SMS and email one-time passwords are vulnerable because attackers can intercept or redirect the delivery channel through SIM swapping, mailbox compromise, or live proxy phishing. The issue is not whether the code is random. The issue is whether the attacker can capture it before it is used. For high-value access, that answer is often yes.
Why This Matters for Security Teams
SMS and email one-time passwords are still widely used because they are easy to deploy, but that convenience masks a structural weakness: the second factor is only as strong as the delivery path. If an attacker can take over a phone number, intercept email, or proxy the login flow in real time, the OTP becomes a speed bump rather than an access control. That is why guidance from the NIST Cybersecurity Framework 2.0 pushes teams toward stronger identity assurance for higher-risk access paths.
For enterprise environments, this matters most where the target is not consumer convenience but privileged access, remote administration, or high-value SaaS. A short-lived code does not solve channel compromise, and it does not prevent live phishing kits from relaying the session. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now frames the broader pattern well: identity risk grows faster than most organisations’ ability to govern it. In practice, many security teams discover OTP weakness only after an account takeover, not through intentional control testing.
How It Works in Practice
The failure mode is not that the OTP itself is predictable. The failure mode is that the delivery channel is often easier to compromise than the account being protected. SMS can be redirected through SIM swap, number port-out abuse, or SS7 weaknesses, or simply read off the handset by malware on the endpoint. Email OTPs are even more exposed when the mailbox is already a primary authentication factor, because mailbox compromise turns the “second factor” into a second copy of the same trust boundary.
Current guidance suggests treating OTPs as step-up signals for low-risk actions, not as the sole control for access to sensitive systems. For higher assurance, use phishing-resistant authentication such as FIDO2/WebAuthn, device-bound credentials, or certificate-backed access where appropriate. The OWASP Non-Human Identity Top 10 is useful here because it reflects a broader identity principle: secrets and tokens should not live in channels that can be replayed or intercepted.
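The two failure modes above can be shown side by side. The following is an added example, not code from the original page or from NHIMG: a small OTP verifier that does everything right (random code, short TTL, single use, constant-time compare) is still defeated by a live proxy that relays the captured code inside the window, while a credential whose signature covers the origin the browser actually saw is not. The `OtpService` and `OriginBoundCredential` classes, the `OTP_TTL_SECONDS` value and the example domains are assumptions made for illustration; the origin-bound credential uses an HMAC as a stand-in for a WebAuthn authenticator's public-key signature, so the same key sits on both sides here purely to keep the example self-contained.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 60  # assumed code lifetime; short, but the relay is faster


class OtpService:
    """Hypothetical server side of an SMS/email OTP flow.

    Codes are random, expire after OTP_TTL_SECONDS and are consumed exactly once.
    None of that helps when the attacker obtains the code before the user submits it.
    """

    def __init__(self, now=time.time):
        self._now = now              # injectable clock so expiry can be exercised offline
        self._pending = {}           # user -> (code_hash, issued_at)

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (self._hash(user, code), self._now())
        return code                  # handed to the SMS/email channel, which is the weak point

    def verify(self, user, code):
        entry = self._pending.get(user)
        if entry is None:
            return False
        code_hash, issued_at = entry
        if self._now() - issued_at > OTP_TTL_SECONDS:
            del self._pending[user]  # expired codes are discarded, not retried
            return False
        ok = hmac.compare_digest(code_hash, self._hash(user, code))
        if ok:
            del self._pending[user]  # single use: a replay after a successful use fails
        return ok

    @staticmethod
    def _hash(user, code):
        return hashlib.sha256(f"{user}:{code}".encode()).hexdigest()


def otp_relay_attack():
    """Live proxy phishing against a correct OTP verifier.

    The victim types the genuine code into the attacker's lookalike page; the
    attacker submits it to the real service first. Returns (attacker_ok, victim_ok).
    """
    svc = OtpService()
    code = svc.issue("alice")                   # delivered to Alice's phone (constructed scenario)
    captured = code                             # Alice enters it on the proxy page
    attacker_ok = svc.verify("alice", captured)  # relayed well inside the TTL -> accepted
    victim_ok = svc.verify("alice", code)       # the real user is now second -> rejected
    return attacker_ok, victim_ok


class OriginBoundCredential:
    """Simplified model of a phishing-resistant (WebAuthn-style) credential.

    The signature covers the server challenge AND the origin the browser observed.
    Assumption for illustration: an HMAC with a device-bound key stands in for the
    authenticator's asymmetric signature; a real relying party verifies a public key.
    """

    def __init__(self):
        self._key = secrets.token_bytes(32)      # never leaves the authenticator

    def assert_(self, challenge, browser_origin):
        msg = challenge + b"|" + browser_origin.encode()
        return browser_origin, hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, challenge, expected_origin, assertion):
        origin, sig = assertion
        if origin != expected_origin:
            return False                         # signed for the proxy's domain, not ours
        msg = challenge + b"|" + origin.encode()
        return hmac.compare_digest(sig, hmac.new(self._key, msg, hashlib.sha256).digest())


def origin_bound_relay_attack():
    """Same proxy, origin-bound credential. Returns (attacker_ok, victim_ok)."""
    cred = OriginBoundCredential()
    real_origin = "https://login.example.test"           # assumed relying-party origin
    proxy_origin = "https://login.example-c0m.test"      # assumed lookalike domain
    challenge = secrets.token_bytes(32)                  # issued by the real site, relayed by the proxy
    relayed = cred.assert_(challenge, proxy_origin)      # victim's browser is on the proxy
    attacker_ok = cred.verify(challenge, real_origin, relayed)
    legit = cred.assert_(challenge, real_origin)         # a direct login from the real origin
    victim_ok = cred.verify(challenge, real_origin, legit)
    return attacker_ok, victim_ok


if __name__ == "__main__":
    print("OTP  (attacker, victim):", otp_relay_attack())
    print("FIDO (attacker, victim):", origin_bound_relay_attack())
```

Note that the OTP service never misbehaves: the attacker wins only because the channel delivered the secret to a party who could submit it first. Shortening `OTP_TTL_SECONDS` does not change the outcome, which is the point the section makes about short-lived codes.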
Operationally, teams should map access by risk tier:
- Low-risk user actions may tolerate OTP as a temporary control.
- Privileged admin access should require phishing-resistant MFA and conditional access.
- Session reauthentication should be triggered by device change, geo-velocity, or impossible travel.
- Recovery flows must be stronger than the login flow, or attackers will bypass the stronger control through account reset.
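The four tiering rules above can be expressed as a small policy evaluator. This is an added example, not code from the original page or from NHIMG. It assigns each authentication method an assurance level, requires a minimum level per access tier, forces reauthentication on device change or impossible travel (computed from the great-circle distance and time between two logins), and checks that a recovery path is not weaker than the login it resets. The `METHOD_STRENGTH` and `REQUIRED_STRENGTH` tables, the 900 km/h plausibility threshold, the `LoginEvent` fields and the sample coordinates are all assumptions for illustration.

```python
import math
from dataclasses import dataclass

# Assumed assurance levels: phishing-resistant methods rank highest (AAL-like ordering).
METHOD_STRENGTH = {
    "password": 0,
    "sms_otp": 1,
    "email_otp": 1,
    "totp_app": 2,
    "fido2": 3,
    "client_cert": 3,
}

# Assumed minimum assurance per access tier; privileged admin demands phishing resistance.
REQUIRED_STRENGTH = {
    "low": 1,
    "high_value_saas": 2,
    "privileged_admin": 3,
}

MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling on realistic travel speed between logins


@dataclass
class LoginEvent:
    user: str
    ts: float        # epoch seconds
    lat: float
    lon: float
    device_id: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 coordinates."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(previous, current):
    """True when the implied speed between two logins exceeds MAX_PLAUSIBLE_KMH."""
    dist_km = haversine_km(previous.lat, previous.lon, current.lat, current.lon)
    elapsed_h = max((current.ts - previous.ts) / 3600.0, 1e-6)  # guard against zero/negative gaps
    return dist_km / elapsed_h > MAX_PLAUSIBLE_KMH


def strength(methods):
    """Assurance of a login is the strongest method actually presented."""
    return max(METHOD_STRENGTH[m] for m in methods)


def evaluate(tier, methods, previous, current):
    """Return 'deny', 'reauth' or 'allow' for an access request.

    Assurance is checked first; session-risk signals (device change, impossible
    travel) are evaluated against the previous login only when one exists.
    """
    if tier not in REQUIRED_STRENGTH:
        raise ValueError(f"unknown tier {tier!r}")
    if strength(methods) < REQUIRED_STRENGTH[tier]:
        return "deny"          # e.g. SMS OTP presented for privileged admin access
    if previous is not None:
        if current.device_id != previous.device_id or impossible_travel(previous, current):
            return "reauth"    # step-up rather than silent continuation
    return "allow"


def recovery_path_is_weaker(login_methods, recovery_methods):
    """The bypass the guidance warns about: a reset flow weaker than the login it resets."""
    return strength(recovery_methods) < strength(login_methods)


if __name__ == "__main__":
    # Constructed sample: London, then New York two hours later on the same device.
    first = LoginEvent("alice", 0.0, 51.5074, -0.1278, "laptop-1")
    second = LoginEvent("alice", 7200.0, 40.7128, -74.0060, "laptop-1")
    print("low tier, SMS OTP, impossible travel:", evaluate("low", ["password", "sms_otp"], first, second))
    print("admin tier, SMS OTP:", evaluate("privileged_admin", ["password", "sms_otp"], None, first))
    print("FIDO2 login with email-OTP recovery is weaker:",
          recovery_path_is_weaker(["password", "fido2"], ["email_otp"]))
```

The recovery check is worth wiring into change control for help-desk procedures, since that is where the page notes these controls tend to break: a FIDO2 login protected by an email-OTP reset is, in practice, an email-OTP login.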
NHIMG’s Top 10 NHI Issues also reinforces a useful analogy: short-lived artifacts still fail when the surrounding identity lifecycle is weak. These controls tend to break down in remote-first enterprises with legacy help desk recovery paths because attackers target the human and process layer rather than the code itself.
Common Variations and Edge Cases
Tighter authentication often increases user friction and support cost, so organisations have to balance assurance against operational disruption. That tradeoff is real, but it should not be used to justify weak methods for privileged access. Best practice is evolving, and there is no universal standard for exactly when OTP must be retired, but current guidance is clear that risk should drive the choice.
Some environments still rely on SMS or email OTP because they must support mixed device fleets, third-party contractors, or recovery scenarios where phishing-resistant methods are not yet universal. In those cases, OTP can remain a transitional control if it is paired with device posture checks, anomaly detection, and strict recovery verification. A useful rule is to avoid treating OTP as proof of possession when the possession channel itself is externally reachable or easily reset.
For enterprise governance, the practical question is not “Is OTP random?” but “Can the attacker intercept, redirect, or replay it before expiry?” NHIMG’s 52 NHI Breaches Analysis shows how often identity failures become incident multipliers once credentials or tokens are exposed, and the same logic applies to OTP-based access. For higher-risk systems, the safer path is to move to phishing-resistant MFA and reduce reliance on channel trust altogether.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI4:2025 Insecure Authentication | Covers weak or deprecated authentication methods, which mirrors OTP interception risk. |
| NIST CSF 2.0 | PR.AA-02, PR.AA-03 | Identity proofing and authentication strength are central to this access-risk question. |
| NIST AI RMF | | Risk management guidance applies to choosing authentication based on impact and likelihood. |
Replace replayable OTP reliance with phishing-resistant, short-lived, and channel-safe authentication.
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org