What should organisations do when users work around MFA or other access controls?

Treat workarounds as evidence that the control design is not aligned with user behaviour. Re-examine friction, recovery paths, and helpdesk dependency, then simplify the authentication flow before tightening policy language. A control that users evade at scale has already weakened the programme.

Why This Matters for Security Teams

When users work around MFA or other access controls, the issue is rarely “user resistance” alone. It usually means the control is too slow, too brittle, or too dependent on helpdesk intervention to survive real work. That matters because people will route around friction, especially when access is needed to restore service or meet deadlines. The security signal is not defiance; it is a design failure that can create shadow approval paths and inconsistent enforcement.

This is especially important in environments where identity controls are already stretched across human and non-human access. NHI Management Group notes that 97% of NHIs carry excessive privileges, and 79% of organisations have experienced secrets leaks, with 77% of those incidents causing tangible damage, according to the Ultimate Guide to NHIs. The lesson carries over to user access: if the approved path is painful, people seek an easier one, and that easier one is often less visible to security. Guidance from the OWASP Non-Human Identity Top 10 reinforces that access controls must be usable as well as strict, because weak adoption becomes its own control gap. In practice, many security teams discover the workaround after it has already become routine behaviour rather than through planned control testing.

How It Works in Practice

The right response is to treat the workaround as an operational feedback loop. First, identify where the control breaks: repeated MFA prompts, unreliable device trust, poor recovery options, or support queues that are slower than the business task. Then map the path users actually take, including self-service resets, shared accounts, emergency bypasses, and informal approvals. The goal is not to soften policy language; it is to rebuild the control so the secure path is the easiest path.

Practically, that usually means reducing unnecessary prompts, improving phishing-resistant methods, and making recovery paths fast enough that users do not invent their own. For privileged or high-risk access, combine step-up authentication with contextual checks such as device posture, location, session risk, and task sensitivity. Standards like PCI DSS v4.0 emphasise strong authentication where risk is high, but the control only works when it is operationally adoptable. On the identity-operations side, the 52 NHI Breaches Analysis shows a familiar pattern: when access is difficult to govern consistently, users and administrators create exceptions that outlive the original incident.

  • Measure where MFA fatigue, lockouts, and reset requests cluster.
  • Replace brittle recovery with self-service, verified recovery where appropriate.
  • Remove duplicate prompts caused by overlapping tools or misconfigured sessions.
  • Reserve bypasses for tightly logged, time-bound exceptions.
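As an added illustration that is not part of the original article, the Python sketch below runs the measurement step over constructed identity-provider events: it clusters MFA prompts, lockouts and reset requests per user and application to show where friction concentrates, and lists emergency bypasses that have outlived a time-bound window. The event names, thresholds and sample data are assumptions, not a vendor's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, app, event_type).
# event_type is one of mfa_prompt, lockout, reset_request, bypass_granted, bypass_revoked.
EVENTS = [
    ("2024-05-01T08:00:00", "alice", "vpn", "mfa_prompt"),
    ("2024-05-01T08:02:00", "alice", "vpn", "mfa_prompt"),
    ("2024-05-01T08:03:00", "alice", "vpn", "mfa_prompt"),
    ("2024-05-01T08:04:00", "alice", "vpn", "mfa_prompt"),
    ("2024-05-01T08:06:00", "alice", "vpn", "lockout"),
    ("2024-05-01T08:10:00", "alice", "vpn", "reset_request"),
    ("2024-05-01T09:00:00", "bob", "crm", "mfa_prompt"),
    ("2024-05-01T13:00:00", "bob", "crm", "mfa_prompt"),
    ("2024-05-01T07:30:00", "carol", "erp", "bypass_granted"),
    ("2024-05-01T09:00:00", "dave", "erp", "bypass_granted"),
    ("2024-05-01T10:00:00", "dave", "erp", "bypass_revoked"),
]

def parse(events):
    """Parse ISO timestamps and return events in chronological order."""
    return sorted((datetime.fromisoformat(ts), u, a, e) for ts, u, a, e in events)

def friction_hotspots(events, window=timedelta(minutes=10), prompt_threshold=3):
    """Per (user, app): count lockouts and resets, and flag MFA fatigue when
    prompt_threshold or more prompts fall inside one sliding time window."""
    by_key = defaultdict(lambda: {"prompts": [], "lockouts": 0, "resets": 0})
    for ts, user, app, kind in parse(events):
        if kind not in ("mfa_prompt", "lockout", "reset_request"):
            continue
        rec = by_key[(user, app)]
        if kind == "mfa_prompt":
            rec["prompts"].append(ts)
        else:
            rec["lockouts" if kind == "lockout" else "resets"] += 1
    report = {}
    for key, rec in by_key.items():
        ts_list = rec["prompts"]  # already chronological
        fatigue = any(ts_list[i + prompt_threshold - 1] - ts_list[i] <= window
                      for i in range(len(ts_list) - prompt_threshold + 1))
        report[key] = {"prompts": len(ts_list), "lockouts": rec["lockouts"],
                       "resets": rec["resets"], "fatigue": fatigue}
    return report

def stale_bypasses(events, now_iso, max_age=timedelta(hours=4)):
    """Bypasses granted more than max_age before now_iso and never revoked:
    the time-bound exception has outlived its window and needs review."""
    now, open_grants = datetime.fromisoformat(now_iso), {}
    for ts, user, app, kind in parse(events):
        if kind == "bypass_granted":
            open_grants[(user, app)] = ts
        elif kind == "bypass_revoked":
            open_grants.pop((user, app), None)
    return sorted(k for k, ts in open_grants.items() if now - ts > max_age)
```

Feeding the `fatigue` flags and the stale-bypass list into the governance review described below turns anecdotal complaints about prompts into a measured signal.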

These controls tend to break down in high-turnover service desks with fragmented identity stacks, because exceptions become normal and no one owns the full user journey.

Common Variations and Edge Cases

Tighter authentication often increases support overhead, so organisations have to balance friction against the real cost of account compromise. That tradeoff is most visible in call centres, shift-based operations, incident response, and merged environments where multiple identity providers overlap. In those settings, best practice is evolving rather than settled: there is no universal standard for exactly how many prompts are “too many,” but there is clear agreement that repeated user bypasses indicate misalignment.

Some edge cases justify alternative treatment. Break-glass accounts need separate governance, but they should not become a convenience channel. Service accounts and machine access should not inherit human MFA patterns at all; they need workload identity, secret rotation, and explicit lifecycle controls instead. For user access, reauthentication should be risk-based, not calendar-based, and recovery should be designed so that helpdesk staff are not forced to improvise exceptions. The Ultimate Guide to NHIs — Key Challenges and Risks is useful here because it shows how privilege, visibility, and lifecycle failures compound when controls do not match actual behaviour. The practical test is simple: if people keep bypassing a control, the organisation is probably optimising for compliance theatre rather than secure access.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | PR.AC-1 | Access control failures map directly to how users actually gain access. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Bypass behaviour often reflects weak identity lifecycle and control design. |
| NIST AI RMF | | Operational misalignment is a governance issue requiring continuous monitoring. |

Treat repeated bypasses as a monitored risk signal and feed them into governance reviews.