MFA creates more friction than security value when prompts, resets, and device checks are so burdensome that users start bypassing the process or storing credentials unsafely. In that situation, the programme loses real assurance even if the policy looks stronger on paper. Teams should watch for authentication journeys that users avoid or repeatedly fail.
Why This Matters for Security Teams
MFA is valuable when it blocks theft, replay, and password-only compromise, but it stops helping when the user experience becomes so brittle that people route around it. That is especially true in environments where repeated challenges, device binding failures, and step-up prompts interrupt routine work. Security teams should treat MFA as a control that can fail operationally even when it is technically enabled, because friction changes behaviour and behaviour changes risk.
For identity programs, the practical question is not whether MFA exists, but whether it is proportionate to the threat and the workflow. The NIST Cybersecurity Framework 2.0 emphasizes outcomes over checkbox controls, which is the right lens here. When MFA is added to low-risk, high-frequency actions, users often accumulate workarounds, approve prompts reflexively, or store credentials in unsafe ways. NHIMG has seen similar dynamics in non-human identity failures: the Ultimate Guide to NHIs notes that 96% of organisations store secrets outside secrets managers in vulnerable locations, showing how friction pushes people toward convenience over control.
In practice, many security teams discover MFA is harming assurance only after help desk volume spikes or users start bypassing the intended path.
How It Works in Practice
The key is to match the authentication strength to the risk, the frequency of access, and the operational cost of interruption. MFA should be strongest where compromise would be materially damaging, but it should not become a constant obstacle for every low-risk transaction. Current guidance suggests using adaptive or risk-based authentication, where step-up checks are triggered by unusual context instead of every routine request. That aligns with zero trust thinking: verify continuously, but only as much as the context requires.
Practitioners usually reduce friction by combining a few controls rather than simply weakening MFA:
- Use phishing-resistant MFA for privileged or remote access, rather than repeated OTP prompts.
- Reduce prompt frequency with trusted devices, session lifetimes, and sane reauthentication windows.
- Prefer authenticator flows that are fast and reliable, especially for shift workers and incident responders.
- Measure failure rates, time-to-access, and help desk tickets alongside security incidents.
For broader identity governance, Microsoft Midnight Blizzard breach is a reminder that strong controls fail when the surrounding process is too easy to degrade under pressure. The same lesson appears in The State of Non-Human Identity Security: organisations often know they have a problem, but visibility and operational discipline lag behind. In other words, authentication that is too hard to use often becomes authentication that is not actually used well.
These controls tend to break down in high-churn environments with shared devices, frequent contractor turnover, or legacy apps that cannot support modern authentication reliably.
Common Variations and Edge Cases
Tighter MFA often increases operational overhead, requiring organisations to balance stronger assurance against user fatigue and support burden. That tradeoff is real, and best practice is evolving rather than universal. For example, a call centre, a factory floor, and a privileged admin console do not deserve the same authentication journey, even if they sit under one policy umbrella.
There are also cases where MFA adds little value because another control is already carrying most of the risk reduction. A short-lived session with device trust, conditional access, and strong phishing-resistant authentication may be better than repeated prompt storms. Conversely, MFA can be too weak if it relies on push approvals in a phishing-heavy environment, because user friction does not equal real assurance. The control must be evaluated against the attack path, not the policy language.
Security teams should also watch for edge cases where authentication breaks legitimate work:
- Emergency access and break-glass accounts need separate treatment.
- Mobile-first workforces may need simpler and more reliable second factors.
- Offline or low-connectivity operations can make device checks impractical.
- Legacy applications may force exceptions that need compensating controls.
In mature programs, the question shifts from “How do we require MFA everywhere?” to “Where does MFA meaningfully reduce risk without creating unsafe workarounds?” That is the operational test that separates sound identity design from theatre.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | Supports proportionate access verification based on risk and context. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers secret handling when users bypass MFA and store credentials unsafely. |
| NIST AI RMF | Risk-based decisions fit AI and adaptive auth governance principles. |
Reduce MFA friction by removing unsafe credential workarounds and enforcing safer secret storage.
