TL;DR: Gartner’s analysis of seven MFA maturity tracks argues that organisations need to move beyond checklist-driven authentication toward risk-based design, DevOps guidance, stronger credential controls, and better session management, according to Gartner. The bigger implication is that MFA only becomes durable when it is treated as a governance pattern, not a single control.
NHIMG editorial — based on content published by 1Kosmos: Gartner’s Seven Tracks to a Mature MFA Implementation
Questions worth separating out
Q: How should security teams implement risk-based MFA without creating excessive user friction?
A: Start by classifying access paths by sensitivity, then assign stronger MFA only where the business impact of compromise is high.
Q: Why do MFA programmes often fail even when the login flow is protected?
A: They fail when the control is strong at the front door but weak across integration points, recovery flows, or post-authentication sessions.
Q: What do security teams get wrong about session management in MFA design?
A: They often assume authentication ends once the factor is accepted.
Practitioner guidance
- Define authentication assurance tiers Map applications, data classes, and administrative paths to different MFA assurance levels so higher-risk access gets stronger verification and recovery controls.
- Test for integration bypass paths Review DevOps pipelines, admin routes, and API access flows for paths that bypass the intended MFA policy or weaken step-up enforcement.
- Harden credential and recovery controls Treat password reset, device binding, backup factors, and support escalation as part of the MFA control surface, not as separate helpdesk steps.
What's in the full article
1Kosmos's full post covers the operational detail this analysis intentionally leaves for the source:
- The seven-track mapping as presented by the vendor, including the specific implementation themes attached to each track.
- The product-specific authentication capabilities the vendor uses to illustrate adaptive MFA, session handling, and credential protection.
- The configuration and integration guidance that an implementation team would need to apply the approach in practice.
- The vendor's own framing of how passwordless and biometric methods fit into its MFA model.
👉 Read 1Kosmos's analysis of Gartner's seven tracks for mature MFA implementation →
MFA maturity tracks: what IAM teams need to change now?
Explore further
MFA maturity is no longer about adding more prompts. The governance question is whether authentication strength tracks actual risk, or whether every access path is forced through the same control regardless of sensitivity. When organisations stay checklist-driven, they create friction without improving assurance, and they miss the chance to align authentication with the value of the target. The implication is that MFA must be treated as a policy model, not a feature toggle.
A few things that frame the scale:
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to The 2024 Non-Human Identity Security Report.
- A separate finding from The State of Non-Human Identity Security shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps.
A question worth separating out:
Q: What is the difference between MFA and broader access governance?
A: MFA verifies the user at a point in time, while access governance decides when, where, and under what conditions that verification should be required and how long trust should last. MFA is one control inside the wider policy system. Without governance around risk, recovery, and session assurance, MFA remains incomplete.
👉 Read our full editorial: MFA maturity is shifting from checklist controls to risk-based access