An attack pattern where a one-time passcode is captured and reused fast enough to complete authentication before it expires. The user still appears to have authenticated normally, but the resulting session belongs to the attacker, which makes detection harder and containment more urgent.
Expanded Definition
OTP relay is a real-time credential interception pattern in which an attacker captures a one-time passcode and immediately reuses it to satisfy an authentication challenge before the code expires. It is not a weakness in the OTP algorithm itself, but a failure mode in the surrounding authentication flow, phishing resistance, and session handling. In NHI and IAM environments, OTP relay most often appears when MFA is treated as a box-checking control rather than as a binding between the user, the device, and the session. Guidance varies across vendors, but the security principle is consistent: if the attacker can proxy the login conversation end to end, the OTP becomes a temporary bridge into a valid session, a risk the NIST Cybersecurity Framework 2.0 addresses as part of broader access protection.
For NHI Management Group, OTP relay is best understood as an authentication workflow abuse that defeats “something you know” plus “something you have” when the second factor is only a shared secret in motion. The most common misapplication is assuming OTP-based MFA is phishing-resistant when the login flow allows a live attacker to relay the code and obtain the authenticated session.
Examples and Use Cases
Implementing OTP-based authentication rigorously often introduces user friction and operational overhead, requiring organisations to weigh faster sign-in and broad compatibility against stronger resistance to real-time interception.
- A help desk user enters a code into a counterfeit login page, and the attacker immediately forwards it to the real service to finish authentication.
- An attacker uses a reverse-proxy phishing kit to relay the OTP to a cloud console, then steals the resulting session token for later access.
- A contractor signs into an internal portal with SMS OTP, but a SIM-swap or mobile interception event lets the attacker reuse the passcode before expiry.
- An organization reviewing service access after the Schneider Electric credentials breach treats OTP relay as a sign that the authentication path, not just the password, must be hardened.
- A zero trust rollout pairs OTP with device binding and session risk checks, reflecting the access-control emphasis in NIST Cybersecurity Framework 2.0 rather than relying on passcodes alone.
Why It Matters in NHI Security
OTP relay matters because it turns an apparently successful login into an attacker-controlled session, which can hide behind normal authentication logs and delay containment. In NHI environments, that delay is especially dangerous when the compromised session can access API keys, vaults, CI/CD tools, or cloud administration paths. NHIMG research shows that 79% of organisations have experienced secrets leaks, and 77% of those incidents caused tangible damage, which underscores how quickly a single relayed sign-in can become a broader secrets exposure event. The same research also reports that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, making weak session assurance a direct NHI governance issue. OTP relay is often the point where an authentication problem becomes an identity incident.
Practitioners should also note that OTP relay often evades initial detection because the login appears legitimate until downstream access behavior is examined. Stronger controls such as phishing-resistant MFA, conditional access, session binding, and continuous authentication reduce this exposure, but no single control eliminates it completely. Organisations typically encounter the consequences only after a valid session has been abused for lateral movement or secrets extraction, at which point addressing OTP relay is no longer optional.
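The difference between a relayable OTP and a challenge the attacker cannot complete, as an added Python model that is not part of this glossary entry: a minimal identity provider accepts password plus OTP and, optionally, a device assertion bound to the origin the user's browser is actually talking to. The server, the two origins, the user and the enrolled device key are constructed assumptions, and an HMAC with a pre-shared device key stands in for the asymmetric device key a WebAuthn-style authenticator would use.

```python
import hashlib, hmac, secrets

REAL_ORIGIN = "https://login.example.test"     # constructed: the genuine IdP
PHISH_ORIGIN = "https://login-example.test"    # constructed: attacker's reverse proxy
DEVICE_KEY = b"enrolled-device-key"            # constructed: provisioned at enrollment

class Server:
    """Minimal IdP: password, then OTP, optionally plus an origin-bound device assertion."""
    def __init__(self, require_device_assertion, otp_ttl=30):
        self.require = require_device_assertion
        self.otp_ttl = otp_ttl
        self.device_keys = {"alice": DEVICE_KEY}   # user -> enrolled device key
        self.pending = {}                          # user -> (otp, nonce, issued_at)
        self.sessions = {}                         # session token -> user

    def start_login(self, user, password_ok, now):
        if not password_ok or user not in self.device_keys:
            return None
        otp = f"{secrets.randbelow(10**6):06d}"
        nonce = secrets.token_hex(16)
        self.pending[user] = (otp, nonce, now)
        return otp, nonce   # OTP goes to the user out of band; nonce goes to the client

    def finish_login(self, user, otp, assertion, now):
        expected_otp, nonce, issued_at = self.pending.pop(user, (None, None, 0))
        if expected_otp is None or now - issued_at > self.otp_ttl:
            return None
        if not hmac.compare_digest(otp, expected_otp):
            return None
        if self.require:
            # The assertion must cover the nonce AND the origin this server owns,
            # so a signature produced against a look-alike origin does not verify.
            msg = f"{nonce}|{REAL_ORIGIN}".encode()
            expected = hmac.new(self.device_keys[user], msg, hashlib.sha256).digest()
            if assertion is None or not hmac.compare_digest(assertion, expected):
                return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

def device_assert(key, nonce, origin_seen):
    """The user's device signs the challenge together with the origin it is actually talking to."""
    return hmac.new(key, f"{nonce}|{origin_seen}".encode(), hashlib.sha256).digest()

def login_via(server, origin_seen, now=0):
    """One login; with PHISH_ORIGIN the proxy forwards password, OTP and assertion to the real IdP."""
    otp, nonce = server.start_login("alice", password_ok=True, now=now)
    assertion = device_assert(DEVICE_KEY, nonce, origin_seen) if server.require else None
    return server.finish_login("alice", otp, assertion, now + 5)  # well inside the OTP TTL
```

With plain OTP the relayed login succeeds and the attacker holds the session; with the origin-bound assertion the same relay fails even though the code itself was correct and fresh.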
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Agentic AI Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Agentic AI Top 10 | | Agentic flows must resist real-time credential relay and session hijack. |
| NIST CSF 2.0 | PR.AC | Access protection and session assurance address phishing and OTP relay risk. |
| NIST Zero Trust (SP 800-207) | SA-1 | Zero trust requires continuous verification beyond a one-time code. |
Bind sessions to device and context so a relayed OTP does not grant durable trust.