Subscribe to the Non-Human & AI Identity Journal
Home FAQ Governance, Ownership & Risk Why is SMS not a durable long-term MFA…
Governance, Ownership & Risk

Why is SMS not a durable long-term MFA strategy for healthcare identity?

← Back to all FAQ
By NHI Mgmt Group Editorial Team Updated July 10, 2026 Domain: Governance, Ownership & Risk

SMS is better than password-only access, but it remains vulnerable to interception, SIM swap, and social engineering. In healthcare, that weakness matters because compromise can expose ePHI at scale. Treat SMS as a transitional option and plan a move toward passkeys or hardware security keys for higher-risk access.

Why This Matters for Security Teams

SMS is often chosen because it is available, familiar, and easy to deploy, but those same traits make it a weak long-term control for healthcare identity. It depends on a phone number, carrier routing, and user behaviour that attackers can manipulate through SIM swap, message interception, or social engineering. For healthcare, that is not just an inconvenience. It can become a pathway to ePHI exposure, account takeover, and lateral movement across clinical and administrative systems.

The risk is especially concerning when SMS is treated as a default rather than a bridge. NIST Cybersecurity Framework 2.0 emphasizes resilient identity and access practices, and NHIMG research shows why durability matters: the Ultimate Guide to NHIs notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which is a reminder that weak identity controls tend to fail broadly, not in isolation.

In practice, many security teams discover SMS weakness only after a phishing or carrier takeover has already turned a routine login into an incident.

How It Works in Practice

For healthcare identity, the practical question is not whether SMS is better than passwords alone. It is whether SMS can remain trustworthy under real attack conditions, repeated access, and high consequence workflows. Current guidance suggests it should not be treated as a durable long-term MFA factor for privileged staff, remote access, or systems that can expose sensitive patient data. The issue is that SMS proves possession of a phone number, not strong cryptographic possession of a device or key.

Safer alternatives align better with both user experience and resilience. Passkeys, FIDO2 hardware security keys, and platform authenticators reduce reliance on carrier networks and are harder to phish. For higher-risk access, a healthcare program should pair stronger authentication with conditional access, device posture checks, and step-up verification for unusual behaviour. The NIST Cybersecurity Framework 2.0 supports this kind of risk-based approach, while NHIMG’s Top 10 NHI Issues underscores how identity weaknesses compound when credentials are reused, overexposed, or difficult to revoke.

  • Use SMS only as a transitional factor where stronger methods are not yet available.
  • Prioritize passkeys or hardware keys for clinicians, admins, and remote support staff.
  • Apply step-up authentication when access patterns change or risk increases.
  • Review recovery flows, because password reset and phone replacement are common attack paths.

These controls tend to break down in environments that still rely on shared accounts, legacy EHR integrations, or outsourced support desks because recovery and exception handling become the weakest link.

Common Variations and Edge Cases

Tighter authentication often increases rollout cost and support overhead, requiring organisations to balance stronger assurance against clinical workflow friction. That tradeoff is real in healthcare, where emergency access, on-call rotation, and device loss create genuine operational exceptions.

There is no universal standard for this yet, but current guidance suggests SMS may still have a temporary role for low-risk user populations, account recovery in constrained environments, or phased migration programs where alternatives are not fully deployed. Even then, it should be time-bound and closely monitored. A strong approach is to reserve SMS for transitional use while accelerating enrollment in phishing-resistant MFA, especially for accounts that can access ePHI, billing systems, or identity administration.

NHIMG research also shows why “temporary” controls deserve scrutiny: only Ultimate Guide to NHIs reports that 71% of NHIs are not rotated within recommended time frames, which illustrates how organisations often keep weak mechanisms far longer than intended. When authentication recovery, help desk processes, and privileged access all depend on SMS, the system becomes harder to secure over time, not easier.

For healthcare, the best long-term posture is to treat SMS as a migration aid, not an endpoint.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AAIdentity assurance and access control are central to replacing SMS with stronger MFA.
OWASP Non-Human Identity Top 10NHI-01Weak authentication and recovery paths increase credential compromise risk.
NIST SP 800-63AAL2SMS may satisfy limited assurance, but stronger authentication is needed for sensitive systems.
NIST Zero Trust (SP 800-207)IDZero Trust requires stronger identity signals than phone-number-based verification.
NIST AI RMFGOVERNAuthentication policy should be governed as a risk decision, not a convenience default.

Shift healthcare MFA to phishing-resistant methods and tie access to risk-based identity assurance.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org