Subscribe to the Non-Human & AI Identity Journal

Why do SMS and email one-time passcodes create governance risk?

They create governance risk because they are easy to over-depend on, even when stronger options are available. In practice, they can be difficult to govern consistently across regions, devices, and recovery scenarios. They also make it harder to enforce risk-based step-up policies, which means the organisation may believe it has MFA coverage when control quality is still uneven.

Why This Matters for Security Teams

SMS and email one-time passcodes often start as a fallback control, then quietly become the default second factor for broad user populations. That creates governance risk because the organisation is no longer managing a strong, consistent assurance model. It is managing a delivery channel that varies by carrier, mailbox hygiene, recovery process, and user behaviour. NIST’s Cybersecurity Framework 2.0 emphasises governed, repeatable outcomes, not merely the appearance of coverage.

For NHIs and higher-risk workflows, the same pattern appears in credential lifecycle failures documented in NHIMG research such as Top 10 NHI Issues and the Ultimate Guide to NHIs — Regulatory and Audit Perspectives: controls are frequently adopted for convenience, then inherited across environments where the original assumptions no longer hold. In practice, many security teams discover OTP governance gaps only after an account recovery event, SIM-swap attempt, or regional exception has already weakened assurance.

How It Works in Practice

OTP risk is not just about code strength. It is about the control plane around issuance, delivery, recovery, and exception handling. A code sent by SMS or email may satisfy a basic MFA policy, but it does not necessarily provide consistent phishing resistance, device binding, or robust proof of possession. That is why current guidance increasingly favours stronger methods for sensitive access, as reflected in identity governance discussions across NIST CSF 2.0 and NHIMG’s Lifecycle Processes for Managing NHIs.

In practice, mature programmes usually separate OTP use into tightly defined scenarios:

  • low-risk account recovery, with additional verification and short-lived recovery windows
  • step-up authentication for limited transactions, not routine workforce access
  • temporary bridge control while stronger authenticators are enrolled
  • regional exceptions where supported methods are not yet uniformly available

Governance becomes stronger when teams document when OTP is allowed, when it is prohibited, who can approve exceptions, and what telemetry proves it was actually used. That includes logging delivery failures, repeated fallback usage, and cases where email access depends on the same account being protected. The problem is not only that OTP can be intercepted; it is that the organisation can no longer prove it is enforcing one consistent standard. This guidance tends to break down in highly distributed environments where device ownership, telecom coverage, and identity recovery processes vary by country and business unit.

Common Variations and Edge Cases

Tighter authentication controls often increase user friction and helpdesk load, requiring organisations to balance stronger assurance against operational continuity. That tradeoff is especially visible when email or SMS OTP remains the only universally available option for contractors, legacy applications, or emergency access. In those cases, the best practice is evolving rather than settled.

For some organisations, SMS or email OTP may remain acceptable for low-risk recovery paths, but not for privileged access, finance approvals, or administrative actions. For others, the real issue is not the OTP channel itself but the absence of policy control, such as no restriction on repeated fallback use or no mandatory re-enrolment after phone-number changes. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks highlights the broader pattern: controls that are easy to deploy are often the hardest to govern once they become business-critical.

Where risk is highest, the safer model is to treat OTP as transitional, then push toward stronger authenticators with explicit policy, audit evidence, and exception expiry. That becomes especially important when attacker behaviour changes faster than policy review cycles, because a fallback factor can look acceptable on paper long after it has become the weakest path into the environment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST AI RMF and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-7 Addresses identity assurance and access control consistency across channels.
NIST SP 800-63 Defines digital identity assurance and authenticator lifecycle expectations.
OWASP Non-Human Identity Top 10 NHI-03 Fallback auth paths increase governance risk for identity lifecycle and recovery.
NIST AI RMF GOVERN Governance requires documented policy and accountability for fallback authentication.
NIST Zero Trust (SP 800-207) AC-3 Zero trust requires stronger, context-aware access decisions than simple OTP coverage.

Limit OTP to approved scenarios and verify that fallback paths meet documented assurance levels.