Subscribe to the Non-Human & AI Identity Journal

What do organisations get wrong when they treat 2FA as enough for every use case?

They ignore the difference between ordinary login protection and high-assurance access control. A low-friction 2FA rollout can be appropriate for some users, but it is not a substitute for stronger assurance where privilege, sensitive data, or regulatory exposure is involved. Authentication strength should scale with risk.

Why This Matters for Security Teams

2FA is often treated as a universal safety net, but that assumption breaks down when the access path carries real privilege. A second factor can reduce account takeover risk at the login step, yet it does not by itself answer whether the request is appropriate for the asset, the data, or the current risk context. NIST’s NIST Cybersecurity Framework 2.0 pushes teams toward risk-based, outcome-driven controls rather than single-control thinking.

For NHI-heavy environments, the problem is sharper because attackers rarely need to defeat 2FA once if they can reuse tokens, steal session state, or pivot through overprivileged service accounts. NHIMG research shows only 5.7% of organisations have full visibility into their service accounts, while 97% of NHIs carry excessive privileges, making “2FA everywhere” a weak proxy for actual access governance. The Ultimate Guide to NHIs explains why visibility, rotation, and privilege control matter more than a generic login barrier.

In practice, many security teams discover that 2FA reduced phishing noise but did little to stop privileged misuse, lateral movement, or API abuse after the first authenticated session was already established.

How It Works in Practice

The practical mistake is conflating authentication with authorisation. 2FA can prove that a user or operator completed a stronger login challenge, but it does not prove that the request is suitable for the action being attempted. For low-risk user portals, that may be acceptable. For admin consoles, production data, secrets vaults, and automation control planes, the control objective is stronger: high-assurance access decisions at runtime.

Security teams usually need to combine 2FA with additional controls such as context-aware authorisation, session limits, device trust, and step-up checks for sensitive actions. That means evaluating the request, not just the login event. For example:

  • Require stronger factors for privileged roles, but also enforce just-in-time elevation for the specific action.
  • Use conditional access based on device posture, location, and session risk.
  • Protect secrets and API keys with vault-based issuance, short TTLs, and rotation.
  • Apply separate policies for human users, service accounts, and agentic workloads.

This is especially important in NHI governance, where a service account may never “log in” in the human sense. The Ultimate Guide to NHIs highlights how excessive privilege and weak lifecycle control create exposure even when perimeter logins are protected. Current guidance suggests pairing authentication strength with the sensitivity of the target system, not treating one 2FA policy as sufficient for all identities.

In standards terms, NIST Cybersecurity Framework 2.0 supports this layered approach by tying access decisions to governance, protection, and continuous risk management rather than one-time identity verification. These controls tend to break down when legacy systems cannot evaluate context at request time because they only understand static login success.

Common Variations and Edge Cases

Tighter authentication often increases user friction, help desk load, and integration complexity, so organisations have to balance convenience against assurance. That tradeoff is real, but it does not justify a one-size-fits-all 2FA rule.

There is no universal standard for this yet across every environment. Best practice is evolving toward risk-based access, with stronger treatment for admins, finance, customer data, production pipelines, and machine-to-machine credentials. A consumer app with low-impact data may reasonably rely on basic 2FA, while regulated workloads may need phishing-resistant MFA, device binding, or separate approval workflows for sensitive actions.

Edge cases are where simplistic policies fail most often:

  • Shared admin accounts, where 2FA is present but accountability is still weak.
  • API-driven services, where 2FA is irrelevant because the real control point is secret issuance and rotation.
  • Third-party access, where federated login can hide overbroad entitlement unless reviewed continuously.

NHIMG data shows 91.6% of secrets remain valid five days after notification and 79% of organisations have experienced secrets leaks, which underlines the point that authentication alone does not contain exposure once credentials are in circulation. The operational answer is to right-size assurance by use case, then verify that the policy actually follows the asset, not just the login screen.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63, NIST Zero Trust (SP 800-207) and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA-01 Access control should match risk, not rely on one universal 2FA rule.
NIST SP 800-63 Digital identity assurance levels explain why one factor set cannot fit every use case.
NIST Zero Trust (SP 800-207) Zero Trust requires continuous verification beyond a successful 2FA login.
OWASP Non-Human Identity Top 10 NHI-01 NHI access often bypasses human MFA and depends on secrets, rotation, and privilege control.
NIST AI RMF Risk management for autonomous or software-driven access needs context-aware decisions.

Inventory non-human identities and protect them with short-lived credentials and least privilege.