Start by removing unnecessary steps, clarifying enrollment and recovery, and making the secure path the easiest path for each user population. Good MFA design reduces effort without reducing assurance. Teams should also measure support tickets, bypass requests, and fallback usage because those signals show whether the control is usable enough to survive in production.
Why This Matters for Security Teams
MFA friction is not just a user experience problem. When enrollment, recovery, or step-up prompts are clumsy, users look for the fastest approved detour, and attackers exploit those detours. IAM teams have to protect assurance while still making the secure path easier than the bypass path. That means reducing avoidable prompts, tightening recovery workflows, and watching for the operational signals that reveal pain before it becomes policy erosion, an emphasis that is consistent with the NIST Cybersecurity Framework 2.0.
For NHI Management Group, the practical lesson is that control adoption is a security control in itself. If MFA is too disruptive for a call center, a contractor population, or a high-frequency admin group, users will accumulate exceptions, re-enrollments, and fallback methods that quietly weaken assurance. That is especially dangerous when the same team is also trying to harden broader identity workflows, as the Ultimate Guide to NHIs – Standards discusses, because usability and governance failures tend to compound across identity types. In practice, many security teams notice MFA friction only after bypass requests and help desk load have already normalized the weak path.
How It Works in Practice
The most effective way to reduce friction is to remove unnecessary authentication work, not to dilute the authentication factor. Start by mapping the full journey for each user population: first enrollment, device change, lost device recovery, step-up for sensitive actions, and periodic re-authentication. Then eliminate duplicate prompts, shorten flows, and make recovery predictable. Current guidance suggests that MFA should be adapted to the task and risk level, not applied as a one-size-fits-all burden.
Teams usually get better results when they combine policy design with operational tuning:
- Use risk-based or context-aware step-up only when the action justifies it.
- Prefer phishing-resistant methods for higher-risk groups, while keeping standard users on the simplest approved method. Note that phishing-resistant authenticators such as FIDO2 security keys and passkeys are often also the lowest-friction option once enrolled, so assurance and usability need not pull in opposite directions.
- Document recovery paths so the help desk can complete them quickly without improvising exceptions.
- Track enrollment completion, reset requests, bypass approvals, and fallback usage as usability indicators.
For implementation detail, tie the MFA experience to identity governance and access analytics, not just the login page. The 2024 Non-Human Identity Security Report shows that only 19.6% of security professionals express strong confidence in securely managing non-human workload identities, which is a useful reminder that identity controls often fail when operational complexity outruns clarity. The same lesson applies to human MFA: if the process is hard to understand, users and admins will route around it. These controls tend to break down in large hybrid organisations with many device types and inconsistent recovery ownership because the support model becomes the real policy engine.
Common Variations and Edge Cases
Tighter MFA controls often increase support cost and user time, requiring organisations to balance stronger assurance against operational burden. That tradeoff becomes sharper in environments with executives, frontline staff, contractors, or shared workstations, where one authentication method may not fit all. Best practice is evolving, but most teams now separate the question of assurance from the question of workflow: the same control objective can be delivered with different user journeys.
Edge cases deserve explicit treatment. For example, break-glass access should exist, but it must be rare, monitored, and reviewed after use. Recovery paths should not become permanent bypasses. SMS-based MFA may still exist in some environments for continuity, but it should be treated as lower assurance and phased out where stronger methods are feasible. Where legal, accessibility, or device constraints limit method choice, the secure path still needs to be the fastest path available. That often means pre-enrollment, self-service device updates, and clear escalation to the service desk rather than ad hoc exception handling. The most practical benchmark is whether users can complete the secure flow without help from a specialist; if not, the organisation is likely to see both more bypass demand and more shadow workarounds, similar to the access drift described in the Microsoft Midnight Blizzard breach.
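As an added example, not code from the original page or from NHI Management Group, the following Python turns the usability indicators listed earlier (fallback usage, reset requests, bypass approvals) into a per-population report, and also flags the edge case just described: a recovery path that has quietly become a standing bypass, detected as fallback use in several consecutive weeks. The event line format, the event type names, the population names and the thresholds are all assumptions for illustration; the sample events are constructed, not a real export.

```python
"""Friction-signal report over MFA telemetry (added illustration, not page code).

Assumptions: events arrive as whitespace-separated lines
"<ISO timestamp> <user> <population> <event type>", with event types
mfa_ok (primary authenticator succeeded), fallback (recovery or lower
assurance method used), reset (help-desk re-enrollment) and
bypass_approved (MFA exception granted). Thresholds are illustrative.
"""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed sample data, not a real export.
SAMPLE_EVENTS = """\
2024-03-04T08:01:00 alice call_center mfa_ok
2024-03-04T08:02:00 bob call_center fallback
2024-03-05T08:05:00 bob call_center fallback
2024-03-11T08:03:00 bob call_center fallback
2024-03-18T08:04:00 bob call_center fallback
2024-03-25T08:00:00 bob call_center fallback
2024-03-04T09:00:00 carol call_center reset
2024-03-05T09:00:00 dave call_center bypass_approved
2024-03-04T10:00:00 erin engineering mfa_ok
2024-03-05T10:00:00 erin engineering mfa_ok
2024-03-06T10:00:00 frank engineering mfa_ok
2024-03-06T10:30:00 frank engineering fallback
2024-03-07T10:00:00 grace engineering mfa_ok
2024-03-08T10:00:00 grace engineering mfa_ok
"""

# Illustrative thresholds; tune them per population and revisit over time.
FALLBACK_RATE_MAX = 0.20        # share of logins completed on a fallback method
RESETS_PER_USER_MAX = 0.10      # help-desk re-enrollments per active user
PERSISTENT_FALLBACK_WEEKS = 3   # consecutive ISO weeks on fallback => standing bypass


def parse_events(text):
    """Parse the assumed line format into dicts carrying a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, population, kind = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "population": population, "kind": kind})
    return events


def friction_by_population(events):
    """Usability indicators per population, plus the thresholds each breaches."""
    counts = defaultdict(lambda: defaultdict(int))
    users = defaultdict(set)
    for e in events:
        counts[e["population"]][e["kind"]] += 1
        users[e["population"]].add(e["user"])
    report = {}
    for pop, c in counts.items():
        logins = c["mfa_ok"] + c["fallback"]
        fallback_rate = c["fallback"] / logins if logins else 0.0
        resets_per_user = c["reset"] / len(users[pop])
        flags = []
        if fallback_rate > FALLBACK_RATE_MAX:
            flags.append("fallback_rate")
        if resets_per_user > RESETS_PER_USER_MAX:
            flags.append("resets")
        if c["bypass_approved"] > 0:        # any approved bypass is a review item
            flags.append("bypass")
        report[pop] = {
            "fallback_rate": round(fallback_rate, 3),
            "resets_per_user": round(resets_per_user, 3),
            "bypasses": c["bypass_approved"],
            "flags": flags,
        }
    return report


def persistent_fallback_users(events, min_weeks=PERSISTENT_FALLBACK_WEEKS):
    """Users whose fallback use spans at least `min_weeks` consecutive ISO weeks.

    One fallback login is expected after a lost device; fallback week after
    week means the recovery path has become the user's primary, lower-assurance
    path and should trigger re-enrollment rather than another exception.
    """
    weeks = defaultdict(set)
    for e in events:
        if e["kind"] == "fallback":
            year, week, _ = e["ts"].isocalendar()
            weeks[e["user"]].add(date.fromisocalendar(year, week, 1))
    flagged = []
    for user, starts in weeks.items():
        ordered = sorted(starts)
        run = longest = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev == timedelta(weeks=1) else 1
            longest = max(longest, run)
        if longest >= min_weeks:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for pop, row in friction_by_population(evs).items():
        print(pop, row)
    print("standing bypass:", persistent_fallback_users(evs))
```

On the constructed sample the call center population breaches all three thresholds (five of six logins on a fallback method, one reset across four users, one approved bypass) while engineering stays under them, and `bob` is flagged because his fallback use runs across four consecutive weeks. The point of the per-population split is that a healthy global average can hide exactly the group whose support model has become the real policy engine.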
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-02 | Supports usable authentication without weakening assurance or control objectives. |
| NIST SP 800-63B | AAL2 | Defines authenticator assurance levels so teams can simplify the journey without dropping below the MFA strength the use case requires. |
| NIST AI RMF | Core functions | Risk and governance functions support context-aware access decisions and usability measurement. |
Tune MFA journeys so the secure path is simplest, then measure friction signals and revise controls.
Related resources from NHI Mgmt Group
- How can IAM teams reduce manual work without weakening controls?
- How can security teams reduce friction without weakening privileged access controls?
- How should security teams reduce friction in remote identity controls without weakening security?
- How should teams reduce Oracle ERP assurance costs without weakening controls?