
What breaks when organisations rely on passwords and OTPs for high-risk access?

What breaks is replay resistance. Passwords, SMS codes, and many push workflows can be intercepted, relayed, or socially engineered, which means a malicious intermediary can still complete the login and reuse the session. Once that happens, the attacker no longer needs to defeat the application, because the identity proof has already been compromised.

Why This Matters for Security Teams

Passwords and OTPs look familiar, but they do not reliably prove possession in a high-risk flow. They are especially weak when the attacker can phish, relay, or proxy the interaction in real time. That matters because once an intermediary completes the login, the application sees a valid session and the original secret no longer protects the action being taken. The issue is not just credential theft, but broken replay resistance and weak assurance at the point of authorisation.

For teams managing sensitive access, the practical failure is that the control is tuned for convenience, not for adversarial interception. Current guidance from the OWASP Non-Human Identity Top 10 and NIST Cybersecurity Framework 2.0 both point toward stronger identity assurance, but the operational shift is still uneven. NHIMG research shows why this matters: the Ultimate Guide to NHIs notes that 79% of organisations have experienced secrets leaks, with 77% causing tangible damage. In practice, many security teams discover that OTP-based access failed only after a session had already been abused, not during a controlled test.

How It Works in Practice

High-risk access should move away from shared or reusable secrets and toward stronger identity proof, short-lived credentials, and contextual authorisation. For human users, that often means phishing-resistant MFA, device binding, step-up verification, or PAM-backed approvals. For workloads and automation, it means well-governed NHIs, ephemeral secrets, and cryptographic workload identity instead of static passwords copied into scripts, CI/CD, or vault sprawl. The point is to reduce the window in which a stolen artefact can be replayed.

In practice, teams should separate authentication from authorisation and make both time-bound. A stronger pattern looks like this:

  • Issue just-in-time credentials with short TTLs for privileged actions.
  • Bind access to device, workload, or session context rather than a one-time code alone.
  • Use policy decisions at request time, not just at login, so the action can be blocked if risk changes.
  • Prefer phishing-resistant factors and workload identity where automation is involved.
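
The following Python example is an added illustration of the four points above, not code from this page or from NHIMG. It contrasts a reusable OTP check, which accepts the code from whoever presents it, with a short-lived credential that is signed by the server, bound to a device or session identifier, scoped to named actions, single-use, and re-evaluated against a risk score at request time. The signing key, the device identifiers, the action names and the risk threshold are all hypothetical; in production the key would live in a KMS or HSM, the used-nonce set would be a shared store with its own TTL, and the device binding would come from a real proof-of-possession mechanism such as WebAuthn or a workload identity document rather than a string the client asserts.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side signing key for this example only.
SERVER_KEY = b"example-signing-key-do-not-use-in-production"

# Nonces already spent on a privileged action. A shared store with expiry
# replaces this in-memory set in a real deployment.
_used_jti: set[str] = set()


def otp_login(submitted_code: str, expected_code: str) -> bool:
    """Baseline with no replay resistance: the verifier checks the code but
    learns nothing about who presents it, so a relaying proxy that captures
    the code in real time completes the login just like the victim would."""
    return hmac.compare_digest(submitted_code, expected_code)


def _sign(payload: bytes) -> str:
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_jit_credential(subject: str, actions: list[str], device_id: str,
                         ttl_s: int, now: float) -> str:
    """Issue a just-in-time credential: short TTL, bound to a device/session
    context, scoped to named actions, carrying a unique id for single use."""
    claims = {
        "sub": subject,
        "acts": sorted(actions),
        "dev": device_id,
        "exp": now + ttl_s,
        "jti": secrets.token_hex(8),
    }
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def authorize(token: str, action: str, device_id: str, now: float,
              risk_score: int = 0, max_risk: int = 50) -> tuple[bool, str]:
    """Request-time decision. Every check runs on each privileged call, not
    only at login, so a stolen or relayed credential fails on the first
    mismatch and a change in risk blocks the action even with a valid token."""
    try:
        b64_payload, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(b64_payload)
    except (ValueError, binascii.Error):
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(payload)):
        return False, "bad-signature"
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return False, "expired"           # short TTL limits the replay window
    if not hmac.compare_digest(claims["dev"], device_id):
        return False, "context-mismatch"  # relayed from a different device/session
    if action not in claims["acts"]:
        return False, "out-of-scope"      # credential was never valid for this action
    if risk_score > max_risk:
        return False, "risk-denied"       # policy re-evaluated at request time
    if claims["jti"] in _used_jti:
        return False, "replayed"          # single use for privileged actions
    _used_jti.add(claims["jti"])
    return True, "ok"


def demo() -> dict:
    """Walk through the legitimate path and the failure modes with constructed inputs."""
    now = time.time()
    results = {}
    # Constructed OTP: the attacker relays the victim's code and is accepted.
    results["otp_relayed_by_attacker"] = otp_login("482913", "482913")

    tok = issue_jit_credential("alice", ["rotate-key"], "laptop-A", ttl_s=60, now=now)
    results["legit"] = authorize(tok, "rotate-key", "laptop-A", now + 1)
    results["replay_same_device"] = authorize(tok, "rotate-key", "laptop-A", now + 2)

    tok2 = issue_jit_credential("alice", ["rotate-key"], "laptop-A", ttl_s=60, now=now)
    results["relayed_from_attacker_device"] = authorize(tok2, "rotate-key", "proxy-B", now + 1)
    results["out_of_scope"] = authorize(tok2, "delete-tenant", "laptop-A", now + 1)
    results["risk_changed"] = authorize(tok2, "rotate-key", "laptop-A", now + 1, risk_score=90)
    results["expired"] = authorize(tok2, "rotate-key", "laptop-A", now + 61)
    tampered = tok2[:-1] + ("A" if tok2[-1] != "A" else "B")
    results["tampered"] = authorize(tampered, "rotate-key", "laptop-A", now + 1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The order of checks matters: expiry, binding and scope are evaluated before the nonce is consumed, so a credential relayed from the wrong device is rejected without burning the legitimate holder's single use. The OTP baseline is deliberately left as the page describes it, accepted from anyone, to make the replay gap visible next to the bound credential.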

For architecture guidance, the OWASP Non-Human Identity Top 10 is useful for spotting overexposed secrets, while the 52 NHI Breaches Analysis shows how compromised identities often become the first step in broader abuse. This guidance tends to break down in legacy environments where shared admin accounts, long-lived service tokens, and flat network trust are still embedded in daily operations because the organisation cannot enforce per-request assurance consistently.

Common Variations and Edge Cases

Tighter access control often increases operational friction, requiring organisations to balance stronger assurance against support overhead and workflow delays. That tradeoff is real, especially where incident responders, third-party contractors, or automated jobs need rapid access under pressure. Best practice is evolving, and there is no universal standard for every environment, but current guidance suggests that high-risk access should not rely on OTPs alone when the action itself is valuable enough to justify an attacker's effort to intercept it.

Some edge cases deserve explicit handling. Break-glass accounts may still need reusable credentials, but they should be isolated, monitored, and reviewed after every use. Shared vendor access often needs stronger session controls than standard employee logins because the trust boundary is wider. For autonomous tools and agents, the problem is more severe: they can chain actions, call other tools, and persist access in ways that make a single OTP irrelevant after the first hop. In those cases, workload identity and JIT secrets are more defensible than human-style login flows. The Ultimate Guide to NHIs reinforces the same pattern: static secrets age badly, and the longer they live, the easier they are to replay. When an environment still depends on SMS OTPs for privileged access, the control usually fails first in remote support, contractor workflows, or API-triggered admin paths.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI4 Insecure Authentication, NHI7 Long-Lived Secrets | Covers weak and replayable secret handling in identity flows.
CSA MAESTRO | (no specific control cited) | Relevant where autonomous agents need runtime-controlled access and short-lived authority.
NIST AI RMF | (no specific control cited) | Supports governance of risk when identity decisions affect autonomous or high-impact actions.

Replace reusable secrets with short-lived, bounded credentials and monitor for replayable access paths.