Subscribe to the Non-Human & AI Identity Journal

What do security teams get wrong about 2FA adoption?

They often treat 2FA as a replacement for password hygiene rather than a layer on top of it. If passwords are reused, weak, or easy to reset, attackers still gain a foothold and then attack the second factor through phishing, session theft, or recovery abuse.

Why This Matters for Security Teams

Security teams get 2FA wrong when they treat it as a finish line instead of a compensating control. Two-factor authentication reduces some password-based risk, but it does not fix weak credential hygiene, weak recovery processes, or poor session protection. As NHI Mgmt Group notes in the Ultimate Guide to NHIs, 97% of NHIs carry excessive privileges, which is a reminder that authentication strength matters less when access paths are already overexposed.

The practical mistake is assuming that “MFA enabled” means the account is safe from phishing, token theft, help desk social engineering, or stale recovery options. Current guidance from the NIST Cybersecurity Framework 2.0 still points teams toward layered identity risk management, not a single control that can absorb all failure modes. 2FA helps most when paired with strong passwords, phishing-resistant factors, tight reset controls, and session monitoring. In practice, many security teams encounter account takeover only after an attacker has bypassed the second factor through recovery abuse or stolen session tokens, rather than through intentional password cracking.

How It Works in Practice

Effective 2FA adoption starts with threat modeling the full login and recovery flow, not just the sign-in prompt. If an organisation allows weak passwords, reused passwords, or easy self-service resets, then 2FA only narrows one part of the attack path. Security teams should pair 2FA with password policy enforcement, breached-password screening, device and location risk checks, and phishing-resistant authenticators where possible. For higher-risk users, current best practice is moving toward factor types that are less replayable than OTP codes, especially for administrative access.

Operationally, the control set usually includes:

  • Require 2FA for all privileged accounts and external access, not just a subset of users.
  • Use phishing-resistant methods for admins and remote access where the platform supports them.
  • Harden account recovery with stronger identity proofing and step-up checks.
  • Monitor for impossible travel, token replay, unusual device enrollment, and recovery workflow abuse.
  • Keep password controls active, including uniqueness checks and breach-based blocking.

This is especially important because identity systems often fail at the edges. The State of Non-Human Identity Security report shows that lack of credential rotation is a top cause of identity-related attacks, which reinforces a broader lesson: authentication controls degrade quickly when lifecycle and recovery practices are weak. That aligns with NIST guidance to treat identity as a managed risk surface rather than a single-point control. These controls tend to break down in environments with legacy apps, SMS-only fallback, or help desks that can reset access with minimal verification because attackers target the weakest recovery path, not the strongest login factor.

Common Variations and Edge Cases

Tighter 2FA requirements often increase user friction and support load, so organisations must balance phishing resistance against operational overhead. That tradeoff becomes visible in remote workforces, contractor-heavy environments, and regulated systems where recovery friction can create business pressure to weaken the process.

There is no universal standard for this yet, but current guidance suggests several exceptions need explicit handling. SMS-based 2FA may be acceptable for low-risk use cases, but it is not a strong choice for high-value administrative access because of SIM swap and interception risks. Push fatigue, OTP relay phishing, and help desk override abuse are also common failure modes. For shared accounts, service desks, and privileged access workflows, teams should prefer stronger authenticators and tighter approval paths rather than assuming one second factor fits every use case.

The most overlooked edge case is account recovery. If recovery bypasses password hygiene and 2FA policy, the organisation has simply moved the attack surface to another channel. The Ultimate Guide to NHIs is useful here because it frames identity as a lifecycle problem, not a one-time enrollment event. In mature programs, 2FA is treated as one layer in a broader identity assurance model, not as evidence that password risk has been solved.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA-01 Addresses identity proofing and authentication strength beyond basic 2FA.
OWASP Non-Human Identity Top 10 NHI-03 Credential lifecycle weakness mirrors the same hygiene failures seen in identity takeover.
NIST SP 800-63 AAL2 Authentication assurance levels help distinguish basic 2FA from stronger phishing-resistant options.

Use stronger authentication and recovery controls as part of a layered identity assurance program.