TL;DR: Kenyan enterprises are moving from static 2FA to context-aware MFA as SIM swap fraud, real-time phishing kits, and credential stuffing make SMS OTP controls increasingly fragile, according to eMudhra. The shift matters because identity assurance now has to adapt to device posture, location, and login risk rather than rely on a single second factor.
NHIMG editorial — based on content published by eMudhra: Kenyan enterprises are shifting from 2FA to MFA to prevent SIM swap, phishing, and fraud
By the numbers:
- A 2023 Serianu report found SMS-based OTPs among the top stolen credentials in East African breaches.
- In 2022, Communications Authority of Kenya recorded over 370,000 mobile-related cybercrime reports, many involving SMS interception.
Questions worth separating out
Q: How should organisations replace SMS OTP without breaking user access?
A: Start with the highest-risk journeys first, such as banking, administrative access, and recovery flows.
Q: Why do static 2FA controls fail against SIM swap and phishing attacks?
A: Static 2FA assumes the second factor remains under the user’s control and arrives through a trustworthy channel.
Q: What do security teams get wrong about context-aware MFA?
A: They often treat MFA as a user-friction problem instead of a risk decision engine.
Practitioner guidance
- Phase out SMS OTP for high-risk access paths Move banking, admin, and customer account flows to stronger factors such as push approval, device-bound authentication, or biometrics where appropriate.
- Adopt risk-based step-up policies Use device fingerprinting, location, and behavioural baselines to decide when a login should trigger additional verification.
- Retain MFA events in audit-ready logs Record step-up prompts, successful challenges, trusted devices, and denied sessions in a form that can be correlated with IAM and SIEM records.
What's in the full article
eMudhra's full article covers the implementation detail this post intentionally leaves for the source:
- Biometric MFA deployment examples for banks, government portals, and high-trust networks.
- Context-aware policy design that uses device posture, location, and access history to trigger step-up authentication.
- Integration patterns for Active Directory, Azure AD, cloud platforms, and on-prem applications.
- Compliance reporting details for Kenya's Data Protection Act, ISO 27001, and related audit needs.
👉 Read eMudhra's analysis of the shift from 2FA to context-aware MFA in Kenya →
Kenyan MFA adoption: is static 2FA still enough for fraud risk?
Explore further
Static second-factor trust is the wrong assumption for mobile-first fraud environments: 2FA was designed for a world where the second factor was hard to intercept and the login channel was relatively stable. That assumption fails when SIM swap fraud, phishing-as-a-service kits, and credential stuffing can all compromise the same authentication path. The implication is that factor count alone is no longer a sufficient security measure.
Context-aware authentication is becoming the practical bridge between fraud control and identity governance: organisations that still treat MFA as a static checkbox will struggle to explain why a login should be trusted when the channel itself is under attack. For teams modernising access controls, the next step is to align authentication strength with application risk, not user convenience.
A question worth separating out:
Q: Who is accountable when an organisation leaves SMS OTP in place for high-risk accounts?
A: Accountability sits with the identity, fraud, and security owners who approved the control baseline. If the organisation knowingly keeps a weak second factor in a high-risk flow, auditors will treat that as a governance choice, not a technical limitation.
👉 Read our full editorial: Context-aware MFA is replacing static 2FA in Kenyan enterprises