A post-compromise technique where an attacker adds or changes a second factor so access survives password resets or session interruption. In NHI and IAM governance, it is treated as a durable control failure because the attacker has altered the trust state of the identity itself.
Expanded Definition
MFA persistence describes a compromise that survives routine remediation because the attacker has altered the identity’s trust configuration, not just stolen a password. In NHI and IAM governance, that means the second factor becomes part of the attacker’s foothold, so resets, reboots, and session expiry do not restore a clean state.
Usage in the industry is still evolving. Some teams reserve the phrase for cases where an adversary enrolls a new authenticator, while others use it more broadly for any durable post-compromise authentication path. The practical distinction is whether the attacker controls an ongoing proof of identity, which is why the term sits close to account takeover, MFA bypass, and session persistence but is not identical to them. Guidance in NIST Cybersecurity Framework 2.0 and identity assurance controls reinforces the need to verify the trust state of the authenticator itself, not only the password behind it.
The most common misapplication is treating a password reset as a complete remediation when the attacker has already registered a new factor or recovery route.
Examples and Use Cases
Implementing MFA persistence detection rigorously often introduces investigation overhead, requiring organisations to weigh rapid user recovery against the risk of restoring an attacker-controlled identity state.
- An attacker adds a new push device after stealing a session token, then keeps access even after the original password is changed.
- A help desk reset re-enables login, but the malicious recovery email or backup code remains active and silently reestablishes access.
- A service account used in a Microsoft Midnight Blizzard breach-style intrusion retains a registered factor in an identity platform, allowing the intruder to return after containment.
- An operator revokes a session yet misses the enrolled authenticator on a cloud IdP, so the compromise reappears during the next login cycle.
- Detection logic compares factor enrollment changes against a baseline and flags out-of-band MFA additions for immediate review, especially where NIST Cybersecurity Framework 2.0 recovery controls require verified reauthentication.
In mature environments, the term is also used in incident response playbooks for both human and NHI accounts because the same pattern can protect API operators, admin users, and autonomous agents with tool access.
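Added example, not the page's or NHI Mgmt Group's own tooling: a small Python model of the detection logic described in the list above (baseline comparison, out-of-band enrollment flagging) and of the reset-is-not-remediation point, run over constructed audit events in a generic shape. The event names, the enrollment baseline and the 10-minute verified-reauthentication window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events as (timestamp, identity, action, detail);
# this is not any real identity platform's audit log format.
EVENTS = [
    ("2026-05-19T10:00:00", "alice", "reauth_verified", "totp:alice-1"),
    ("2026-05-19T10:03:00", "alice", "factor_enrolled", "push:alice-phone-2"),
    ("2026-05-20T14:02:00", "svc-billing", "session_issued", "token-a"),
    ("2026-05-20T14:05:00", "svc-billing", "factor_enrolled", "push:device-x"),
    ("2026-05-20T15:00:00", "svc-billing", "password_reset", "helpdesk"),
    ("2026-05-20T15:01:00", "svc-billing", "session_revoked", "token-a"),
    ("2026-05-21T09:00:00", "svc-billing", "login", "push:device-x"),
]
# Hypothetical enrollment baseline captured before the incident window.
BASELINE = {"alice": {"totp:alice-1"}, "svc-billing": {"totp:billing-1"}}
# Assumed policy: a new factor counts as verified only if the same identity
# completed a verified reauthentication within this window beforehand.
REAUTH_WINDOW = timedelta(minutes=10)


def analyze(events, baseline, window=REAUTH_WINDOW):
    """Per identity: factors added outside the baseline without verified
    reauthentication, those a password reset left live, and those used after."""
    last_reauth = {}
    findings = defaultdict(
        lambda: {"out_of_band": [], "survived_reset": [], "used_after_reset": []}
    )
    for ts, ident, action, detail in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        f = findings[ident]
        if action == "reauth_verified":
            last_reauth[ident] = t
        elif action == "factor_enrolled" and detail not in baseline.get(ident, set()):
            if not (ident in last_reauth and t - last_reauth[ident] <= window):
                f["out_of_band"].append(detail)
        elif action == "factor_removed":  # real remediation: drop it everywhere
            for key in f:
                f[key] = [x for x in f[key] if x != detail]
        elif action == "password_reset":
            # A reset leaves authenticators untouched: every flagged factor survives.
            f["survived_reset"] = list(f["out_of_band"])
        elif action == "login" and detail in f["survived_reset"]:
            f["used_after_reset"].append(detail)
    return dict(findings)


def reset_was_sufficient(findings, ident):
    # A reset is not remediation if any out-of-band factor outlived it.
    return not findings.get(ident, {}).get("survived_reset")
```

Feeding a `factor_removed` event for the flagged authenticator before the next login is what turns the svc-billing finding clean; the reset and session revocation alone do not.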
Why It Matters in NHI Security
MFA persistence matters because it turns an authentication event into a long-lived compromise of the identity plane. For NHIs, this is especially dangerous when secrets, tokens, or delegated credentials are already overexposed. NHI Mgmt Group research shows that 91.6% of secrets remain valid five days after notification, which means many organisations leave enough time for attacker-controlled trust paths to survive remediation.
This is why incidents such as the Salt Typhoon US telecoms breach matter to identity teams: once an adversary can sustain access, the problem stops being credential theft and becomes trust-state corruption. The same logic applies to cloud admins, service principals, and agentic systems that can enroll or reuse factors without strong governance. MFA persistence also intersects with zero trust, because NIST Cybersecurity Framework 2.0 emphasises continuous verification rather than one-time authentication.
Organisations typically encounter the operational impact only after a reset fails to evict the intruder, at which point MFA persistence becomes unavoidable to address.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-05 | Covers auth lifecycle weaknesses where compromised NHI factors can survive remediation. |
| NIST CSF 2.0 | PR.AA-1 | Identity proofing and auth management require verifying the current trust state of credentials. |
| NIST Zero Trust (SP 800-207) | AL-1 | Zero Trust assumes no credential or session is trusted without revalidation. |
Reassess identity trust continuously and remove persistent MFA enrollments after compromise.
Reviewed and updated by the NHIMG editorial team on May 26, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org