They often treat MFA as a stand-alone login control instead of part of a broader governance chain. For VMs, the real risk is not only stolen credentials. It is unmanaged exceptions, weak context, and poor visibility into who accessed what, from where, and under which policy conditions.
Why This Matters for Security Teams
MFA is often deployed to reduce the chance that a stolen password becomes a server compromise, but that framing is too narrow for VM and server access. The real issue is governance: who can approve access, under what conditions, for how long, and whether the session is visible and revocable. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts in the Ultimate Guide to NHIs, which is a strong signal that authentication alone does not equal control.
Security teams also get tripped up by the difference between interactive human logins and server access pathways. Server access may involve break-glass accounts, automation, remote admin tools, bastions, VPNs, or console sessions that do not behave like ordinary workforce sign-ins. Without clear policy boundaries, MFA becomes a checkbox that can be bypassed by exceptions, shared accounts, or overly broad admin trust. The OWASP Non-Human Identity Top 10 treats weak lifecycle and access governance as a primary risk because identities, not just passwords, are what attackers exploit. In practice, many security teams discover MFA gaps only after a privileged session or exception path has already been abused, rather than through intentional control testing.
How It Works in Practice
For server access, MFA should be treated as one layer in a broader access decision chain. A strong implementation usually combines identity proofing, device or workload trust, policy evaluation, session logging, and just-in-time privilege. The question is not simply whether the user approved a prompt, but whether the request matched the approved context for that server, change window, source network, and role.
Good practice typically includes:
- Using MFA to gate privileged entry points such as bastions, admin portals, or remote management consoles.
- Requiring step-up authentication for risky actions, not only for initial login.
- Replacing standing admin access with just-in-time approval and short-lived elevation.
- Binding access to named identities, rather than shared accounts or generic break-glass credentials.
- Logging source, destination, reason, duration, and command-level activity for later review.
This is where NHI governance becomes essential. Server access often depends on service accounts, automation tokens, or machine credentials that sit outside the normal MFA flow. The Ultimate Guide to NHIs - Key Challenges and Risks highlights how excessive privileges and poor rotation turn identity into the real attack surface. For technical control design, the NIST Cybersecurity Framework and Zero Trust Architecture both support the idea that access should be continuously evaluated, not granted once and trusted forever.
That means MFA should complement least privilege, PAM, session isolation, and short-lived secrets. If a team only protects the login screen while leaving static admin accounts, broad exception paths, and opaque session activity in place, the control is performing theater rather than risk reduction. These controls tend to break down in environments with shared root access, legacy SSH workflows, or automation that cannot be cleanly tied back to a unique identity because attribution and policy enforcement become inconsistent.
Common Variations and Edge Cases
Tighter MFA often increases operational friction, so organisations must balance stronger assurance against emergency access, developer productivity, and legacy compatibility. That tradeoff is real, especially in infrastructure teams that support mixed Linux, Windows, cloud, and on-prem estates.
One common edge case is break-glass access. Best practice is evolving, but current guidance suggests break-glass should be rare, time-bound, heavily monitored, and separately governed, not a permanent bypass that quietly becomes normal practice. Another case is automated server access: MFA does not fit machine-to-machine workflows, so teams should use workload identity, short-lived certificates, or ephemeral tokens instead of trying to bolt human MFA onto non-human operations.
Another mistake is assuming MFA compensates for poor authorization. If a privileged account can reach every server once authenticated, MFA only narrows the entry point, not the blast radius. The better pattern is MFA plus context-aware authorization, per-session elevation, and revocation that actually works. The 52 NHI Breaches Analysis and the Microsoft Midnight Blizzard breach both reinforce a consistent lesson: identity controls fail fastest when exceptions, long-lived access, and weak monitoring are allowed to coexist.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | MFA gaps often mask weak NHI lifecycle and access governance. |
| NIST CSF 2.0 | PR.AC-4 | Privileged access controls must be context-aware, not login-only. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust requires continuous authorization, which MFA by itself does not provide. |
Inventory server and service identities, then remove standing access that MFA alone cannot constrain.
Related resources from NHI Mgmt Group
- What do security teams get wrong about emergency access for password vaults?
- What do organisations get wrong about secure remote access for vendors and support teams?
- What do security teams get wrong about privileged access reviews in Active Directory?
- What do security teams get wrong about shopfloor MFA and access control?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org