By NHI Mgmt Group Editorial TeamPublished 2026-02-05Domain: Governance & RiskSource: Prove Identity

TL;DR: SMS-based one-time passcodes lack end-to-end encryption and remain vulnerable to SIM swap, phishing, and account takeover patterns that can also weaken newer passkey-only deployments, according to Prove Identity. Static, one-time authentication is no longer enough when fraud adapts across channels and sessions; continuous assurance is now the governance problem.


At a glance

What this is: This is a consumer identity and authentication analysis arguing that SMS OTPs and other legacy MFA patterns no longer provide durable assurance against modern fraud.

Why it matters: It matters because IAM teams responsible for consumer login, account recovery, and fraud reduction need controls that survive device change, phishing, and cross-channel takeover attempts.

By the numbers:

👉 Read Prove Identity's analysis of why SMS OTP is failing consumer authentication


Context

SMS OTP was designed as a low-friction step-up control, but it assumes the possession factor remains trustworthy long enough to matter. In consumer IAM, that assumption breaks when SIM swaps, phishing, and device replacement become the normal attack and recovery paths.

The deeper issue is not whether organisations are using MFA, but whether the authentication model still matches how users move across devices and channels. Continuous identity assurance is now the relevant governance question for consumer identity programmes, not whether a one-time code can still be made to work.


Key questions

Q: How should consumer IAM teams reduce reliance on SMS OTP without hurting conversion?

A: Replace SMS OTP as the default trust step with layered assurance that uses device state, carrier intelligence, and risk-based step-up only when needed. Keep friction low for known users, but make recovery and device change stricter than ordinary login. The goal is not more prompts, but stronger trust with fewer brittle checkpoints.

Q: Why do one-time passcodes fail in modern consumer authentication?

A: They fail because they prove access to a channel, not durable identity. SIM swaps, phishing, and device redirection can all break the assumption that the code reaches the intended user. Once the channel is compromised, the code becomes a weak signal rather than a meaningful identity control.

Q: What should organisations do when passkeys are deployed but account takeovers still occur?

A: Review recovery and device binding first, because those are common places where attackers reintroduce fraud. A passkey can be strong at login and still leave gaps in re-enrollment, recovery, and cross-channel trust. Organisations should measure whether every step in the identity lifecycle is protected, not just the authentication screen.

Q: Who is accountable when consumer authentication controls allow account takeover?

A: Accountability sits with the identity and fraud owners who define the assurance model, not just with the team that chose the login factor. If the organisation allows weak recovery, fragile channel trust, or unchecked device re-binding, then the control design failed across IAM, fraud, and product governance.


Technical breakdown

Why SMS OTP is brittle in consumer authentication

SMS one-time passcodes depend on a phone number and a message path that the organisation does not control end to end. That creates exposure to SIM swap attacks, interception, and social engineering, while also making the code itself a weak possession signal once an attacker can redirect the number or coerce the user. The problem is structural: OTPs prove access to a communications channel, not durable user presence or device trust. In modern IAM, that makes them easy to deploy and hard to trust.

Practical implication: Treat SMS OTP as a legacy fallback, not a primary trust anchor, for consumer account security.

How continuous identity assurance changes the authentication model

Continuous identity assurance shifts the question from 'did the user enter the right code?' to 'does the current session still match the trusted identity profile?' That means combining multiple signals such as device state, network context, carrier intelligence, and behavioural continuity across sessions. Instead of one brittle challenge, the system evaluates trust over time and can re-check when risk changes. This is especially relevant when users change devices or move between channels, where static MFA creates recovery gaps that attackers can exploit.

Practical implication: Build step-up logic around session risk and re-verification triggers, not around one-time login events.

Why passkeys still need layered identity signals

Passkeys reduce phishing exposure, but they do not eliminate fraud when attackers can trick users into binding a fraudulent key or when account recovery paths remain weak. A passkey is one strong signal, not a complete assurance model. If device trust, SIM ownership, and recovery controls are not aligned, attackers can still create a valid-looking session that is not a legitimate one. The lesson is that authentication strength depends on the full identity lifecycle, including re-binding and recovery.

Practical implication: Pair passkeys with recovery governance, device binding, and fraud checks rather than treating them as a standalone fix.


Threat narrative

Attacker objective: The attacker wants durable account access that survives the initial login and can be used for fraud, takeover, or recovery abuse.

  1. Entry begins with phishing, SIM swap abuse, or social engineering that redirects a consumer’s authentication channel away from the legitimate device.
  2. Escalation occurs when the attacker uses the compromised channel or a fraudulent passkey binding to satisfy a weak possession check and establish access.
  3. Impact follows as the attacker takes over the account, bypasses recovery friction, and can monetise the session through fraud or downstream abuse.
  • MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy MFA is now a trust maintenance problem, not a login problem. SMS OTP was designed for a world where the possession factor was stable enough to be reused as a checkpoint. That assumption fails when consumer identity moves across devices, carriers, and channels, because the channel itself becomes part of the attack surface. The implication is that consumer IAM must be judged on trust durability, not on whether a code was successfully delivered.

Cross-channel authentication creates a broader assurance surface than single-step MFA. Modern consumer journeys span onboarding, device change, recovery, and recurring login, and each step has different fraud pressure. A model that works at initial authentication can fail during re-binding or account recovery, which is where attackers often find the weakest process. Practitioners should evaluate identity assurance as a lifecycle control, not a point-in-time challenge.

Passkeys reduce one class of phishing, but they do not close the recovery gap. A fraudulent key can still become a valid credential if the binding process or downstream possession checks are weak. That makes recovery governance and device trust part of the authentication stack, not separate back-office concerns. Consumer IAM teams should treat account recovery as a privileged path that needs the same scrutiny as primary login.

Continuous verification is becoming the practical baseline for consumer fraud control. Static MFA can still slow an attacker, but it does not adapt when risk changes mid-session or when the user’s device state changes between events. This is why the category is moving toward layered identity assurance with carrier intelligence, device signals, and behavioural continuity. The practitioner conclusion is simple: one-time trust no longer matches how modern fraud operates.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
  • The lifecycle gap is broader than secrets alone, so start with the NHI Lifecycle Management Guide to connect rotation, offboarding, and visibility.

What this signals

Legacy MFA is converging with broader identity lifecycle problems. When authentication depends on a phone number, device, and carrier relationship, recovery and re-binding become governance events rather than simple support actions. That is why consumer IAM programmes increasingly need to align authentication policy with lifecycle controls and not just with login UX.

Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs, which is a reminder that identity assurance fails when governance is blind to the assets it depends on. The same visibility discipline applies in consumer IAM: if teams cannot see how trust is established, they cannot know when it has been weakened.

Consumer authentication is moving toward durable trust signals. Teams should expect more emphasis on device binding, carrier intelligence, and recovery governance, especially where fraud losses justify added controls. The practical signal to watch is whether your current step-up logic can still distinguish a real user change from a takeover attempt.


For practitioners

  • Reclassify SMS OTP as fallback authentication Move SMS codes out of the primary assurance path for high-risk consumer journeys such as account recovery, device change, and payment-related access. Use them only where risk is low and where alternative controls can absorb failure.
  • Map authentication controls to lifecycle events Review onboarding, login, device replacement, and recovery as separate trust events. Each step needs a distinct control profile, because the risk profile changes after the initial account creation.
  • Add possession intelligence to step-up decisions Combine carrier-based checks, device recognition, and contextual risk scoring so that step-up is triggered by a change in trust, not merely by the presence of a login attempt.
  • Harden account recovery like a privileged path Require stronger verification for recovery than for ordinary login, and make sure re-binding a device cannot happen solely through a channel an attacker can redirect.

Key takeaways

  • SMS OTP is no longer a reliable primary assurance control because attackers can attack the channel, the device, and the recovery path.
  • The evidence points to a broader lifecycle problem: static login controls fail when trust has to persist across devices, sessions, and channels.
  • Consumer IAM teams should move toward continuous verification, stronger recovery governance, and layered possession intelligence instead of depending on one-time codes.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Authentication and access control are central to the consumer MFA problem described here.
NIST SP 800-63SP 800-63BThe article is about authenticators, phishing resistance, and assurance in digital identity.
NIST Zero Trust (SP 800-207)Zero Trust reinforces continuous verification instead of one-time trust assumptions.
GDPRArt.32Consumer authentication and identity data protection can implicate security of processing obligations.

Review consumer login and recovery flows against PR.AC-1 and remove brittle single-signal trust decisions.


Key terms

  • continuous identity assurance: A model that evaluates trust across the full user journey instead of only at login. It combines device, channel, and behavioural signals so identity confidence can be refreshed when conditions change, which is especially important in consumer authentication and recovery flows.
  • sms otp: A one-time passcode delivered by text message as a possession-based authentication factor. It is simple to deploy but weak against SIM swap, interception, and phishing because it verifies channel access more than durable user identity.
  • device binding: The process of associating a trusted device or cryptographic credential with an identity so future sessions can be recognised with less friction. In consumer IAM, binding must be governed carefully because weak re-binding can become a takeover path.
  • account recovery: The set of controls used to restore access after a user loses a device, credential, or session. It is a high-risk identity workflow because attackers often target it after defeating ordinary login controls, so it should be treated as a privileged trust path.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • How its unified authentication flow binds identity across onboarding, device change, and login without forcing repeated code entry.
  • The specific carrier- and SIM-based checks used to decide when a silent step-up should occur.
  • The passkey-related fraud scenario and how the multi-layered challenge sequence is intended to stop it.
  • The customer-experience framing behind persistent trust and reduced recovery friction.

👉 The full Prove Identity post covers the unified authentication flow, passkey fraud scenario, and device re-binding logic.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-02-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org