
Why do legacy MFA controls fail to stop workforce impersonation attacks?

Legacy MFA proves a session factor, not the legitimacy of the person behind the request. Attackers can steal or coerce SMS codes, manipulate push prompts, or bind new devices after weak proofing. If onboarding or recovery is the weak point, MFA simply protects the wrong stage of the identity lifecycle.

Why Legacy MFA Misses the Real Attack Surface

Legacy MFA is designed to confirm that a session includes a second factor, not that the requestor is the legitimate workforce member at that moment. That gap matters because impersonation attacks usually target onboarding, recovery, device enrollment, or push fatigue, where weak proofing lets an attacker become the “trusted” user before MFA even starts. NHIMG’s analysis in its 52 NHI Breaches Report shows how often identity compromise begins well before a token is presented.

Attackers do not need to defeat MFA in the abstract if they can intercept SMS codes, coerce approvals, or add a new device through a poorly verified help desk flow. This is why current guidance increasingly treats MFA as one control in a broader identity lifecycle, not a complete impersonation defense. As CISA cyber threat advisories repeatedly show, real-world compromise often combines phishing, session theft, and recovery abuse rather than a single password break. In practice, many security teams discover impersonation only after help desk recovery or device enrollment has already legitimised the attacker.

How Workforce Impersonation Succeeds in Practice

Workforce impersonation usually succeeds by exploiting weak identity proofing and user interaction, not by cracking cryptography. MFA can still be present while the adversary controls the factor. The common failure patterns are predictable:

  • SMS or voice codes are stolen through phishing, SIM swap, or call forwarding abuse.
  • Push approvals are worn down through fatigue, social engineering, or help desk pressure.
  • New devices are enrolled after recovery questions or ticket-based verification that is too weak.
  • Session tokens are replayed after the initial MFA event, bypassing the original challenge.

For that reason, best practice is evolving toward phishing-resistant authentication, stronger proofing at enrollment, and step-up verification for sensitive actions. NIST identity guidance and the MITRE ATLAS adversarial AI threat matrix both reinforce a broader point: controls should be applied at the point of highest risk, not only at sign-in. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks explains how weak lifecycle controls turn identity tools into an attacker’s entry path rather than a barrier.

In a mature setup, workforce access should combine resistant factors, device binding, recovery hardening, and continuous risk evaluation so that a successful factor challenge does not automatically equal trusted identity. These controls tend to break down when large service desks still allow manual resets for high-value users because the recovery path becomes the easiest impersonation route.
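The following is an added illustration, not code from NHIMG or any product the article mentions, of the access decision described above: a passed MFA challenge is only one input, and factor strength, device binding and whether the factor was bound through a recovery or help desk path decide whether a session is trusted enough for a privileged action. The factor labels, the 72-hour probation window and the scenarios in demo() are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed factor classes: phishing-resistant versus legacy factors that
# can be stolen or coerced (SMS, voice codes, push approvals).
PHISHING_RESISTANT = {"fido2", "x509"}
LEGACY = {"sms", "voice", "push"}
# Hypothetical probation window for a factor bound via recovery or help desk reset.
RECOVERY_PROBATION = timedelta(hours=72)

@dataclass
class SessionContext:
    factor: str                  # factor that satisfied the MFA challenge
    factor_enrolled_at: datetime
    enrolled_via_recovery: bool  # bound after a reset or help desk ticket
    device_bound: bool           # factor tied to a known, managed device
    action_risk: str             # "low" or "privileged"
    now: datetime

def evaluate_access(ctx: SessionContext) -> tuple:
    """Return (decision, reason): allow, step_up or deny. A passed MFA
    challenge is one input; strength, binding and enrollment path decide."""
    if ctx.factor not in PHISHING_RESISTANT | LEGACY:
        return "deny", "unknown factor type"
    age = ctx.now - ctx.factor_enrolled_at
    recently_recovered = ctx.enrolled_via_recovery and age < RECOVERY_PROBATION
    if ctx.action_risk == "privileged":
        # Highest-risk point: refuse a freshly recovered factor outright and
        # otherwise require a phishing-resistant, device-bound factor.
        if recently_recovered:
            return "deny", "factor bound via recovery within probation window"
        if ctx.factor in PHISHING_RESISTANT and ctx.device_bound:
            return "allow", "phishing-resistant, device-bound factor"
        return "step_up", "privileged action needs phishing-resistant factor"
    # Low-risk actions tolerate legacy factors, but a factor enrolled through
    # recovery still gets a step-up challenge until probation ends.
    if recently_recovered:
        return "step_up", "factor bound via recovery within probation window"
    return "allow", "factor accepted for low-risk action"

def demo() -> dict:
    # Constructed scenarios: the same user two hours after a help desk reset,
    # on a year-old SMS factor, and on a year-old device-bound passkey.
    now = datetime(2025, 1, 10, 9, 0)
    old = now - timedelta(days=400)
    cases = {
        "reset": SessionContext("push", now - timedelta(hours=2), True, False, "privileged", now),
        "reset_low": SessionContext("push", now - timedelta(hours=2), True, False, "low", now),
        "legacy": SessionContext("sms", old, False, False, "privileged", now),
        "strong": SessionContext("fido2", old, False, True, "privileged", now),
    }
    return {name: evaluate_access(ctx)[0] for name, ctx in cases.items()}
```

The "reset" case is the one the text warns about: MFA is satisfied, yet the factor was bound through recovery minutes ago, so the privileged action is refused rather than trusted.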

Where MFA Needs to Be Reinforced or Replaced

Tighter authentication usually increases friction, so organisations must balance user convenience against the cost of account takeover and downstream lateral movement. There is no universal standard for this yet, but the direction of travel is clear: MFA alone is insufficient where recovery, enrollment, or help desk workflows are weak. That is why many teams now pair MFA with phishing-resistant methods, device posture checks, and approval controls that are harder to socially engineer.

This matters most for executives, finance teams, IT admins, and anyone with privileged access, because impersonation of those accounts creates disproportionate blast radius. Current guidance suggests focusing on the full identity lifecycle, including provisioning, proofing, recovery, and privileged step-up, rather than treating login as the only control point. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now and Top 10 NHI Issues are useful references for understanding how identity trust breaks when access is granted without sufficient lifecycle assurance. In practice, mature organisations often find that the weakest link is not the MFA prompt itself, but the human and service processes that can authorise a new trusted factor.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                          Control / Reference   Relevance
OWASP Non-Human Identity Top 10    NHI-03                Weak lifecycle proofing lets attackers bind trusted access before MFA matters.
NIST CSF 2.0                       PR.AC-7               Phishing-resistant authentication is central to stopping impersonation attacks.
NIST SP 800-63                     IAL2                  Identity proofing strength determines whether a new factor truly belongs to the user.

Harden enrollment, recovery, and factor-binding workflows so identity proofing cannot be bypassed.