TL;DR: Prove’s analysis of 385,000 retroactive SMS and voice OTP transactions found 10% over non-fixed VoIP lines, 2.5% of mobile MFA transactions with low Trust Score, and 5% with low SIM tenure, with FinTech and e-commerce showing elevated fraud exposure. The lesson is that consumer MFA still depends on identity evidence quality, not just additional factors.
At a glance
What this is: This analysis examines consumer MFA fraud risk and finds that weak phone and SIM signals can undermine OTP-based authentication at scale.
Why it matters: It matters because consumer identity assurance, fraud controls, and step-up authentication all depend on signal quality, not merely the presence of MFA factors.
By the numbers:
- 10% of multi-factor authentication transactions were over Non-Fixed VoIP lines.
- 2.5% of mobile MFA transactions were found to have low Trust Score.
- 5% of mobile MFA transactions were found to have low SIM tenure.
👉 Read Prove Identity’s analysis of consumer MFA vulnerabilities and fraud risk
Context
Consumer MFA is only as strong as the phone, SIM, and behavioural signals behind it. When OTP delivery and phone identity checks are weak, attackers do not need to break the factor itself, only the confidence model that decides whether the transaction should be trusted.
For IAM, fraud, and customer identity teams, this is a governance problem as much as an authentication problem. Consumer journeys that rely on SMS or voice OTP must account for phone number provenance, SIM swap exposure, and the limits of static enrolment data, especially in sectors where account abuse rises fast during peak activity.
Key questions
Q: How should security teams handle low-trust phone signals in consumer MFA?
A: Security teams should use phone intelligence, SIM tenure, and number-history checks to decide whether a challenge should proceed. OTP can still be useful, but it should sit inside a risk decision that can block, step up, or redirect the flow when the phone path looks inconsistent or recently compromised.
Q: Why do SMS and voice OTPs still fail against fraud?
A: They verify reachability, not identity confidence. Attackers exploit recycled numbers, non-fixed VoIP lines, and SIM swaps to satisfy the factor while bypassing the real trust assumption. That is why OTP-only MFA performs poorly when fraudsters control the communication path.
Q: What do fraud teams get wrong about MFA assurance?
A: They often treat a successful second factor as proof of legitimacy. In practice, the second factor may only show that a message reached a device or number, not that the device belongs to the right person or that the session is safe.
Q: When should organisations step up beyond SMS-based verification?
A: They should step up whenever the contact channel has short SIM tenure, unusual line type, recent number changes, or other signs of weak trust. Those conditions indicate that the authentication path is fragile and may not support high-value or high-risk transactions.
Technical breakdown
Why SMS and voice OTPs fail as trust signals
SMS and voice OTPs verify possession of a reachable phone path, not the true assurance of the identity behind it. Non-fixed VoIP numbers, recycled numbers, and recent SIM swaps weaken the assumption that a successful OTP means a legitimate user. That gap is especially important in consumer IAM because fraudsters target the channel, not just the account. Risk-based authentication tries to add context, but its value depends on the quality of the underlying phone and device signals. If those signals are stale or spoofable, the factor can still be valid while the identity is not.
Practical implication: Treat OTP as one signal in a broader risk decision, not as a standalone trust event.
SIM tenure and phone intelligence as fraud controls
SIM tenure measures how long a SIM has been active in a device, and short tenure can indicate recent swap activity or a fresh identity foothold. Phone intelligence combines line type, number history, and behavioural context to score whether a transaction looks consistent with a real customer. In consumer fraud programmes, this shifts authentication from simple challenge-response to evidence weighting. The key technical point is that fraudsters often exploit the gap between enrolment and use, especially when credentials or contact details are newly changed.
Practical implication: Add SIM age and phone intelligence to step-up decisions wherever account takeover or synthetic identity risk is material.
Sector risk concentration in FinTech and e-commerce
The study’s sector split shows that fraud pressure is not distributed evenly. FinTech and e-commerce face higher-value accounts, faster monetisation, and more frequent account recovery abuse, so weak MFA checks create a bigger downstream loss window. In those environments, authentication controls must be aligned with transaction value and abuse patterns. A one-size-fits-all MFA policy underestimates how attackers mix credential stuffing, social engineering, and phone-based compromise to move from login to loss. The technical issue is not authentication alone, but the trust model that sits around it.
Practical implication: Prioritise stronger authentication telemetry and tighter recovery checks in sectors with high fraud pressure.
NHI Mgmt Group analysis
Consumer MFA depends on trust in the identity signal, not just the second factor: OTP success does not mean the user is legitimate when the phone number, SIM, or line type is weak. Non-fixed VoIP and recently swapped SIMs show that the authentication event can be technically valid while the identity assurance is not. Practitioners should treat phone trust as a first-class control surface, not a supporting detail.
Trust score gaps create a measurable fraud blind spot: When low-confidence transactions are accepted, the programme is no longer making a strong identity decision, only completing a delivery workflow. The article’s data shows that a small share of suspicious transactions can hide a large amount of downstream abuse. The implication is that customer authentication needs risk signals with enough resolution to separate reachability from legitimacy.
Phone identity governance is now part of consumer IAM: MFA programmes increasingly depend on lifecycle questions that look a lot like NHI governance, including enrolment provenance, reassignment risk, and revocation after number change. The same governance logic that applies to non-human identities also applies when a customer’s contact channel becomes the access path. Identity teams should stop treating phone-based trust as a narrow fraud feature.
Channel assurance is a shared control problem across IAM and fraud: Security, fraud, and identity teams often measure different outcomes, but attackers only need one weak channel to succeed. The higher-risk sectors in the study show why authentication design cannot be isolated from business loss exposure. Practitioners should align MFA policy, fraud telemetry, and recovery controls around one shared trust model.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- Another finding shows that 91.6% of secrets remain valid five days after the targeted organisation is notified, which is why remediation speed matters in identity programmes.
- For a broader lifecycle view, read Ultimate Guide to NHIs for governance, rotation, and offboarding guidance.
What this signals
Phone trust is becoming a governance input, not just a fraud signal: consumer identity teams that still treat SMS OTP as the end of the decision chain will miss the point. The more useful posture is to classify phone-based assurance by channel quality, then route high-risk sessions into stronger verification before the transaction reaches approval.
The practical signal is whether your programme can separate reachability from legitimacy. If you cannot explain why a given phone path is trustworthy, you do not have MFA assurance, only message delivery with a security label attached.
A useful next resource is Ultimate Guide to NHIs, because the same lifecycle logic that governs secrets, tokens, and service accounts also helps teams reason about enrolment, revocation, and stale trust in customer identity flows.
For practitioners
- Strengthen phone trust before OTP delivery Use line-type, number-history, and SIM-tenure checks to decide whether a challenge should be issued at all. A valid OTP should not override evidence that the phone path is low confidence.
- Flag non-fixed VoIP as a high-risk channel Route non-fixed VoIP transactions into step-up paths or alternate verification when the account value or fraud exposure is material. The goal is not to ban the channel, but to stop treating it as equivalent to mobile trust.
- Link recovery events to authentication risk Increase scrutiny after phone number changes, SIM swaps, or enrolment updates because those events can precede OTP abuse. Recovery and login should share the same risk view rather than operating as separate controls.
- Align fraud and IAM thresholds Set shared policy for when low-trust signals block login, trigger review, or step up to another factor. If fraud and IAM use different thresholds, attackers will use the weakest path to complete the transaction.
Key takeaways
- Consumer MFA weakens when phone identity is treated as proof of legitimacy rather than as one input to a risk decision.
- The article’s data shows that a meaningful share of MFA traffic carries low-confidence signals, especially where VoIP and SIM activity distort trust.
- Teams should align fraud, IAM, and recovery controls around one shared trust model so attackers cannot use the weakest channel to complete abuse.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Consumer MFA risk maps to access control decisions based on confidence signals. |
| NIST SP 800-53 Rev 5 | IA-2 | The article is about authentication assurance for consumer access. |
| NIST Zero Trust (SP 800-207) | Zero Trust requires continuous trust evaluation for identity assertions. | |
| GDPR | Art.32 | Consumer identity data and authentication controls affect protection of personal data. |
Use IA-2 to ensure authentication strength matches transaction risk and channel confidence.
Key terms
- Phone Trust Signal: A phone trust signal is evidence used to judge whether a mobile number or device path is likely controlled by the right person. It includes line type, SIM age, number history, and behavioural context, and it helps distinguish true possession from simple message delivery.
- SIM Tenure: SIM tenure is the length of time a SIM has been active in a device or account context. Short tenure can indicate a recent swap, a fresh device binding, or an identity path that should be treated as higher risk before allowing sensitive authentication or recovery.
- Trust Score: Trust Score is a risk-scoring model that estimates identity confidence from phone and behavioural signals. In consumer IAM, it is useful when it changes authentication from binary success or failure into a more nuanced decision about whether a session is consistent with legitimate use.
- Non-Fixed VoIP: Non-fixed VoIP is a virtual phone number not tied to a physical address or stable mobile line. It can be legitimate, but in authentication flows it often reduces confidence because the number may be easier to obtain, recycle, or use outside normal consumer identity expectations.
What's in the full report
Prove Identity's full analysis covers the operational detail this post intentionally leaves for the source:
- Breakdown of how Trust Score was applied across SMS and voice OTP transactions
- Sector-specific risk findings for FinTech and e-commerce during holiday fraud exposure
- The relationship between SIM tenure, non-fixed VoIP lines, and low-trust authentication events
- Context on Prove’s acquisition and integration of MFA capabilities into its platform
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are shaping identity security strategy or maturing governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org