
When does OTP become too weak for regulated access?

OTP becomes too weak when the channel can be intercepted, replayed, or socially engineered, especially for remote access, privileged accounts, and transaction approval. Regulators are increasingly treating SMS and email OTP as last-resort options rather than default strong authentication. If the factor can be harvested outside the session, it is not strong enough for high-risk use.

Why This Matters for Security Teams

OTP is often treated as “better than password-only,” but regulated access decisions hinge on whether the factor can be intercepted, replayed, or coerced outside the live session. SMS and email OTP are especially fragile for remote administration, high-value transactions, and privileged access because they depend on a separate channel that attackers routinely target. Current guidance suggests that the question is not whether OTP exists, but whether it resists phishing, SIM swapping, inbox compromise, and real-time relay attacks.

For security teams, the practical issue is that regulators and auditors increasingly look at assurance level, not just factor count. A two-factor flow can still be weak if one factor is easily harvested and replayed. NHI Management Group’s research shows that identity controls fail most often when organisations rely on legacy patterns instead of risk-based governance, and the same lesson applies to human access. See the Ultimate Guide to NHIs and the OWASP Non-Human Identity Top 10 for how weak credential handling becomes a broader control failure.

In practice, many security teams discover OTP weakness only after an attacker has already relayed the code and completed the session, rather than through intentional control testing.

How It Works in Practice

Strong authentication for regulated access should be evaluated by attack path, not by label. OTP becomes too weak when the channel is separable from the application session, because an attacker can trick the user into revealing the code, intercept it, or use it quickly enough to complete the login before expiry. That risk rises sharply for privileged users, remote access, and transaction approval where the next step has real financial or administrative impact.

Practitioners should separate “possession of a temporary code” from “proof of the right user at the right time.” For higher-risk workflows, current best practice is evolving toward phishing-resistant MFA, such as cryptographic authenticators bound to the origin or device. That is why many control frameworks now emphasize context, assurance, and runtime decision-making instead of static factor counting. NIST’s Cybersecurity Framework 2.0 supports risk-based governance, while NHIMG’s Top 10 NHI Issues shows how weak credential practices become systemic when identities are not continuously governed.

  • Use OTP only where the threat model is low and the session is low impact.
  • Move privileged access to phishing-resistant MFA, especially for remote administration.
  • Treat SMS and email OTP as fallback methods, not default strong authentication.
  • Require step-up controls for transactions, re-authentication, and policy-sensitive actions.
  • Review whether the factor can be replayed, relayed, intercepted, or socially engineered outside the session.

These controls tend to break down in environments that still depend on SMS-delivered codes for privileged remote access because the channel and the session remain easy to separate.
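The separable-channel problem above, and the policy bullets that follow from it, can be made concrete in code. The example below is added here and is not the article's own code: a plain OTP verifier beside a simplified origin-bound verifier (WebAuthn-style binding reduced to an HMAC with a shared key), plus a risk-based policy function; all keys, codes and origins are constructed placeholders.

```python
import hmac
import hashlib
import secrets

# Constructed illustration, not code from the article. Two verifiers: a plain OTP check,
# which cannot tell where the code was typed, and an origin-bound assertion check in the
# style of WebAuthn (simplified here to an HMAC with a shared key), which can.

def otp_verify(submitted: str, issued: str, issued_at: float, now: float, ttl: float = 300) -> bool:
    """Accepts any matching code inside the validity window; the session it came from is unknown."""
    return hmac.compare_digest(submitted, issued) and (now - issued_at) <= ttl

def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator signs the challenge together with the origin it actually saw."""
    return hmac.new(key, challenge + origin.encode(), hashlib.sha256).digest()

def assertion_verify(key: bytes, challenge: bytes, expected_origin: str, sig: bytes) -> bool:
    """The relying party recomputes over its own origin, so a signature made on a lookalike origin fails."""
    return hmac.compare_digest(sign_assertion(key, challenge, expected_origin), sig)

# Risk-based policy: the contexts the article names where a harvestable factor is not enough.
HIGH_RISK = {"privileged", "remote", "customer_impacting", "transaction_authorising"}

def otp_acceptable(context: set, authenticator: str) -> bool:
    """SMS/email OTP only for low-impact access; origin-bound authenticators are acceptable everywhere."""
    if authenticator == "origin_bound":
        return True
    return not (context & HIGH_RISK)

def relay_comparison() -> tuple:
    """Same relayed-login scenario against both verifiers (constructed values, no real keys)."""
    code = "482913"                                   # OTP issued at t=0, submitted by a relay at t=20s
    otp_result = otp_verify(code, code, issued_at=0, now=20)
    key, challenge = secrets.token_bytes(32), secrets.token_bytes(32)
    sig = sign_assertion(key, challenge, "https://login.example-phish.test")  # origin the user really saw
    bound_result = assertion_verify(key, challenge, "https://portal.example.test", sig)
    return otp_result, bound_result                   # (True, False)

if __name__ == "__main__":
    print("OTP accepted after relay:", relay_comparison()[0])
    print("Origin-bound accepted after relay:", relay_comparison()[1])
```

The OTP verifier has no input that could distinguish the relayed code from a legitimate one, which is exactly the gap the policy function closes by refusing SMS/email OTP for high-risk contexts.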

Common Variations and Edge Cases

Tighter authentication often increases user friction and rollout cost, requiring organisations to balance fraud resistance against operational disruption. That tradeoff matters because not every access flow carries the same risk, and there is no universal standard for this yet across all regulators and sectors.

One common edge case is low-risk internal access where OTP may still be acceptable as a temporary step, especially during migration away from passwords. Another is recovery flows, where OTP sometimes remains in use because stronger methods are unavailable. Even then, current guidance suggests limiting scope, shortening validity windows, and pairing OTP with device binding or additional context checks.

For regulated environments, the practical cutoff is usually reached when access is privileged, remote, customer-impacting, or transaction-authorising. At that point, a factor that can be harvested outside the session is no longer strong enough on its own. NHIMG’s Regulatory and Audit Perspectives section is a useful reference for how identity controls are assessed in real audits, not just in design documents. The control question is simple: if the code can be stolen before the action is completed, it does not provide durable assurance for regulated access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-01 | Auth strength must match access risk and business impact.
OWASP Non-Human Identity Top 10 | NHI-01 | Weak credential handling maps to identity assurance failures.
NIST AI RMF | GOVERN | Runtime risk governance is needed when access decisions vary by context.

Classify regulated access by risk and require stronger authentication where compromise impact is high.