TL;DR: OTP, SMS MFA, and push-based approvals are increasingly bypassed by real-time phishing proxies, SIM swap attacks, and MFA fatigue, while FIDO2 and passkeys use cryptographic binding to stop replay and domain misuse, according to eMudhra. The governance shift is clear: authentication must move from shared-secret trust to device-bound verification or the control remains easy to trick.
NHIMG editorial — based on content published by eMudhra: Phishing-resistant MFA is replacing OTP and SMS as the baseline for secure authentication
Questions worth separating out
Q: How should security teams phase out OTP and SMS MFA?
A: Start with privileged accounts, remote administrators, and applications that expose regulated or sensitive data.
Q: Why do push-based MFA prompts still create account takeover risk?
A: Push prompts can be abused through MFA fatigue, where repeated requests pressure users into approving a login they did not initiate.
Q: What do organisations get wrong about phishing-resistant MFA?
A: Many teams treat it as a technical add-on rather than a change in authentication trust.
Practitioner guidance
- Prioritise privileged accounts for phishing-resistant MFA Move administrators, help desk staff, and other high-impact users to FIDO2 or passkeys first.
- Retire SMS MFA on high-risk access paths Replace SMS and OTP where account takeover would materially affect production systems, regulated data, or privileged administration.
- Use number-matching as a temporary hardening layer Deploy number-matching and contextual prompts while migration work is underway, but set a firm retirement date.
What's in the full article
eMudhra's full article covers the operational detail this post intentionally leaves for the source:
- How FIDO2 and passkey authentication differ from OTP in day-to-day deployment decisions
- Why privileged users should be migrated before general users in a phased authentication rollout
- What number-matching and context-aware prompts can and cannot do during the transition period
- How SecurePass positions phishing-resistant MFA for regulated enterprise environments
👉 Read eMudhra's analysis of why phishing-resistant MFA is replacing OTP and SMS →
OTP and SMS MFA are failing: what should IAM teams change now?
Explore further
Phishing-resistant MFA is now the minimum viable control for human identity assurance. OTP and SMS were built for a login world where the channel could be trusted long enough for a code to arrive and be used. That assumption no longer holds when attackers intercept the session in real time or redirect the delivery path. The implication is that identity programmes need to stop treating code-based MFA as a durable trust layer and reclassify it as an interim control only.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who should be accountable for MFA modernisation in identity programmes?
A: Accountability should sit with IAM, security architecture, and application owners together. IAM owns the authentication standard, security architecture defines the risk threshold, and application owners ensure their systems can support device-bound methods. If responsibility is fragmented, old MFA methods stay in place longer than they should.
👉 Read our full editorial: Phishing-resistant MFA is now the baseline for human identity