It becomes weaker when organisations treat it as the only gate for privileged access, account recovery, or high-value transactions. At that point, fraud, SIM swap exposure, and delivery dependency can outweigh the convenience benefits.
Why This Matters for Security Teams
Phone-based OTP is often adopted as a practical compromise, but it changes the risk profile rather than eliminating it. For low-friction consumer sign-ins, it can still improve over passwords alone. For privileged access, recovery workflows, or payment approval, however, the threat model shifts: delivery becomes a dependency, SIM swap fraud becomes a viable attack path, and attackers only need to intercept one code to bypass an otherwise weak gate. That is why current guidance increasingly treats OTP as a step-up factor, not a stand-alone control. The NIST Cybersecurity Framework 2.0 frames authentication as part of broader resilience, not a silver bullet. NHIMG research shows the same pattern in identity failures: Ultimate Guide to NHIs — Why NHI Security Matters Now notes that 79% of organisations have experienced secrets leaks, with 77% causing tangible damage, which is a reminder that the weakest authentication path usually becomes the one attackers target first. In practice, many security teams discover OTP weakness only after recovery abuse or account takeover has already occurred, rather than through intentional control testing.
How It Works in Practice
The key question is not whether OTP works, but where it sits in the access journey. Phone-based OTP reduces risk when it is one factor among stronger controls, with low-value or low-impact use cases and clear fallback handling. It increases risk when it becomes a single point of failure for high-impact actions, especially where the phone number itself is the recovery anchor. Attackers can exploit telecom processes, social engineering, forwarded SMS, handset malware, or support desk resets to capture the code and pivot into the account.
A better design separates authentication strength from business impact:
- Use OTP only for limited-risk, low-sensitivity access paths.
- Avoid SMS or voice OTP for privileged admin access and recovery.
- Require phishing-resistant factors for high-risk actions, such as FIDO2-based authenticators.
- Treat account recovery as a distinct high-risk flow with stronger verification than normal login.
- Log and review OTP failures, device changes, number porting events, and recovery requests together.
The Top 10 NHI Issues and Ultimate Guide to NHIs both reinforce a broader identity lesson: when credentials or second factors are easy to intercept, operational convenience can hide systemic exposure. In practice, these controls tend to break down when telecom-dependent recovery is allowed to unlock privileged workflows because attackers target the recovery chain, not the login screen.
Common Variations and Edge Cases
Tighter authentication often increases user friction and support overhead, so organisations have to balance resilience against usability and transaction abandonment. That tradeoff is real, and best practice is evolving rather than fully settled for every environment. For example, some consumer-facing systems may still use phone OTP as a transitional control, but current guidance suggests phasing it down wherever phishing-resistant authentication is feasible.
Edge cases matter:
- Shared phones, recycled numbers, and roaming users increase delivery ambiguity.
- Step-up OTP can be acceptable for a low-risk session change, but not for root access or funds transfer approval.
- Backup codes and recovery SMS may become the true attack surface if they are less protected than the primary factor.
- In regulated environments, the control question is often whether OTP materially reduces risk or merely satisfies a checkbox.
For governance teams, the practical test is simple: if losing a phone number can unlock account recovery, then OTP is no longer a meaningful second factor for that workflow. The safer pattern is to align authentication strength to impact, and to use OWASP NHI Top 10 thinking when identity paths touch automation, delegated access, or agentic workflows, where compromise can propagate faster than a human can intervene.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | Authentication assurance is the core issue when OTP is overused for high-impact access. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Weak credential and recovery handling is a common path to identity compromise. |
| NIST AI RMF | GOVERN | AI and automation governance must account for risky identity recovery and escalation paths. |
Eliminate recovery flows that rely on easily intercepted factors or stale trust signals.
Related resources from NHI Mgmt Group
- Why do bearer tokens create more risk than directory-based IAM records?
- When does context-based provisioning create more risk than it reduces?
- When does certificate-based authentication create more risk than it reduces?
- When does graph-based authorization create more operational risk than it reduces?