Because the factor itself becomes an identity artefact with a lifecycle. Enrolment, challenge, verification, recovery, and revocation all create state that can outlive the user's intent if it is not tied to offboarding and account change events.
Why This Matters for Security Teams
MFA is often treated as a point-in-time control, but the factor itself becomes an identity artefact with its own lifecycle. Enrolment, re-registration, recovery, fallback, and revocation all create state that can outlive the user's intent if offboarding, role change, or device loss events are not wired into identity governance. That is why lifecycle management matters as much as the challenge step itself.
This is not a theoretical edge case. The same governance gap that appears in NHI programs also shows up in MFA operations: once a factor is enrolled, it can remain trusted long after the original device, phone number, or authenticator app should have been removed. NHIMG research on Top 10 NHI Issues shows that stale identity artefacts and weak lifecycle discipline are recurring failure points, and the pattern is consistent with broader identity guidance in the NIST Cybersecurity Framework 2.0. In practice, many security teams discover broken MFA governance only after a departed user, compromised device, or bypassed recovery path has already created a live access path.
How It Works in Practice
Effective MFA governance treats each factor as managed state, not just a configured setting. That means every factor should be tied to an owner, an enrolment event, a verification method, an expiry or review interval, and a revocation trigger. The operational question is not merely “is MFA enabled?” but “which factors exist, who approved them, how are they recovered, and what events retire them?” The NHI Lifecycle Management Guide is useful here because the same lifecycle discipline applies whether the identity is human or machine.
Current guidance suggests that MFA controls should be linked to authoritative lifecycle events such as hire, transfer, termination, device replacement, account recovery, and privilege elevation. That is where standards like the OWASP Non-Human Identity Top 10 become relevant by analogy: unmanaged credentials and stale trust relationships are the problem, regardless of whether the identity is a user or an automated workload. Practical governance usually includes:
- Factor inventory, so the organisation knows which authenticators are active and where they are bound.
- Automatic revocation on offboarding, device retirement, or number change.
- Recovery path controls, including step-up verification and administrative approval for high-risk resets.
- Periodic review of trusted devices and remembered sessions.
- Exception handling for shared devices, contractors, and emergency access.
NHIMG research in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs reinforces the same point: identity state must be continuously reconciled with business change, not assumed to remain valid. These controls tend to break down when recovery is outsourced to help desk improvisation because the reset path becomes the weakest and least monitored trust boundary.
Common Variations and Edge Cases
Tighter MFA governance often increases operational overhead, requiring organisations to balance stronger revocation and recovery controls against user friction and support burden. That tradeoff is real, especially in environments with high turnover, BYOD, or geographically distributed workforces. Best practice is evolving, but there is no universal standard for every recovery scenario yet.
Some deployments rely on SMS, push approval, or device-bound passkeys, and each has different lifecycle implications. SMS numbers are especially volatile because they can change without a formal identity event. Push factors can persist on unmanaged devices if session and device trust are not reviewed. Passkeys reduce some recovery risk, but they still require clear ownership transfer and revocation when hardware is lost or reassigned. The Ultimate Guide to NHIs — Static vs Dynamic Secrets is relevant as a reminder that long-lived trust artefacts accumulate risk unless they are deliberately shortened or retired.
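As an added example (not code from the page or from NHIMG), the following Python sketch models the factor inventory, event-driven revocation, stale-factor review and gated recovery described under "How It Works in Practice", and also reflects the binding differences between SMS, push and passkey factors from the paragraph above. The field names, event names, bindings and review intervals are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Lifecycle events that retire a factor, keyed on what the factor is bound to
# (assumed event names): a number change kills SMS factors, a retired device
# kills push factors, a lost key kills hardware-bound passkeys.
BINDING_EVENTS = {"number_changed": "phone", "device_retired": "device", "key_lost": "hardware"}

@dataclass
class Factor:
    factor_id: str
    owner: str
    kind: str            # "sms", "push" or "passkey"
    bind_type: str       # "phone", "device" or "hardware"
    binding: str         # the phone number, device id or key id it is bound to
    enrolled: date
    approved_by: str     # who approved the enrolment
    review_days: int     # review interval; keep it short for volatile bindings
    revoked: str = ""    # empty while active, otherwise the revocation reason

class FactorInventory:
    def __init__(self):
        self.factors = {}
        self.audit = []  # append-only log of lifecycle decisions: (event, subject, detail)

    def enrol(self, f):
        self.factors[f.factor_id] = f
        self.audit.append(("enrol", f.factor_id, "approved by " + f.approved_by))

    def active(self, owner=None):
        return sorted(f.factor_id for f in self.factors.values()
                      if not f.revoked and (owner is None or f.owner == owner))

    def _revoke(self, f, reason):
        if not f.revoked:
            f.revoked = reason
            self.audit.append(("revoke", f.factor_id, reason))

    def on_event(self, event, subject):
        """Reconcile the inventory with a lifecycle event; returns the ids revoked."""
        before = set(self.active())
        for f in self.factors.values():
            if event == "termination" and f.owner == subject:
                self._revoke(f, "termination")          # offboarding retires every factor
            elif event in BINDING_EVENTS and f.bind_type == BINDING_EVENTS[event] \
                    and f.binding == subject:
                self._revoke(f, event)                  # binding gone, factor gone
        return sorted(before - set(self.active()))

    def stale(self, today):
        """Active factors past their review interval: challenge or re-register them."""
        return sorted(f.factor_id for f in self.factors.values()
                      if not f.revoked and today > f.enrolled + timedelta(days=f.review_days))

    def recover(self, owner, step_up_ok, admin_approved, high_risk):
        """Recovery needs step-up verification; high-risk resets also need admin approval."""
        allowed = step_up_ok and (admin_approved or not high_risk)
        self.audit.append(("recovery", owner, "allowed" if allowed else "denied"))
        return allowed
```

The audit list is the lifecycle evidence an auditor would ask for: every enrolment, revocation and recovery decision is recorded with its trigger.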
For regulated environments, lifecycle evidence matters as much as technical enforcement. Audit teams will ask whether revocation is automatic, whether recovery is logged, and whether stale factors are periodically challenged. That is why the Ultimate Guide to NHIs — Regulatory and Audit Perspectives is a useful companion. The main exception is emergency access, where temporary bypass may be acceptable, but only if it is time-boxed, documented, and reviewed after the incident.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers stale credentials and lifecycle drift that mirrors MFA factor risk. |
| NIST CSF 2.0 | PR.AA | Identity proofing, authentication, and access control depend on governed MFA lifecycle. |
| NIST AI RMF | GOVERN | Governance requires accountability for identity controls across their full lifecycle. |
Track MFA factors like managed identity artefacts and revoke them on change events.