - readily adopts biometric passkeys. Members view Face ID and fingerprint authentication as a convenience upgrade over passwords and SMS codes, as UniSuper's security experts have documented.

This positions UniSuper ahead of APRA CPS 234 authentication requirements and CPS 230 operational resilience expectations, while eliminating per-authentication SMS costs before Payday Super engagement multiplies. For an overview of which Australian super funds support passkeys, see Corbado's superannuation fund passkey tracker. For implementation guidance, see the detailed passkey implementation guide for super funds.

10. What is the recommended Passkey Migration Strategy for Mega-Funds?#

Migrating millions of members from SMS OTP to passkeys requires three assessments, balancing security mandates with user experience. The Corbado guide on transitioning from SMS OTPs to passkeys details the risk considerations for each assessment.

Phase 1: Shadow Enrollment. Introduce passkeys as an optional convenience upgrade during existing login flows. After successful username/password/SMS authentication, prompt: "Want to log in 5x faster? Enable Face ID/Touch ID." Properly designed enrollment prompts yield 80% adoption rates among active users within the first quarters of deployment.

Phase 2: Friction Engineering. Once critical mass enrolls, dynamically route returning devices with registered passkeys to passkeys, e.g. via Conditional UI, bypassing password and SMS fields. Simultaneously, add security warnings to the SMS fallback path, noting telecommunications interception risks.

Phase 3: OTP Eradication. Decommission SMS OTP entirely. For users unable to use passkeys (older hardware, corporate device policies), deploy TOTP via authenticator apps (zero transmission cost).

The roadmap below shows how per-authentication costs decline to zero across the three phases.

10.1 How do Passkeys integrate with SuperStream 3.0 and NPP?#

SuperStream 3.0's NPP integration enables near-instantaneous settlement, meaning fraudulent transactions execute in real-time with minimal recovery windows. Passkeys provide non-repudiable transaction authorization through Step-Up Authentication - triggering a biometric challenge at the moment of high-risk operations like SMSF rollovers via SuperStream Rollover V3.

This cryptographic proof of member intent satisfies APRA CPS 234 information security requirements and supports CPS 230 operational resilience objectives. As funds consolidate and deploy Modern Data Platforms for AI-driven member services, passkeys eliminate the identity pollution (synthetic identities, credential-sharing artifacts) that compromises legacy authentication databases. Clean identity resolution is essential for the predictive analytics that optimize retirement outcomes.

11. 1 July 2026 Imperative: why Super Funds must act now#

Three regulatory deadlines converge on 1 July 2026: Payday Super legislation, SuperStream 3.0 and NPP mandate and the ACMA SMS Sender ID Register. These arrive on top of APRA CPS 230 (operational risk, effective July 2025) and CPS 234 (information security) requirements already in force. Funds relying on SMS OTP face multi-million dollar cost blowouts, exposure to sophisticated credential attacks and regulatory penalties for inadequate operational resilience.

The real-time irrevocability of NPP transfers amplifies fraud risk. Account takeovers become irreversible within minutes. Combined with intensifying industry consolidation, inadequate authentication presents an existential threat to member retention and fund viability.

FIDO2 passkeys decouple authentication cost from engagement frequency. They provide cryptographic assurance for the $4.3 trillion retirement ecosystem. As Payday Super accelerates capital velocity, passkeys ensure the digital perimeter scales without compounding operational expense. For funds evaluating their options, Corbado's passkey platform for super funds provides implementation support aligned with APRA CPS 230 and CPS 234 requirements.

12. How Corbado can help Super Funds transition to Passkeys#

For super funds facing the 1 July 2026 deadline, Corbado provides a passkey platform built for super funds that works with any existing identity provider without replacing authentication infrastructure. Three capabilities are specifically relevant to the Payday Super challenge.

12.1 Passkey Adoption & Transition Management#

Enabling passkeys is not enough - members must actually use them. Corbado's guides members from SMS OTP to passkeys through staged enrollment prompts, friction engineering and progressive password removal. Properly designed enrollment flows yield 80%+ adoption rates among active users within the first quarters of deployment. For super funds, this means SMS OTP costs decline in proportion to adoption rather than persisting as a parallel expense.

12.2 Passkey Observability & Analytics#

Without visibility into where members succeed or fail during passkey authentication, funds operate blind. Corbado's passkey analytics captures every passkey event - creation prompts, authentication attempts, errors and timing data - and visualizes authentication as a multi-step funnel filtered by OS, browser and device type. Automatic error classification separates user decisions (cancelled, skipped) from system errors (timeout, platform issues), preventing false alarms and identifying exactly where members drop off. This observability is critical for funds managing diverse demographics across iOS, Android and desktop.

12.3 Device & Authenticator Intelligence#

Super fund members span every age group and device ecosystem. Corbado tracks passkey distribution across iCloud Keychain, Google Password Manager and Windows Hello, monitoring sync rates, transport methods and device authentication types. This data provides the stakeholder-ready metrics that CIOs and CISOs need to justify migration timelines, demonstrate CPS 234 compliance progress and quantify SMS cost reduction.

13. Conclusion#

Payday Super compresses what was a quarterly authentication event into a fortnightly or weekly cycle, inflating SMS OTP costs by 500% or more for Australian super funds. Three regulatory deadlines converge on 1 July 2026 - Payday Super, SuperStream 3.0 and the ACMA SMS Sender ID Register - while APRA CPS 234 already mandates robust authentication controls. SMS OTP cannot satisfy both the cost constraint and the security constraint simultaneously.

FIDO2 passkeys resolve this by decoupling authentication cost from engagement frequency. Every login after enrollment costs zero. UniSuper has demonstrated that super fund members readily adopt biometric passkeys, and structured migration strategies can achieve 80%+ adoption within quarters. The funds that act before 1 July 2026 eliminate a multi-million dollar recurring expense while strengthening their security posture against SIM swapping, reverse-proxy phishing and SS7 exploitation. Those that delay face compounding costs with no path to scale.

Frequently Asked Questions#

How will Payday Super change the authentication workload for my super fund?#

Payday Super shifts contribution frequency from quarterly to every pay cycle, transitioning fortnightly-paid members from 4 contribution events per year to 26. For a fund with 2-4 million members, annual authentication events grow from 8-12 million to 48-72 million, creating IAM loads comparable to major retail banks.

What is the ACMA SMS Sender ID Register and why does it affect super fund SMS costs from 2026?#

The ACMA SMS Sender ID Register takes effect on 1 July 2026, the same date as Payday Super. Organizations that fail to register branded sender IDs will have messages displayed under a single "Unverified" thread on consumer phones, severely degrading deliverability and trust. Telecommunications providers have signaled that verified A2P traffic will carry premium surcharges, adding a cost layer on top of the 6x login frequency increase.

Why did AustralianSuper's 2025 breach accelerate SMS OTP deployments across super funds?#

AustralianSuper's 2025 cyberattack saw 10 members lose a combined $750,000 through credential stuffing on a portal that lacked mandatory MFA. APRA reinforced expectations for MFA or equivalent protections on high-risk activities, prompting multiple funds to accelerate SMS OTP deployments as a CPS 234 compliance response. However, SMS OTP shifts vulnerability from password guessing to SS7 exploitation, SIM swapping and reverse-proxy phishing rather than eliminating risk.

What is the Member Verification Request service in SuperStream 3.0 and how does it interact with member identity?#

The Member Verification Request (MVR) service allows employers' payroll software or clearing house to verify that a super fund will accept a contribution for a given employee before the payment is initiated. This pre-validation step is critical because rejected payments under the seven-business-day compliance window immediately trigger ATO-assessed Superannuation Guarantee Charge penalties. The fund confirms whether the member details match an active account or returns standardized error codes.

How do passkeys support step-up authentication for high-risk super fund operations under APRA CPS 234?#

Passkeys support Step-Up Authentication by triggering a biometric challenge at the moment of high-risk operations such as SMSF rollovers via SuperStream Rollover V3, providing cryptographic proof of member intent. This satisfies APRA CPS 234 information security requirements for robust authentication during withdrawals, investment switches and benefit payments, while supporting CPS 230 operational resilience objectives. Combined with NPP real-time settlement, this is critical because fraudulent transactions under the new system execute within minutes with minimal recovery windows.