The control breaks when the second factor can be intercepted, relayed, or socially engineered. SMS, email, and OTP-based MFA improve security over passwords, but they still leave room for SIM swapping and man-in-the-middle phishing. For sensitive access, that means the organisation is still authenticating through a phishable channel rather than using a proof method that resists interception.
Why This Matters for Security Teams
SMS and email MFA were designed to raise the bar over passwords, but they do not change the fact that the second factor still travels through channels that attackers can intercept, reroute, or socially engineer. For high-value access, that matters because the control is only as strong as the weakest delivery path, not the policy label attached to it. The OWASP Non-Human Identity Top 10 makes the broader point that identity controls fail when credentials and proofs are easy to replay or abuse.
This is especially dangerous when sensitive systems hold admin consoles, secrets managers, cloud control planes, or AI orchestration tools. NHIMG research on the 52 NHI Breaches Analysis shows how quickly exposed identities become attacker entry points once trust is anchored to reusable authentication factors. In practice, many security teams discover the weakness only after an account takeover, not through a planned review of authentication resilience.
How It Works in Practice
The main issue is that SMS and email MFA prove access to a communication channel, not strong possession of a resistant authenticator. Attackers can phish the code in real time, intercept mailboxes through session theft, or exploit telecom weaknesses such as SIM swapping. If the same factor is reused across multiple logins, it also becomes easier to automate relay attacks at scale. For that reason, current guidance suggests that organisations treat these methods as better than passwords, but not suitable for the most sensitive access paths.
Stronger patterns shift from one-time codes to phishing-resistant authentication and device-bound proof. That usually means passkeys, hardware-backed authenticators, or certificate-based approaches that are harder to relay. NIST guidance on digital identity and authentication reinforces that verifier compromise and replay risk should drive factor selection, not convenience alone. A useful way to evaluate the control is to ask whether the factor can be copied, forwarded, or entered on a malicious site before the session is established.
- Use phishing-resistant MFA for privileged users, admins, and access to secrets or cloud consoles.
- Limit SMS and email MFA to low-risk recovery paths, not primary approval for sensitive actions.
- Pair MFA with device binding, conditional access, and step-up verification for risky events.
- Review mailbox and telecom compromise as part of identity threat modelling, not just endpoint defense.
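The four controls above can be expressed as one access decision that a gateway or conditional-access layer evaluates per request. The following is an added example, not code from the original page or from NHIMG; the factor names, sensitivity tiers and risk signals are assumptions chosen to illustrate the policy.

```python
from dataclasses import dataclass, field
from enum import Enum

class Factor(Enum):
    PASSWORD = "password"
    SMS_OTP = "sms_otp"       # proves access to a phone number; forwardable, SIM-swappable
    EMAIL_OTP = "email_otp"   # proves access to a mailbox; forwardable, session-theft exposed
    TOTP = "totp"             # device-generated, but can still be typed into a fake site
    PUSH = "push"             # approval prompt, relayable in real time
    PASSKEY = "passkey"       # WebAuthn/FIDO2: origin-bound, cannot be entered elsewhere
    CERTIFICATE = "x509"      # device certificate / mTLS, bound to the endpoint

PHISHING_RESISTANT = {Factor.PASSKEY, Factor.CERTIFICATE}
CHANNEL_BASED = {Factor.SMS_OTP, Factor.EMAIL_OTP}

class Sensitivity(Enum):
    LOW = 1          # bounded blast radius, e.g. self-service recovery
    STANDARD = 2     # everyday business applications
    PRIVILEGED = 3   # admin consoles, secrets managers, cloud control planes

@dataclass
class Session:
    factors: set
    device_bound: bool = False                        # registered / managed device
    risky_signals: set = field(default_factory=set)   # constructed, e.g. {"new_device"}
    recovery_flow: bool = False                       # account recovery, not primary login

def evaluate(session: Session, sensitivity: Sensitivity) -> tuple:
    """Return (decision, reason); decision is one of allow, step_up, deny."""
    second = session.factors - {Factor.PASSWORD}
    resistant = bool(second & PHISHING_RESISTANT)
    if sensitivity is Sensitivity.PRIVILEGED:
        # Privileged paths: phishing-resistant proof on a registered device, nothing weaker.
        if not resistant:
            return "deny", "privileged access needs phishing-resistant MFA"
        if not session.device_bound:
            return "deny", "privileged access needs a registered device"
    elif not second:
        return "deny", "password only"
    elif second <= CHANNEL_BASED:
        # SMS/email count only for low-risk recovery, never as the sole approval elsewhere.
        if not (sensitivity is Sensitivity.LOW and session.recovery_flow):
            return "step_up", "channel-based factor only; require a stronger authenticator"
    if session.risky_signals:
        # Risky events always trigger re-verification, even on an otherwise strong session.
        return "step_up", "risky signals: " + ",".join(sorted(session.risky_signals))
    return "allow", "policy satisfied"
```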
NHIMG’s Ultimate Guide to NHIs frames this as an identity integrity problem, not just an authentication preference, because weak proof methods let attackers inherit trust after the first factor is stolen. These controls tend to break down in environments where password reset flows, help-desk recovery, or legacy SaaS portals still rely on email or SMS as the final approval step because those channels are often the easiest to hijack.
Common Variations and Edge Cases
Tighter authentication often increases friction, recovery complexity, and support burden, so organisations must balance resistance to interception against user and operational constraints. There is no universal standard for every workforce segment, but the strongest expectation is that privileged access should not depend on a factor that can be forwarded or phished in real time. For some low-risk consumer workflows, SMS may remain an acceptable step-up method, but that is a risk decision, not a security endorsement.
The edge cases usually appear in recovery and exception handling. If a user loses a device, a help desk that falls back to email links or SMS codes can undo the protection of a stronger primary factor. If shared mailboxes, forwarded inboxes, or legacy phone numbers are still in circulation, the second factor may be less trustworthy than the password it was meant to reinforce. The State of Secrets in AppSec is a reminder that organisations often underestimate how quickly attackers exploit weak trust paths once credentials or tokens are exposed.
Best practice is evolving toward phishing-resistant MFA for sensitive access, with SMS and email used only where the risk is clearly bounded and the recovery path is hardened. The practical test is simple: if an attacker can persuade, intercept, or reroute the factor without controlling the actual device or cryptographic authenticator, then it should not protect privileged actions.
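The recovery and mailbox edge cases above are also detectable after the fact. This added example (not from the original page or NHIMG) runs two correlation rules over a constructed JSON-lines audit feed: a privileged identity approved through a forwardable channel factor, and an email OTP accepted shortly after a forwarding rule appeared on the same mailbox. The event names, roles and field layout are assumptions, not a real product's schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events: identity-provider and mail-audit entries merged into one stream.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","user":"alice","role":"cloud-admin","event":"mfa_success","factor":"passkey"}
{"ts":"2024-05-01T09:05:00Z","user":"bob","role":"cloud-admin","event":"recovery_success","factor":"sms_otp"}
{"ts":"2024-05-01T09:40:00Z","user":"carol","role":"user","event":"mailbox_forward_rule_created","target":"ext-mail.example"}
{"ts":"2024-05-01T09:52:00Z","user":"carol","role":"user","event":"mfa_success","factor":"email_otp"}
{"ts":"2024-05-01T10:10:00Z","user":"dave","role":"user","event":"mfa_success","factor":"email_otp"}
"""

PRIVILEGED_ROLES = {"cloud-admin", "secrets-admin", "tenant-admin"}   # assumed role names
CHANNEL_FACTORS = {"sms_otp", "email_otp"}
FORWARD_WINDOW = timedelta(hours=24)   # how long a new forwarding rule taints email OTPs

def parse(log_text):
    """Parse JSON lines into dicts with datetime timestamps, oldest first."""
    events = [json.loads(line) for line in log_text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])

def detect(log_text):
    """Return alert tuples (rule, user, event, factor) for weak-factor trust paths."""
    alerts = []
    recent_forward = {}   # user -> time the last mailbox forwarding rule was created
    for e in parse(log_text):
        if e["event"] == "mailbox_forward_rule_created":
            recent_forward[e["user"]] = e["ts"]
            continue
        if e["event"] not in ("mfa_success", "recovery_success"):
            continue
        if e.get("factor") not in CHANNEL_FACTORS:
            continue   # passkeys, certificates and other non-channel factors are out of scope
        # Rule 1: a privileged identity was approved via SMS or email, in login or recovery.
        if e["role"] in PRIVILEGED_ROLES:
            alerts.append(("privileged_channel_factor", e["user"], e["event"], e["factor"]))
        # Rule 2: email OTP succeeded while a fresh forwarding rule could have diverted it.
        fwd = recent_forward.get(e["user"])
        if e["factor"] == "email_otp" and fwd and e["ts"] - fwd <= FORWARD_WINDOW:
            alerts.append(("email_otp_after_forwarding_rule", e["user"], e["event"], e["factor"]))
    return alerts
```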
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Weak second factors enable replay and account takeover of sensitive identities. |
| NIST SP 800-63 | AAL2 | SMS and email MFA are weaker authenticators than phishing-resistant options for sensitive access. |
| NIST CSF 2.0 | PR.AC-7 | Access enforcement should include stronger verification for privileged or risky sessions. |
Replace phishable MFA for privileged access with resistant, device-bound proof and shorter-lived session trust.
Related resources from NHI Mgmt Group
- What breaks when organisations rely on push notifications for sensitive access?
- What do organisations get wrong about MFA in remote access programmes?
- What breaks when organisations rely on passwords and OTPs for high-risk access?
- What breaks when organisations rely on MFA alone for digital interactions?