Insufficient Authentication Controls usually ties into not having MFA enforced. If there is no MFA or a way to bypass it the severity rating is High at a minimum.
If you're not getting access anywhere with your pentest and can't tell if they're using MFA, you can ask the client if they have it enforced or not so you can include it on your report if they don't have it in writing from them.
Example 1
MFA bypass via MailSniper and a vulnerable on-prem Exchange server
MFA bypass via MailSniper and a vulnerable on-prem Exchange server
Example 2
MFA wasn't enforced on all applications leaving security holes
