Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Legacy MFA and SMS OTPs: what consumer IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: SMS-based one-time passcodes lack end-to-end encryption and remain vulnerable to SIM swap, phishing, and account takeover patterns that can also weaken newer passkey-only deployments, according to Prove Identity. Static, one-time authentication is no longer enough when fraud adapts across channels and sessions; continuous assurance is now the governance problem.

NHIMG editorial — based on content published by Prove Identity: The Death of the OTP: Why Legacy MFA is Failing the Modern Consumer

By the numbers:

Questions worth separating out

Q: How should consumer IAM teams reduce reliance on SMS OTP without hurting conversion?

A: Replace SMS OTP as the default trust step with layered assurance that uses device state, carrier intelligence, and risk-based step-up only when needed.

Q: Why do one-time passcodes fail in modern consumer authentication?

A: They fail because they prove access to a channel, not durable identity.

Q: What should organisations do when passkeys are deployed but account takeovers still occur?

A: Review recovery and device binding first, because those are common places where attackers reintroduce fraud.

Practitioner guidance

  • Reclassify SMS OTP as fallback authentication Move SMS codes out of the primary assurance path for high-risk consumer journeys such as account recovery, device change, and payment-related access.
  • Map authentication controls to lifecycle events Review onboarding, login, device replacement, and recovery as separate trust events.
  • Add possession intelligence to step-up decisions Combine carrier-based checks, device recognition, and contextual risk scoring so that step-up is triggered by a change in trust, not merely by the presence of a login attempt.

What's in the full article

Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:

  • How its unified authentication flow binds identity across onboarding, device change, and login without forcing repeated code entry.
  • The specific carrier- and SIM-based checks used to decide when a silent step-up should occur.
  • The passkey-related fraud scenario and how the multi-layered challenge sequence is intended to stop it.
  • The customer-experience framing behind persistent trust and reduced recovery friction.

👉 Read Prove Identity's analysis of why SMS OTP is failing consumer authentication →

Legacy MFA and SMS OTPs: what consumer IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Legacy MFA is now a trust maintenance problem, not a login problem. SMS OTP was designed for a world where the possession factor was stable enough to be reused as a checkpoint. That assumption fails when consumer identity moves across devices, carriers, and channels, because the channel itself becomes part of the attack surface. The implication is that consumer IAM must be judged on trust durability, not on whether a code was successfully delivered.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: Who is accountable when consumer authentication controls allow account takeover?

A: Accountability sits with the identity and fraud owners who define the assurance model, not just with the team that chose the login factor. If the organisation allows weak recovery, fragile channel trust, or unchecked device re-binding, then the control design failed across IAM, fraud, and product governance.

👉 Read our full editorial: SMS OTP is failing consumer identity assurance in modern MFA



   
ReplyQuote
Share: