By NHI Mgmt Group Editorial TeamPublished 2026-02-24Domain: Governance & RiskSource: eMudhra

TL;DR: Kenyan enterprises are moving from static 2FA to context-aware MFA as SIM swap fraud, real-time phishing kits, and credential stuffing make SMS OTP controls increasingly fragile, according to eMudhra. The shift matters because identity assurance now has to adapt to device posture, location, and login risk rather than rely on a single second factor.


At a glance

What this is: This is an analysis of why Kenyan enterprises are shifting from static 2FA to context-aware MFA as a response to SIM swap fraud, phishing, and fraud pressure.

Why it matters: It matters because IAM teams need authentication controls that scale with remote work, BYOD, and mobile-first fraud patterns without creating avoidable friction or audit gaps.

By the numbers:

👉 Read eMudhra's analysis of the shift from 2FA to context-aware MFA in Kenya


Context

Static 2FA assumes that possession of an OTP is enough to prove the right user is present. In practice, that assumption breaks down when attackers can hijack phone numbers, relay codes in real time, or compromise the device path that delivers the second factor.

For Kenyan enterprises, this is an identity and access management problem as much as a fraud problem. As mobile banking, e-governance, and cloud-connected work expand, authentication has to evaluate the login context, not just the factor count.

MFA changes the control model by adding device intelligence, behavioral signals, and policy-driven step-up checks. That makes it more suitable for environments where access risk changes by user, endpoint, location, and time.


Key questions

Q: How should organisations replace SMS OTP without breaking user access?

A: Start with the highest-risk journeys first, such as banking, administrative access, and recovery flows. Move those paths to device-bound or push-based authentication, keep SMS as a limited fallback, and phase the change with clear user communication so support volume does not spike unnecessarily.

Q: Why do static 2FA controls fail against SIM swap and phishing attacks?

A: Static 2FA assumes the second factor remains under the user’s control and arrives through a trustworthy channel. SIM swap fraud and real-time phishing break both assumptions, because attackers can reroute or relay the code while still presenting a valid login to the system.

Q: What do security teams get wrong about context-aware MFA?

A: They often treat MFA as a user-friction problem instead of a risk decision engine. The real value comes from matching assurance to context, using device, location, and behavioural signals to decide when access should be accepted, challenged, or denied.

Q: Who is accountable when an organisation leaves SMS OTP in place for high-risk accounts?

A: Accountability sits with the identity, fraud, and security owners who approved the control baseline. If the organisation knowingly keeps a weak second factor in a high-risk flow, auditors will treat that as a governance choice, not a technical limitation.


Technical breakdown

Why SMS OTP-based 2FA breaks under modern fraud tactics

SMS OTPs are vulnerable because the second factor travels through a channel that attackers can intercept, redirect, or socially engineer. SIM swap fraud moves the victim’s phone number to an attacker-controlled SIM, while phishing kits can capture and replay one-time codes in real time. Once the code is relayed, the service sees a valid challenge response even though the user context is compromised. This is why possession-based authentication alone is no longer a reliable control in high-fraud environments.

Practical implication: reduce reliance on SMS OTP for high-risk accounts and treat the delivery channel itself as part of the attack surface.

How context-aware MFA changes the authentication decision

Context-aware MFA evaluates signals such as device fingerprint, endpoint attestation, location, login history, and time of access before deciding whether to step up authentication. The key shift is from static factor checking to risk-based policy enforcement. A known device in a normal location may get a lighter challenge, while an anomalous login can trigger biometrics, push approval, or additional verification. This preserves usability where the risk is low and increases assurance where the risk is elevated.

Practical implication: define risk thresholds and step-up rules so authentication strength matches the sensitivity of the application and the login conditions.

Why MFA matters for identity governance and auditability

MFA is not just an authentication layer. It becomes part of the governance evidence chain because it can generate logs showing when additional challenges were triggered, which devices were trusted, and how risky sessions were handled. That matters for compliance, incident review, and policy enforcement in regulated environments. Where organisations integrate MFA with directory services, cloud apps, and audit reporting, they gain a clearer view of how access decisions are being made across channels.

Practical implication: ensure MFA events are retained in audit logs and tied to identity records so access decisions can be reviewed after an incident.


Threat narrative

Attacker objective: The attacker aims to turn a stolen credential path into authenticated access that can be monetised through fraud, account takeover, or data misuse.

  1. Entry occurs when an attacker uses phishing, SIM swap, or credential stuffing to reach the login flow with valid or nearly valid credentials.
  2. Escalation occurs when the attacker intercepts or relays the OTP, then uses the authenticated session to access banking, e-commerce, or enterprise systems.
  3. Impact follows when account takeover enables fraud, data access, or unauthorised transactions at scale.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Static second-factor trust is the wrong assumption for mobile-first fraud environments: 2FA was designed for a world where the second factor was hard to intercept and the login channel was relatively stable. That assumption fails when SIM swap fraud, phishing-as-a-service kits, and credential stuffing can all compromise the same authentication path. The implication is that factor count alone is no longer a sufficient security measure.

Context-aware MFA turns authentication into a policy decision, not a checkbox: device posture, login geography, user history, and time-of-access signals change whether the session should be accepted, stepped up, or denied. That aligns better with ZTA thinking because trust is continuously evaluated rather than granted once at the door. For practitioners, the point is not more prompts. The point is better decisioning.

Identity governance now has to treat authentication events as evidence, not just user experience: MFA logs, device signals, and step-up outcomes are part of the assurance record that auditors and incident responders need. When those signals are absent, the organisation cannot explain why access was allowed or challenged. That is a governance gap, not a UX issue.

SMS OTP dependence creates avoidable authentication debt: the control is cheap to deploy but expensive to defend because the delivery channel is exposed to telecom-level attack and user deception. That makes it a weak baseline for regulated sectors, remote work, and consumer-facing platforms handling monetary transactions. Practitioners should treat remaining SMS OTP reliance as a risk concentration, not a mature control state.

From our research:

  • 98% of companies plan to deploy even more AI agents within the next 12 months, despite documented rogue behaviour in 80% of current deployments, according to AI Agents: The New Attack Surface report.
  • 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
  • For a broader governance frame, see Top 10 NHI Issues for the control patterns that matter when identity behaviour changes faster than policy.

What this signals

Context-aware authentication is becoming the practical bridge between fraud control and identity governance: organisations that still treat MFA as a static checkbox will struggle to explain why a login should be trusted when the channel itself is under attack. For teams modernising access controls, the next step is to align authentication strength with application risk, not user convenience.

As mobile-first services scale, security teams should expect more pressure to prove that access decisions were contextually justified. That means retaining MFA evidence, integrating it into audit and incident workflows, and connecting authentication policy to the business-critical apps that carry financial and personal data.


For practitioners

  • Phase out SMS OTP for high-risk access paths Move banking, admin, and customer account flows to stronger factors such as push approval, device-bound authentication, or biometrics where appropriate. Preserve SMS only as a fallback for low-risk recovery paths and document where it remains in use.
  • Adopt risk-based step-up policies Use device fingerprinting, location, and behavioural baselines to decide when a login should trigger additional verification. Separate normal access from anomalous access so the policy can raise assurance without imposing the same friction on every session.
  • Retain MFA events in audit-ready logs Record step-up prompts, successful challenges, trusted devices, and denied sessions in a form that can be correlated with IAM and SIEM records. This supports investigations, compliance reporting, and access review evidence.
  • Align authentication with regulated risk tiers Classify applications by fraud exposure, data sensitivity, and business impact, then assign MFA strength accordingly. Mobile money, government portals, and privileged enterprise access should not share the same assurance baseline.

Key takeaways

  • Static 2FA is increasingly exposed to SIM swap, phishing relay, and credential stuffing tactics that target the authentication channel itself.
  • Kenyan enterprises are moving toward context-aware MFA because device, location, and behavioral signals provide stronger access decisions than OTP count alone.
  • Security teams should treat MFA as governance evidence and risk policy, not just a login experience layer.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-53 Rev 5 and NIST Zero Trust (SP 800-207) set the technical controls, while ISO/IEC 27001:2022 and GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-7Risk-based authentication matches the article's context-aware MFA model.
NIST SP 800-53 Rev 5IA-2Authentication strength and multi-factor use are central to this article.
NIST Zero Trust (SP 800-207)The article's adaptive trust model aligns with continuous verification.
ISO/IEC 27001:2022A.5.15Access control policy is relevant where MFA is used as a governance control.
GDPRArt.32Where identity data and access logs are processed, security of processing is relevant.

Protect authentication and audit data under Art.32 when MFA generates identity-related records.


Key terms

  • Context-Aware MFA: Context-aware MFA is authentication that changes its challenge level based on risk signals such as device health, location, behaviour, and access history. It is not just more factors. It is a policy-driven trust decision that adapts to the conditions of the login.
  • SIM Swap Fraud: SIM swap fraud occurs when an attacker convinces or corrupts a mobile provider into moving a victim’s number to a different SIM card. Once the number is controlled, SMS-based OTPs and recovery codes can be intercepted, letting the attacker impersonate the user.
  • Device Fingerprinting: Device fingerprinting is the process of recognising a device from its attributes, posture, or cryptographic signals so access policies can distinguish familiar endpoints from suspicious ones. In identity programmes, it helps separate routine logins from sessions that deserve stronger verification.
  • Step-Up Authentication: Step-up authentication is an additional verification challenge triggered when a login or session looks riskier than expected. It is used to raise assurance only when needed, which helps balance security with usability in IAM programmes that serve mixed-risk applications.

What's in the full article

eMudhra's full article covers the implementation detail this post intentionally leaves for the source:

  • Biometric MFA deployment examples for banks, government portals, and high-trust networks.
  • Context-aware policy design that uses device posture, location, and access history to trigger step-up authentication.
  • Integration patterns for Active Directory, Azure AD, cloud platforms, and on-prem applications.
  • Compliance reporting details for Kenya's Data Protection Act, ISO 27001, and related audit needs.

👉 The full eMudhra article covers biometric login, push authentication, and compliance considerations in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an identity security programme, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org