They should improve it with stronger factors rather than abandon it. Passwordless methods and public key-based authenticators reduce credential theft and prompt fatigue exposure, while step-up controls keep the strongest checks for the highest-risk actions instead of forcing them on every login.
Why This Matters for Security Teams
MFA is not failing because the idea is obsolete. It fails when the factor mix still depends on secrets that can be phished, replayed, fatigue-approved, or stolen from endpoints. Security teams should treat the question as a control-design problem: raise assurance with stronger authenticators, reduce prompt abuse, and reserve the highest friction for genuinely risky actions. That approach is more consistent with the NIST Cybersecurity Framework 2.0 than trying to force every login through the same gate.
The practical risk is that attackers now target the weakest step in the authentication chain, not the whole chain. When password-based factors remain in place, one compromised login can still become the starting point for lateral movement, session hijacking, or privilege escalation. NHI Management Group research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and the same basic lesson applies to human access: weak or reusable credentials are where compromise tends to start. The Ultimate Guide to NHIs makes the broader point that standing credentials create durable exposure, which is why stronger factors and shorter-lived access are more resilient than simple prompt multiplication. In practice, many security teams encounter MFA bypass only after session tokens or help-desk recovery paths have already been abused, rather than through intentional testing.
How It Works in Practice
Improving MFA usually means moving toward phishing-resistant authenticators and away from shared knowledge or push-only approval. Public key-based methods, passkeys, hardware-backed authenticators, and certificate-based sign-in reduce the chance that an attacker can reuse a stolen secret. For higher-risk actions, step-up authentication adds a second decision point at runtime instead of burdening every routine login. That fits better with modern identity governance than a one-size-fits-all policy.
A practical rollout usually includes three layers:
- Replace password plus OTP paths where possible with public key or device-bound authenticators.
- Use risk signals such as device posture, location, impossible travel, and transaction sensitivity to trigger step-up checks.
- Protect recovery workflows, since account recovery is often easier to attack than primary sign-in.
This is also where NHI lessons matter. The same control failures seen in service accounts and API keys appear in human access when long-lived secrets are left in place. NHIMG notes that 71% of NHIs are not rotated within recommended time frames, and that pattern mirrors why static credentials remain attractive to attackers. Stronger MFA reduces credential theft, but only if the surrounding lifecycle is equally disciplined. Current guidance from Microsoft's Midnight Blizzard breach analysis and the NIST Cybersecurity Framework 2.0 both point toward layered identity assurance, not a single control that is assumed to be enough. These controls tend to break down when legacy apps only support reusable passwords or when recovery processes still rely on help-desk social engineering.
Common Variations and Edge Cases
Tighter authentication often increases user friction and support load, requiring organisations to balance assurance against operational speed. That tradeoff is real, especially in environments with contractors, shared kiosks, offline systems, or customer-facing flows where repeated prompts can create abandonment.
There is no universal standard for this yet, but best practice is evolving in two directions. First, high-assurance access should move to phishing-resistant factors wherever the business risk justifies it. Second, lower-risk activity should use context-aware step-up rather than constant reauthentication. This is particularly important for privileged users, admins, and remote access, where the cost of compromise is far higher than the inconvenience of a stronger factor.
Organisations should also distinguish between authentication strength and session strength. A strong first login does not protect a session token that is later stolen, replayed, or exported from a browser profile. That is why token binding, short session lifetimes, and reauthentication for sensitive actions matter as much as the initial factor choice. The Ultimate Guide to NHIs is relevant here because the same lifecycle thinking applies across both human and non-human identities: the shorter the useful life of a credential, the smaller the attacker’s window. For organisations still relying on SMS or recovery-only overrides, improving MFA is the safer path, but only if backup paths are hardened at the same time.
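The three rollout layers above and the point about session strength can be expressed as one policy decision. The following is an added example, not code from NHIMG or any identity provider: a minimal step-up evaluator that combines the authenticator type, session age, device posture and an impossible-travel signal to decide whether a request is allowed, must step up with any factor, or must step up with a phishing-resistant factor. The authenticator labels, the 8-hour session limit and the 15-minute freshness window for sensitive actions are assumed values.

```python
from dataclasses import dataclass

# Assumed policy values for this example (tune per tenant).
PHISHING_RESISTANT = {"passkey", "hardware_key", "certificate"}  # assumed labels
MAX_SESSION_AGE = 8 * 3600     # assumed: reauthenticate any session older than 8 h
SENSITIVE_MAX_AGE = 15 * 60    # assumed: sensitive actions need an auth within 15 min
ALLOW, STEP_UP, STEP_UP_STRONG = "allow", "step_up", "step_up_phishing_resistant"


@dataclass
class Session:
    authenticator: str       # "passkey", "hardware_key", "push", "password_otp", ...
    age_seconds: int         # seconds since the last completed authentication
    device_compliant: bool   # device posture signal from the endpoint agent
    impossible_travel: bool  # geo-velocity risk signal from the identity provider


def decide(session: Session, action: str) -> str:
    """Return the policy decision for one request.

    action is "routine" or "sensitive" (payments, admin changes, key export).
    """
    strong = session.authenticator in PHISHING_RESISTANT
    # A session that moved impossibly fast is treated as possibly replayed. It may
    # continue only after a phishing-resistant factor; a phished OTP or a fatigued
    # push approval must not be enough to keep a stolen token alive.
    if session.impossible_travel:
        return STEP_UP_STRONG
    # Session strength is separate from login strength: a strong first login does
    # not protect a token that has been alive for longer than the policy allows.
    if session.age_seconds > MAX_SESSION_AGE:
        return STEP_UP
    if action == "sensitive":
        # Reserve the strongest check for the riskiest actions: the session must
        # have been established recently and with a phishing-resistant factor.
        if strong and session.age_seconds <= SENSITIVE_MAX_AGE:
            return ALLOW
        return STEP_UP_STRONG
    # Routine actions on a healthy session: device posture alone decides.
    return ALLOW if session.device_compliant else STEP_UP
```

The evaluator never lets a weaker factor satisfy a step-up triggered by a replay signal or a sensitive action, which is the page's point about not multiplying prompts but raising assurance where the risk is.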
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-01 | Identity proofing and authentication strength are central to MFA improvement. |
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived credentials and rotation reduce damage from stolen factors. |
| NIST AI RMF | | Risk-based step-up authentication supports context-aware trust decisions. |
Replace long-lived secrets with ephemeral, tightly scoped credentials and rotate aggressively.
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org