By NHI Mgmt Group Editorial Team | Published 2026-01-02 | Domain: Governance & Risk | Source: iProov

TL;DR: OTP authentication remains more secure than static passwords, but it is increasingly bypassed through SIM swapping, SS7 interception, and real-time phishing, according to iProov. For high-assurance access, the control problem is no longer code generation; it is whether the verification method can survive modern interception and relay attacks.


At a glance

What this is: This is an analysis of OTP authentication and why its possession-based model is increasingly vulnerable to interception, relay, and social engineering attacks.

Why it matters: It matters because IAM programmes still using OTP for sensitive access, recovery, or step-up authentication need to understand where possession-based assurance fails and what stronger alternatives change across human, NHI, and autonomous identity governance.

By the numbers:

👉 Read iProov's analysis of OTP security risks and biometric alternatives


Context

OTP authentication is a possession factor, not a proof of stable identity. In practice, it assumes the device or inbox receiving the code remains trustworthy for the duration of the session, which no longer holds up well against SIM swap fraud, adversary-in-the-middle phishing, and account recovery abuse.

For IAM teams, the issue is not whether OTP works in the narrow sense. The issue is whether it still provides enough assurance for high-risk access, especially where step-up authentication, account recovery, and transaction approval are part of the control path. That is why the debate has shifted from convenience to assurance strength.

For teams managing humans, NHIs, and emerging autonomous access paths, OTP is a useful example of a control that looks familiar but may not map cleanly to the threat model anymore. The more valuable question is where a short-lived code still adds value and where it simply creates a false sense of security.


Key questions

Q: When should organisations stop using OTP for authentication?

A: Organisations should stop using OTP when the access decision is high consequence, the user journey is likely to be targeted by phishing, or the recovery flow is especially sensitive. OTP can still reduce friction for low-risk use cases, but it should not be the primary control for privileged access, payment approval, or account recovery.

Q: Why do SIM swap attacks matter for IAM teams?

A: SIM swap attacks matter because they defeat SMS-based possession checks without breaking the authentication algorithm. For IAM teams, that means a number tied to a phone is not a durable trust anchor. Any programme that relies on SMS OTP for sensitive steps should treat the mobile network as part of the attack surface.

Q: What do security teams get wrong about app-based TOTP?

A: Teams often assume app-based TOTP is inherently phishing resistant because it is not sent over a mobile network. That is only partly true. TOTP removes the carrier from the path, but the code is bound only to a time window, not to the site the user is talking to, so whichever page the user types it into can use it for as long as the window lasts. If attackers can use a real-time proxy, steal the device, or socially engineer the code, TOTP still fails as a high-assurance method.

Q: How should security teams verify users for high-risk actions instead of OTP?

A: Use stronger methods that verify the person, not just possession of a code source. For high-risk actions, that usually means phishing-resistant authentication, robust liveness checks, and recovery flows that do not depend on the same device or inbox used during compromise.


Technical breakdown

Why possession-based OTP assurance breaks down

OTP systems authenticate possession of a device, mailbox, or token, not the person behind it. That distinction matters because attackers increasingly target the delivery channel rather than the code itself. SMS OTP depends on the phone number, email OTP depends on inbox integrity, and app-based TOTP still collapses if the device is compromised or the code is relayed in real time. Because the code is short-lived, defenders often assume this makes interception hard. In practice, short validity only limits replay, not capture and forwarding. The underlying weakness is that the factor verifies access to a channel, not genuine identity.

Practical implication: Treat OTP as a limited assurance layer and do not use it alone for high-risk authentication or account recovery.

SIM swap, SS7, and relay attacks against OTP

SMS OTP is exposed to three common failure paths. SIM swap attacks transfer a phone number to attacker-controlled infrastructure, SS7 weaknesses allow interception in transit on legacy mobile signalling paths, and real-time phishing proxies capture credentials plus the OTP before the code expires. These are different mechanisms, but they produce the same outcome: the attacker receives or relays the one-time code without needing to break the OTP algorithm. TOTP reduces carrier exposure but does not remove phishing relay risk. The security issue is therefore architectural, not just transport-related.

Practical implication: Use phishing-resistant authentication for sensitive access and assume SMS OTP is unsuitable for high-assurance use cases.

Why biometric verification changes the assurance model

Biometric face verification shifts the factor from possession to inherence, which changes how identity is proven. A face cannot be ported to another number, copied into an inbox, or forwarded through a relay server the way a code can; what it can be is spoofed, which is why strong systems add liveness detection that checks a real person is present now rather than a photo, video, mask, or synthetic replay. That matters for out-of-band verification, enrollment, and high-risk step-up events. Biometric systems are not automatically perfect, and their assurance rests on the quality of that presentation-attack defence, but they address the channel fragility that OTP inherits from phones, networks, and inboxes.

Practical implication: Use stronger verification for onboarding, recovery, and high-risk transactions where channel compromise is the primary threat.




NHI Mgmt Group analysis

OTP is no longer a stable high-assurance factor because the delivery channel is easier to compromise than the code. SMS, email, and app-based OTP all depend on the assumption that the receiving channel remains trustworthy long enough for the user to read and enter the code. That assumption is now routinely broken by SIM swaps, mailbox compromise, and real-time phishing relays. For identity governance, the conclusion is blunt: a time-limited code does not equal a resilient trust boundary.

Channel trust debt: OTP programmes accumulate risk wherever they depend on a mobile number, inbox, or shared device as the proof of identity. The article’s examples show that attackers do not need to defeat the math behind OTP. They only need to take over the path the code travels on. This is especially relevant where OTP still protects recovery, payment approval, or administrative access. Practitioners should view the channel itself as the control surface.

OTP remains acceptable for low-risk friction reduction, but it is a weak fit for high-consequence decisions. The right question is not whether OTP works in general, but whether it aligns with the assurance level required for the action being taken. Where fraud, session hijack, or account takeover would cause material harm, OTP’s possession-only model is out of step with modern threat behaviour. Teams should reclassify OTP as a convenience control, not a strong trust anchor.

Biometric authentication is gaining ground because it answers a different governance question than OTP. OTP asks whether the user can access a code source, while face verification asks whether the right person is present now. That distinction matters most in onboarding, re-authentication, and recovery flows where identity proof must survive device compromise. The practitioner implication is to separate convenience authentication from high-assurance verification, rather than forcing one mechanism to do both jobs.

From our research:

What this signals

Channel trust debt: OTP is increasingly a governance liability where identity assurance still depends on the continued safety of a phone number, inbox, or shared device. The practical issue is not whether OTP can work, but whether the organisation can defend the delivery path well enough to trust the result.

The migration path is not about replacing every OTP prompt at once. It is about separating low-risk convenience flows from high-risk verification points, then using stronger methods where fraud, takeover, or recovery abuse would create real loss. That is the programme design decision IAM teams now need to make.

For broader identity strategy, OTP is a useful marker of where teams have confused a short-lived code with durable proof. The more mature posture is to align authentication strength with the consequence of failure and to retire possession-only checks where the attack surface is already well understood.


For practitioners

  • Reclassify OTP by risk tier: Use SMS or email OTP only for low-risk access paths where the business impact of account takeover is limited. Require stronger step-up controls for payment approval, admin actions, and recovery flows where code interception would be material.
  • Remove OTP from recovery paths: Do not let an OTP channel become the way a user regains access after compromise. Recovery should rely on stronger proofing and separate trust anchors, because the recovery path is often the easiest place for attackers to win.
  • Assume the channel can be compromised: Model SIM swap, mailbox takeover, and relay phishing as expected attack paths rather than edge cases. This is especially important where a phone number or inbox is treated as the standing proof of identity.
  • Prioritise phishing-resistant alternatives for high assurance: Move sensitive journeys to controls that verify the person, not just device access, and reserve OTP for where its assurance profile is acceptable. Use the strongest method at the point where identity failure would be most costly.

Key takeaways

  • OTP still improves on static passwords, but it is increasingly weak for high-assurance identity decisions because attackers target the delivery channel rather than the code.
  • The evidence is no longer theoretical: SIM swap fraud, SS7 interception, and relay phishing all show that possession-based authentication can fail at scale.
  • IAM teams should reserve OTP for low-risk use cases and move sensitive access, recovery, and step-up journeys to stronger verification methods.

Key terms

  • One-Time Passcode: A one-time passcode is a short-lived code used to confirm that a user can access a registered device, inbox, or token. It is a possession factor, not a proof of the person. Its security depends heavily on the integrity of the delivery channel and the surrounding recovery process.
  • Time-Based One-Time Password: Time-based one-time password is an OTP variant that generates a rolling code from the current time window. It reduces replay risk compared with a static password, but it still depends on the user’s device and can be defeated by device compromise, real-time relay attacks, or social engineering.
  • Phishing-Resistant Authentication: Phishing-resistant authentication uses methods whose response is cryptographically bound to the legitimate site, as with FIDO2/WebAuthn passkeys, so a fake page or relay proxy cannot obtain a response the real service will accept. A one-time code is not in this category: it is single-use, but it is valid for whoever receives it within the window. In practice, the control must survive fake pages, relay attacks, and channel interception. It is the right category for high-assurance journeys where OTP no longer provides enough trust.
  • Liveness Detection: Liveness detection checks that a real, live person is present during biometric authentication rather than a photo, video, mask, or synthetic replay. It strengthens face verification by defending against spoofing attempts and helps distinguish genuine presence from captured or generated imagery.

Deepen your knowledge

OTP risk and phishing-resistant authentication are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are rethinking how possession-based factors fit into your access model, it is a practical place to start.

This post draws on content published by iProov: OTP authentication security risks and biometric alternatives. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-02.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org