Because attackers can relay the password and OTP in real time through an adversary-in-the-middle page. The code is valid long enough for the attacker to use it, and the user may not notice the relay. Phishing-resistant methods break that relay by proving possession of a key rather than sharing a reusable code.
Why OTPs Still Fail Against Real-Time Phishing
OTPs improve account security, but they do not prove that the person entering the code is talking to the genuine service. A phishing page can proxy the login in real time, capture the password and OTP, and immediately replay them to the real site before the code expires. That is why OTPs are a speed bump, not a relay-proof control. NHI Mgmt Group research shows how often identity compromise turns into broader access: the 52 NHI Breaches report highlights the operational cost of weak identity assurance, while CISA cyber threat advisories repeatedly stress that credential capture is only the first step in a larger intrusion chain.
The practical mistake is assuming a one-time code is equivalent to phishing resistance. It is not. The code is reusable within a short window, and the browser or session context does not cryptographically bind it to the legitimate relying party. In practice, many security teams encounter OTP bypass only after a user has already completed a live relay through an adversary-in-the-middle page.
How the Relay Works and What Breaks It
In a classic adversary-in-the-middle attack, the attacker stands between the user and the real login page. The phishing site forwards every step to the genuine service, so the victim sees a believable flow while the attacker quietly collects the password and OTP. Because the OTP is valid for a brief period, the attacker can submit it immediately and obtain a session cookie or token. The defense problem is not just secrecy of the code, but whether the authenticator can prove possession of a device or key that cannot be replayed by a proxy.
Phishing-resistant methods such as FIDO2/WebAuthn change the trust model. Instead of sharing a reusable code, the user’s device signs a challenge for the actual domain, so the credential is bound to the origin. That is the key distinction. Current guidance suggests pairing this with conditional access, risk-based session controls, and strong device posture checks, because authentication and authorization should not end at the login screen. For broader identity context, Top 10 NHI Issues and Ultimate Guide to NHIs — Key Challenges and Risks show how reused credentials and weak lifecycle controls amplify blast radius once a login is captured.
- Use phishing-resistant authenticators for privileged and high-risk accounts first.
- Bind authentication to the real origin, not to a code that can be proxied.
- Reduce token lifetime and monitor abnormal session creation after login.
- Escalate step-up checks only when risk signals justify friction.
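To make the distinction concrete, here is an added Python simulation (not code from the original article) of both ceremonies run through the same proxy: a TOTP code relayed a few seconds later still verifies, while a WebAuthn assertion fails because the browser writes the origin it is really on into clientDataJSON and the authenticator only holds a credential scoped to the genuine RP ID. The origins are constructed, and an HMAC stands in for the authenticator's ECDSA signature.

```python
import hashlib, hmac, json, struct
from urllib.parse import urlparse

RP_ORIGIN = "https://login.example.com"            # constructed relying party (hypothetical)
RP_ID = urlparse(RP_ORIGIN).hostname
PHISH_ORIGIN = "https://login.example-secure.net"  # constructed lookalike proxy (hypothetical)

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (SHA-1, 6 digits): the code is a bearer value, not bound to any site."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    """Typical server: accept the current step and the previous one to tolerate clock skew."""
    return any(hmac.compare_digest(totp(secret, now - d * step, step), code) for d in (0, 1))

def otp_relay(secret: bytes, now: int) -> bool:
    """Victim types the code into the proxy; attacker submits it 5 s later to the real site."""
    return verify_totp(secret, totp(secret, now), now + 5)   # True: the relay succeeds

def client_get_assertion(creds: dict, browser_origin: str, challenge: bytes):
    """Browser side of navigator.credentials.get(): it derives the RP ID from the origin it is
    really on and writes that origin into clientDataJSON; page script cannot change either."""
    rp_id = urlparse(browser_origin).hostname
    if rp_id not in creds:                    # authenticator has no credential scoped to this RP
        return None
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(), "origin": browser_origin}).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()      # rpIdHash
    # HMAC stands in for the authenticator's ECDSA signature over authData || sha256(clientDataJSON)
    sig = hmac.new(creds[rp_id], auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return client_data, auth_data, sig

def rp_verify(cred_key: bytes, challenge: bytes, assertion) -> bool:
    """Relying-party checks (WebAuthn section 7.2): type, origin, challenge, rpIdHash, then signature."""
    if assertion is None:
        return False
    client_data, auth_data, sig = assertion
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("origin") != RP_ORIGIN:
        return False
    if cd.get("challenge") != challenge.hex() or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def webauthn_relay(cred_key: bytes, challenge: bytes) -> bool:
    """Same proxy: the RP's challenge is forwarded unchanged, but the victim's browser is on PHISH_ORIGIN."""
    creds = {RP_ID: cred_key}                 # the credential was registered for the real RP only
    return rp_verify(cred_key, challenge, client_get_assertion(creds, PHISH_ORIGIN, challenge))
```

The same `rp_verify` also rejects a captured assertion replayed against a fresh challenge, which is the property the OTP path lacks.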
For adversaries using automation, speed matters: the Anthropic report on the first AI-orchestrated cyber espionage campaign and the MITRE ATLAS adversarial AI threat matrix both reinforce that automated attack chains can compress the time between capture and misuse. These controls tend to break down when legacy apps only support OTP-based fallback and cannot enforce origin-bound authentication.
Common Variations and Edge Cases
Tighter authentication often increases rollout friction, help desk load, and device-management overhead, so organisations have to balance user convenience against actual resistance to phishing. That tradeoff is real, especially where contractors, shared workstations, or older protocols are involved. Best practice is evolving, and there is no universal standard for every environment, but the direction is clear: OTP should be treated as transitional, not final.
Some deployments still need OTP as a fallback for recovery, break-glass access, or accounts that cannot yet use phishing-resistant methods. In those cases, reduce exposure with short session lifetimes, tight step-up rules, and strong recovery verification. Another edge case is machine-to-machine access: OTPs do not belong there at all. Secrets should be short-lived and bound to workload identity rather than entered by a human or copied into scripts. That is why Ultimate Guide to NHIs — Why NHI Security Matters Now is relevant even in a human-authentication question, because the same identity weak points often appear in service accounts and automation paths. For control design and incident response detail, CISA cyber threat advisories remain a useful reference point. The control breaks down most sharply in mixed estates where OTP is still accepted for privileged access and cannot be phased out consistently.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Phishing succeeds when reusable credentials can be replayed. |
| OWASP Agentic AI Top 10 | A-04 | Replayable auth is weak for autonomous tool-using systems too. |
| NIST AI RMF | | Identity assurance and misuse risk are governance issues under AI. |
Replace replayable OTP reliance with origin-bound, short-lived authentication for sensitive accounts.