Subscribe to the Non-Human & AI Identity Journal

Who is accountable when MFA fails to protect a financial system?

Accountability sits with the organisation that owns identity governance, not with the authentication method itself. Security, IAM, application, and business owners must jointly ensure the control is enforced, reviewed, and aligned to access risk. In regulated sectors, audit evidence should show who approved exceptions, who monitors them, and who removes them.

Why This Matters for Security Teams

MFA is a control, not an accountability model. When it fails in a financial system, the issue is usually not the factor itself but the governance around enrollment, exception handling, session risk, and privileged access paths. That means ownership spans IAM, security operations, application owners, and the business function that accepted the risk. The control must be aligned to policy and evidence, not assumed effective because it exists. NIST’s NIST Cybersecurity Framework 2.0 and NIST SP 800-53 Rev 5 Security and Privacy Controls both reinforce that access control is an operating discipline, not a checkbox.

For financial institutions, this matters because attackers often do not need to defeat MFA directly. They target recovery flows, legacy protocols, help desk processes, session theft, or over-privileged accounts that bypass stronger controls. NHIMG research on the Microsoft Midnight Blizzard breach shows how identity weaknesses can cascade beyond a single login event, while the Schneider Electric credentials breach illustrates how exposed credentials still create downstream exposure even when “authentication” appears to be in place. In practice, many security teams encounter MFA failure only after unauthorized access has already been investigated as a fraud or outage event, rather than through intentional control testing.

How It Works in Practice

Accountability should follow the control lifecycle. Identity and access teams typically own policy design, security owns assurance and monitoring, application owners own enforcement in the system, and the business owner approves exceptions where there is a documented operational need. If MFA fails, the first question is whether the environment was configured to require it for all relevant paths, including admin consoles, APIs, remote access, and recovery processes. The second question is whether logs, alerts, and review cycles were strong enough to detect bypass or degradation.

Good practice is to define this as a shared control with named decision points. For example:

  • IAM owns factor enrollment, reset, and reauthentication rules.
  • Security owns control testing, monitoring, and exception governance.
  • Application owners confirm the application actually enforces MFA on every protected path.
  • Business owners approve risk acceptance and sign off on expiry dates for exceptions.

The identity standard in NIST SP 800-63 Digital Identity Guidelines is helpful because it treats authentication assurance, lifecycle, and recovery as separate control problems. In parallel, NHIMG’s analysis of the DeepSeek breach and vendor research on secrets exposure show why identity failures often become broader access failures when fallback credentials, tokens, or service accounts are not governed as tightly as user MFA. These controls tend to break down in legacy financial cores and outsourced access chains because the true enforcement point is split across multiple systems and no single team sees the full path.

Common Variations and Edge Cases

Tighter MFA governance often increases operational friction, requiring organisations to balance user experience, recovery speed, and regulatory evidence against the risk of silent bypass. Current guidance suggests that high-risk transactions, privileged actions, and remote administrative access deserve stronger controls than standard employee login flows, but there is no universal standard for exactly where the line should be drawn.

Some edge cases change the accountability picture:

  • If MFA was technically available but not enforced in one channel, the application owner and IAM team both share responsibility.
  • If the fraud path involved help desk reset or device replacement, the service owner and operations leader become accountable for weak recovery assurance.
  • If a vendor or managed service provider administered access, the organisation still remains accountable for the control outcome, even if execution was delegated.
  • If a privileged session was hijacked after MFA, post-authentication controls such as session binding, step-up verification, and monitoring become part of the failure review.

For regulated financial environments, the practical test is whether evidence can show who approved the exception, who reviewed it, and who removed it on expiry. If that cannot be proven, accountability has not been operationalised. NHIMG’s secrets research underscores why this matters: organisations often believe control coverage is stronger than it is, yet exposed credentials and fragmented remediation processes keep opening the same door.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST SP 800-53 Rev 5 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AC-1 Addresses how identities and access permissions must be governed across systems.
NIST SP 800-63 Defines assurance, enrollment, and recovery expectations for digital identity.
NIST SP 800-53 Rev 5 IA-2 Covers identification and authentication requirements for system access.
OWASP Non-Human Identity Top 10 NHI-06 Reinforces governance over credentials and secrets that often bypass MFA.
NIST AI RMF GOVERN Supports clear accountability and oversight for security controls and exceptions.

Assign named owners for access policy, enforcement, and review, then verify MFA is required on every protected path.