Because SMS codes, one-time passwords, and push approvals can still be intercepted, relayed in real time, or extracted through social engineering. MFA raises the attacker's cost, but it does not guarantee that the factor is bound to the original user, device, or session. If the method can be phished in practice, it narrows the attacker's access path without closing it.
Why This Matters for Security Teams
Conventional MFA reduces risk, but it does not close the identity gap created when a factor is separated from the original user, device, or transaction. Phishing-resistant methods are the direction of travel, yet many organisations still rely on SMS, OTP, and approval prompts that can be relayed or socially engineered. That leaves security teams with a control that looks strong on paper but can still be bypassed in real incidents.
The problem is not only authentication failure. It is the assumption that proving presence once means the session stays trustworthy. Modern identity attacks chain prompt fatigue, helpdesk abuse, token replay, and session hijacking after the initial login. This is why NHI Management Group's research, including the Ultimate Guide to NHIs and the 52 NHI Breaches Analysis, matters here: identity compromise is usually an access-path problem, not a password problem. NIST's Cybersecurity Framework 2.0 pushes organisations to treat identity assurance as continuous, not one-time.
In practice, many security teams encounter MFA weakness only after an attacker has already turned a successful prompt into persistent access, rather than through intentional control testing.
How It Works in Practice
Effective identity defence now starts with asking what the factor actually binds to: the user, the device, the session, or the transaction. Many legacy MFA methods bind poorly to all four. SMS and voice codes can be intercepted. OTPs can be phished in real time. Push approvals can be abused through fatigue or coerced acceptance. Even when MFA succeeds, the resulting session token may remain valid long enough for an attacker to reuse it elsewhere.
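The binding question above is easiest to see by running both factor types through the same adversary-in-the-middle relay. The example below is added here and is not code from the original article or from NHI Mgmt Group: it implements an RFC 6238 TOTP and a deliberately simplified WebAuthn-style assertion in which the authenticator signs the challenge together with the origin the browser reports. The origins, the HMAC stand-in for a device private key, and the relay scenario are constructed for the demo; real WebAuthn uses an asymmetric key pair and the origin comes from the browser's clientDataJSON, which the user cannot edit.

```python
"""Added example (not from the original article): a relayed one-time code is
accepted by the relying party, while a relayed origin-bound assertion is not.
Keys, origins and the HMAC 'device key' stand-in are constructed for the demo."""
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional


# --- Factor 1: TOTP (RFC 6238, HMAC-SHA1, 30 s step) ------------------------
def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """Compute the time-based one-time password for unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def rp_accepts_totp(secret: bytes, code: str, t: int) -> bool:
    # Nothing in the code says where the user typed it, so a proxy that forwards
    # it within the time step is indistinguishable from the real user.
    return hmac.compare_digest(code, totp(secret, t))


# --- Factor 2: origin-bound challenge/response (WebAuthn-like, simplified) ---
LEGIT_ORIGIN = "https://login.example.test"      # assumed relying-party origin
PHISH_ORIGIN = "https://login.example-test.com"  # assumed attacker origin


def device_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    # The authenticator signs the challenge AND the origin the browser is on.
    # HMAC stands in for a private-key signature to keep the demo stdlib-only.
    return hmac.new(device_key, origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()


def rp_verifies_assertion(device_key: bytes, challenge: bytes, signature: bytes) -> bool:
    # The RP only ever checks against its own origin.
    expected = device_sign(device_key, challenge, LEGIT_ORIGIN)
    return hmac.compare_digest(expected, signature)


def relay_attack(now: Optional[int] = None) -> Dict[str, bool]:
    """Simulate a phishing proxy relaying both factor types to the real RP."""
    t = int(time.time()) if now is None else now
    totp_secret = secrets.token_bytes(20)   # constructed enrolment secret
    device_key = secrets.token_bytes(32)    # constructed device key

    # Victim types the OTP into the phishing page; the proxy forwards it at once.
    stolen_code = totp(totp_secret, t)
    otp_relay_ok = rp_accepts_totp(totp_secret, stolen_code, t)

    # Proxy fetches a genuine challenge from the RP and serves it on PHISH_ORIGIN.
    challenge = secrets.token_bytes(32)
    # The victim's browser signs for the origin it is actually on: the phishing one.
    relayed_sig = device_sign(device_key, challenge, PHISH_ORIGIN)
    bound_relay_ok = rp_verifies_assertion(device_key, challenge, relayed_sig)

    # The same device on the real origin still works.
    genuine_sig = device_sign(device_key, challenge, LEGIT_ORIGIN)
    bound_genuine_ok = rp_verifies_assertion(device_key, challenge, genuine_sig)

    return {"otp_relay": otp_relay_ok,
            "bound_relay": bound_relay_ok,
            "bound_genuine": bound_genuine_ok}


if __name__ == "__main__":
    print(relay_attack())  # {'otp_relay': True, 'bound_relay': False, 'bound_genuine': True}
```

The asymmetry is the whole point: the OTP carries no information about where it was entered, so the relying party cannot tell a relay from the user, while the bound assertion fails verification the moment the origin in the signed data is not the relying party's own.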
Current guidance suggests moving from simple second factors toward phishing-resistant, device-bound methods and continuous session evaluation. That means:
- Prefer NIST-aligned phishing-resistant authenticators (what SP 800-63B calls verifier-impersonation-resistant, such as FIDO2/WebAuthn or PIV smart cards) where feasible, especially for privileged access.
- Bind authentication to a managed device or cryptographic key, not just a one-time code.
- Shorten session lifetime and re-evaluate risk at step-up events, not only at login.
- Use conditional access that considers location, device posture, impossible travel, and sign-in pattern anomalies.
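The last two points, re-evaluating risk at step-up events and feeding conditional access with device posture and travel anomalies, amount to a small policy function run against each sign-in event. The example below is added here and is not code from the original article or from NHI Mgmt Group: it scores a current request against the previous one from the same session and returns allow, step_up, or deny. The thresholds, the event fields, and the sample sign-in events are constructed for the demo; a real deployment feeds this from IdP sign-in logs and device-management posture.

```python
"""Added example (not from the original article): session risk re-evaluation
at step-up time. Policy thresholds and the sign-in events are constructed."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple


@dataclass
class SignIn:
    ts: int                 # unix seconds of this request
    lat: float              # geo-IP latitude
    lon: float              # geo-IP longitude
    device_managed: bool    # posture signal from MDM / device certificate
    auth_method: str        # "sms", "totp", "push" or "fido2"
    session_issued: int     # unix seconds when the session was first minted


# Assumed policy values for the demo.
MAX_SPEED_KMH = 900.0         # faster than a commercial flight => impossible travel
MAX_SESSION_AGE_S = 8 * 3600  # re-authenticate after this regardless of activity
PHISH_RESISTANT = {"fido2"}   # methods accepted for privileged step-up


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two lat/lon points in kilometres."""
    r = 6371.0
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * r * asin(sqrt(a))


def evaluate(prev: Optional[SignIn], cur: SignIn, privileged: bool) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    reasons: List[str] = []
    if prev is not None:
        hours = max((cur.ts - prev.ts) / 3600.0, 1.0 / 3600.0)  # floor at one second
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if km / hours > MAX_SPEED_KMH:
            reasons.append(f"impossible_travel:{km:.0f}km_in_{hours * 60:.0f}min")
    if not cur.device_managed:
        reasons.append("unmanaged_device")
    if cur.ts - cur.session_issued > MAX_SESSION_AGE_S:
        reasons.append("session_age_exceeded")
    if privileged and cur.auth_method not in PHISH_RESISTANT:
        reasons.append(f"non_phishing_resistant_factor:{cur.auth_method}")

    if any(r.startswith("impossible_travel") for r in reasons):
        return "deny", reasons      # likely replayed token: revoke, do not just prompt
    if reasons:
        return "step_up", reasons   # require a phishing-resistant re-authentication
    return "allow", reasons


def demo() -> List[str]:
    """Constructed sequence: one legitimate login followed by three later requests."""
    t0 = 1_700_000_000
    london = SignIn(t0, 51.5074, -0.1278, True, "fido2", t0)
    # Same session presented from New York 30 minutes later.
    replayed = SignIn(t0 + 1800, 40.7128, -74.0060, True, "fido2", t0)
    # Same city two hours later, unmanaged laptop, push approval, privileged action.
    unmanaged_push = SignIn(t0 + 7200, 51.5100, -0.1200, False, "push", t0)
    # Managed device and FIDO2, but the session is older than policy allows.
    stale = SignIn(t0 + 9 * 3600, 51.5074, -0.1278, True, "fido2", t0)
    return [
        evaluate(None, london, privileged=True)[0],
        evaluate(london, replayed, privileged=False)[0],
        evaluate(london, unmanaged_push, privileged=True)[0],
        evaluate(None, stale, privileged=True)[0],
    ]


if __name__ == "__main__":
    print(demo())  # ['allow', 'deny', 'step_up', 'step_up']
```

Note that impossible travel is treated as a deny rather than a step-up: a prompt to a user who is not the one holding the session only trains them to approve unexpected prompts, which is the prompt-fatigue path the article warns about.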
For organisations that also manage service accounts, API keys, and automation credentials, this lesson extends beyond human MFA. NHIs often carry long-lived secrets and broad permissions, which is why NHI governance guidance from Ultimate Guide to NHIs — Key Challenges and Risks is directly relevant: the strongest human login controls still leave the back door open if machine identities are over-privileged or poorly rotated.
These controls tend to break down in high-friction environments where legacy apps cannot support phishing-resistant authenticators and shared admin workflows force exceptions that weaken session assurance.
Common Variations and Edge Cases
Tighter authentication often increases operational friction, so organisations must balance usability against real risk reduction. That tradeoff is especially visible in privileged access, shared workstations, call-centre resets, and third-party access where prompt-based MFA may be the only deployable option. Best practice is evolving, but there is no universal standard for replacing every legacy factor overnight.
One common edge case is backup and recovery. If recovery paths still rely on SMS or weak helpdesk verification, attackers will target those routes instead of the primary MFA flow. Another is session persistence: a strong login method does little if refresh tokens, browser cookies, or OAuth grants remain valid after compromise. Security teams should therefore review the full identity lifecycle, not just the sign-in page.
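The session-persistence point above is usually addressed server-side with refresh-token rotation and reuse detection: every refresh invalidates the previous token, and a presented token that has already been superseded means two parties hold copies, so the whole family is revoked. The example below is added here and is not code from the original article or from NHI Mgmt Group. The in-memory store, token format, and lifetimes are constructed for the demo; a production deployment keeps this state in a shared database and applies the same family revocation to OAuth grants and browser sessions on helpdesk resets.

```python
"""Added example (not from the original article): refresh-token rotation with
reuse detection plus a bulk revoke for recovery events. Store, token format and
TTL values are constructed for the demo."""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

IDLE_TTL_S = 8 * 3600        # assumed: a family dies if not rotated this often
ABSOLUTE_TTL_S = 24 * 3600   # assumed: hard cap on a family regardless of activity


class RefreshTokenStore:
    def __init__(self) -> None:
        # family_id -> record; one family per login, rotated on every refresh
        self._families: Dict[str, dict] = {}
        # sha256(token) -> family_id, kept for superseded tokens too so that a
        # replayed old token is still recognised as belonging to a family
        self._by_hash: Dict[str, str] = {}

    @staticmethod
    def _h(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, now: int) -> str:
        """Mint the first refresh token of a new family at login."""
        family = secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self._families[family] = {"user": user, "current": self._h(token),
                                  "created": now, "rotated": now, "revoked": False}
        self._by_hash[self._h(token)] = family
        return token

    def rotate(self, presented: str, now: int) -> Tuple[Optional[str], str]:
        """Exchange a refresh token for a new one. Returns (new_token, status)."""
        h = self._h(presented)
        family = self._by_hash.get(h)
        if family is None:
            return None, "unknown"
        rec = self._families[family]
        if rec["revoked"]:
            return None, "revoked_family"
        if now - rec["rotated"] > IDLE_TTL_S or now - rec["created"] > ABSOLUTE_TTL_S:
            rec["revoked"] = True
            return None, "expired"
        if h != rec["current"]:
            # A superseded token was presented: the legitimate client or a thief
            # holds a stale copy. Kill the whole family so neither side keeps access.
            rec["revoked"] = True
            return None, "reuse_detected"
        new_token = secrets.token_urlsafe(32)
        rec["current"] = self._h(new_token)
        rec["rotated"] = now
        self._by_hash[self._h(new_token)] = family
        return new_token, "ok"

    def revoke_user(self, user: str) -> int:
        """Drop every live family for a user: helpdesk reset, password change, risk signal."""
        count = 0
        for rec in self._families.values():
            if rec["user"] == user and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count


def demo() -> List[str]:
    """Constructed scenario: a stolen refresh token is replayed after the real client rotated."""
    store = RefreshTokenStore()
    t0 = 1_700_000_000
    first = store.issue("alice", t0)               # legitimate login
    stolen_copy = first                            # attacker exfiltrates the token
    second, s1 = store.rotate(first, t0 + 60)      # legitimate client refreshes
    _, s2 = store.rotate(stolen_copy, t0 + 120)    # attacker replays the old token
    _, s3 = store.rotate(second, t0 + 180)         # legitimate client is cut off too
    fresh = store.issue("alice", t0 + 200)         # user re-authenticates
    revoked = store.revoke_user("alice")           # helpdesk reset revokes every live family
    _, s4 = store.rotate(fresh, t0 + 300)
    return [s1, s2, s3, f"revoked:{revoked}", s4]


if __name__ == "__main__":
    print(demo())  # ['ok', 'reuse_detected', 'revoked_family', 'revoked:1', 'revoked_family']
```

The cost of reuse detection is that a legitimate client with a stale copy (for example after a lost network response) is also logged out; that is the intended trade, since the server cannot tell the two cases apart and forcing a fresh login is cheaper than leaving a stolen token live.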
NHIMG’s broader NHI research shows why this matters operationally: organisations often secure the front door while leaving machine and automation identities exposed elsewhere in the stack. That gap is visible in the Top 10 NHI Issues and reinforced by the Why NHI Security Matters Now section. If identity assurance does not cover both human and non-human pathways, MFA only reduces one slice of the attack surface.
In environments with heavy legacy dependency, conventional MFA remains a useful control, but it should be treated as one layer in a broader identity assurance strategy rather than a complete boundary.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set out the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-02, PR.AA-03 (Identity Management, Authentication, and Access Control; PR.AC-7 in CSF 1.1) | Identity proofing and credential binding (PR.AA-02) and authentication of users, services, and hardware (PR.AA-03) across access flows. |
| OWASP Non-Human Identity Top 10 | NHI7:2025 Long-Lived Secrets; NHI4:2025 Insecure Authentication | Long-lived secrets and weak authentication and session controls increase non-human identity compromise risk. |
| NIST AI RMF | Core functions (Govern, Map, Measure, Manage); no specific subcategory cited | Continuous risk evaluation is relevant to identity decisions after initial sign-in. |
Replace weak MFA paths with phishing-resistant, risk-aware authentication for sensitive access.
Reviewed and updated by the NHIMG editorial team on June 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org