TL;DR: MFA reduces account takeover risk, but Hydden's article argues that incomplete coverage, legacy compatibility issues, and weak enforcement still leave major gaps across employee and customer identities. The real issue is not MFA itself, but whether organisations can enforce it consistently across every account and application.
At a glance
What this is: This is an MFA-focused identity security commentary arguing that coverage gaps and enforcement failures still undermine account protection.
Why it matters: It matters because IAM programmes cannot treat MFA as solved if coverage is uneven across human identities, service access paths, and application estates.
👉 Read Hydden's analysis of MFA coverage gaps and invisible authentication
Context
Multi-Factor Authentication works only when it is applied consistently across the identity estate. The article’s central point is that many real-world breaches still succeed because organisations leave gaps in enforcement, especially where legacy applications, customer access, or fragmented identity stacks make universal MFA difficult.
For IAM and security teams, the issue is not whether MFA is a useful control. The question is whether policy, provisioning, and exception handling are strong enough to make MFA universal in practice rather than merely universal on paper.
Key questions
Q: How should organisations roll out MFA without leaving coverage gaps?
A: Start by mapping every authentication path, including legacy apps, partner portals, and customer journeys, then enforce MFA wherever the business relies on access. Make exceptions time-bound and reviewed, because the main failure mode is not lack of policy but partial enforcement that leaves exploitable paths open.
Q: Why do invisible MFA models depend on identity telemetry?
A: Invisible MFA works only when the system can see enough risk context to decide when to challenge a user. Device state, session behaviour, and location signals must be reliable and timely, otherwise adaptive authentication becomes either over-triggered or too permissive to be trusted.
Q: What do security teams get wrong about MFA coverage?
A: They often count deployment instead of enforcement. An organisation can claim MFA adoption while still leaving high-risk apps, privileged users, or exception routes unprotected. The practical test is whether MFA is mandatory on the paths attackers can actually use.
Q: Who is accountable when MFA exceptions become permanent?
A: IAM, application owners, and security governance share accountability because permanent exceptions turn a compensating control into a standing weakness. Exception registers should be time-bound, reviewed, and tied to clear ownership so bypasses do not outlive the business reason that created them.
Technical breakdown
Why MFA fails when coverage is incomplete
MFA raises the cost of credential theft by requiring an additional factor, but it only protects the accounts and applications where it is actually enforced. Gaps appear when certain apps cannot support modern authentication flows, when exceptions are granted for convenience, or when users are able to bypass stronger checks through legacy paths. In those cases, the organisation has a partial control that creates a false sense of coverage. Practical implication: map MFA enforcement against every authentication path, not just the primary SSO flow.
Invisible MFA depends on real-time identity risk visibility
Invisible MFA is a risk-based model that authenticates continuously and only interrupts the user when risk changes. That approach depends on reliable signals about device state, session behaviour, location, and account risk at the moment access is being used. If the identity platform cannot see those signals in real time, step-up prompts become either too frequent or too weak, and the model loses trust. Practical implication: validate the data feeds behind adaptive authentication before relying on risk-based prompts.
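The failure mode described above, a risk engine that cannot see a signal and quietly treats it as low risk, is easy to reason about in code. The following is an added example for this page, not code from Hydden or NHIMG: a small step-up decision function that scores a session from device, location and behaviour signals, and treats any signal that is missing or older than a freshness bound as unknown rather than safe. The signal names, risk weights, thresholds and the five-minute freshness bound are assumptions, and the sessions in `demo_sessions()` are constructed. The `fail_open` flag shows the permissive variant for comparison.

```python
"""Risk-based (invisible MFA) step-up decision that treats stale or missing
telemetry as unknown rather than safe.

Added example, not code from Hydden or NHIMG. Signal names, weights, thresholds
and the freshness bound are assumptions; the sessions below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_SIGNAL_AGE = timedelta(minutes=5)   # assumed: older signals do not describe "now"

# Assumed risk weights per signal value.
RISK_WEIGHTS = {
    "device":    {"managed": 0, "unmanaged": 40},
    "location":  {"known": 0, "new": 30, "impossible_travel": 100},
    "behaviour": {"baseline": 0, "anomalous": 50},
}
UNKNOWN_WEIGHT = 40       # a signal we cannot see is not evidence of low risk
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 100


@dataclass
class Signal:
    value: str
    observed_at: datetime


@dataclass
class Session:
    user: str
    signals: Dict[str, Signal] = field(default_factory=dict)


@dataclass
class Decision:
    action: str           # "allow", "step_up" or "deny"
    score: int
    reasons: List[str]


def evaluate(session: Session, now: datetime, fail_open: bool = False) -> Decision:
    """Score a session from its signals. With fail_open=True a missing or stale
    signal contributes nothing, which is the 'too permissive' failure mode."""
    score, reasons = 0, []
    for name, table in RISK_WEIGHTS.items():
        sig = session.signals.get(name)
        if sig is None:
            why = "missing"
        elif now - sig.observed_at > MAX_SIGNAL_AGE:
            why = f"stale ({int((now - sig.observed_at).total_seconds())}s old)"
        else:
            why = None
        if why is not None:
            if not fail_open:
                score += UNKNOWN_WEIGHT
            reasons.append(f"{name}: {why}")
            continue
        weight = table.get(sig.value, UNKNOWN_WEIGHT)   # unrecognised value is also unknown
        score += weight
        if weight:
            reasons.append(f"{name}: {sig.value}")
    if score >= DENY_THRESHOLD:
        action = "deny"
    elif score >= STEP_UP_THRESHOLD:
        action = "step_up"
    else:
        action = "allow"
    return Decision(action, score, reasons)


def demo_sessions() -> Dict[str, Decision]:
    """Constructed sessions evaluated at a fixed instant."""
    now = datetime(2026, 2, 18, 9, 0, tzinfo=timezone.utc)
    fresh = now - timedelta(seconds=30)
    stale = now - timedelta(minutes=20)
    healthy = Session("alice", {
        "device": Signal("managed", fresh),
        "location": Signal("known", fresh),
        "behaviour": Signal("baseline", fresh),
    })
    stale_device = Session("bob", {
        "device": Signal("managed", stale),      # last device posture is 20 minutes old
        "location": Signal("known", fresh),
        "behaviour": Signal("baseline", fresh),
    })
    travelling = Session("carol", {
        "device": Signal("managed", fresh),
        "location": Signal("impossible_travel", fresh),
        "behaviour": Signal("baseline", fresh),
    })
    return {
        "healthy": evaluate(healthy, now),
        "stale_device": evaluate(stale_device, now),
        "stale_device_fail_open": evaluate(stale_device, now, fail_open=True),
        "impossible_travel": evaluate(travelling, now),
    }


if __name__ == "__main__":
    for label, d in demo_sessions().items():
        print(f"{label:24} {d.action:8} score={d.score:<3} {'; '.join(d.reasons)}")
```

The point of the comparison is the `stale_device` session: the same 20-minute-old "managed" posture produces a step-up under the default policy and a silent allow under `fail_open=True`. Whichever engine a platform uses, the question to ask of its telemetry feeds is which of those two behaviours it has when a signal stops arriving.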
Federation and SSO reduce password dependence, not governance responsibility
SSO and federation can reduce how often users type passwords, but they do not remove the need for strong policy, lifecycle governance, and recovery controls. If a federated account is compromised, the blast radius can span multiple connected applications even when the user never sees a password prompt. That makes MFA one layer in a broader identity architecture, not a complete substitute for access governance. Practical implication: align MFA policy with federation, recertification, and exception management as one control system.
Threat narrative
Attacker objective: The attacker’s objective is to turn stolen credentials into durable account access and broader application reach.
- entry: Attackers obtain passwords through phishing, credential reuse, or breach exposure and target accounts that lack enforced MFA.
- escalation: Where MFA is inconsistently deployed, stolen credentials remain sufficient to authenticate through legacy or exempted paths.
- impact: The attacker gains unauthorized account access and can reach sensitive information, financial assets, or downstream applications.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity security fails where MFA is treated as a point control instead of an estate-wide policy. The article correctly identifies that partial coverage leaves accounts, applications, and exception paths outside the protection model. That is an IAM governance problem, not just an authentication problem. The implication is that organisations must stop measuring MFA by product deployment and start measuring it by enforced coverage.
Invisible MFA is only as strong as the identity telemetry behind it. Risk-based authentication depends on knowing enough about the session to decide when to challenge. If visibility is weak, continuous authentication becomes guesswork and either annoys users or misses real risk. Practitioners should treat telemetry quality as part of the control, not as an optional enhancement.
Federation reduces password exposure, but it does not remove identity accountability. SSO and federation can lower the number of direct password prompts, yet the organisation still owns enrolment, recovery, exception handling, and application-level enforcement. That means MFA policy has to be governed across the full access lifecycle, not only at login.
Coverage drift: the real control failure is not MFA absence, but uneven enforcement across legacy apps, customer journeys, and exempted identities. This pattern shows up whenever identity teams can prove a policy exists but cannot prove it is applied everywhere the business depends on access. The implication is that assurance must focus on coverage drift, not on checkbox adoption.
Hydden’s framing reflects a broader IAM reality: authentication controls break when operational exceptions become permanent. The article points to a common organisational failure mode where convenience overrides enforcement. Once exceptions normalise, MFA becomes a partial control with uncertain value. Practitioners should treat exception sprawl as a governance defect, not a temporary accommodation.
From our research:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- That confidence gap sits alongside a separate finding that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- For teams broadening identity controls beyond MFA, the next step is to connect enforcement with the NHI lifecycle, as outlined in Ultimate Guide to NHIs , Key Challenges and Risks.
What this signals
Coverage quality is now the real identity security metric. MFA adoption percentages matter less than whether every identity path is actually enforced, because exceptions and legacy routes are where attackers look first. In practice, that pushes teams toward continuous assurance, not one-time deployment checks.
With only 1.5 out of 10 organisations highly confident in securing NHIs, per The State of Non-Human Identity Security, the same governance discipline that limits MFA gaps also has to cover machine credentials and service access.
Coverage drift: once exception handling becomes routine, authentication policy stops behaving like a control and starts behaving like documentation. Teams should expect audit questions to move from
For practitioners
- Map MFA enforcement across every access path Inventory employee, customer, partner, and admin sign-in paths, then verify which ones truly require MFA and which rely on legacy or exempted flows. Prioritise the applications and identities that currently depend on exceptions.
- Review exception handling as a governance control Track which teams can grant MFA bypasses, how long those exceptions last, and whether they are periodically reapproved. Permanent exceptions should be treated as control failures, not operational convenience.
- Validate telemetry for adaptive authentication Check whether device signals, session context, and risk events arrive quickly enough to support invisible MFA decisions. If the platform cannot see changes in real time, step-up decisions will be inconsistent.
- Align MFA with lifecycle governance Connect enrolment, recovery, recertification, and offboarding so MFA state stays accurate when users change roles or leave. A strong login step is not enough if lifecycle processes leave stale access in place.
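The first two steps above, mapping enforcement per access path and reviewing exceptions as a governance control, can be run as one audit over an inventory and an exception register. The following is an added example for this page, not code from Hydden or NHIMG. It separates MFA *deployed* (the platform could enforce it) from MFA *enforced* (it is required today), classifies every unenforced path by whether an owned, time-bound, recently reviewed exception stands behind it, and flags exceptions that no longer match any inventoried path. The record fields, the 90-day review interval and the population triage order are assumptions; the inventory in `sample_inventory()` is constructed.

```python
"""Coverage-drift audit over an access-path inventory and an MFA exception register.

Added example, not code from Hydden or NHIMG. Record fields, the review
interval and the priority order are assumptions; the inventory is constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

REVIEW_INTERVAL = timedelta(days=90)   # assumed: approvals older than this need re-review
PRIORITY = {"admin": 0, "employee": 1, "partner": 1, "customer": 2}   # assumed triage order


@dataclass
class AccessPath:
    app: str
    path: str            # e.g. "sso", "legacy_basic_auth", "customer_portal"
    population: str      # who signs in here: admin / employee / partner / customer
    mfa_capable: bool    # the path can technically require MFA (deployed)
    mfa_enforced: bool   # MFA is mandatory on this path today (enforced)


@dataclass
class MfaException:
    app: str
    path: str
    owner: Optional[str]
    approved_on: date
    expires_on: Optional[date]   # None means open-ended


def exception_problems(exc: MfaException, today: date) -> List[str]:
    """Healthy only if owned, time-bound, unexpired and reviewed within REVIEW_INTERVAL."""
    problems = []
    if not exc.owner:
        problems.append("no owner")
    if exc.expires_on is None:
        problems.append("no expiry")
    elif exc.expires_on < today:
        problems.append(f"expired {exc.expires_on.isoformat()}")
    if exc.approved_on + REVIEW_INTERVAL < today:
        problems.append("review overdue")
    return problems


def audit(paths: List[AccessPath], exceptions: List[MfaException], today: date) -> dict:
    register: Dict[Tuple[str, str], MfaException] = {(e.app, e.path): e for e in exceptions}
    inventory = {(p.app, p.path) for p in paths}
    gaps = []
    for p in paths:
        if p.mfa_enforced:
            continue
        exc = register.get((p.app, p.path))
        problems: List[str] = []
        if not p.mfa_capable:
            status = "no_mfa_support"      # needs migration or a compensating control
        elif exc is None:
            status = "unmanaged_gap"       # bypass with no recorded business reason
        else:
            problems = exception_problems(exc, today)
            status = "exception_stale" if problems else "exempted"
        gaps.append({"app": p.app, "path": p.path, "population": p.population,
                     "status": status, "problems": problems})
    gaps.sort(key=lambda g: (PRIORITY.get(g["population"], 9), g["app"], g["path"]))
    total, capable = len(paths), sum(p.mfa_capable for p in paths)
    enforced = sum(p.mfa_enforced for p in paths)
    return {
        "total_paths": total, "capable": capable, "enforced": enforced,
        "deployed_pct": round(100 * capable / total, 1) if total else 0.0,
        "enforced_pct": round(100 * enforced / total, 1) if total else 0.0,
        "gaps": gaps,
        # register entries that match no inventoried path: register and inventory have drifted apart
        "orphan_exceptions": sorted(k for k in register if k not in inventory),
    }


def sample_inventory() -> Tuple[List[AccessPath], List[MfaException]]:
    """Constructed inventory and exception register."""
    paths = [
        AccessPath("hr-portal", "sso", "employee", True, True),
        AccessPath("hr-portal", "legacy_basic_auth", "employee", True, False),
        AccessPath("admin-console", "sso", "admin", True, False),
        AccessPath("billing", "customer_portal", "customer", True, True),
        AccessPath("mainframe-gw", "terminal", "employee", False, False),
        AccessPath("partner-api", "basic_auth", "partner", True, False),
    ]
    exceptions = [
        MfaException("hr-portal", "legacy_basic_auth", "it-ops", date(2025, 9, 1), date(2025, 12, 31)),
        MfaException("partner-api", "basic_auth", "integration-team", date(2026, 1, 15), date(2026, 4, 15)),
        MfaException("old-crm", "basic_auth", "sales-ops", date(2024, 1, 1), None),
    ]
    return paths, exceptions


def run_sample() -> dict:
    paths, exceptions = sample_inventory()
    return audit(paths, exceptions, date(2026, 2, 18))


if __name__ == "__main__":
    r = run_sample()
    print(f"deployed {r['deployed_pct']}%  enforced {r['enforced_pct']}%  orphans {r['orphan_exceptions']}")
    for g in r["gaps"]:
        print(f"{g['population']:9} {g['app']}/{g['path']}: {g['status']} {g['problems']}")
```

On the constructed data the headline numbers are the whole argument: 83.3% of paths are MFA-capable but only 33.3% enforce it, and the unenforced admin console has no exception at all, so it sorts to the top of the list. The expired `hr-portal` exception and the orphaned `old-crm` entry are the two shapes that exception sprawl takes in a real register.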
Key takeaways
- The article argues that MFA is only effective when it is enforced consistently across the full identity estate.
- The main risk is coverage drift, where exceptions, legacy systems, and partial deployments weaken an otherwise sound control.
- Practitioners should govern MFA as an end-to-end policy tied to lifecycle, telemetry, and exception management.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-03 (Identity Management, Authentication, and Access Control) | MFA enforcement directly supports the requirement that users, services, and hardware are authenticated before access is granted. |
| NIST SP 800-63B | AAL2 / AAL3 | AAL2 requires two distinct factors; AAL3 adds a hardware-based, verifier-impersonation-resistant authenticator. The assurance level sets what counts as adequate MFA when replacing password-only authentication. |
| NIST Zero Trust (SP 800-207) | Section 2.1 tenets: dynamic, per-session authentication and authorisation | Zero trust assumes continuous verification, which invisible MFA tries to operationalise. |
Align authentication policy to the required assurance level for each access scenario.
Key terms
- Multi-Factor Authentication: A sign-in control that requires more than one proof of identity before access is granted. In practice, MFA combines at least two of something the user knows (a password), something the user has (a device or token), and something the user is (a biometric), so that a stolen password alone is not enough to authenticate, although weak coverage or exception handling can still leave risky gaps.
- Invisible MFA: A risk-based authentication approach that tries to verify users continuously without interrupting them every time they sign in. The control relies on reliable telemetry about device, session, and behaviour signals, then prompts only when the risk profile changes enough to justify extra verification.
- Federation: A method of letting one identity system trust another so users can access multiple applications through a shared sign-in process. Federation simplifies user experience, but it also concentrates risk, making governance over enrolment, recovery, and downstream application enforcement essential.
- Coverage Drift: The gap between a security policy that exists on paper and the parts of the environment where it is actually enforced. In identity programmes, coverage drift appears when exceptions, legacy apps, or bypass paths allow controls like MFA to be selectively ignored.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Hydden: MFA coverage gaps and the rise of invisible authentication. Read the original.
Published by the NHIMG editorial team on 2026-02-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org