Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Consumer MFA vulnerabilities: what should identity teams change now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Prove’s analysis of 385,000 retroactive SMS and voice OTP transactions found 10% over non-fixed VoIP lines, 2.5% of mobile MFA transactions with low Trust Score, and 5% with low SIM tenure, with FinTech and e-commerce showing elevated fraud exposure. The lesson is that consumer MFA still depends on identity evidence quality, not just additional factors.

NHIMG editorial — based on content published by Prove Identity: New Study by Prove Unveils Large-Scale Consumer Multi-Factor Authentication Vulnerabilities

By the numbers:

Questions worth separating out

Q: How should security teams handle low-trust phone signals in consumer MFA?

A: Security teams should use phone intelligence, SIM tenure, and number-history checks to decide whether a challenge should proceed.

Q: Why do SMS and voice OTPs still fail against fraud?

A: They verify reachability, not identity confidence.

Q: What do fraud teams get wrong about MFA assurance?

A: They often treat a successful second factor as proof of legitimacy.

Practitioner guidance

  • Strengthen phone trust before OTP delivery Use line-type, number-history, and SIM-tenure checks to decide whether a challenge should be issued at all.
  • Flag non-fixed VoIP as a high-risk channel Route non-fixed VoIP transactions into step-up paths or alternate verification when the account value or fraud exposure is material.
  • Link recovery events to authentication risk Increase scrutiny after phone number changes, SIM swaps, or enrolment updates because those events can precede OTP abuse.

What's in the full report

Prove Identity's full analysis covers the operational detail this post intentionally leaves for the source:

  • Breakdown of how Trust Score was applied across SMS and voice OTP transactions
  • Sector-specific risk findings for FinTech and e-commerce during holiday fraud exposure
  • The relationship between SIM tenure, non-fixed VoIP lines, and low-trust authentication events
  • Context on Prove’s acquisition and integration of MFA capabilities into its platform

👉 Read Prove Identity’s analysis of consumer MFA vulnerabilities and fraud risk →

Consumer MFA vulnerabilities: what should identity teams change now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Consumer MFA depends on trust in the identity signal, not just the second factor: OTP success does not mean the user is legitimate when the phone number, SIM, or line type is weak. Non-fixed VoIP and recently swapped SIMs show that the authentication event can be technically valid while the identity assurance is not. Practitioners should treat phone trust as a first-class control surface, not a supporting detail.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Another finding shows that 91.6% of secrets remain valid five days after the targeted organisation is notified, which is why remediation speed matters in identity programmes.

A question worth separating out:

Q: When should organisations step up beyond SMS-based verification?

A: They should step up whenever the contact channel has short SIM tenure, unusual line type, recent number changes, or other signs of weak trust. Those conditions indicate that the authentication path is fragile and may not support high-value or high-risk transactions.

👉 Read our full editorial: Consumer MFA vulnerabilities expose the limits of trust signals



   
ReplyQuote
Share: