Skip to main content

No MFA on Privileged Access

Protecting admin and root accounts with only a password means one phish or leak grants full takeover. Require phishing-resistant MFA (security keys, passkeys) for all privileged access and enforce step-up via conditional-access policies.

No MFA on privileged access means administrator, root, cloud-owner, and other high-value accounts are protected by a password alone. Passwords are routinely phished, reused, leaked in breaches, and guessed — so a single-factor admin login is one stolen secret away from full compromise. Multi-factor authentication (MFA) adds an independent factor that a password thief usually cannot satisfy.

Why It Happens

MFA adds friction, and admins — often the most senior, busiest people — resist it. Setup work (enrolling devices, configuring an IdP) is deferred. Teams enable MFA for end users but consider internal or break-glass admin accounts "trusted" and exempt them. Legacy tools that do not support modern auth are left on passwords. The convenience of a quick password login wins until an incident.

Why It Hurts

Privileged accounts are the highest-value target: compromising one yields control of infrastructure, data, and other identities. Password-only protection makes them vulnerable to phishing, credential stuffing from reused passwords, and breach-derived credential dumps — all of which are cheap and constant. Without a second factor, a single successful phish equals total takeover. Even weak MFA (SMS one-time codes) is phishable and SIM-swappable, so it is insufficient for the most sensitive accounts.

Warning Signs

  • Admin or root consoles accept a password with no second factor.
  • MFA is optional, and privileged users have opted out.
  • Privileged accounts rely on SMS OTP, which is phishable.
  • There is no conditional-access policy requiring stronger auth for sensitive actions.

Better Alternatives

Require phishing-resistant MFA for all privileged access: hardware security keys or platform passkeys using WebAuthn/FIDO2, which bind authentication to the legitimate site and cannot be relayed by a phishing proxy. Prefer passkeys over OTP, and OTP over SMS. Enforce MFA through conditional-access policies that step up authentication for risky logins, new devices, or sensitive operations. Apply MFA to break-glass accounts too, with a controlled, logged emergency process. Combine with least privilege and just-in-time elevation so fewer accounts are privileged at all.

How to Refactor Out of It

  1. Inventory all privileged accounts and their current authentication factors.
  2. Mandate MFA for every privileged account, with no opt-out.
  3. Roll out phishing-resistant methods (security keys, passkeys) for admins; retire SMS OTP for sensitive roles.
  4. Add conditional-access rules that require strong auth for risky or high-impact actions.
  5. Secure break-glass accounts with MFA and a logged emergency procedure.
  6. Monitor for and alert on privileged logins lacking a second factor.