TL;DR: MFA reduces account takeover risk, but Hydden's article argues that incomplete coverage, legacy compatibility issues, and poor enforcement still leave major gaps across employee and customer identities. The real issue is not MFA itself but whether organisations can enforce it consistently across every account and application.
NHIMG editorial — based on content published by Hydden: MFA coverage gaps and the rise of invisible authentication
Questions worth separating out
Q: How should organisations roll out MFA without leaving coverage gaps?
A: Start by mapping every authentication path, including legacy apps, partner portals, and customer journeys, then enforce MFA wherever the business relies on access.
Q: Why do invisible MFA models depend on identity telemetry?
A: Invisible MFA works only when the system can see enough risk context to decide when to challenge a user.
Q: What do security teams get wrong about MFA coverage?
A: They often measure deployment (MFA is available) rather than enforcement (MFA is actually required on every sign-in path).
Practitioner guidance
- Map MFA enforcement across every access path: inventory employee, customer, partner, and admin sign-in paths, then verify which ones truly require MFA and which rely on legacy or exempted flows.
- Review exception handling as a governance control: track which teams can grant MFA bypasses, how long those exceptions last, and whether they are periodically reapproved.
- Validate telemetry for adaptive authentication: check whether device signals, session context, and risk events arrive quickly enough to support invisible MFA decisions.
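As an added example (not code from Hydden's article or from this editorial), the following Python audit runs over a constructed inventory of sign-in paths and reports deployed versus enforced MFA coverage separately, while flagging bypass exceptions that have expired or missed their periodic reapproval; every path name, field, date and the 90-day reapproval window are hypothetical.

```python
from datetime import date, timedelta

# Constructed inventory of sign-in paths; names, fields and dates are hypothetical.
ACCESS_PATHS = [
    {"name": "workforce-sso", "population": "employee",
     "mfa_deployed": True, "mfa_enforced": True, "exception": None},
    {"name": "legacy-erp-basic-auth", "population": "employee",
     "mfa_deployed": False, "mfa_enforced": False, "exception": None},
    {"name": "partner-portal", "population": "partner",
     "mfa_deployed": True, "mfa_enforced": False,
     "exception": {"granted_by": "app-team", "expires": "2024-01-31",
                   "last_reapproved": "2023-07-01"}},
    {"name": "customer-web", "population": "customer",
     "mfa_deployed": True, "mfa_enforced": True, "exception": None},
    {"name": "admin-console", "population": "admin",
     "mfa_deployed": True, "mfa_enforced": False,
     "exception": {"granted_by": "ops", "expires": "2024-12-31",
                   "last_reapproved": "2024-05-15"}},
]
AUDIT_DATE = date(2024, 6, 1)  # hypothetical "today" for the audit


def coverage_report(paths, today, reapproval_days=90):
    """Separate 'MFA is deployed' from 'MFA is enforced' and audit bypasses."""
    total = len(paths)
    deployed = sum(p["mfa_deployed"] for p in paths)
    enforced = sum(p["mfa_enforced"] for p in paths)
    gaps, stale = [], []
    for p in paths:
        if p["mfa_enforced"]:
            continue  # enforced paths are not gaps, whatever the exception record says
        exc = p["exception"]
        if exc is None:
            gaps.append((p["name"], "no MFA enforced and no recorded exception"))
            continue
        gaps.append((p["name"], f"bypass granted by {exc['granted_by']}"))
        expired = date.fromisoformat(exc["expires"]) < today
        last = date.fromisoformat(exc["last_reapproved"])
        overdue = today - last > timedelta(days=reapproval_days)
        if expired or overdue:
            stale.append(p["name"])  # exception lapsed or not reapproved in time
    return {
        "deployed_pct": round(100 * deployed / total, 1),
        "enforced_pct": round(100 * enforced / total, 1),
        "gaps": gaps,
        "stale_exceptions": stale,
    }


if __name__ == "__main__":
    print(coverage_report(ACCESS_PATHS, AUDIT_DATE))
```

On the constructed inventory the report shows 80% deployed but only 40% enforced, which is exactly the difference the guidance above tells teams to measure.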
What's in the full article
Hydden's full article covers the operational detail this post intentionally leaves for the source:
- The article expands on why invisible MFA is being positioned as a practical response to user friction in passwordless and SSO environments.
- It explains how continuous discovery can support better MFA decisions by improving identity-risk visibility.
- It describes the usability and compatibility challenges that still block complete MFA coverage across legacy systems.
- It outlines the vendor's view of how IAM teams should think about enforcement across employees and customers.
Read Hydden's analysis of MFA coverage gaps and invisible authentication for the full discussion.