No MFA on Privileged Access
Protecting admin and root accounts with only a password means one phish or leak grants full takeover. Require phishing-resistant MFA (security keys, passkeys) for all privileged access and enforce step-up via conditional-access policies.
No MFA on privileged access means administrator, root, cloud-owner, and other high-value accounts are protected by a password alone. Passwords are routinely phished, reused, leaked in breaches, and guessed — so a single-factor admin login is one stolen secret away from full compromise. Multi-factor authentication (MFA) adds an independent factor that a password thief usually cannot satisfy.
Why It Happens
MFA adds friction, and admins — often the most senior, busiest people — resist it. Setup work (enrolling devices, configuring an IdP) is deferred. Teams enable MFA for end users but consider internal or break-glass admin accounts "trusted" and exempt them. Legacy tools that do not support modern auth are left on passwords. The convenience of a quick password login wins until an incident.
Why It Hurts
Privileged accounts are the highest-value target: compromising one yields control of infrastructure, data, and other identities. Password-only protection makes them vulnerable to phishing, credential stuffing from reused passwords, and breach-derived credential dumps — all of which are cheap and constant. Without a second factor, a single successful phish equals total takeover. Even weak MFA (SMS one-time codes) is phishable and SIM-swappable, so it is insufficient for the most sensitive accounts.
Warning Signs
- Admin or root consoles accept a password with no second factor.
- MFA is optional, and privileged users have opted out.
- Privileged accounts rely on SMS OTP, which is phishable.
- There is no conditional-access policy requiring stronger auth for sensitive actions.
Better Alternatives
Require phishing-resistant MFA for all privileged access: hardware security keys or platform passkeys using WebAuthn/FIDO2, which bind authentication to the legitimate site and cannot be relayed by a phishing proxy. Prefer passkeys over OTP, and OTP over SMS. Enforce MFA through conditional-access policies that step up authentication for risky logins, new devices, or sensitive operations. Apply MFA to break-glass accounts too, with a controlled, logged emergency process. Combine with least privilege and just-in-time elevation so fewer accounts are privileged at all.
How to Refactor Out of It
- Inventory all privileged accounts and their current authentication factors.
- Mandate MFA for every privileged account, with no opt-out.
- Roll out phishing-resistant methods (security keys, passkeys) for admins; retire SMS OTP for sensitive roles.
- Add conditional-access rules that require strong auth for risky or high-impact actions.
- Secure break-glass accounts with MFA and a logged emergency procedure.
- Monitor for and alert on privileged logins lacking a second factor.