MFA blocks some credential theft, but it does not stop every path that attackers use. Session hijacking, misconfigurations, over-privileged accounts, and inherited trust can all bypass the value of a strong login. Teams need controls that govern what happens after authentication succeeds, not just before it.
Why This Matters for Security Teams
MFA is valuable, but it only proves that a login step was completed. It does not guarantee the session remains trustworthy after authentication, and that is where many attacks succeed. Attackers increasingly target cookies, tokens, service accounts, misconfigured trust paths, and over-privileged identities instead of trying to crack a password at the door. That is why MFA can be present and still not stop session replay, token theft, or lateral movement.
This is not a niche problem. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks notes that 97% of NHIs carry excessive privileges, which means a successful bypass or stolen session can quickly become broad access. External guidance from the CISA cyber threat advisories also shows how adversaries chain initial access with credential abuse and persistence. In practice, many security teams discover MFA gaps only after a valid session has already been abused, rather than through intentional testing.
How It Works in Practice
Attack vectors keep working because authentication and authorisation are not the same control. MFA strengthens the authentication event, but the attacker only needs one successful path into a trusted session, API token, or delegated workflow to keep operating. Once inside, the real question becomes what the identity can do, how long the trust lasts, and whether the system re-evaluates risk at runtime.
For human users, that usually means session hijacking, push fatigue, phishing proxies, or stolen browser tokens. For non-human identities, the problem is often worse because secrets are embedded in code, CI/CD pipelines, or cloud metadata, and service accounts rarely get challenged the way people do. NHIMG’s 52 NHI Breaches Analysis and Ultimate Guide to NHIs — Why NHI Security Matters Now both reinforce that compromise often persists because credentials remain valid far beyond the original login moment.
- Use MFA, but pair it with conditional access, device posture checks, and session risk evaluation.
- Shorten token lifetime and revoke sessions on anomalous behaviour, privilege changes, or impossible travel signals.
- Replace long-lived secrets with just-in-time issuance, scoped tokens, and workload identity where possible.
- Apply least privilege to both people and machines so a stolen session has limited blast radius.
- Continuously monitor post-authentication actions, not just failed logins.
The operational takeaway is simple: strong authentication still fails if the downstream session, token, or delegated trust remains broadly usable. These controls tend to break down in environments with legacy SSO integrations, shared service accounts, or static cloud keys because the system trusts the session long after the original MFA event.
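The control list above is easiest to reason about as a runtime decision: given what has happened since MFA succeeded, should the session continue, be stepped up, or be revoked? The following is an added example written for this article, not code from the original guidance or any vendor. It scores a session on the signals the list names (token age, device posture, privilege change, impossible travel). The thresholds, the session records and the coordinates are constructed, hypothetical values.

```python
"""Post-authentication session risk evaluation.

Added example (not from the original guidance). It scores a session on the signals
the control list names: token age, device posture, privilege change and impossible
travel, and returns allow / step_up / revoke. Thresholds and all session data are
constructed, hypothetical values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

MAX_TOKEN_AGE = timedelta(hours=8)   # assumed policy: force re-authentication after 8 h
MAX_PLAUSIBLE_SPEED_KMH = 900.0      # roughly airliner speed; faster implies impossible travel


@dataclass
class Event:
    """One post-authentication action observed in a session (constructed)."""
    ts: datetime
    lat: float
    lon: float
    action: str             # e.g. "read_mail"; "grant_*" marks a privilege change
    device_compliant: bool  # device posture as reported by the endpoint agent


@dataclass
class Session:
    session_id: str
    issued_at: datetime     # when MFA last succeeded for this session
    events: List[Event] = field(default_factory=list)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def evaluate(session: Session, now: datetime) -> Tuple[str, List[str]]:
    """Re-evaluate trust at runtime. Returns (decision, reasons)."""
    reasons: List[str] = []
    if now - session.issued_at > MAX_TOKEN_AGE:
        reasons.append("token_age_exceeded")
    if any(not e.device_compliant for e in session.events):
        reasons.append("noncompliant_device")
    if any(e.action.startswith("grant_") for e in session.events):
        reasons.append("privilege_change")
    for prev, cur in zip(session.events, session.events[1:]):
        hours = (cur.ts - prev.ts).total_seconds() / 3600.0
        dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if dist > 0 and (hours <= 0 or dist / hours > MAX_PLAUSIBLE_SPEED_KMH):
            reasons.append("impossible_travel")
            break
    # Revoke on the hard signals the guidance names; step up (re-authenticate) on softer ones.
    if "impossible_travel" in reasons or "privilege_change" in reasons:
        return "revoke", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons


def sample_sessions(now: datetime) -> List[Session]:
    """Constructed sessions for the demo; coordinates are London and New York."""
    london = (51.5074, -0.1278)
    nyc = (40.7128, -74.0060)
    t0 = now - timedelta(hours=1)
    return [
        Session("s-normal", issued_at=now - timedelta(hours=2), events=[
            Event(t0, *london, "read_mail", True),
            Event(now, *london, "read_mail", True)]),
        Session("s-travel", issued_at=now - timedelta(hours=2), events=[
            Event(t0, *london, "read_mail", True),
            Event(t0 + timedelta(minutes=30), *nyc, "read_mail", True)]),
        Session("s-stale", issued_at=now - timedelta(hours=10), events=[
            Event(now, *london, "read_mail", True)]),
        Session("s-priv", issued_at=now - timedelta(hours=1), events=[
            Event(now, *london, "grant_admin", True)]),
    ]


def run_demo(now: Optional[datetime] = None) -> Dict[str, str]:
    """Evaluate every constructed session and return session_id -> decision."""
    now = now or datetime.now(timezone.utc)
    return {s.session_id: evaluate(s, now)[0] for s in sample_sessions(now)}


if __name__ == "__main__":
    for sid, decision in run_demo().items():
        print(f"{sid}: {decision}")
```

The point of the design is that none of these checks look at the login event; they look at what the session did afterwards, which is where the guidance says the gaps are. In a real deployment the decision would feed a session-revocation API and a step-up prompt rather than a print statement.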
Common Variations and Edge Cases
Tighter authentication often increases friction, so organisations have to balance user experience against attack resistance. That tradeoff is real, especially when executives, developers, and automation pipelines all depend on fast access. Best practice is evolving, but current guidance suggests the highest-value protection comes from reducing trust duration and privilege scope rather than adding more login prompts.
One common edge case is machine-to-machine access. MFA does not apply cleanly to workloads, so security teams need cryptographic workload identity, short-lived credentials, and policy that evaluates the request, not just the login. Another edge case is delegated access inside SaaS platforms, where the primary account may be protected but OAuth grants, refresh tokens, or inherited admin roles remain active. The Anthropic report on AI-orchestrated cyber espionage underscores how quickly attackers can chain tool access once they get a foothold, which is why static trust assumptions age badly.
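The two edge cases above, workload access and delegated SaaS grants, share one remedy: evaluate each request, and audit the trust that outlives the login. The following is an added example written for this article, not code from the original guidance, any identity provider or any SaaS platform. It issues a short-lived, audience-bound, scoped workload token and checks it on every request, then audits OAuth-style delegated grants for stale refresh tokens and broad scopes. Identities, scope names, grants and policy thresholds are constructed, hypothetical values.

```python
"""Request-time authorisation for workload tokens and audit of delegated grants.

Added example, not from the original guidance. Identities, scopes, grants and
policy thresholds are constructed, hypothetical values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Tuple

MAX_TOKEN_TTL = timedelta(minutes=15)   # assumed cap on any issued workload token
MAX_GRANT_IDLE = timedelta(days=90)     # assumed: unused refresh tokens older than this are stale
BROAD_SCOPES = frozenset({"admin:all", "mail:read_all", "files:write_all"})  # constructed scope names


@dataclass(frozen=True)
class WorkloadToken:
    subject: str              # workload identity (constructed), e.g. "ci/deployer"
    audience: str             # the one service this token is valid for
    scopes: FrozenSet[str]    # the specific actions the token may perform
    issued_at: datetime
    expires_at: datetime


def issue_token(subject: str, audience: str, scopes: Iterable[str],
                now: datetime, requested_ttl: timedelta = MAX_TOKEN_TTL) -> WorkloadToken:
    """Just-in-time issuance: lifetime is capped by policy regardless of what was asked for."""
    ttl = min(requested_ttl, MAX_TOKEN_TTL)
    return WorkloadToken(subject, audience, frozenset(scopes), now, now + ttl)


def authorize(token: WorkloadToken, service: str, action: str, now: datetime) -> Tuple[bool, str]:
    """Evaluate the request itself: expiry, audience binding and the specific action."""
    if now >= token.expires_at:
        return False, "expired"
    if token.audience != service:
        return False, "audience_mismatch"
    if action not in token.scopes:
        return False, "scope_missing"
    return True, "ok"


@dataclass(frozen=True)
class DelegatedGrant:
    """An OAuth-style grant inside a SaaS tenant (constructed)."""
    grant_id: str
    app: str
    scopes: FrozenSet[str]
    last_used: datetime
    has_refresh_token: bool


def audit_grants(grants: Iterable[DelegatedGrant], now: datetime) -> Dict[str, List[str]]:
    """Flag grants that keep trust alive long after the login they came from."""
    findings: Dict[str, List[str]] = {}
    for g in grants:
        issues: List[str] = []
        if g.has_refresh_token and now - g.last_used > MAX_GRANT_IDLE:
            issues.append("stale_refresh_token")
        if g.scopes & BROAD_SCOPES:
            issues.append("broad_scope")
        if issues:
            findings[g.grant_id] = issues
    return findings


def run_demo() -> Dict[str, object]:
    """Exercise both checks on constructed data and return the results."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility
    tok = issue_token("ci/deployer", "deploy-api", {"deploy:staging"}, now,
                      requested_ttl=timedelta(hours=24))    # the 24 h request is capped to 15 min
    results: Dict[str, object] = {
        "ttl_minutes": int((tok.expires_at - tok.issued_at).total_seconds() // 60),
        "staging_deploy": authorize(tok, "deploy-api", "deploy:staging", now),
        "prod_deploy": authorize(tok, "deploy-api", "deploy:production", now),
        "wrong_service": authorize(tok, "secrets-api", "deploy:staging", now),
        "after_expiry": authorize(tok, "deploy-api", "deploy:staging", now + timedelta(minutes=16)),
    }
    grants = [
        DelegatedGrant("g-1", "calendar-sync", frozenset({"calendar:read"}), now - timedelta(days=120), True),
        DelegatedGrant("g-2", "legacy-admin-tool", frozenset({"admin:all"}), now - timedelta(days=1), True),
        DelegatedGrant("g-3", "notes-app", frozenset({"notes:read"}), now - timedelta(days=2), False),
    ]
    results["grant_findings"] = audit_grants(grants, now)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Note that `authorize` never asks whether the workload "logged in"; a valid token for one service and one action buys nothing elsewhere, and it stops working within minutes. The grant audit is the SaaS counterpart: the human account can be fully MFA-protected while `g-1` and `g-2` keep delegated access alive, so they are what a reviewer should be revoking or re-scoping.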
For organisations with mature Zero Trust programs, the practical focus is not whether MFA exists, but whether every privileged action is re-authorised at runtime. Where MFA still matters, it should be treated as one signal in a broader control set, not as proof that the environment is safe.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 and the OWASP Agentic AI Top 10 address the attack and risk surface, while the NIST AI RMF sets the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers long-lived NHI credentials that outlive the MFA event and enable post-login abuse. |
| OWASP Agentic AI Top 10 | A-05 | Agentic systems need runtime authorisation, not just a strong initial login. |
| NIST AI RMF | | AI RMF governance applies to decisions made after authentication in autonomous workflows. |
Replace static secrets with short-lived NHI credentials and rotate or revoke them on risk change.