Fraud

OTP Fatigue and AI-Driven Takeovers

TLDR
Criminals are now using AI and phishing-as-a-service platforms to automate one-time password theft and live session hijacking. This makes “MFA fatigue” attacks common and repeatable. Outdated authentication methods like OTPs are no match for automated, real-time phishing. Cryptographic device binding and device-bound passkeys remove phishable factors entirely and strengthen zero trust strategies.

AI has changed the phishing game

Phishing no longer depends on a clever human creating a single fake page. Criminal platforms now bake in generative AI tools that spin up convincing login sites in seconds and translate lures into multiple languages. Services like Darcula and other phishing kits can launch professional-grade campaigns with almost no technical skill. When law enforcement takes one service down, another emerges. The fraud economy is now industrial.

Phishing kits automate OTP theft and session hijacking

Modern phishing kits act as a live proxy between the victim and the real website. They capture both login credentials and the session cookies that prove a user is already authenticated. Attackers no longer need to steal another OTP once they have a valid session token. Microsoft and other security researchers have tracked kits like EvilProxy and Tycoon 2FA doing this at scale. Once a session cookie is stolen, resetting a password or revoking an OTP will not stop an attacker who is already inside.

MFA fatigue is a known weakness

MFA fatigue attacks rely on persistence and human nature. Attackers send a flood of login attempts, triggering push notifications over and over until a user finally taps Approve. Sometimes they pair this with social engineering, pretending to be IT support and urging the victim to “just accept one.” The 2022 Uber breach showed the tactic works, and it has only spread since. As long as users must make the final decision under pressure, this vector stays open.
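Both patterns above, a stolen session cookie being replayed from a different client and a push-notification flood aimed at one user, leave traces in ordinary authentication logs. The following is an added example, not code from the original post or from any vendor named in it, that scans a few constructed log lines for those two signals. The log format, field names, thresholds and every sample value are assumptions made for the example.

```javascript
// Added example (not part of the original post): two simple detections
// over constructed authentication events.
//  1. push_flood: many MFA push prompts to one user inside a short window,
//     the shape of an MFA fatigue / prompt-bombing attempt.
//  2. session_drift: an established session cookie presented from a client
//     fingerprint (IP + user agent) that differs from the one seen at login,
//     the shape of a session cookie that has been lifted by a proxy kit.
// Log format, field names and thresholds are all assumptions.

const PUSH_THRESHOLD = 5;               // prompts per user that raise an alert (assumed)
const PUSH_WINDOW_MS = 10 * 60 * 1000;  // sliding window for counting prompts (assumed)

// Constructed sample log, one JSON event per line. All values are invented.
const SAMPLE_LOG = `
{"ts":"2025-10-03T09:00:00Z","event":"login_ok","user":"alice","sid":"s1","ip":"203.0.113.10","ua":"Firefox/130"}
{"ts":"2025-10-03T09:05:00Z","event":"request","user":"alice","sid":"s1","ip":"203.0.113.10","ua":"Firefox/130"}
{"ts":"2025-10-03T09:07:00Z","event":"request","user":"alice","sid":"s1","ip":"198.51.100.7","ua":"curl/8.0"}
{"ts":"2025-10-03T10:00:00Z","event":"push_sent","user":"bob","ip":"192.0.2.5"}
{"ts":"2025-10-03T10:00:30Z","event":"push_sent","user":"bob","ip":"192.0.2.5"}
{"ts":"2025-10-03T10:01:00Z","event":"push_sent","user":"bob","ip":"192.0.2.5"}
{"ts":"2025-10-03T10:01:30Z","event":"push_sent","user":"bob","ip":"192.0.2.5"}
{"ts":"2025-10-03T10:02:00Z","event":"push_sent","user":"bob","ip":"192.0.2.5"}
{"ts":"2025-10-03T10:02:30Z","event":"push_sent","user":"bob","ip":"192.0.2.5"}
{"ts":"2025-10-03T10:03:00Z","event":"push_approved","user":"bob","ip":"192.0.2.5"}
`.trim();

// Parse JSON lines and attach a numeric timestamp for window arithmetic.
function parseLog(text) {
  return text.split('\n').filter(Boolean).map((line) => {
    const e = JSON.parse(line);
    e.t = Date.parse(e.ts);
    return e;
  });
}

// Raise one alert per user the moment the prompt count inside the sliding
// window reaches the threshold.
function detectPushFloods(events, threshold = PUSH_THRESHOLD, windowMs = PUSH_WINDOW_MS) {
  const alerts = [];
  const recent = new Map(); // user -> timestamps of prompts inside the window
  for (const e of events) {
    if (e.event !== 'push_sent') continue;
    const q = recent.get(e.user) || [];
    while (q.length && e.t - q[0] > windowMs) q.shift(); // drop expired prompts
    q.push(e.t);
    recent.set(e.user, q);
    if (q.length === threshold) {
      alerts.push({ type: 'push_flood', user: e.user, count: q.length, at: e.ts });
    }
  }
  return alerts;
}

// Remember the client fingerprint seen when each session was created and
// flag any later use of that session id from a different fingerprint.
function detectSessionDrift(events) {
  const alerts = [];
  const sessions = new Map(); // sid -> fingerprint at login
  for (const e of events) {
    if (!e.sid) continue;
    const fp = `${e.ip}|${e.ua}`;
    if (e.event === 'login_ok') {
      sessions.set(e.sid, fp);
    } else if (sessions.has(e.sid) && sessions.get(e.sid) !== fp) {
      alerts.push({ type: 'session_drift', user: e.user, sid: e.sid,
                    expected: sessions.get(e.sid), seen: fp, at: e.ts });
    }
  }
  return alerts;
}

// Run both detections over a raw log text and return the combined alerts.
function analyze(text) {
  const events = parseLog(text);
  return [...detectPushFloods(events), ...detectSessionDrift(events)];
}

console.log(JSON.stringify(analyze(SAMPLE_LOG), null, 2));
```

Run with `node`. On the constructed log it reports one push_flood alert for bob at the fifth prompt and one session_drift alert for alice's session when it is reused from a new address and user agent. A plain IP change is a noisy signal on its own (mobile networks and VPNs produce it constantly), so in practice the drift check is one input to a risk score rather than a hard block; the push-flood count, by contrast, is a strong signal that the user is being worn down.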

Why OTPs are failing in the age of AI fraud

OTPs are shared secrets. Whether delivered by SMS or app, they can be intercepted, relayed or guessed within the short window before they expire. AI-driven phishing shrinks that window further by automating the entire attack. And because OTPs cannot prove that the code was entered on the legitimate site, a well-crafted proxy attack can capture it in real time. Regulators have noticed. Singapore’s banking authorities have already moved to phase out OTP logins for customers who use digital tokens. The direction is clear: shared secrets are too easy to steal.

Device binding removes the phishable factor

Cryptographic device binding replaces one-time codes with a key pair generated and stored on the user’s own device. Only the public key is registered with the service. Each login or high-risk action requires the device to sign a challenge that is tied to the legitimate site’s origin. A phishing page cannot fake that signature or replay it from another device. This is the principle behind passkeys. Synced passkeys improve convenience across devices, while device-bound passkeys keep the private key local for maximum assurance. In both cases, there is no code to intercept and nothing for an attacker to relay.

Zero trust is stronger with device binding

Zero trust security depends on continuous verification of both the user and the device. Device binding provides a cryptographically proven device identity that fits directly into this model. Every request can be verified against the public key registered for that device. Prompt bombing and OTP harvesting stop being effective because there is no shared secret to steal and no human approval to trick.

Takeaway for product and growth teams

If your customers are drowning in OTP prompts and your security team is fighting a constant wave of phishing, the answer is not more prompts. Migrate critical actions to device-bound passkeys and other phishing-resistant flows. Use OTPs only as temporary backup while you complete the transition. You will cut fraud risk and give your users a faster, cleaner login experience.

Sources
https://www.netcraft.com/blog/ai-enabled-darcula-suite-makes-phishing-kits-more-accessible-easier-to-deploy
https://thehackernews.com/2025/04/darcula-adds-genai-to-phishing-toolkit.html
https://www.axios.com/2025/07/01/okta-phishing-sites-generative-ai
https://www.trendmicro.com/en_us/research/24/d/labhost-takedown.html
https://www.bleepingcomputer.com/news/security/fbi-shares-massive-list-of-42-000-labhost-phishing-domains/
https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec-attackers-use-aitm-phishing-sites-as-entry-point-to-further-financial-fraud/
https://www.proofpoint.com/us/blog/email-and-cloud-threats/aitm-phishing-attacks-evolving-threat-microsoft-365
https://www.darkreading.com/endpoint-security/evilginx-bypasses-mfa
https://www.infoq.com/news/2022/09/Uber-breach-mfa-fatigue/
https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
https://www.straitstimes.com/singapore/singapore-banks-to-phase-out-use-of-otp-for-login-for-customers-using-digital-tokens
https://www.channelnewsasia.com/singapore/banks-phase-out-otps-login-phishing-scams-digital-tokens-4466786
https://fidoalliance.org/white-paper-replacing-password-only-authentication-with-passkeys-in-the-enterprise/
https://developers.google.com/identity/passkeys/faq
https://csrc.nist.gov/pubs/sp/800/207/final

Toby Rush
CEO
Published
Oct 3, 2025