They create risk because the factor can be intercepted, shared, or relayed by an attacker, so it does not prove possession of a trusted device or a legitimate session. In regulated banking, that weakness becomes more serious when fraud reimbursement or liability shifts to the institution.
Why This Matters for Security Teams
SMS and email OTPs are often treated as “good enough” because they add a second step to login, but in regulated banking the real question is whether the factor resists interception, replay, and session relay under active attack. That bar is much higher than simple convenience-based authentication. NIST guidance on digital identity and the NIST Cybersecurity Framework 2.0 both push teams toward stronger, risk-based controls when account takeover can trigger direct financial loss.
The problem is not OTPs in isolation. The problem is that attackers now operate with phishing kits, proxy tooling, and social engineering workflows that can capture a one-time code and use it before the user realises anything is wrong. NHIMG research on non-human identity compromise shows how quickly exposed credentials are acted on in the wild, and that same attacker discipline applies to human-authentication abuse when the control is weak. See Top 10 NHI Issues and the Ultimate Guide to NHIs — Why NHI Security Matters Now for the broader identity-risk context.
In practice, many security teams encounter OTP abuse only after a fraud event has already moved from login to payment authorisation, rather than through intentional control testing.
How It Works in Practice
In regulated banking, OTP risk comes from the gap between “proof of access to a channel” and “proof of possession of a trusted authenticator.” SMS can be forwarded, SIM-swapped, intercepted through malware, or harvested through real-time phishing. Email OTPs are equally exposed when an attacker has mailbox access, compromised recovery settings, or can read forwarded mail. A one-time code is not bound to a device, a session, or a transaction unless the bank has explicitly engineered that binding.
Current guidance suggests stronger authentication should reduce reliance on reusable channels and move toward phishing-resistant methods such as cryptographic authenticators, device-bound tokens, or step-up approvals for higher-risk actions. The Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because banking teams often manage machine and human authentication with the same lifecycle blind spots: weak issuance, weak revocation, and weak monitoring. For human login flows, the same discipline applies.
- Bind authentication to a device or cryptographic key, not just a message delivered over a shared channel.
- Use risk signals such as device reputation, velocity, geography, and transaction context before step-up approval.
- Separate login authentication from payment confirmation so one stolen factor cannot authorise a high-value transfer.
- Detect relay patterns and impossible travel rather than assuming one-time use equals legitimacy.
Banking teams should also review how MFA enrollment is protected, because the weakest point is often the recovery path, not the primary login flow. These controls tend to break down in high-volume call-center environments where attackers can socially engineer reset workflows faster than fraud tooling can flag them.
Common Variations and Edge Cases
Tighter authentication often increases customer friction and support cost, so organisations must balance fraud reduction against abandonment and accessibility. That tradeoff is real, especially in retail banking where legitimate customers may still depend on SMS for device changes or travel scenarios. Best practice is evolving, and there is no universal standard that says every OTP must be removed immediately.
The edge cases matter. Some low-risk journeys may tolerate SMS as a backup channel, but regulated banking should avoid using it for account recovery, beneficiary changes, or payment approvals. Email OTPs can be acceptable in limited internal workflows, yet they become poor evidence of identity when mailbox compromise is plausible. NHIMG’s Ultimate Guide to NHIs — Regulatory and Audit Perspectives is relevant because auditors increasingly look for demonstrable control strength, not just the presence of a second factor. NIST’s identity guidance supports the same direction, and where banks operate cross-border, local payment and customer-authentication rules may impose additional constraints.
One NHIMG data point is especially useful for prioritisation: The 2024 ESG Report: Managing Non-Human Identities notes that 72% of organisations have experienced or suspect a breach of non-human identities, underscoring how quickly attackers exploit weak identity controls once a path is available. In banking, the equivalent lesson is that the channel chosen for OTP delivery should be treated as part of the attack surface, not as a trusted control by default.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | Supports stronger authentication than shared-channel OTPs. |
| NIST SP 800-63 | Digital identity guidance informs assurance level choices. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Weak credential lifecycle is the same control failure pattern. |
Use authenticator assurance guidance to phase out SMS and email OTP for sensitive banking actions.
Related resources from NHI Mgmt Group
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 6, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org