They rely on channels that are easier to intercept, redirect, or recover than the account being protected. If an attacker can take over the phone number or mailbox, the second step becomes weak evidence rather than strong assurance. For regulated systems, that gap is enough to justify stronger factors.
Why This Matters for Security Teams
SMS and email OTP are often treated as “good enough” because they add a second step, but for high-assurance access the real question is not whether a code exists, it is whether the channel delivering that code is harder to compromise than the account itself. In practice, the answer is often no. Phone numbers can be ported, inboxes can be reset, and both channels are exposed to phishing, session theft, and help desk abuse.
That is why NIST SP 800-63 Digital Identity Guidelines distinguishes between authenticator assurance and simple possession checks. For security teams, the issue is amplified by downstream impact: once an attacker crosses the login boundary, they can reach secrets, admin consoles, and toolchains that were never designed for user-channel recovery. NHIMG research on the Ultimate Guide to NHIs shows how identity weak points become operational failures when access paths are too easy to reroute.
In practice, many security teams encounter OTP weakness only after an account recovery flow has already been abused, rather than through intentional assurance testing.
How It Works in Practice
High-assurance access depends on whether the factor resists interception, replay, and recovery abuse under real attacker pressure. SMS and email OTP fall short because the secret is delivered through a channel that is outside the protected transaction. If the attacker can redirect the number, compromise the mailbox, hijack a session, or coerce support into a reset, the code becomes a short-lived bypass rather than a strong proof of identity.
Current guidance suggests treating OTP as a convenience layer, not a top assurance factor, for regulated or high-impact systems. A stronger pattern is to pair workload and human identity controls with phishing-resistant authenticators, explicit reauthentication for sensitive actions, and policy checks at the moment of access. The relevant control logic should reflect the request context, not just the presence of a code. That is consistent with OWASP Non-Human Identity Top 10 and NIST SP 800-53 Rev 5 Security and Privacy Controls, which emphasize access control, authentication strength, and recovery path hardening.
- Use phishing-resistant MFA for privileged and regulated access.
- Separate account recovery from primary authentication, with stricter review.
- Limit OTP use to lower-risk workflows where channel compromise is less material.
- Monitor for SIM swap, mailbox takeover, and help desk override patterns.
- Require step-up checks for admin actions, not just at login.
NHIMG’s 52 NHI Breaches Analysis repeatedly shows that weak identity recovery and exposed credentials turn a single login weakness into broader environment compromise. These controls tend to break down when legacy help desk processes can override identity proofing because the recovery path becomes the easiest attack path.
Common Variations and Edge Cases
Tighter authentication often increases user friction and support overhead, requiring organisations to balance assurance against operational speed. That tradeoff is real, especially where mobile coverage is poor, contractors rotate frequently, or legacy systems cannot yet support modern authenticators. There is no universal standard for this yet, but best practice is evolving toward risk-based, phishing-resistant methods for privileged users and sensitive workflows.
SMS OTP may still appear in low-risk consumer journeys, but it is a weak choice for admin access, financial approvals, clinical systems, and anything that can trigger secrets exposure or lateral movement. Email OTP is usually even less suitable because mailbox compromise often follows the same phishing and password-reset paths as the protected account. For organisations with agentic or machine-driven workflows, the concern extends further: once an identity is used to unlock tokens, API keys, or administrative tools, the blast radius is no longer limited to a single user session. NHIMG’s DeepSeek breach and Microsoft SAS Key Breach illustrate how quickly exposed credentials can be operationalised once trust is misplaced.
For organisations that must keep OTP temporarily, the safer approach is to constrain it with short lifetimes, strict recovery controls, and explicit risk signalling, while planning a migration to stronger factors. Security teams should treat OTP as transitional, not as the endpoint for high-assurance access.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST SP 800-63, NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | AAL2 | Defines assurance levels and why SMS/email OTP is insufficient for high-risk access. |
| NIST CSF 2.0 | PR.AC-7 | Supports stronger authentication for users, devices, and services. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Highlights weak identity assurance and recovery paths that enable compromise. |
| CSA MAESTRO | IAM-01 | Requires strong identity and access controls for autonomous and machine-driven access. |
| NIST AI RMF | GOVERN | Assurance decisions for AI-enabled or automated access need accountable governance. |
Use phishing-resistant auth and runtime policy for any workflow that can invoke sensitive actions.