Why Traditional MFA Isn’t Enough—And What Zero Networks Can Do About It

James Brombergs - 20.05.2025


Multi-factor authentication (MFA) is a critical security measure for protecting user accounts—but what about everything else? While MFA is widely used to secure logins, it often stops at SaaS applications, leaving other parts of the network—like legacy applications, databases, and operational technology—wide open to attacks. 

The problem? Hackers don’t need a front-door key when there are plenty of unlocked side doors. Just one unprotected system can be enough for them to sneak in, move laterally, and escalate their access until they take control. 

Why Traditional MFA Falls Short 

Most organizations rely on MFA to secure user logins, but the reality is that traditional MFA is underutilised across enterprise environments. Why? Because applying MFA beyond SaaS applications is difficult, and many security teams lack the tools to extend it to legacy systems, databases, operational technology (OT), and on-premises infrastructure. This creates major security gaps that attackers can exploit. 

Here’s why traditional MFA falls short: 

  • Application-Layer Focus: Most MFA solutions protect SaaS applications but don’t extend to non-web-based assets like databases, legacy applications and industrial control systems. This leaves critical infrastructure vulnerable 
  • Protocol Vulnerabilities: Attackers often bypass MFA by exploiting weaknesses at the protocol level. If an open RDP or SSH port exists, they can use stolen credentials to gain access—MFA at the application layer does nothing to stop this 
  • Agent-Based Limitations: Many MFA solutions require software agents to be installed on endpoints. However, this isn’t always feasible for legacy systems, IoT devices or unmanaged assets, meaning these remain unprotected 
  • Operational Complexity: Extending MFA beyond user logins typically requires major infrastructure changes or custom integrations, making deployment costly and difficult to maintain 

All it takes is one open port or overlooked system for attackers to break in. Once inside, they can move laterally across the network, escalating their access and deploying ransomware or stealing sensitive data. 

When MFA Isn’t Enough: Real-World Failures 

MFA is supposed to be a safety net—an extra layer of security that stops attackers in their tracks. But here’s the reality: MFA isn’t foolproof. Hackers have found ways to work around it, and organizations have paid the price. 

  • MFA recovery loopholes: A study called “We’ve Disabled MFA For You” found that weak recovery processes often let attackers bypass MFA entirely. In some cases, just accessing the associated email was enough to disable MFA and gain full entry 
  • MFA fatigue attacks: MFA fatigue attacks occur when cybercriminals spam users with endless authentication requests until someone, out of frustration, clicks “approve” just to make it stop—unknowingly granting access to an attacker 
  • Exploitable MFA vulnerabilities: In late 2024, researchers uncovered a flaw in Microsoft’s Azure MFA that allowed attackers to bypass authentication completely, exposing Outlook, OneDrive, and Teams 
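A defender can look for the fatigue pattern described above in authentication logs: a run of denied or unanswered push prompts followed by an approval. The sketch below is an added example, not part of the original article; the log format, the sample events, and the threshold and window values are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, user, factor, result of the prompt.
SAMPLE_LOG = """\
2025-05-20T02:10:05Z alice push denied
2025-05-20T02:10:40Z alice push denied
2025-05-20T02:11:10Z alice push timeout
2025-05-20T02:11:55Z alice push denied
2025-05-20T02:12:30Z alice push approved
2025-05-20T09:00:00Z bob push denied
2025-05-20T09:00:30Z bob push approved
"""

def detect_push_fatigue(log_text, threshold=3, window=timedelta(minutes=5)):
    """Return (user, approval_time, prior_failures) for every approval that
    follows `threshold` or more denied/timed-out prompts inside `window`."""
    recent = defaultdict(deque)   # user -> timestamps of failed prompts
    alerts = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "push":
            continue              # skip malformed lines and other factors
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        user, result = parts[1], parts[3]
        failed = recent[user]
        while failed and ts - failed[0] > window:
            failed.popleft()      # forget prompts older than the window
        if result in ("denied", "timeout"):
            failed.append(ts)
        elif result == "approved":
            if len(failed) >= threshold:
                alerts.append((user, parts[0], len(failed)))
            failed.clear()        # a new sequence starts after an approval
    return alerts

if __name__ == "__main__":
    for user, when, count in detect_push_fatigue(SAMPLE_LOG):
        print(f"possible MFA fatigue: {user} approved at {when} "
              f"after {count} failed prompts")
```

An alert here is a reason to confirm the approval with the user out of band and review the session that followed it.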

The takeaway? MFA alone isn’t enough. Hackers are getting smarter, and organizations need to think beyond traditional authentication methods to truly secure their systems. The question is—what’s the next step? 

The Zero Networks Way: Tie MFA to the Network Layer 

Instead of limiting MFA to just applications, Zero Networks enables just-in-time MFA at the network layer. This means that any connection attempt—regardless of the protocol, operating system, or application—is automatically blocked unless verified by MFA. 

Here’s how it works: 

  1. All inbound connections are blocked by default: Unlike traditional MFA, which only protects specific applications, Zero Networks ensures that every entry point, including RDP, SSH, SMB and database access, is blocked unless explicitly allowed 
  2. On-demand MFA verification: When a user needs access to a system, they request it in real-time and verify their identity via MFA before a temporary connection is granted 
  3. Time-limited, least privilege access: Once access is granted, it is only available for a short window, preventing persistent access that attackers could exploit 
  4. No agents or complex integrations required: Zero Networks applies MFA at the network layer without the need for agents on endpoints or changes to existing infrastructure 

This approach ensures: 

  • No open ports for attackers to exploit: All services remain inaccessible until verified, eliminating the risk of unauthorised access 
  • MFA protection for assets that previously couldn’t be secured: Legacy applications, industrial control systems, and on-prem infrastructure can now benefit from MFA without requiring software agents 
  • Complete prevention of lateral movement: Attackers who gain initial access cannot move across the network, as every access attempt requires real-time MFA validation 

With Zero Networks Segment, organizations can enforce MFA on demand, ensuring that any abnormal activity, privileged access request, or high-risk operation is verified before proceeding. This eliminates security blind spots and makes lateral movement across the network virtually impossible. 

A Common Scenario: MFA for RDP/SSH 

Remote access protocols like RDP, SSH and WinRM are prime targets for attackers looking to move laterally. Even when protected by traditional MFA, once a session is established, attackers can use stolen credentials or session hijacking techniques to bypass authentication controls. 

Zero Networks eliminates this risk by applying port-level MFA. Here’s how it works: 

  1. Block: All administrative ports are blocked by default, preventing unauthorised access 
  2. Authenticate: Users request access and verify their identity via MFA before the port is temporarily opened 
  3. Time-Limited Access: Once authenticated, access is granted only for a limited time, reducing the attack window 

Users can authenticate via their organization’s preferred identity provider (Entra ID, Duo, Okta, CyberArk) or use email/SMS authentication. 

This approach extends MFA protection to legacy applications, databases, OT/IoT devices, mainframes, on-prem VMs and IaaS VMs, ensuring that no critical asset is left exposed. 
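The block, authenticate and time-limit steps described in this article can be modelled as a small policy engine. This is an added illustration, not Zero Networks code: the `JitGate` class, the 15-minute window, the binding of a grant to one source host, and the addresses are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field

@dataclass
class JitGate:
    """Default-deny inbound policy with MFA-gated, expiring allow rules."""
    ttl_seconds: int = 900                      # assumed 15-minute access window
    grants: dict = field(default_factory=dict)  # (src, dst, port) -> expiry time

    def request_access(self, src, dst, port, mfa_ok, now=None):
        """Open src -> dst:port for ttl_seconds, but only after MFA succeeded.
        mfa_ok stands in for the identity provider's verdict (assumption)."""
        now = time.time() if now is None else now
        if not mfa_ok:
            return False
        self.grants[(src, dst, port)] = now + self.ttl_seconds
        return True

    def is_allowed(self, src, dst, port, now=None):
        """Decide one inbound connection attempt; no live grant means drop."""
        now = time.time() if now is None else now
        expiry = self.grants.get((src, dst, port))
        if expiry is None:
            return False                        # blocked by default
        if now >= expiry:
            del self.grants[(src, dst, port)]   # window closed, rule removed
            return False
        return True

def simulate():
    """Walk one admin session through the gate; addresses are constructed."""
    gate = JitGate(ttl_seconds=900)
    admin, other, server = "10.0.1.5", "10.0.2.77", "10.0.9.10"
    t0 = 1_000_000.0
    return [
        ("RDP before any request", gate.is_allowed(admin, server, 3389, now=t0)),
        ("request with failed MFA", gate.request_access(admin, server, 3389, False, now=t0)),
        ("request with passed MFA", gate.request_access(admin, server, 3389, True, now=t0)),
        ("RDP inside the window", gate.is_allowed(admin, server, 3389, now=t0 + 60)),
        ("RDP from another host", gate.is_allowed(other, server, 3389, now=t0 + 60)),
        ("SSH, never requested", gate.is_allowed(admin, server, 22, now=t0 + 60)),
        ("RDP after expiry", gate.is_allowed(admin, server, 3389, now=t0 + 900)),
    ]

if __name__ == "__main__":
    for label, decision in simulate():
        print(f"{label:26} -> {'ALLOW' if decision else 'DROP'}")
```

Because each grant is keyed on source, destination and port, a second host presenting the same credentials still meets the default-deny rule, and the original grant stops matching once its window closes.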

No Open Ports, No Lateral Movement 

Hackers thrive on security gaps—Zero Networks eliminates them. By tying MFA to the network layer, it becomes impossible for attackers to move laterally, escalate privileges, or exploit vulnerable systems. 

Want to see it in action? Book a demo now and experience the power of agentless, just-in-time MFA for your entire network. 
