
Why do MFA and SSO controls still fail against identity-focused intrusions?

MFA and SSO fail when attackers steal the factors, enrol their own devices, or replay claims that have already been satisfied. The problem is not that the controls do nothing, but that an attacker who controls the recovery path or the token lifecycle can convert them into valid sessions. Governance must cover the whole trust chain, not just the prompt for credentials.

Why This Matters for Security Teams

MFA and SSO are essential, but they are not identity-proofing by themselves. Once an attacker steals a session token, compromises a recovery channel, or enrols a trusted device, the control plane can legitimise the intrusion instead of stopping it. That is why identity-focused attacks often look like normal sign-ins until the session is already active.

For practitioners, the real issue is the trust chain around the login event: enrolment, recovery, token issuance, session persistence, and privilege escalation. NHI Management Group has documented how identity compromise repeatedly appears in real-world breaches, including the 52 NHI Breaches Analysis and the Microsoft Midnight Blizzard breach, where access paths mattered as much as the initial credential event. NIST's Cybersecurity Framework 2.0 reinforces that identity controls must be managed as part of broader risk governance, not treated as isolated gates.

In practice, many security teams discover this only after a valid session has already been used to move laterally, rather than through intentional control testing.

How It Works in Practice

Identity-focused intrusions usually succeed by turning trusted workflows against the organisation. MFA can be bypassed through phishing proxies, push fatigue, device hijack, help-desk social engineering, or token theft. SSO can then amplify the compromise because a single authenticated session may unlock multiple downstream services, including cloud consoles, source control, and secrets stores.

The practical response is to govern the entire authentication and session lifecycle:

  • Protect enrolment and recovery paths with stronger verification than the sign-in flow itself.
  • Use phishing-resistant MFA where possible, but still monitor for token replay and session abuse.
  • Shorten session lifetimes and bind tokens to device, context, or risk signals where supported.
  • Continuously evaluate sign-in risk, not just initial credential acceptance.
  • Review privileged SSO applications separately, because one compromised session can become many.
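The list above is easier to reason about as code. What follows is an added example, not code from the original page or from NHI Management Group: an in-memory session store that hashes the bearer token, binds each session to a device/context fingerprint at issuance, enforces absolute and idle lifetimes, and demands step-up for privileged actions. The constant values, the `fingerprint` inputs (device id, source IP, user agent) and the constructed sign-in events are assumptions for illustration; they are not a real identity provider's API.

```python
"""Session binding, lifetime and replay check for an SSO-style bearer session.

Constructed example: in-memory store, fingerprint bound at issuance,
absolute/idle lifetimes, and step-up for privileged actions.  The
thresholds and the fingerprint inputs are assumptions, not product defaults.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ABSOLUTE_TTL = 8 * 3600   # hard cap on session age in seconds (assumed policy)
IDLE_TTL = 15 * 60        # revoke if unused this long (assumed policy)
STEP_UP_AGE = 5 * 60      # privileged actions need an interactive auth this recent


def fingerprint(device_id: str, ip: str, user_agent: str) -> str:
    """Hash of the context the session is bound to (inputs are an assumption)."""
    return hashlib.sha256(f"{device_id}|{ip}|{user_agent}".encode()).hexdigest()


@dataclass
class Session:
    token_hash: str      # only a hash of the bearer token is kept server-side
    subject: str
    binding: str         # fingerprint of the context at issuance
    issued_at: float
    auth_time: float     # time of the last interactive authentication
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self):
        self._sessions = {}

    def issue(self, subject, ctx, now):
        token = secrets.token_urlsafe(32)
        sid = secrets.token_hex(8)
        self._sessions[sid] = Session(
            token_hash=hashlib.sha256(token.encode()).hexdigest(),
            subject=subject, binding=fingerprint(*ctx),
            issued_at=now, auth_time=now, last_seen=now)
        return sid, token

    def evaluate(self, sid, token, ctx, now, privileged=False):
        """Return (verdict, reason); verdict is allow, stepup, reauth or deny."""
        s = self._sessions.get(sid)
        if s is None or s.revoked:
            return "deny", "unknown or revoked session"
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(s.token_hash, presented):
            return "deny", "token mismatch"
        if fingerprint(*ctx) != s.binding:
            # A valid token arriving from a different context is the replay
            # case: kill the session, do not merely reject this request.
            s.revoked = True
            return "deny", "binding mismatch, session revoked (possible token replay)"
        if now - s.issued_at > ABSOLUTE_TTL:
            s.revoked = True
            return "reauth", "absolute lifetime exceeded"
        if now - s.last_seen > IDLE_TTL:
            s.revoked = True
            return "reauth", "idle timeout"
        if privileged and now - s.auth_time > STEP_UP_AGE:
            return "stepup", "privileged action needs fresh authentication"
        s.last_seen = now
        return "allow", "ok"

    def step_up(self, sid, now):
        """Record a fresh interactive authentication (e.g. a phishing-resistant factor)."""
        self._sessions[sid].auth_time = now


def demo():
    """Constructed timeline: legitimate use, step-up, then a replay from elsewhere."""
    store = SessionStore()
    t0 = 1_700_000_000.0
    user_ctx = ("dev-7f3a", "203.0.113.10", "Mozilla/5.0")       # constructed
    attacker_ctx = ("dev-unknown", "198.51.100.7", "curl/8.0")    # constructed
    sid, token = store.issue("alice", user_ctx, t0)
    verdicts = [
        store.evaluate(sid, token, user_ctx, t0 + 60)[0],                     # allow
        store.evaluate(sid, token, user_ctx, t0 + 600, privileged=True)[0],   # stepup
    ]
    store.step_up(sid, t0 + 610)
    verdicts.append(store.evaluate(sid, token, user_ctx, t0 + 620, privileged=True)[0])  # allow
    verdicts.append(store.evaluate(sid, token, attacker_ctx, t0 + 700)[0])    # deny, revokes
    verdicts.append(store.evaluate(sid, token, user_ctx, t0 + 710)[0])        # deny, revoked
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that a binding mismatch revokes the session instead of just failing one request: the legitimate user is forced to sign in again, but the stolen token stops working everywhere at once. Binding to a source IP, as the constructed fingerprint does, will break on mobile and corporate NAT networks; where the platform supports it, bind to a device-held key (proof-of-possession tokens) and use IP and user agent only as risk signals.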

This is especially important for NHI and machine-to-machine access, where static credentials and long-lived tokens often persist far longer than a human session. The Ultimate Guide to NHIs explains why identity governance must include the full lifecycle of secrets, tokens, and workload access. For a more attack-driven view, the LLMjacking: How Attackers Hijack AI Using Compromised NHIs research shows how quickly exposed credentials can be abused once discovered.

These controls tend to break down in environments with legacy SSO integrations, weak help-desk identity proofing, or shared admin accounts, because the attacker only needs one trusted recovery or token path to convert a valid login into lasting access.

Common Variations and Edge Cases

Tighter authentication often increases friction, so organisations must balance user experience against attack resistance. That tradeoff becomes more visible in high-volume support environments, regulated SaaS estates, and hybrid cloud stacks where some applications still cannot enforce modern token binding or device trust.

A few edge cases deserve special handling. First, SSO does not remove risk from downstream applications that over-trust upstream assertions: an application that accepts a token without checking its signature, issuer, audience, and lifetime can be fed a token issued for something else. Second, MFA strength varies widely: SMS, push approvals, and re-used factors do not provide the same resistance as phishing-resistant methods, and a downstream application cannot tell the difference unless the assertion records which method was used. Third, service accounts and automation identities fail in the same way as human identities if their secrets are stored, copied, or rotated poorly. NHI Management Group's Top 10 NHI Issues and Ultimate Guide to NHIs and Standards are useful references for understanding how identity assurance degrades when session trust is treated as permanent.
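The first two edge cases, an over-trusting downstream application and uneven MFA strength, are shown side by side below. This is an added example and not code from the original page or from NHI Management Group. It uses a minimal HMAC-signed JWT-style token so that it runs with the standard library alone; real SSO deployments verify RS256/ES256 signatures against the identity provider's published keys, and the shared key, issuer URL, audience, `jti`-based replay cache and the `fido` method name are all assumptions (the `hwk` and `swk` method values are the ones defined in RFC 8176).

```python
"""Over-trusting vs. hardened validation of an upstream SSO assertion.

Constructed example: HMAC-signed JWT-like tokens (real SSO uses asymmetric
signatures and the IdP's published keys).  Key, issuer, audience and the
replay cache are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json

IDP_KEY = b"constructed-shared-key-for-example-only"   # assumption
EXPECTED_ISS = "https://idp.example.test"               # assumption
EXPECTED_AUD = "secrets-store"     # this downstream app's own client id (assumption)
PHISHING_RESISTANT = {"hwk", "swk", "fido"}   # hwk/swk per RFC 8176; "fido" assumed
_seen_jti = set()                  # in-memory replay cache (assumption)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(claims: dict, key: bytes = IDP_KEY) -> str:
    """Mint a header.payload.signature token the way the constructed IdP would."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def weak_validate(token: str) -> str:
    """The over-trusting downstream: decodes the payload and believes it."""
    payload = json.loads(_unb64(token.split(".")[1]))
    return payload["sub"]      # no signature, issuer, audience, expiry or method check


def validate(token: str, now: int, require_phishing_resistant: bool = False,
             key: bytes = IDP_KEY) -> str:
    """Hardened downstream check; raises ValueError with the reason on failure."""
    header, payload, sig = token.split(".")
    if json.loads(_unb64(header)).get("alg") != "HS256":   # never trust alg from the token
        raise ValueError("unsupported algorithm")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64(payload))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("token not issued for this application")
    if not (claims.get("iat", 0) - 60 <= now < claims.get("exp", 0)):  # 60 s clock skew
        raise ValueError("token expired or not yet valid")
    jti = claims.get("jti")
    if jti is None or jti in _seen_jti:
        raise ValueError("missing or replayed jti")
    if require_phishing_resistant and not PHISHING_RESISTANT & set(claims.get("amr", [])):
        raise ValueError("authentication method too weak for this application")
    _seen_jti.add(jti)
    return claims["sub"]


def _outcome(fn):
    try:
        return fn()
    except ValueError as e:
        return str(e)


def demo() -> dict:
    """Constructed tokens: a good one, a tampered one, SMS-only MFA, wrong audience."""
    now = 1_700_000_000
    base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "alice",
            "iat": now - 10, "exp": now + 300}
    good = sign({**base, "jti": "a1", "amr": ["pwd", "hwk"]})
    forged = good.rsplit(".", 1)[0] + "." + _b64(b"\x00" * 32)   # signature tampered
    sms_only = sign({**base, "jti": "a2", "amr": ["pwd", "sms"]})
    wrong_aud = sign({**base, "jti": "a3", "aud": "wiki", "amr": ["hwk"]})
    return {
        "weak_accepts_forged": weak_validate(forged),
        "hardened_rejects_forged": _outcome(lambda: validate(forged, now)),
        "hardened_accepts_good": _outcome(lambda: validate(good, now)),
        "replay": _outcome(lambda: validate(good, now)),
        "weak_mfa": _outcome(lambda: validate(sms_only, now, require_phishing_resistant=True)),
        "wrong_audience": _outcome(lambda: validate(wrong_aud, now)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The audience check is the one most often skipped in practice: a token the identity provider issued for a low-value application is still a validly signed token, and a downstream service that does not check `aud` will accept it. The `amr` check lets a privileged application (a secrets store, a cloud console) refuse sessions that satisfied MFA with SMS or a push approval, which is how the "MFA strength varies" edge case becomes enforceable rather than advisory.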

Best practice is evolving toward continuous, context-aware verification rather than one-time sign-in success. That matters most where attacker dwell time is high, user recovery processes are informal, or a single SSO event can unlock both human and machine privileges across the environment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework                        Control / Reference   Relevance
NIST CSF 2.0                     PR.AA-01              Identity proofing and authentication must cover the full trust chain.
OWASP Non-Human Identity Top 10  NHI4, NHI7            Insecure authentication and long-lived secrets for non-human identities.
NIST AI RMF                      n/a                   Continuous risk evaluation is needed when identity decisions are dynamic.

Strengthen sign-in, recovery, and session controls so valid sessions cannot be trivially hijacked.