The Curtains are Open: Why MFA has Become Security Theater
- Oct 17, 2025
- 3 min read
Introduction: The Illusion of Progress
In the mid-2000s, Bruce Schneier coined a term that would become a cornerstone of security skepticism: Security Theater. He defined it as the practice of implementing measures that provide the feeling of improved security while doing little or nothing to achieve it. At the time, he was largely referring to airport checkpoints and plastic-bag bans. Fast forward to 2026, and the theater has migrated from the tarmac to the login screen.
We have spent the last decade convincing boards, stakeholders, and users that Multi-Factor Authentication (MFA) is the "silver bullet" for identity security. On paper, it is. But in practice, the way we deploy MFA—specifically through the lens of "usability features"—has hollowed out its effectiveness, leaving us with a perimeter made of cardboard and paint.

The Rise of the "Remember Me" Trap
The most pervasive element of modern security theater is the "Remember this device" checkbox. On the surface, it is a logical compromise. Security teams want MFA adoption, but users hate "MFA fatigue." To keep the helpdesk from being overwhelmed, administrators enable features such as Microsoft Entra's "Remember multifactor authentication on trusted device," which lets a user skip subsequent verifications on that browser for a configurable number of days (Microsoft defaults it to 14 days but allows up to a year; a 90-day window is a common choice).
This is where the theater begins. From the user's perspective, they pass two gates during their initial login. They feel secure. They believe they are operating in a 2FA environment. However, the moment that box is ticked, the environment effectively reverts to Single-Factor Authentication (SFA) for the rest of the window: possession of the browser's cookie is now the only thing being checked.
The Vulnerability: Session Hijacking and the "Silent" Compromise
When we "remember" a device, we are not binding anything to the hardware; we are setting a long-lived cookie (or refresh token) in the browser profile, and whoever presents it is treated as the already-verified user. This creates a massive blind spot that the initial MFA prompt does nothing to address:
Cookie Theft (Pass-the-Cookie): Modern malware, infostealers like RedLine or Raccoon, doesn't care about your password. It targets the session tokens. If an attacker steals the cookie from a "remembered" device, they can inject it into their own browser. Because the "theater" of MFA was already performed 20 days ago, the system welcomes the attacker without a single prompt.
Device Theft & Shared Workstations: In a world of hybrid work, the physical device is the perimeter. If a laptop is stolen or a shared home computer is compromised, the "remembered" status provides a direct, unhindered path into corporate resources.
Why We Ignore the Hole
Why do we allow this? Because of the "Friction Paradox." Vendor surveys such as JumpCloud's and academic usability studies (including work published at USENIX) consistently show that as friction increases, user adoption of security measures plummets. Organizations keep the appearance of MFA to satisfy compliance audits while quietly removing the "multi-factor" part of the equation through long-lived sessions to protect productivity.
The Path Forward: Auditing the Theater
To close the curtains on security theater, we must move toward Risk-Based Authentication (RBA) or The Whisper Company's For Your Eyes Only Authorization. We need to stop treating a 90-day window as a "set it and forget it" policy.
Shorten the Leash: NIST SP 800-63B (Revision 3) does not leave this to taste. At AAL2 it requires re-authentication at least once every 12 hours and after 30 minutes of inactivity; at AAL3, every 12 hours and after 15 minutes of inactivity. Privileged accounts should sit at the short end of that range, not on a 90-day leash.
Contextual Re-auth: If a "remembered" session suddenly shows up from a different network or attempts to access high-value data (such as PII or financial records), the "theater" must end and a hard re-authentication must be triggered.
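To make the two halves of this argument concrete, here is an added example (not code from the original post, and not any vendor's implementation) that models a "remembered device" session two ways: a naive validator that reproduces the pass-the-cookie hole from the "Silent Compromise" section, where any bearer of the cookie is the user until the 90-day window lapses, and a contextual validator that applies the rules above: a shorter maximum age for the second factor, a check that the cookie is presented from the network it was issued to, and a fresh-MFA requirement for sensitive paths. The `Session`, `Request` and `Decision` types, the policy constants, the `/payroll` and `/pii` paths and the sample IPs and timestamps are all assumptions constructed for the illustration.

```python
"""Added example: a toy "remembered device" session with two validators.

validate_naive      reproduces the hole: any bearer of the cookie is accepted
                    until the remember-me window expires.
validate_contextual honours the remembered device only while the context
                    (age of the second factor, network, resource) matches.

Every name, constant and sample value here is an assumption made for the
illustration, not any vendor's API or policy.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# --- policy constants (assumed values for the example) ---------------------
REMEMBER_WINDOW = timedelta(days=90)      # the long "remember me" leash from the post
MAX_MFA_AGE = timedelta(days=14)          # shorter leash enforced by the contextual policy
SENSITIVE_MFA_AGE = timedelta(hours=12)   # NIST SP 800-63B rev. 3 AAL2 reauth interval
SENSITIVE_PATHS = ("/payroll", "/pii")    # "high-value data" in the post's terms


@dataclass(frozen=True)
class Session:
    cookie: str
    user: str
    mfa_at: datetime     # when a real second factor was last verified
    issued_from: str     # client IP that completed that MFA


@dataclass(frozen=True)
class Request:
    cookie: str
    client_ip: str
    path: str
    now: datetime


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def validate_naive(session: Session, req: Request) -> Decision:
    """The theater: whoever holds the cookie is the user until the window lapses."""
    if req.cookie != session.cookie:
        return Decision(False, "unknown cookie")
    if req.now - session.mfa_at > REMEMBER_WINDOW:
        return Decision(False, "remember-me window expired")
    return Decision(True, "cookie accepted, no MFA prompt")


def same_network(a: str, b: str) -> bool:
    """True when both addresses sit in the same /24 (IPv4) or /64 (IPv6)."""
    ia, ib = ip_address(a), ip_address(b)
    if ia.version != ib.version:
        return False
    prefix = 24 if ia.version == 4 else 64
    return (ip_network(f"{ia}/{prefix}", strict=False)
            == ip_network(f"{ib}/{prefix}", strict=False))


def validate_contextual(session: Session, req: Request) -> Decision:
    """Risk-based: honour the remembered device only while the context matches."""
    if req.cookie != session.cookie:
        return Decision(False, "unknown cookie")
    mfa_age = req.now - session.mfa_at
    if mfa_age > MAX_MFA_AGE:
        return Decision(False, "reauth: second factor older than policy maximum")
    if not same_network(session.issued_from, req.client_ip):
        # A replayed cookie normally arrives from the attacker's network, not the victim's.
        return Decision(False, "reauth: cookie presented from a different network")
    if req.path.startswith(SENSITIVE_PATHS) and mfa_age > SENSITIVE_MFA_AGE:
        return Decision(False, "reauth: sensitive resource needs a fresh second factor")
    return Decision(True, "remembered device honoured")


def run_scenarios() -> dict:
    """Constructed sample traffic; returns {scenario: (naive_allow, contextual_allow)}."""
    now = datetime(2025, 10, 17, 9, 0, tzinfo=timezone.utc)
    # Alice completed MFA five days ago from 203.0.113.10 and ticked "remember me".
    session = Session("c0ffee", "alice", now - timedelta(days=5), "203.0.113.10")
    scenarios = {
        "owner, same network, dashboard": Request("c0ffee", "203.0.113.42", "/dashboard", now),
        "replayed cookie, other network": Request("c0ffee", "198.51.100.7", "/dashboard", now),
        "owner, same network, payroll":   Request("c0ffee", "203.0.113.42", "/payroll", now),
        "owner, 30 days later":           Request("c0ffee", "203.0.113.42", "/dashboard",
                                                  now + timedelta(days=30)),
    }
    return {name: (validate_naive(session, r).allow, validate_contextual(session, r).allow)
            for name, r in scenarios.items()}


if __name__ == "__main__":
    for name, (naive, ctx) in run_scenarios().items():
        print(f"{name:32} naive={'allow' if naive else 'deny':5} "
              f"contextual={'allow' if ctx else 'deny'}")
```

Running it shows the gap in one screen: the naive validator allows all four requests, including the cookie replayed from 198.51.100.7, because the only thing it checks is that the 90 days have not passed. The contextual validator lets the owner's ordinary request through without a prompt, but forces re-authentication for the replay (wrong network), for the payroll page (second factor older than 12 hours) and for the request 35 days after MFA (older than the 14-day maximum). The network check is deliberately coarse (a /24 or /64) so that ordinary DHCP churn does not prompt the user; a real deployment would tune that, and should treat a change in ASN or country as a harder signal than a change of host address.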
If your MFA isn't checking the user's identity at the moment of risk, it isn't security—it's just a performance.