It has been reported that although Multi-factor Authentication (MFA) has long been a standard security practice for guarding against account takeover it does have limitations. For example, as highlighted by The Hacker News, MFA solutions don’t offer protection to remote command line access tools like PsExec, Remote PowerShel. This means that even though a fully functioning MFA solution is in place, workstations and servers remain vulnerable to lateral movement, ransomware spread and other identity threats.
Also, it reports that MFA limitations in the on-prem environment could lead to cloud SaaS resources being attacked. The advice is to regard MFA as a partial solution and to seek extra security measures.