Organisations should stop using OTP when the access decision is high consequence, the user journey is likely to be targeted by phishing, or the recovery flow is especially sensitive. OTP can still reduce friction for low-risk use cases, but it should not be the primary control for privileged access, payment approval, or account recovery.
Why This Matters for Security Teams
OTP is still widely used because it is easy to deploy and easy for users to understand, but those strengths become liabilities when the decision being protected is high consequence. Phishing kits, adversary-in-the-middle attacks, and push fatigue have made one-time codes a weak last line of defence for privileged access, payment approval, and account recovery. Current guidance from NIST Cybersecurity Framework 2.0 pushes teams toward risk-based, outcome-driven controls rather than assuming that a second factor is automatically strong.
The practical issue is not whether OTP ever works, but whether it still matches the threat model. For low-risk sessions, OTP may reduce friction without materially changing exposure. For sensitive workflows, however, a phished code can become a direct path to takeover, especially when recovery channels are weaker than the primary login. NHI Management Group’s research on the Ultimate Guide to NHIs shows how identity controls fail when credentials and recovery paths are not governed as rigorously as the accounts themselves. In practice, many security teams discover OTP’s limitations only after a phishing-led account takeover or payment fraud event has already occurred, rather than through intentional control review.
How It Works in Practice
The most defensible way to retire OTP is to classify where it is still acceptable and where it is no longer fit for purpose. OTP can remain as a step-up check for low-risk consumer access, but for privileged administration, funds movement, and sensitive recovery actions, organisations should move to phishing-resistant authentication such as FIDO2/WebAuthn, device-bound cryptographic authenticators, or tightly controlled recovery workflows. The control decision should be based on the transaction, not just the user.
That usually means pairing identity assurance with runtime context: device posture, geolocation anomalies, session age, and whether the action is destructive, financial, or administrative. This is consistent with the direction of NIST Cybersecurity Framework 2.0, which emphasises governance and risk treatment across the identity lifecycle. OTP should also be removed from account recovery where possible, because recovery is often the easiest way to bypass stronger primary authentication.
- Use OTP only for low-consequence access where the blast radius is limited.
- Replace OTP for privileged access with phishing-resistant MFA and stronger session controls.
- Treat recovery flows as high-risk and require separate, audited verification.
- Shorten code validity and limit reuse, but do not assume shorter TTL alone makes OTP safe.
- Review whether shared service accounts or administrative accounts still rely on OTP-based step-up.
NHI Management Group’s Schneider Electric credentials breach coverage illustrates how credential exposure can cascade when identity proofing is weaker than the sensitivity of the action being approved. These controls tend to break down when legacy SSO, outsourced support, or recovery desk processes still depend on SMS or email OTP because those channels are easier to intercept or socially engineer.
Common Variations and Edge Cases
Tighter authentication often increases user friction and support overhead, so organisations must balance resistance to phishing against operational cost and adoption risk. Best practice is evolving, but there is no universal standard for the exact cutoff where OTP becomes unacceptable; the right answer depends on consequence, exposure, and available alternatives.
Some environments still keep OTP for a transition period because they cannot replace every legacy app at once. That is defensible only if OTP is not used for privileged action and is wrapped in compensating controls such as device binding, step-up review, and strict recovery governance. In regulated workflows, a single OTP may be acceptable as an auxiliary signal, but it should not be treated as sole proof of identity for approval or reset. Email OTP is usually the weakest variant because the mailbox often becomes the real target.
For organisations with shared admin consoles, call-centre assisted recovery, or third-party support access, the decision to stop using OTP should happen sooner, not later. Those environments amplify social engineering risk and make revocation harder to control. When the organisation cannot reliably distinguish a legitimate user from a convincing attacker at the moment of authentication, OTP has already outlived its usefulness.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access control should match the sensitivity of the action. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived credentials and recovery paths are central to reducing OTP dependence. |
| NIST AI RMF | Risk-based authentication decisions align with AI RMF governance and measurement. |
Use risk-informed governance to retire OTP where it cannot resist realistic attack paths.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
