Accountability sits across mobile operations, identity governance, and fraud detection. The mobile team owns device policy, the IAM team owns authentication assurance, and the security team owns correlation and response. If OTP interception is possible, then SMS should not be treated as a strong factor for high-risk access decisions.
Why This Matters for Security Teams
OTP theft is not just a mobile problem or a help desk problem. It is an identity assurance failure that crosses device trust, authentication policy, fraud telemetry, and incident response. When a compromised phone can receive one-time codes, the organisation has usually overestimated SMS as a factor and underestimated how quickly an attacker can turn a stolen session into account takeover. Current guidance increasingly treats SMS OTP as a weak recovery or step-up mechanism for high-risk access, especially where phishing or malware can intercept the code.
For NHI Management Group, the important lesson is that account takeover is often enabled by weak assurance at the edge of identity, not by a single broken control in the middle. The same pattern shows up in NHI compromise research, where secrets and credentials remain usable long after they should have been revoked. The Ultimate Guide to NHIs — Why NHI Security Matters Now notes that 91.6% of secrets remain valid five days after notification, which is a reminder that delayed revocation turns one compromise into many. In practice, many security teams encounter OTP abuse only after fraud has already been observed, rather than through intentional control testing.
How It Works in Practice
Accountability should be mapped to the control point, not the victim event. The mobile operations team is accountable for device posture, jailbreak or root detection, secure app configuration, and whether the phone can reliably protect local credentials. The IAM team is accountable for whether SMS OTP is permitted for the relevant risk tier, whether step-up requirements are strong enough, and whether account recovery methods are resistant to interception. The security team is accountable for detection logic, correlation across device, identity, and session signals, and escalation when an OTP is delivered to a device that should no longer be trusted.
That division becomes operational only when policy is explicit. Best practice is evolving toward context-aware authentication, where the decision is based on device trust, location, session history, and transaction risk at the moment of access. For high-risk workflows, that means moving away from SMS toward phishing-resistant authenticators and stronger recovery paths. The 52 NHI Breaches Analysis reinforces the broader pattern that compromise tends to persist when ownership of credentials and revocation is unclear. External guidance from the Anthropic AI-orchestrated cyber espionage campaign report also shows how quickly automated abuse can chain access once a foothold exists.
- Define SMS OTP as a low-assurance factor for recovery, not a trusted primary control for sensitive access.
- Bind authentication decisions to device risk and session context, not just possession of a phone number.
- Escalate to phishing-resistant MFA for privileged, financial, and administrative actions.
- Correlate mobile telemetry, identity logs, and fraud signals to detect OTP interception patterns.
These controls tend to break down in BYOD environments with weak mobile management and fragmented logging, because the organisation cannot prove whether the phone, the SIM, or the session was compromised first.
Common Variations and Edge Cases
Tighter authentication policy often increases user friction and support cost, requiring organisations to balance account security against recovery speed and business continuity. That tradeoff is real, especially when a lost phone, SIM swap, or inaccessible authenticator can strand legitimate users.
There is no universal standard for this yet, but current guidance suggests several edge-case rules. If the phone is unmanaged, SMS should not be used for privileged access at all. If the phone is corporate-owned but rooted, the device should be treated as untrusted until remediated. If an OTP arrives on a device that has recently failed posture checks, the event should be treated as a possible compromise even if the login succeeds. For sensitive environments, recovery workflows should require stronger verification than the original login path.
This is also where ownership can blur. Fraud teams may spot unusual access first, but they cannot remediate device trust alone. IAM can block the factor, but cannot investigate the handset. Mobile operations can quarantine the device, but cannot decide whether the account should be reset. The practical answer is a shared incident path with a single accountable owner for the case and clearly assigned technical owners for each control. That approach is consistent with the broader NHI governance lessons in the The 52 NHI breaches Report and with the operational visibility emphasis in the Ultimate Guide to NHIs — Why NHI Security Matters Now.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | Addresses authentication mechanisms and trust decisions for account access. |
| NIST AI RMF | GOVERN | Requires clear accountability for identity risk and response ownership. |
| NIST Zero Trust (SP 800-207) | PA-14 | Supports context-aware, per-request trust evaluation instead of static factor trust. |
Assign ownership for mobile, IAM, and fraud decisions in a documented escalation path.
Related resources from NHI Mgmt Group
- Who is accountable when a compromised business account is used for ad fraud or SSO pivoting?
- Who is accountable when a compromised account is used to cause harm?
- Who is accountable when a compromised official account is used for fraud or surveillance?
- Who is accountable when stolen identities are used to exfiltrate data through SaaS?