Stopping Compromised Access After MFA: A Taxonomy of Containment Gaps and Controls
Sudheer Avula Independent Researcher Provo, Utah, U.S.A. sudheer.avula@gmail.com
Abstract
Multi-factor authentication (MFA) is widely used to strengthen account access, yet it does not by itself ensure rapid containment once authentication has succeeded. In modern authentication environments, especially enterprise and federated deployments, compromised access may persist across application sessions, identity provider sessions, access and refresh tokens, and remembered trust state. This fragmentation makes post-authentication containment a multi-layer problem rather than a single revocation event. This paper defines the post-authentication containment problem and presents a taxonomy of containment gaps and controls in MFA-protected systems. The taxonomy organizes incident classes and containment mechanisms across session, token, trust-state, and credential layers, and highlights where current controls remain partial, delayed, or dependent on product-specific integration. The paper further identifies user-driven deauthorization as an underdeveloped but potentially valuable containment capability. By clarifying this design space, the paper aims to inform future authentication architecture and support more systematic incident response.
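The fragmentation the abstract describes is easiest to see in a runnable model. The following is an added example, not code from the paper: a toy account state in which MFA-authenticated access survives in five places (application session, identity-provider session, refresh token, a stateless access token, and remembered-device trust). The function names, the `tokens_invalid_before` cut-off that resource servers consult, and the silent SSO re-login rule are all constructed assumptions that approximate common deployments, not any specific product's behaviour. The `demo()` function ends the application session on its own and then runs a full multi-layer containment, reporting which layers still grant access after each step.

```python
"""Constructed model of post-authentication containment layers (added example)."""
import secrets
from dataclasses import dataclass, field

ACCESS_TTL = 3600  # access-token lifetime in seconds (constructed value)


@dataclass
class AccessToken:
    token_id: str
    issued_at: int
    expires_at: int


@dataclass
class AccountState:
    """Every place compromised access can persist after MFA has succeeded."""
    app_sessions: set = field(default_factory=set)
    idp_sessions: set = field(default_factory=set)
    refresh_tokens: set = field(default_factory=set)
    trusted_devices: set = field(default_factory=set)
    # Access tokens are validated statelessly (signature assumed checked);
    # the only server-side lever is an "issued before this instant is invalid" cut-off.
    tokens_invalid_before: int = 0


def mint_access_token(state, refresh_token, now):
    """Exchange a live refresh token for a fresh access token; None if revoked."""
    if refresh_token not in state.refresh_tokens:
        return None
    return AccessToken(secrets.token_hex(8), now, now + ACCESS_TTL)


def login_with_mfa(state, device_id, now, remember_device=True):
    """Successful MFA login creates state in all layers at once."""
    sid, idp, rt = (secrets.token_hex(8) for _ in range(3))
    state.app_sessions.add(sid)
    state.idp_sessions.add(idp)
    state.refresh_tokens.add(rt)
    if remember_device:
        state.trusted_devices.add(device_id)
    return sid, idp, rt, mint_access_token(state, rt, now)


def resource_server_accepts(state, tok, now):
    """Stateless check: not expired and not issued before the revocation cut-off."""
    return (tok is not None and now < tok.expires_at
            and tok.issued_at >= state.tokens_invalid_before)


def silent_reauth(state, device_id, idp_session, now):
    """SSO re-login without an MFA prompt (assumed rule): allowed while the IdP
    session is alive and the device is remembered. Returns a new app session."""
    if idp_session in state.idp_sessions and device_id in state.trusted_devices:
        sid = secrets.token_hex(8)
        state.app_sessions.add(sid)
        return sid
    return None


def revoke_app_session(state, sid):
    """What a typical application-level 'sign out this user' action does."""
    state.app_sessions.discard(sid)


def contain(state, now):
    """Multi-layer containment: clear every layer and invalidate older tokens."""
    state.app_sessions.clear()
    state.idp_sessions.clear()
    state.refresh_tokens.clear()
    state.trusted_devices.clear()
    state.tokens_invalid_before = now


def residual_access(state, device_id, idp, rt, tok, now):
    """Report which layers still grant the attacker access."""
    return {
        "existing_access_token": resource_server_accepts(state, tok, now),
        "refresh_to_new_token": resource_server_accepts(
            state, mint_access_token(state, rt, now), now),
        "silent_sso_reauth": silent_reauth(state, device_id, idp, now) is not None,
    }


def demo():
    """Constructed scenario: a device that completed MFA is later deemed compromised."""
    state = AccountState()
    now = 1_000_000
    device = "compromised-laptop"  # constructed identifier
    sid, idp, rt, tok = login_with_mfa(state, device, now)

    # Step 1: only the application session is revoked.
    revoke_app_session(state, sid)
    after_app_only = residual_access(state, device, idp, rt, tok, now + 60)

    # Step 2: containment across session, token and trust-state layers.
    contain(state, now + 120)
    after_full = residual_access(state, device, idp, rt, tok, now + 180)
    return after_app_only, after_full


if __name__ == "__main__":
    partial, full = demo()
    print("after app-session revoke only:", partial)
    print("after multi-layer containment:", full)
```

Running `demo()` shows that ending the application session leaves all three other paths open (the unexpired access token, a new token minted from the refresh token, and a silent SSO re-login from the remembered device), while the layered containment closes every one of them. The `tokens_invalid_before` cut-off is the part most often missing in practice: without it, stateless access tokens remain valid until they expire regardless of what the identity provider revokes.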
Keywords: Multi-factor authentication; post-authentication containment; session revocation; token revocation; federated identity; identity and access management; user-driven deauthorization; incident response