Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why do passwords and OTPs still create risk…
Governance, Ownership & Risk

Why do passwords and OTPs still create risk in regulated environments?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 11, 2026 Domain: Governance, Ownership & Risk

Passwords and OTPs remain risky because they can be stolen, phished, replayed, or bypassed through recovery flows and inconsistent enforcement. In regulated environments, the issue is not only account compromise. It is also the inability to prove that every high-risk access path uses a method strong enough for the threat model.

Why This Matters for Security Teams

Passwords and OTPs are still common because they are familiar, widely supported, and easy to deploy. The problem is that they are weak proof of identity in high-risk environments. A password can be phished, reused, or reset through a weaker recovery path, while an OTP can be intercepted, replayed, or approved in a rushed social-engineering moment. For regulated access, the question is not just whether a login works, but whether the organisation can prove the path was strong enough for the data, system, and risk tier involved. NIST’s Cybersecurity Framework 2.0 reinforces that identity assurance must be tied to risk, not convenience alone.

NHI Management Group’s Ultimate Guide to NHIs — Why NHI Security Matters Now shows how credential exposure becomes systemic when organisations rely on reusable secrets and inconsistent controls. The same pattern applies to human authentication when regulatory pressure demands stronger evidence of access assurance. In practice, many security teams discover that “MFA enabled” did not mean “safe enough” only after a fraudulent login, recovery-flow abuse, or audit finding has already occurred, rather than through intentional design.

How It Works in Practice

In regulated environments, passwords and OTPs should be treated as baseline controls, not final proof of trust. Stronger programmes layer them with phishing-resistant authenticators, risk-based step-up checks, device binding, session controls, and strict recovery governance. Current guidance suggests that the highest-risk systems should move toward authentication methods that are harder to replay or proxy, especially where privileged access, financial data, or safety-critical workflows are involved. The issue is not that passwords and OTPs are always useless; it is that they are too easy to defeat when an attacker targets the surrounding process.

Operationally, teams should map each access path to the assurance level it actually delivers. That means reviewing enrollment, password reset, account recovery, helpdesk overrides, and administrative bypasses as part of the control design. The Top 10 NHI Issues highlights a broader identity reality: weak lifecycle controls and excess trust create exposure long after initial setup. Even though that research focuses on NHIs, the lesson transfers cleanly to regulated human access, where one weak exception can undermine an otherwise strong policy.

  • Use phishing-resistant MFA for privileged and regulated access where feasible.
  • Reduce reliance on SMS OTPs and knowledge-based recovery questions.
  • Treat recovery flows as high-risk access paths requiring separate approval.
  • Log and review overrides, resets, and failed challenge attempts.
  • Align authentication strength to data sensitivity, not user convenience.

For audit readiness, tie controls to documented policy and evidence, not just product settings. The Ultimate Guide to NHIs — Regulatory and Audit Perspectives is useful here because it reflects the same evidence problem: regulators want demonstrable control operation, not assumed coverage. These controls tend to break down in large enterprises with delegated IT support and multiple identity providers because recovery workflows drift faster than policy enforcement.

Common Variations and Edge Cases

Tighter authentication often increases user friction and support overhead, requiring organisations to balance assurance against operational continuity. That tradeoff is real in regulated environments, especially where contractors, legacy applications, or emergency access processes still depend on passwords and OTPs. Best practice is evolving, and there is no universal standard for every system yet.

Some environments can phase out password reliance for privileged workflows, while others must keep it for compatibility and add compensating controls such as device attestation, conditional access, or out-of-band approval. OTPs are also not all equal: app-based or hardware-backed factors generally provide better resistance than SMS, but they still do not eliminate replay risk or social engineering when the user is tricked into sharing a code. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs underscores a useful principle: controls only hold when their full lifecycle, including issuance, use, and revocation, is actually enforced.

In regulated programmes, the most common edge case is emergency access. Break-glass accounts often retain weaker authentication so operations can continue, but that exception must be tightly monitored, time-bound, and reviewed after every use. Another edge case is third-party support, where external vendors may inherit weaker identity practices than the regulated organisation itself. In those situations, passwords and OTPs become risk multipliers because they are easy to share, reuse, or bypass under pressure.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack surface, NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the technical controls, and NIS2 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Identity proofing and access control hinge on how credentials are issued and used.
NIST SP 800-63AAL2AAL guidance explains why passwords and basic OTPs may not be enough for sensitive access.
OWASP Non-Human Identity Top 10NHI-03Weak credential lifecycle handling creates the same exposure pattern seen with passwords and OTPs.
NIST AI RMFAI RMF supports risk-based governance for authentication decisions and exception handling.
NIS2NIS2 raises the bar for demonstrable access security in essential and important entities.

Use AI RMF risk practices to document auth exceptions, recovery flow risks, and compensating controls.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org