
Why do ghost logins create risk even when SSO is protected by MFA?

By NHI Mgmt Group Editorial Team. Updated June 10, 2026. Domain: Authentication, Authorisation & Trust

Because the secure SSO route does not eliminate the weaker local route. An attacker only needs one valid login path to reach the account. If users can still authenticate with an unprotected password, the stronger enterprise control exists beside, not instead of, the insecure one.

Why This Matters for Security Teams

Ghost logins are a control gap, not a password problem alone. If an account can still authenticate through a local or legacy path, MFA on the SSO route only protects one entry point while leaving another route open. That matters because attackers do not need to defeat the strongest path if a weaker one still exists. NIST’s Cybersecurity Framework 2.0 frames this as an identity assurance and access control issue, not a login UX issue.

For security teams, the risk is compounded by hidden account drift. Users may migrate to SSO over time, but local passwords, still-functional legacy authentication, and stale recovery paths often remain active. NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now shows why unused or under-managed identities become durable attack paths: controls tend to accumulate rather than disappear. In practice, many security teams discover ghost logins only after credential stuffing, helpdesk abuse, or account takeover has already occurred, rather than through intentional decommissioning.

How It Works in Practice

The practical failure mode is simple: one identity, multiple authentication methods, inconsistent protection. SSO with MFA may be correctly enforced for federated access, while the same account still accepts a local password, a recovery code, a POP/IMAP-style legacy protocol, or an application-specific sign-in path. If any one of those routes remains valid, the account is still reachable. This is why “MFA enabled” is not the same as “all login paths are hardened.”

Security teams should map every authentication entry point for privileged and high-value accounts, then compare those routes against current policy. That includes interactive sign-in, API-backed access, legacy protocols, and fallback recovery mechanisms. The Top 10 NHI Issues research is relevant here because the same pattern appears in non-human identities: a secure primary path does not eliminate risk if a secondary credential remains valid. For human accounts, the operational fixes usually include:

  • Disable or retire all non-SSO authentication paths that are not explicitly required.
  • Enforce MFA or stronger controls on every remaining interactive route, not just the federated one.
  • Remove stale passwords and reset credentials that should no longer exist.
  • Review recovery and helpdesk flows, since attackers often target those when primary auth is protected.
  • Use conditional access and session controls to reduce blast radius if an alternate path is abused.

Current guidance suggests treating authentication as an attack surface inventory exercise: if the account can still authenticate somewhere, it is still exposed somewhere. These controls tend to break down in hybrid identity environments where older apps, synced directories, or vendor-managed authentication channels still require backward-compatible sign-in methods.

Common Variations and Edge Cases

Tighter authentication control often increases operational overhead, requiring organisations to balance access continuity against the risk of legacy breakage. That tradeoff matters because some applications and admin workflows cannot be moved to SSO immediately. Best practice is evolving here: there is no universal standard for every legacy edge case, but the direction is clear. If a weaker path must remain, it should be isolated, monitored, and time-limited.

Edge cases usually appear in three places. First, break-glass accounts may intentionally bypass SSO, but they need strong storage, monitoring, and tested recovery procedures. Second, service accounts and shared administrative identities may not use human MFA at all, which means their exposure needs separate NHI controls and secrets hygiene. Third, password synchronization can recreate the ghost-login problem if old credentials survive after SSO rollout. NHIMG’s 2024 ESG Report: Managing Non-Human Identities reinforces the broader lesson: hidden or insufficiently secured identities are common, and attackers look for the path that remains easiest to exploit. Teams that only verify the SSO control often miss the remaining login paths that matter most.
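The inventory exercise described under “How It Works in Practice” and the break-glass and password-sync edge cases above can be turned into a repeatable audit. The following is an added example written for this FAQ, not NHIMG tooling or any vendor API: it models each account as a set of authentication paths plus any approved exceptions, then flags every non-SSO path that still accepts a single-factor login without a live, monitored, time-limited exception, and flags local passwords last set before the SSO rollout as stale. The data model, finding codes, account names and dates are all constructed for illustration.

```python
"""Ghost-login audit over an authentication-path inventory.

Added example for this FAQ. The data model, the policy encoded in
audit_account(), and the sample inventory in run_audit() are constructed
assumptions, not a real directory export.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional


@dataclass
class AuthPath:
    kind: str                        # sso | local_password | legacy_protocol | recovery_code | app_password
    mfa: bool = False                # is a second factor enforced on this specific route?
    protocol: Optional[str] = None   # e.g. "imap" for a legacy_protocol path
    last_set: Optional[date] = None  # when the credential behind this path was last set or rotated


@dataclass
class ApprovedException:
    path_kind: str   # the non-SSO path this exception keeps alive
    expires: date    # a surviving weaker path must be time-limited...
    monitored: bool  # ...and monitored
    reason: str


@dataclass
class Account:
    name: str
    paths: List[AuthPath]
    exceptions: List[ApprovedException] = field(default_factory=list)


@dataclass(frozen=True)
class Finding:
    account: str
    code: str
    detail: str


def audit_account(acct: Account, sso_rollout: date, today: date) -> List[Finding]:
    """Return findings for one account. Policy (an assumption for this example):
    every non-SSO path is a ghost login unless it enforces MFA itself or is
    covered by an approved exception that is unexpired and monitored."""
    findings: List[Finding] = []
    exceptions = {e.path_kind: e for e in acct.exceptions}
    for p in acct.paths:
        label = p.kind if p.protocol is None else f"{p.kind}/{p.protocol}"
        if p.kind == "sso":
            if not p.mfa:
                findings.append(Finding(acct.name, "SSO_NO_MFA", "federated route itself lacks MFA"))
            continue
        exc = exceptions.get(p.kind)
        if exc is not None:
            # Approved weaker path: verify it is still time-limited and watched.
            if exc.expires < today:
                findings.append(Finding(acct.name, "EXCEPTION_EXPIRED", f"{label} exception expired {exc.expires}"))
            if not exc.monitored:
                findings.append(Finding(acct.name, "EXCEPTION_UNMONITORED", f"{label} exception has no monitoring"))
        elif not p.mfa:
            # Unapproved single-factor route surviving beside the protected one.
            findings.append(Finding(acct.name, "GHOST_LOGIN", f"{label} still accepts a single-factor login"))
        # Password sync can leave a pre-rollout credential alive after SSO adoption.
        if p.kind == "local_password" and p.last_set is not None and p.last_set < sso_rollout:
            findings.append(Finding(acct.name, "STALE_PASSWORD",
                                    f"local password last set {p.last_set}, before SSO rollout {sso_rollout}"))
    return findings


def run_audit() -> List[Finding]:
    """Audit a constructed sample inventory (not real accounts)."""
    sso_rollout = date(2024, 3, 1)   # assumed date the SSO+MFA route went live
    today = date(2026, 6, 10)
    inventory = [
        # SSO with MFA, but a pre-rollout local password was never retired.
        Account("alice", [AuthPath("sso", mfa=True),
                          AuthPath("local_password", last_set=date(2023, 1, 15))]),
        # Recovery-code exception that has lapsed and was never monitored.
        Account("bob", [AuthPath("sso", mfa=True), AuthPath("recovery_code")],
                [ApprovedException("recovery_code", date(2025, 1, 1), False, "migration fallback")]),
        # Remaining local route is itself MFA-protected: not a ghost login.
        Account("carol", [AuthPath("sso", mfa=True), AuthPath("local_password", mfa=True)]),
        # Break-glass account: SSO bypass is intentional, time-limited and monitored.
        Account("breakglass-admin", [AuthPath("local_password", last_set=date(2025, 6, 1))],
                [ApprovedException("local_password", date(2026, 12, 31), True, "emergency access")]),
        # Shared identity still reachable over a legacy mail protocol.
        Account("svc-backup", [AuthPath("legacy_protocol", protocol="imap")]),
    ]
    findings: List[Finding] = []
    for acct in inventory:
        findings.extend(audit_account(acct, sso_rollout, today))
    return findings


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.account:16} {f.code:22} {f.detail}")
```

Run against a real inventory, the same loop would consume a directory or IdP export mapped into AuthPath records; the point is that the audit is driven by paths, not by whether “MFA” is ticked on the account, so a protected SSO route never masks a weaker one.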

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | Ghost logins are a failure of access path control and identity proofing.
OWASP Non-Human Identity Top 10 | NHI-03 | Stale credentials and alternate auth routes are classic identity lifecycle exposure.
CSA MAESTRO | ID-2 | Multiple authentication paths undermine trusted identity boundaries for workloads and users.

Retire unused credentials and enforce rotation or decommissioning for every surviving login path.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on June 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org