Is receiving an OTP via email any more secure than receiving it via SMS?

The worry is that 2FA protects you in cases where your passwords get leaked. The 2FA is a mitigating control to prevent people from abusing that password. However, people often re-use their password across multiple websites, including their email, and most people do not protect it with 2FA.

This means that if your password leaks, there is a higher likelihood that someone will be able to get your OTP from your email address than from a text message.

Hardware tokens and OTP generators are still much preferred over SMS or email.


The risk of receiving an OTP via SMS is that an attacker could call the phone company and have the number the SMS will be sent to redirected to a phone the attacker controls. This assumes the attacker knows the phone number and provider of the victim's cell phone. This risk is difficult to mitigate as the sender of the OTP will not be informed about the phone change, and the victim may not be aware of the phone change immediately.

The risk of receiving an OTP via email is that the attacker may have access to the victim's email. Assuming the email account is well-protected and secure (stated in the question) will mitigate this risk.