Subscribe to the Non-Human & AI Identity Journal

Why do traditional MFA methods struggle against synthetic identity attacks?

Traditional MFA struggles because it confirms a moment of possession, not the legitimacy of the full session. Attackers can phish, proxy, or replay credentials after the initial challenge. Organisations need controls that detect abnormal behaviour, evaluate device and context signals, and interrupt suspicious sessions before fraudulent activity completes.

Why Traditional MFA Fails Against Synthetic Identity Abuse

Traditional MFA was designed to prove that a user or device can complete a second factor challenge, not that the person or session behind it is legitimate. synthetic identity attacks exploit that gap by combining stolen personal data, fabricated attributes, and session hijacking techniques that let an attacker pass MFA while remaining effectively unauthorised. The control validates a moment, but fraud is executed across the rest of the session.

This is why security teams increasingly pair MFA with runtime detection, device trust, and behavioural analytics instead of treating it as a fraud boundary. NHI Management Group’s Ultimate Guide to NHIs shows how identity compromise often persists because credentials and sessions are not revoked quickly enough, and that same persistence pattern applies when attackers use synthetic identities to blend into normal access flows. NIST guidance on NIST SP 800-53 Rev 5 Security and Privacy Controls reinforces the need for continuous monitoring rather than one-time authentication events. In practice, many security teams discover synthetic identity abuse only after funds move, accounts are opened, or internal trust has already been established, rather than through intentional fraud testing.

How MFA Should Be Evaluated in a Synthetic Identity Attack Path

Synthetic identity attacks usually succeed by defeating the assumptions around enrollment, possession, and session continuity. A phishing-resistant factor can still be passed if the attacker has already built a convincing identity profile, compromised a device, or proxied the session in real time. The operational question is not whether MFA was present, but whether the full access path was continuously trustworthy.

Practitioners should evaluate MFA as one control inside a larger identity assurance chain:

  • Does enrollment include proofing strong enough to detect fabricated or stitched-together identity attributes?
  • Are device posture, IP reputation, geo-velocity, and session risk scored at runtime?
  • Can suspicious sessions be interrupted after authentication if behaviour changes materially?
  • Are recovery paths, reset flows, and help desk overrides more weakly protected than the login flow itself?

That last point is where attackers often concentrate effort. If account recovery is easier to subvert than primary MFA, the control set becomes asymmetric and the fraud path widens. NHI Management Group’s 52 NHI Breaches Analysis is a useful reminder that compromised identity material tends to be reused across systems, which is exactly how synthetic identities gain persistence once they are accepted by one workflow. For broader adversary tradecraft, MITRE ATT&CK Enterprise Matrix helps teams map session theft, proxying, and post-authentication abuse to known techniques. These controls tend to break down in high-friction consumer environments where step-up checks are minimized to reduce abandonment and attackers can exploit the resulting trust gaps.

Where Current Guidance Is Evolving

Tighter authentication often increases user friction and operational cost, requiring organisations to balance fraud reduction against conversion, support load, and false positives. Current guidance suggests that the answer is not “more MFA” in the abstract, but stronger identity proofing, fraud detection, and adaptive session control tied to real risk.

There is no universal standard for this yet, but best practice is evolving toward layered controls that include liveness checks, proofing evidence quality, behavioural telemetry, and rapid revocation when risk rises. For synthetic identity scenarios, a pass on MFA should be treated as a signal, not as final assurance. That is especially true in regulated workflows and account opening journeys, where attackers can patiently build credibility before triggering value extraction. The Top 10 NHI Issues research also highlights how excessive trust in static identity artifacts creates long-lived exposure, a pattern that maps directly to synthetic identity fraud when sessions are not continuously re-evaluated. For adversary behaviour trends, CISA cyber threat advisories remain a practical source for current phishing, credential abuse, and social engineering patterns. The main limitation is that these controls are less effective when organisations lack clean identity data, making high-quality onboarding and recovery governance a prerequisite rather than an add-on.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
NIST CSF 2.0 PR.AA Identity verification and continuous authentication are central to resisting synthetic identity abuse.
NIST SP 800-63 IAL/AAL Synthetic identities exploit weak proofing and insufficient authenticator assurance.
NIST AI RMF AI RMF applies to adaptive fraud detection and risk scoring used with MFA.
OWASP Non-Human Identity Top 10 NHI-01 Identity compromise and over-trust in static credentials mirror synthetic identity attack paths.
OWASP Agentic AI Top 10 Runtime risk evaluation aligns with adaptive authorization and session interruption principles.

Strengthen identity assurance and monitor sessions continuously instead of trusting MFA as a one-time gate.