How OTP Interception Works
there is a small ritual almost everyone online now performs without thinking. a password goes in, and then the site asks for one more thing, a short code, usually six digits, sent to a phone or pulled from an app. the code goes in, and the door opens. in that moment the code feels like a vault, a second lock that finally makes the account safe.
here is the uncomfortable thing the people who defend these systems have known for years. that code, on a bad day, is one of the weakest links in the chain, not one of the strongest. it does a real job, just a much smaller one than most people believe. what follows is why the one time code was a clever idea, where it quietly fails, and why the people guarding accounts have been steadily moving past it. it is a look at a weakness and its defenses, not a guide to anything.
the promise of the code
start with the idea, because it is a good one. a password is something a person knows, and things a person knows can be guessed, leaked, or talked out of them. so the second factor adds something a person has, their phone. even if a thief learns the password, they would still need physical possession of the device to read the code, and a thief on the other side of the world usually does not have it.
for years this raised the bar enormously. it turned account takeover from a quiet, remote, automated thing into something that required getting at an actual phone. that was a genuine leap, and the code earned its place.
the two flavors
but not all codes are the same, and the difference matters more than most realize. the older flavor is the code sent to a person, typically as a text message to their phone number. the newer flavor is the code generated on the device itself by an app, a number that changes every thirty seconds and is never sent anywhere.
they look identical to the user, six digits typed into a box. underneath they are worlds apart in how exposed they are. the texted code travels across systems the user does not control to reach them. the app code is computed quietly on the device from a shared secret set up once and kept local. that distinction is the whole heart of the story.
why the texted version was always fragile
the weakness of the texted code was never about the math. the six digits are fine. the weakness is the channel they travel through. the message crosses infrastructure built decades ago for casual conversation, infrastructure neither the user nor the bank fully controls, and along the way it is exposed to social engineering, human error, and plain mistakes at the provider.
defenders understood early that delivering a security code over that channel was a compromise, convenient but soft. the code itself was sound. the road it travelled to reach the user was the problem, and a code can never be stronger than the weakest road it has to cross.
why a phone number is not an anchor
most treat a phone number as if it were a permanent part of them, as solid as a fingerprint. it is not. it is an account held with a carrier, and accounts can be moved, recovered, and reassigned through human processes designed for ordinary, honest situations, like losing a handset or switching providers.
those same helpful processes are exactly the soft spot. any process that can move a number to a new device for a legitimate reason can, if abused, point the codes somewhere they should not go. defenders responded by treating the phone number as a weak anchor and refusing to let it carry the whole weight of an account. the lesson generalizes. if recovery is easy, the thing being recovered is only ever as strong as the recovery.
the relay that works on any code
now the deeper issue, and the one that touches even the good app codes. picture a convincing copy of a bank’s login page. a person is lured there, enters the password, and then the fake page asks for the one time code, exactly as the real site would. the victim, seeing precisely what they expect, reads the fresh code off their phone and types it in.
in that instant, whoever is behind the fake page can relay it onward to the real site before it expires. notice what happened. the code did its job perfectly. it proved the person had the phone. it just proved it to the wrong party, who passed the proof along. a code can be entirely genuine and still be handed to the wrong door. that relay is the mechanism people mean when they talk about interception, and it does not care whether the code arrived by text or by app.
why a relay beats a code but not a passkey
here is the elegant reason the same trick fails against a passkey. a one time code is just a number. it does not know which site it is being typed into, so it can be read off and relayed anywhere. a passkey is bound to the real site’s address and checks who is actually asking before it ever responds, so a relay to a fake page simply produces nothing.
that single difference, a code that travels blind versus a proof that verifies its destination, is exactly why defenders have been moving steadily from the first toward the second.
the fatigue problem
there is a softer, human weakness too, and an ordinary one. some systems, instead of a typed code, send a simple approve or deny prompt to the phone. tap approve and the door opens. convenient, until someone who already has the password starts triggering those prompts over and over.
the phone buzzes again and again, late at night, relentlessly, and eventually a tired or confused person taps approve just to make it stop. the security held, technically. the human gave way. any system leaning on a person to make the right call under repeated pressure will eventually meet a person too tired to make it. the better designs add context, show where the request is coming from, and refuse to let a flood of prompts wear someone down.
what the code really proves
be precise about what a one time code actually establishes. it proves that, at that moment, someone had access to the second factor. that is all. it does not prove that person meant to log in, or understood what they were approving, or that the site asking was the real one.
it proves possession, not intent, and not context. once that gap is clear, every one of the weaknesses falls into place. the fake page exploits the missing context. the fatigue attack exploits the missing intent. the channel weakness exploits the soft road. the code answers one narrow question honestly, and the trouble comes entirely from assuming it answered a bigger one.
the signals around the code
this is why the institutions that take the problem seriously, banks especially, never rest the whole decision on the code. it is one input among many. behind the scenes the system also asks whether this is the device the person normally uses, whether the location fits their pattern, whether the timing and rhythm of the session look like this account, whether they just appeared somewhere implausible a moment after being somewhere else. a correct code on a strange device, in a strange place, behaving strangely, can still raise the alarm. the defense lives in the weave, not the single thread of the code.
and this is where the defender keeps a deep advantage, the same one this channel keeps finding. an attacker trying to misuse a code has to win a narrow, fragile race, relay a number before it expires, wear someone down with prompts, abuse a recovery process, and do it all without tripping any of those surrounding alarms. the defender, meanwhile, watches millions of genuine logins every day and knows what normal looks like, so even a captured, replayed code tends to give itself away through the strangeness around it, the unfamiliar device, the impossible jump in location, the behavior that does not fit. the code was never meant to be the whole defense. it is one tripwire in a room full of them, and the attacker has to cross the room without touching a single one.
what it is really about
put all of it together and the direction of travel becomes obvious. every weakness traces back to one root, a number that is portable and blind, able to be read aloud, relayed, phished, and sent over a soft channel because it has no awareness of where it belongs. the fix is not a better number but a credential bound to its destination that never leaves the device, which is what the modern passkey provides.
the one time code was a bridge, a clever, portable, good enough idea that protected a great many people for years, and it still does real work today. but it was always a compromise, a secret read off one screen and typed into another, blind to where it was really going.
the quiet story under every modern login box is the slow replacement of that blind portable secret with something bound, local, and aware of its destination. the people defending accounts are not panicking about the code. they are calmly retiring it, the way one retires a lock that served well but was never quite as strong as the door deserved. this is not one clean trick holding the line. it is a stack of imperfect signals, layered and weighted against each other, quietly outlasting the number in the box that most people fill in without a second thought.
The Hidden Internet takes apart the systems that quietly run the modern web, explained from the inside. No products, just the machinery. Subscribe on YouTube.