TL;DR: MFA often remains uneven across legacy systems, remote access, and privileged workflows, leaving password-based paths open even where organisations believe they are protected, according to Secret Double Octopus. The real issue is not MFA presence but enforcement coverage, phishing resistance, and proof that controls apply everywhere attackers can reach.
NHIMG editorial — based on content published by Secret Double Octopus: Top MFA Blind Spots: Why “We Have MFA” Isn’t Enough Anymore
Questions worth separating out
Q: How should security teams close MFA coverage gaps across legacy and remote access systems?
A: Start by mapping every authentication path, including legacy apps, VPN, RDP, SSH, endpoints, and privileged workflows.
Q: Why do organisations still get breached even when MFA is deployed?
A: Because deployment is not the same as enforcement.
Q: What do security teams get wrong about MFA exceptions?
A: They often treat exceptions as temporary implementation details instead of governance risks.
Practitioner guidance
- Map authentication coverage across every access path Inventory SaaS, legacy applications, VPN, RDP, SSH, endpoint login, and privileged workflows.
- Replace phishable factors on high-risk access paths Prioritise phishing-resistant authentication for admin, remote, and externally exposed systems.
- Tighten the exception lifecycle for legacy access Require an owner, expiry date, and compensating monitoring for every MFA exception.
What's in the full article
Secret Double Octopus's full blog post covers the operational detail this post intentionally leaves for the source:
- Detailed breakdown of legacy, VPN, RDP, SSH, and endpoint paths that commonly sit outside MFA enforcement
- Practical guidance on identifying phishing-resistant versus phishable authentication methods in mixed environments
- Examples of MFA exceptions, break-glass workflows, and policy drift patterns that create audit risk
- Coverage-first remediation priorities for teams deciding where to fix authentication gaps first
👉 Read Secret Double Octopus's analysis of MFA blind spots and enforcement gaps →
MFA blind spots: is your authentication coverage actually complete?
Explore further
MFA coverage is only meaningful when every access path is in scope. The article shows the core problem: organisations often assess MFA as a capability, not as a complete enforcement model. Legacy applications, remote access, shared admin workflows, and endpoint logins can all sit outside the same assurance boundary. For IAM and PAM leaders, the conclusion is simple: a partial MFA programme creates a false control surface, and attackers will always target the uncovered segment.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when MFA is not enforced consistently?
A: Accountability usually sits with identity governance, application owners, and platform teams together, because inconsistent enforcement is rarely caused by one control owner. Security leaders should require explicit ownership for every uncovered system and every exception path. That is especially important where privileged access or regulated systems are involved.
👉 Read our full editorial: MFA blind spots expose why coverage is not the same as control