TL;DR: One-time codes remain widely used for MFA, but the article argues they are vulnerable when delivered over SMS or email, can collapse into two forms of the same factor, and add user friction that drives abandonment, according to Beyond Identity. Passwordless MFA reduces those weaknesses by removing passwords from the factor set and shifting trust to device-bound cryptographic keys and biometrics.
At a glance
What this is: This is an analysis of why one-time code MFA can fail under real attack and usability conditions, and why passwordless MFA changes the trust model.
Why it matters: IAM and NHI teams should care because the same factor weaknesses that undermine human authentication also shape how service and device identities are protected.
👉 Read Beyond Identity's analysis of passwordless MFA vs one-time codes
Context
One-time code MFA looks stronger than passwords, but it often depends on channels and factors that are easier to intercept, reuse, or socially engineer than teams assume. For IAM and NHI governance, the core issue is not whether MFA exists, but whether the second factor actually adds independent assurance. As environments add more machine and agent identities, weak authentication patterns tend to spread from user access into broader identity operations.
Passwordless MFA shifts authentication toward device-bound cryptography and biometrics, which reduces dependence on recoverable secrets and shared knowledge factors. That matters for NHI programmes because the same governance question keeps resurfacing across humans, workloads, and agents: what is the durable trust anchor, and how is it verified at runtime? For background on the identity lifecycle questions this raises, see the Ultimate Guide to NHIs.
Key questions
Q: How should teams decide when one-time codes are still acceptable for MFA?
A: Use one-time codes only where the protected system has low privilege, low fraud impact, and limited downstream access. For anything sensitive, prefer authentication that does not rely on message delivery or reused secrets. If the code can be intercepted, replayed, or recovered through the same account path, it is not delivering strong multifactor assurance.
Q: What is the difference between passwordless MFA and one-time code MFA?
A: Passwordless MFA uses device-bound cryptography and local user verification, while one-time code MFA depends on a code delivered over SMS, email, or an app. The first removes reusable secrets from the login path. The second still depends on a transmitted secret that can be intercepted, delayed, phished, or made redundant by password reuse.
Q: Why do one-time codes create a false sense of security?
A: They look like a second factor, but in many deployments they are tied to the same account recovery system, the same password, or the same exposed device. That means the second factor may not be independent at all. Teams should test whether the factor actually resists interception, reuse, and account recovery abuse.
Q: How should organisations reduce MFA-related account takeover risk?
A: Start by replacing the weakest factors on the highest-risk accounts, then remove recovery paths that depend on shared secrets or easily intercepted delivery channels. Pair that with risk-based step-up, strong offboarding, and continuous review of fallback access. The goal is to make takeover harder without turning authentication into a usability failure.
Technical breakdown
Why one-time codes weaken multifactor assurance
One-time codes are only useful if the second factor is truly independent from the first. SMS and email delivery often break that assumption because both can be routed through channels tied to the same account recovery path, the same password, or the same compromised device. SMS codes can also be intercepted through SIM swap attacks or mobile signalling abuse. In practice, the control becomes a convenience layer rather than a durable proof of possession. That is why code-based MFA often raises the appearance of assurance without consistently reducing takeover risk.
Practical implication: treat one-time codes as a weaker step-up control, not a default control for high-risk access.
How passwordless MFA changes the trust anchor
Passwordless MFA replaces shared secrets with asymmetric cryptography. A private key stays on the device, typically protected by hardware such as a TPM, while user verification comes from biometrics or another local unlock step. The system then verifies possession of the device without asking the user to type or transmit a reusable secret. That changes the failure mode: attackers can no longer replay or phish a code that was delivered over an exposed channel. The security value comes from binding the authentication event to the device and the user at the point of use.
Practical implication: prioritize device-bound authentication where phishing, recovery abuse, and code interception are material threats.
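The mechanism described above, as an added example (not code from the Beyond Identity article or from NHIMG): a Go sketch of device-bound challenge-response authentication with Ed25519, beside a minimal one-time-code verifier for contrast. The origin `https://login.example.test`, the device ID `laptop-1`, and all type and function names are this example's own assumptions; a production deployment would use a FIDO2/WebAuthn library rather than hand-rolled assertion handling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Device is the enrolled authenticator: the private key never leaves it, and signing
// requires a local user-verification step (biometric/PIN), modelled here as a bool.
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates a key pair; only the public key is given to the server at enrolment.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Device{priv: priv}, pub, nil
}

// assertionMessage is what gets signed: the origin the device believes it is talking to,
// then the nonce. Origin binding makes an assertion collected by a look-alike site useless.
func assertionMessage(origin string, challenge []byte) []byte {
	return append([]byte(origin+"\x00"), challenge...)
}

// Sign returns an assertion only after local user verification has succeeded.
func (d *Device) Sign(userVerified bool, origin string, challenge []byte) ([]byte, error) {
	if !userVerified {
		return nil, errors.New("user verification failed; key stays locked")
	}
	return ed25519.Sign(d.priv, assertionMessage(origin, challenge)), nil
}

// RelyingParty is the server: a public key per enrolled device and the outstanding
// challenges, each usable exactly once. Nothing secret is stored server-side.
type RelyingParty struct {
	Origin     string
	Keys       map[string]ed25519.PublicKey // device ID -> key registered at enrolment
	challenges map[string]bool
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, Keys: map[string]ed25519.PublicKey{}, challenges: map[string]bool{}}
}

// Challenge issues a fresh 32-byte nonce and records it as outstanding.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[string(c)] = true
	return c, nil
}

// Verify consumes the challenge even on a bad signature (captured assertions cannot be
// replayed) and rebuilds the message with the RP's own origin (phished assertions fail).
func (rp *RelyingParty) Verify(deviceID string, challenge, sig []byte) error {
	if !rp.challenges[string(challenge)] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.challenges, string(challenge))
	pub, ok := rp.Keys[deviceID]
	if !ok {
		return errors.New("device not enrolled")
	}
	if !ed25519.Verify(pub, assertionMessage(rp.Origin, challenge), sig) {
		return errors.New("signature invalid for this origin and challenge")
	}
	return nil
}

// SharedCodeVerifier is the one-time-code pattern, for contrast: whoever presents the
// string first is accepted, so intercepting the delivery channel is sufficient.
type SharedCodeVerifier struct{ code string }

func (s *SharedCodeVerifier) Issue() string {
	var b [4]byte
	_, _ = rand.Read(b[:])
	s.code = fmt.Sprintf("%06d", binary.BigEndian.Uint32(b[:])%1000000)
	return s.code
}

func (s *SharedCodeVerifier) Redeem(code string) bool {
	defer func() { s.code = "" }() // single use, but nothing checks who presented it
	return s.code != "" && code == s.code
}

func main() {
	rp := NewRelyingParty("https://login.example.test") // constructed origin, not a real site
	dev, pub, _ := NewDevice()
	rp.Keys["laptop-1"] = pub
	ch, _ := rp.Challenge()
	sig, _ := dev.Sign(true, rp.Origin, ch)
	fmt.Println("genuine:", rp.Verify("laptop-1", ch, sig), "| replayed:", rp.Verify("laptop-1", ch, sig))
}
```

Running it shows the genuine assertion accepted and the identical bytes rejected on replay. The two properties that matter live in Verify: the challenge is consumed exactly once, and the message is rebuilt with the relying party's own origin, so an assertion the device signed for a look-alike site never verifies. SharedCodeVerifier has neither property: possession of the six-digit string is the whole check, which is the weakness the section above describes.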
Why passwordless MFA also improves access governance
Passwordless authentication reduces the number of stored recovery secrets and eliminates many shared credentials that otherwise become governance liabilities. That matters because every backup factor, reset path, or fallback workflow expands the identity attack surface. For NHI programmes, the architectural lesson is the same one seen in workload identity design: remove avoidable secrets, reduce replayable material, and make each credential harder to extract or reuse. Authentication becomes easier to govern when the system has fewer places where a secret can persist outside policy.
Practical implication: review recovery flows, fallback channels, and stored secrets as part of the same control set as primary authentication.
Threat narrative
Attacker objective: The attacker wants to turn an apparently protected login into a usable authenticated session without triggering meaningful resistance.
- Entry can occur when an attacker intercepts a one-time code delivered over SMS or email, or when they steal credentials that make the second factor effectively redundant.
- Escalation happens when the attacker pairs the captured code with reused passwords or compromised email access, turning MFA into a low-friction bypass.
- Impact is account takeover, which can lead to fraud, data exposure, or privileged access abuse if the protected account has high-value permissions.
Breaches seen in the wild
- Moltbook AI agent keys breach — Moltbook breach exposed 1.5M AI agent keys.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
One-time codes are a control pattern, not a trust model. The article correctly separates user convenience from assurance, and that distinction is central to modern identity governance. If the second factor rides the same recovery path as the first, the enterprise is not gaining true independence between factors. Practitioners should evaluate MFA by attack resistance, not by checkbox presence.
Passwordless MFA reduces credential reuse pressure across the identity stack. When authentication no longer depends on remembered secrets, organisations can retire some of the recovery and fallback mechanisms that create hidden exposure. That does not eliminate risk, but it removes a common source of replay, phishing, and support-driven compromise. Teams should treat this as a governance simplification as much as an authentication upgrade.
Ephemeral assurance still needs lifecycle controls. Stronger authentication at the login step does not fix weak enrolment, recovery, device replacement, or offboarding processes. The article’s logic extends into NHI governance: if identities are issued and recovered carelessly, the system remains vulnerable even when the primary factor is hardened. The practical conclusion is to manage the full identity lifecycle, not just the front door.
Continuous risk-based authentication is the right complement to passwordless design. Static MFA policies are too blunt for environments where risk changes by device, location, and session behaviour. A stronger baseline can be paired with step-up checks only when the context warrants it, which is a better fit for both human and non-human access patterns. Practitioners should align authentication strength with runtime risk, not with one fixed policy for all sessions.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 20% of organisations have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.
- For a broader view of identity exposure patterns, see 52 NHI Breaches Analysis, which maps repeated control failures across real incidents.
What this signals
Passwordless design will increasingly be judged by how well it reduces hidden recovery dependencies, not by whether it removes passwords alone. The governance shift is toward fewer replayable secrets, tighter device binding, and stronger step-up controls when context changes. That same logic applies to NHI programmes, where long-lived secrets and weak recovery paths remain persistent sources of operational risk.
Recovery-path debt: organisations that keep SMS, email, and help-desk overrides in place are preserving the very pathways attackers exploit. With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs, the real challenge is systemic rather than isolated. Teams should treat authentication hardening and secret sprawl reduction as one programme, not separate projects.
For practitioners
- Review code delivery channels: eliminate SMS and email as default one-time code paths for sensitive access, and reserve them for low-risk fallback only where business constraints require it.
- Adopt device-bound authentication: use hardware-backed keys and local biometric or device verification for high-value accounts so the credential never leaves the trusted device.
- Map recovery and reset workflows: document every backup factor, reset path, and help-desk override that can re-enable access, then apply the same access review standards used for primary credentials.
- Apply step-up only on risk signals: tie stronger prompts to device change, unusual location, privilege elevation, or session anomaly instead of forcing the same challenge on every login.
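One way to express the last item (and the step-up definition under Key terms) as policy code, added here as an example rather than anything from Beyond Identity or NHIMG: the signal names, factor classes and decision labels are this example's own assumptions, and a real implementation would populate them from the IdP's session and device-posture data.

```go
package main

import "fmt"

// Factor classes in ascending order of assurance. A step-up that re-uses the class the
// session already holds adds friction but no independent assurance.
type Factor int

const (
	FactorPassword    Factor = iota // remembered, reusable secret
	FactorSharedCode                // code delivered by SMS, email or app: a transmitted secret
	FactorDeviceBound               // hardware-backed key plus local user verification
)

func (f Factor) String() string { return [...]string{"password", "shared-code", "device-bound"}[f] }

// Context carries the runtime signals evaluated for one request. The field names are this
// example's own; a real deployment would populate them from IdP session and device data.
type Context struct {
	AuthenticatedWith  Factor // strongest factor class already satisfied in this session
	KnownDevice        bool   // device key or fingerprint previously seen for this user
	UsualLocation      bool   // location consistent with the user's recent history
	PrivilegeElevation bool   // request targets an admin or other high-value action
	SessionAnomaly     bool   // e.g. impossible travel, token reuse, abnormal request velocity
}

type Action int

const (
	Allow          Action = iota // no step-up
	FreshAssertion               // session already holds the required class; re-verify now
	UpgradeFactor                // session's factor class is too weak; require a stronger one
)

func (a Action) String() string { return [...]string{"allow", "fresh-assertion", "upgrade-factor"}[a] }

type Decision struct {
	Action  Action
	Require Factor   // factor class the step-up must satisfy
	Reasons []string // signals that fired, for the audit log
}

// Evaluate applies the policy: challenge only when a risk signal fires, and when one does,
// demand a device-bound assertion rather than another transmitted code.
func Evaluate(ctx Context) Decision {
	var reasons []string
	if !ctx.KnownDevice {
		reasons = append(reasons, "new device")
	}
	if !ctx.UsualLocation {
		reasons = append(reasons, "unusual location")
	}
	if ctx.PrivilegeElevation {
		reasons = append(reasons, "privilege elevation")
	}
	if ctx.SessionAnomaly {
		reasons = append(reasons, "session anomaly")
	}
	if len(reasons) == 0 {
		return Decision{Action: Allow, Require: ctx.AuthenticatedWith}
	}
	d := Decision{Action: UpgradeFactor, Require: FactorDeviceBound, Reasons: reasons}
	if ctx.AuthenticatedWith >= FactorDeviceBound {
		d.Action = FreshAssertion
	}
	return d
}

func main() {
	// Constructed scenarios: a routine login, a login from a new device, and an admin
	// action inside a session that already authenticated with a device-bound key.
	for _, ctx := range []Context{
		{AuthenticatedWith: FactorSharedCode, KnownDevice: true, UsualLocation: true},
		{AuthenticatedWith: FactorSharedCode, KnownDevice: false, UsualLocation: true},
		{AuthenticatedWith: FactorDeviceBound, KnownDevice: true, UsualLocation: true, PrivilegeElevation: true},
	} {
		d := Evaluate(ctx)
		fmt.Printf("session=%-12s action=%-15s require=%-12s reasons=%v\n", ctx.AuthenticatedWith, d.Action, d.Require, d.Reasons)
	}
}
```

The design choice worth noting is that the required class on step-up is fixed at device-bound: prompting a session that logged in with an SMS code for a second SMS code re-uses the same exposed channel, which is the caveat the Step-Up Authentication definition makes about the baseline needing to be resilient first. Reasons are returned rather than only logged so the calling service can write them to its audit trail.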
Key takeaways
- One-time codes can improve the appearance of MFA without delivering independent assurance, especially when delivery and recovery paths are weak.
- Passwordless MFA changes the trust anchor by binding authentication to device-held cryptography and local verification instead of reusable secrets.
- Teams should treat authentication, recovery, offboarding, and secret hygiene as one governance surface, because attackers exploit the gaps between them.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Code delivery and reuse expose authentication to secret compromise. |
| NIST CSF 2.0 | PR.AC-7 | MFA strength and reauthentication support controlled access decisions. |
| NIST Zero Trust (SP 800-207) | | Passwordless MFA supports continuous verification in zero trust. |
Replace recoverable code-based access with device-bound authentication for higher-risk accounts.
Key terms
- Passwordless MFA: An authentication approach that replaces passwords and code-based second factors with device-bound cryptography and local user verification. The user proves possession of a trusted device and then unlocks it with a biometric or similar control, reducing reliance on reusable secrets and delivery channels that can be intercepted.
- One-Time Code MFA: A multifactor pattern that sends a temporary code by SMS, email, or an authenticator app to confirm a login. It is weaker when the delivery path, recovery path, or underlying password can be intercepted, reused, or socially engineered, because the second factor may not be truly independent.
- Step-Up Authentication: A risk-based control that asks for stronger verification only when context indicates elevated risk, such as device change, unusual geography, or privilege escalation. It helps balance security and usability, but it works only when the baseline authentication model is already resilient and the triggers are well tuned.
- Recovery Path: The set of backup methods, reset flows, and help-desk procedures that restore access when a user loses their primary credential. Recovery paths often become the weakest part of identity governance because they can reintroduce shared secrets, manual override, or inconsistent verification standards.
Deepen your knowledge
Passwordless MFA, recovery-path hardening, and NHI secret governance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are reworking authentication for users, workloads, or agents, it is worth exploring.
This post draws on content published by Beyond Identity: Passwordless MFA vs One-Time Codes. Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org