
OTP authentication: are your controls still strong enough?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9059
Topic starter  

TL;DR: OTP authentication remains more secure than static passwords, but it is increasingly bypassed through SIM swapping, SS7 interception, and real-time phishing, according to iProov. For high-assurance access, the control problem is no longer code generation; it is whether the verification method can survive modern interception and relay attacks.

NHIMG editorial — based on content published by iProov: OTP authentication security risks and biometric alternatives

Questions worth separating out

Q: When should organisations stop using OTP for authentication?

A: Organisations should stop using OTP when the access decision is high consequence, the user journey is likely to be targeted by phishing, or the recovery flow is especially sensitive.

Q: Why do SIM swap attacks matter for IAM teams?

A: SIM swap attacks matter because they defeat SMS-based possession checks without breaking the authentication algorithm.

Q: What do security teams get wrong about app-based TOTP?

A: Teams often assume app-based TOTP is inherently phishing resistant because it is not sent over a mobile network.

Practitioner guidance

  • Reclassify OTP by risk tier: Use SMS or email OTP only for low-risk access paths where the business impact of account takeover is limited.
  • Remove OTP from recovery paths: Do not let an OTP channel become the way a user regains access after compromise.
  • Assume the channel can be compromised: Model SIM swap, mailbox takeover, and relay phishing as expected attack paths rather than edge cases.

What's in the full article

iProov's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step explanation of HOTP, TOTP, SMS OTP, email OTP, and hardware token differences for implementation teams
  • Attack walkthroughs for SIM swap, SS7 interception, and real-time adversary-in-the-middle phishing against OTP
  • Detailed comparison of OTP versus biometric face verification for onboarding, recovery, and high-risk re-authentication
  • Accessibility and user experience considerations tied to OTP and biometric verification choices

👉 Read iProov's analysis of OTP security risks and biometric alternatives →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8498
 

OTP is no longer a stable high-assurance factor because the delivery channel is easier to compromise than the code. SMS, email, and app-based OTP all depend on the assumption that the receiving channel remains trustworthy long enough for the user to read and enter the code. That assumption is now routinely broken by SIM swaps, mailbox compromise, and real-time phishing relays. For identity governance, the conclusion is blunt: a time-limited code does not equal a resilient trust boundary.

A few things that frame the scale:

A question worth separating out:

Q: How should security teams verify users for high-risk actions instead of OTP?

A: Use stronger methods that verify the person, not just possession of a code source. For high-risk actions, that usually means phishing-resistant authentication, robust liveness checks, and recovery flows that do not depend on the same device or inbox used during compromise.

👉 Read our full editorial: OTP authentication is losing ground in high-assurance access
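Both posts above make the same mechanical point: a TOTP verifier checks only the shared secret and the time step, never where the code was typed, so a code captured through a lookalike page and forwarded within the validity window verifies exactly like a legitimate one, whereas an origin-bound response does not. The following Python is added here as an illustration; it is not code from iProov or from the NHIMG editorial. It implements RFC 4226/6238 HOTP/TOTP verification with the usual clock-drift window and contrasts it with a deliberately simplified origin-bound challenge/response (an HMAC stand-in for a WebAuthn-style assertion, which in reality uses a public-key signature). The secret is the RFC test-vector key; the authenticator key, challenge and origin names are constructed for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce to the requested number of digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check. Accepts the current step and `window` steps either side
    to tolerate clock drift. Note what is NOT an input: where the code was typed."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def relayed_totp_accepted(secret: bytes, typed_at: int, forwarded_at: int) -> bool:
    """Models the relay case from the posts: the genuine code is produced at
    `typed_at` and presented to the real service at `forwarded_at`. The verifier
    cannot tell that the code passed through another party on the way."""
    code = totp(secret, typed_at)
    return verify_totp(secret, code, forwarded_at)


# --- Origin-bound challenge/response (simplified, constructed for this example) ---
# Phishing-resistant schemes such as FIDO2/WebAuthn have the authenticator sign the
# server's challenge together with the origin the browser actually loaded. A shared
# HMAC key stands in for the authenticator's key pair to keep this short.

def sign_challenge(key: bytes, challenge: bytes, seen_origin: str) -> str:
    """Authenticator side: the response covers the origin the client observed."""
    return hmac.new(key, seen_origin.encode() + b"|" + challenge, hashlib.sha256).hexdigest()


def verify_origin_bound(key: bytes, challenge: bytes, expected_origin: str, signature: str) -> bool:
    """Server side: recompute over its own origin; a response produced for any
    other origin (for example a lookalike domain) does not verify."""
    expected = sign_challenge(key, challenge, expected_origin)
    return hmac.compare_digest(expected, signature)


def relayed_assertion_accepted(key: bytes, challenge: bytes, real_origin: str, relay_origin: str) -> bool:
    """Same relay shape as above, but the response is bound to the origin seen."""
    signature = sign_challenge(key, challenge, relay_origin)
    return verify_origin_bound(key, challenge, real_origin, signature)


if __name__ == "__main__":
    SECRET = b"12345678901234567890"        # RFC 4226/6238 test-vector secret (demo key)
    KEY = b"constructed-authenticator-key"   # hypothetical key for the toy origin-bound scheme
    CHALLENGE = b"constructed-server-nonce"  # constructed challenge value
    print("TOTP forwarded 20 s later accepted: ", relayed_totp_accepted(SECRET, 1000, 1020))
    print("TOTP forwarded 100 s later accepted:", relayed_totp_accepted(SECRET, 1000, 1100))
    print("Origin-bound response via lookalike origin accepted:",
          relayed_assertion_accepted(KEY, CHALLENGE, "https://bank.example", "https://bank-login.example"))
    print("Origin-bound response from real origin accepted:   ",
          relayed_assertion_accepted(KEY, CHALLENGE, "https://bank.example", "https://bank.example"))
```

The drift window is the usual server-side setting, and it is also the budget a relay works within: anything forwarded inside it is indistinguishable from the user typing the code directly. The origin-bound variant fails on the lookalike origin not because of timing but because the response itself names where it was produced, which is the property the replies above describe as "verifying the person, not just possession of a code source".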
