TL;DR: OTP authentication remains more secure than static passwords, but it is increasingly bypassed through SIM swapping, SS7 interception, and real-time phishing, according to iProov. For high-assurance access, the control problem is no longer code generation; it is whether the verification method can survive modern interception and relay attacks.
NHIMG editorial — based on content published by iProov: OTP authentication security risks and biometric alternatives
Questions worth separating out
Q: When should organisations stop using OTP for authentication?
A: Organisations should stop using OTP when the access decision is high consequence, the user journey is likely to be targeted by phishing, or the recovery flow is especially sensitive.
Q: Why do SIM swap attacks matter for IAM teams?
A: SIM swap attacks matter because they defeat SMS-based possession checks without breaking the authentication algorithm. Once the carrier moves the victim's number to an attacker-controlled SIM, every SMS code is delivered to the attacker, so the "something you have" check no longer binds to the legitimate user, and the OTP itself is still generated and validated exactly as designed.
Q: What do security teams get wrong about app-based TOTP?
A: Teams often assume app-based TOTP is inherently phishing resistant because it is not sent over a mobile network. It is not: the code is a bearer value the user types into whatever page asks for it, so a real-time adversary-in-the-middle phishing page can forward it to the genuine service inside the code's validity window. Moving from SMS to an authenticator app removes the SIM swap and SS7 interception paths, but it does nothing against relay phishing.
Practitioner guidance
- Reclassify OTP by risk tier: use SMS or email OTP only for low-risk access paths where the business impact of account takeover is limited.
- Remove OTP from recovery paths: do not let an OTP channel become the way a user regains access after compromise.
- Assume the channel can be compromised: model SIM swap, mailbox takeover, and relay phishing as expected attack paths rather than edge cases.
What's in the full article
iProov's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step explanation of HOTP, TOTP, SMS OTP, email OTP, and hardware token differences for implementation teams
- Attack walkthroughs for SIM swap, SS7 interception, and real-time adversary-in-the-middle phishing against OTP
- Detailed comparison of OTP versus biometric face verification for onboarding, recovery, and high-risk re-authentication
- Accessibility and user experience considerations tied to OTP and biometric verification choices
👉 Read iProov's analysis of OTP security risks and biometric alternatives →
OTP authentication: are your controls still strong enough?