Passwords and SMS are high-risk because they depend on shared secrets or interceptable delivery channels. Attackers can steal, relay, or redirect them through phishing proxies, SIM swaps, and social engineering. In banking, that means the attacker does not need to break cryptography, only the trust path surrounding the credential exchange.
Why This Matters for Security Teams
Passwords and SMS-based MFA remain high-risk in banking because they protect the account at the weakest part of the trust chain: the human-readable secret and the phone network. Attackers do not need to defeat encryption when phishing kits, relay proxies, SIM swaps, and helpdesk social engineering can redirect the session or capture the one-time code. The problem is not just authentication, but recovery, enrolment, and account takeover paths that sit around it.
This is why modern guidance increasingly treats password-plus-SMS as a legacy control rather than a durable assurance layer. NIST's Cybersecurity Framework 2.0 emphasises risk-based protection outcomes, while NHIMG's Ultimate Guide to NHIs — Why NHI Security Matters Now shows how trust-boundary failures persist when identity proofing and secret handling are treated as routine plumbing instead of attack surfaces. In banking, that distinction matters because account opening, password reset, and MFA fallback flows are often more valuable to an attacker than the login itself. In practice, many security teams encounter account takeover only after fraud has already traversed the recovery channel, rather than through deliberate testing of the authentication stack.
How It Works in Practice
The risk becomes concrete when a bank relies on shared secrets that can be replayed, intercepted, or socially engineered. Passwords are frequently reused, phished, or guessed through credential stuffing. SMS codes add only a thin second factor: the code is short-lived, but a real-time phishing proxy relays it to the bank before it expires, and the delivery channel itself is exposed to SIM swap, number port-out fraud, malware on the handset, and message interception. Nothing in an SMS code binds it to the site the customer is actually talking to, which is what "phishing-resistant" means in practice. For banking, that makes SMS better than nothing, but not resilient enough for high-value transactions or step-up access.
Current guidance suggests moving toward phishing-resistant controls and stronger session binding. That means:
- Replacing passwords with passkeys or other phishing-resistant authenticators where feasible.
- Using app-based or hardware-backed authenticators instead of SMS for step-up verification, noting that a plain app-generated TOTP code can still be relayed by a phishing proxy: it closes the SIM-swap path, not the phishing path.
- Applying risk-based checks at login, transaction approval, and recovery, not just at sign-in.
- Hardening helpdesk workflows so identity proofing cannot be bypassed by social engineering.
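The relay problem behind the list above can be made concrete. The following is an added example, not code from this page, NHIMG or NIST: it simulates an adversary-in-the-middle proxy against two bank verifiers, one checking an SMS one-time code and one checking an origin-bound assertion in the WebAuthn/passkey shape. The bank, the origins `bank.example` and `bank-example-login.com`, and the users are constructed; HMAC-SHA256 with a per-credential shared key stands in for the ECDSA signature a real authenticator produces, which does not change the property being shown (the signed data commits to the origin the browser saw).

```python
import hashlib
import hmac
import json
import os
import secrets

BANK_ORIGIN = "https://bank.example"              # constructed relying-party origin
PHISH_ORIGIN = "https://bank-example-login.com"   # constructed phishing-proxy origin
RP_ID = "bank.example"


class OtpBank:
    """Verifier for password + SMS one-time code. It only ever sees the code."""

    def __init__(self):
        self.pending = {}

    def send_sms_code(self, user):
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[user] = code
        return code                                # "delivered" to the handset

    def login(self, user, code):
        # Nothing in the code says which web page the user typed it into,
        # so any holder of a fresh code is accepted.
        return self.pending.pop(user, None) == code


def otp_relay_attack(bank, victim):
    """Adversary-in-the-middle: the victim types the SMS code into the phishing
    page and the proxy forwards it to the real bank before it expires."""
    code_on_phone = bank.send_sms_code(victim)
    code_typed_into_phish_page = code_on_phone     # victim is fooled by the page
    return bank.login(victim, code_typed_into_phish_page)


class PasskeyBank:
    """Verifier for an origin-bound assertion laid out like WebAuthn."""

    def __init__(self):
        self.keys = {}
        self.challenges = {}

    def register(self, user):
        # A real RP stores the credential's public key; a shared HMAC key is
        # the stand-in used in this example (assumption).
        self.keys[user] = os.urandom(32)
        return self.keys[user]

    def begin_login(self, user):
        self.challenges[user] = secrets.token_urlsafe(32)
        return self.challenges[user]

    def finish_login(self, user, client_data_json, auth_data, signature):
        challenge = self.challenges.pop(user, None)       # single use
        client_data = json.loads(client_data_json)
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        expected_sig = hmac.new(self.keys[user], signed, hashlib.sha256).digest()
        return (
            client_data.get("type") == "webauthn.get"
            and client_data.get("challenge") == challenge
            and client_data.get("origin") == BANK_ORIGIN     # origin binding
            and auth_data[:32] == hashlib.sha256(RP_ID.encode()).digest()
            and hmac.compare_digest(signature, expected_sig)
        )


def authenticator_sign(cred_key, challenge, origin_seen_by_browser):
    """Browser + authenticator side. The browser, not the user, writes the
    origin into clientDataJSON, so a user on a phishing page cannot produce
    client data that names the bank."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin_seen_by_browser},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash || flags (UP set) || signCount
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data_json).digest()
    return client_data_json, auth_data, hmac.new(cred_key, to_sign, hashlib.sha256).digest()


def passkey_relay_attack(bank, victim, cred_key):
    """Same proxy, same relay. A real browser would refuse to sign at all because
    RP_ID is not a registrable suffix of the phishing origin; the server-side
    origin check exercised here is the second line of defence."""
    challenge = bank.begin_login(victim)
    return bank.finish_login(victim, *authenticator_sign(cred_key, challenge, PHISH_ORIGIN))


def passkey_login(bank, victim, cred_key):
    challenge = bank.begin_login(victim)
    return bank.finish_login(victim, *authenticator_sign(cred_key, challenge, BANK_ORIGIN))


def run_demo():
    otp, pk = OtpBank(), PasskeyBank()
    key = pk.register("alice")
    return {
        "sms_otp_relayed": otp_relay_attack(otp, "alice"),        # True: relay succeeds
        "passkey_legit": passkey_login(pk, "alice", key),          # True
        "passkey_relayed": passkey_relay_attack(pk, "alice", key), # False: origin mismatch
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the contrast is that the OTP verifier never learns where the code was entered, while the assertion verifier rejects a cryptographically valid signature because the signed client data names the wrong origin. That is the whole difference between "strong" and "phishing-resistant".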
NHIMG’s Top 10 NHI Issues is useful here because the same failure pattern appears in machine identity abuse: once a secret or recovery path is exposed, attackers do not need to break the primary control again. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks reinforces that lifecycle weaknesses, not just login weaknesses, create durable exposure. In a banking environment with legacy core systems, outsourced call centres, and SMS fallback for customer recovery, these controls tend to break down wherever operational convenience overrides step-up assurance, because the weakest workflow becomes the easiest fraud path.
Common Variations and Edge Cases
Tighter authentication often increases customer friction and support burden, requiring organisations to balance fraud reduction against account recovery success and accessibility. That tradeoff is real, especially for customers without reliable device access or for high-fraud geographies where step-up checks can create abandonment.
Best practice is evolving and there is no single universal standard for this yet, although NIST SP 800-63B already classes SMS out-of-band codes as a restricted authenticator; the direction is clear: high-risk banking actions deserve stronger assurance than SMS can provide. Some banks still use SMS as a fallback for low-value notifications or during initial migration, while reserving stronger authenticators for payments, beneficiary changes, and device enrolment. That can be acceptable if the SMS path is tightly scoped and continuously monitored.
The main edge cases are legacy customers, shared devices, and recovery journeys. Those flows often resist immediate change because they are entangled with operations, not just security policy. For that reason, banks should treat SMS as a transitional control, document where it is still permitted, and measure the fraud loss associated with each exception. NHIMG’s The State of Secrets in AppSec shows how security confidence can outpace real control quality; that same gap appears in authentication programs when teams assume an OTP equals strong assurance. Current guidance suggests the safest path is to minimise SMS exposure, enforce phishing-resistant authentication for sensitive actions, and keep recovery as strict as login.
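As an added example (not from the original page) of what "tightly scoped and continuously monitored" looks like in practice, the script below runs two checks over a constructed account-activity log. The first flags the takeover chain the text describes, a phone-number change followed within 24 hours by an SMS-authorised recovery and then a high-risk action, while leaving alone a customer who changed their number and recovered days later. The second attributes confirmed fraud loss to each high-risk action that still permits SMS, so every documented exception carries a number. The event names, channel labels, window and sample rows are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECOVERY_EVENTS = {"password_reset", "mfa_reset"}
HIGH_RISK_EVENTS = {"add_beneficiary", "payment", "enrol_device"}

# Constructed sample log for this example:
# (timestamp, account, event, channel that authorised it, amount, fraud_confirmed)
SAMPLE_LOG = [
    ("2024-05-01T09:00:00", "acct-1", "login", "password+sms", 0, False),
    ("2024-05-01T09:02:00", "acct-1", "payment", "passkey", 250, False),
    ("2024-05-02T13:10:00", "acct-2", "phone_number_change", "helpdesk", 0, True),
    ("2024-05-02T13:25:00", "acct-2", "password_reset", "sms", 0, True),
    ("2024-05-02T13:31:00", "acct-2", "add_beneficiary", "sms", 0, True),
    ("2024-05-02T13:33:00", "acct-2", "payment", "sms", 4800, True),
    ("2024-05-03T08:00:00", "acct-3", "phone_number_change", "app", 0, False),
    ("2024-05-06T10:00:00", "acct-3", "password_reset", "sms", 0, False),
    ("2024-05-06T10:05:00", "acct-3", "payment", "passkey", 60, False),
    ("2024-05-07T11:00:00", "acct-4", "payment", "sms", 900, True),
]


def parse_log(rows):
    """Turn the tuple rows into dicts sorted by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "account": acct, "event": ev,
         "channel": ch, "amount": amt, "fraud": fraud}
        for ts, acct, ev, ch, amt, fraud in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


def recovery_chains(events, window=timedelta(hours=24)):
    """Flag accounts where a phone-number change is followed, within `window`,
    by an SMS-authorised recovery and then a high-risk action.
    Returns (account, time of phone change, first high-risk event) tuples."""
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    hits = []
    for acct, evs in by_account.items():
        for i, change in enumerate(evs):
            if change["event"] != "phone_number_change":
                continue
            later = [x for x in evs[i + 1:] if x["ts"] <= change["ts"] + window]
            recovery = next((x for x in later
                             if x["event"] in RECOVERY_EVENTS and x["channel"] == "sms"), None)
            if recovery is None:
                continue
            action = next((x for x in later
                           if x["ts"] > recovery["ts"] and x["event"] in HIGH_RISK_EVENTS), None)
            if action is not None:
                hits.append((acct, change["ts"], action["event"]))
    return hits


def sms_exception_losses(events):
    """Per high-risk action still allowed over SMS: how often the exception was
    used and how much confirmed fraud it carried. Actions with no SMS use are absent."""
    out = defaultdict(lambda: {"sms_uses": 0, "fraud_cases": 0, "fraud_loss": 0})
    for e in events:
        if e["event"] in HIGH_RISK_EVENTS and e["channel"] == "sms":
            row = out[e["event"]]
            row["sms_uses"] += 1
            if e["fraud"]:
                row["fraud_cases"] += 1
                row["fraud_loss"] += e["amount"]
    return dict(out)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for acct, when, action in recovery_chains(evs):
        print(f"ALERT {acct}: phone change at {when:%Y-%m-%d %H:%M} -> SMS recovery -> {action}")
    for action, stats in sorted(sms_exception_losses(evs).items()):
        print(f"{action}: {stats}")
```

Run against the sample, only `acct-2` trips the chain detector; `acct-3` changed its number and recovered three days later, outside the window. The loss table shows `payment` as the SMS exception carrying all the confirmed loss, which is the evidence a bank needs to close that exception first.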
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described above.
NIST CSF 2.0 and NIST SP 800-63B supply the governance outcomes and authenticator requirements practitioners are measured against.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Identity and authentication risks in banking map directly to the Identity Management, Authentication, and Access Control outcomes. |
| NIST CSF 2.0 | PR.AA-02 | Identities are proofed and bound to credentials; this covers the enrolment, helpdesk and recovery flows where SIM-swap and social-engineering attacks land. |
| NIST CSF 2.0 | PR.AA-03 | Users, services, and hardware are authenticated (successor to CSF 1.1 PR.AC-7); authentication strength should match the risk of the transaction. |
| NIST SP 800-63B | AAL2 / restricted authenticators | Out-of-band authentication over the PSTN (SMS or voice) is a restricted authenticator: it can still count toward AAL2 subject to added risk assessment and subscriber notice, and it does not meet AAL3, which requires a hardware-based, verifier-impersonation-resistant authenticator. |
Use PR.AA to require stronger authentication for login, recovery, and high-risk banking actions.