TL;DR: Credential phishing rose 703% in the second half of 2024, far outpacing overall email-based phishing growth, while AI-driven lures, multi-channel delivery, and precision validation are making credential theft easier to scale, according to RSA Security. Passwordless authentication, phishing-resistant MFA, and tighter identity controls now matter because stolen credentials remain the fastest path from social engineering to account takeover.
At a glance
What this is: This is RSA Security's analysis of how credential phishing has evolved and why passwordless, phishing-resistant MFA, and Zero Trust controls are now central defenses.
Why it matters: It matters because credential phishing still turns human mistakes into identity compromise, and the same trust failures also expose NHI and privileged access programmes to lateral movement and takeover risk.
By the numbers:
- Credential phishing increased 703% in the second half of 2024, compared with a 202% increase in overall email-based phishing threats.
- Breaches that began with phishing cost an average of $4.88 million and took an average of 261 days to identify and contain, according to IBM's Cost of a Data Breach Report.
- 78% of organisations surveyed reported having immediate plans to implement automation, machine learning, or some form of AI in their cybersecurity stack, according to RSA's 2025 ID IQ Report.
Context
Credential phishing is the practice of tricking people into giving up usernames, passwords, or other login credentials so an attacker can enter business systems as a trusted user. In identity programmes, that matters because a stolen credential is not just a bad login, it is a valid identity event that can be reused for account takeover, privilege escalation, and lateral movement.
The article argues that the tactic is getting harder to stop because attackers now combine AI-written lures, social engineering, SMS and collaboration-app channels, and credential replay techniques. For IAM, that shifts the problem from simple email filtering to stronger authentication, reduced password reliance, and tighter control over where credentials can be used.
Key questions
Q: How should security teams reduce credential phishing risk without slowing users down?
A: Focus on removing reusable secrets from the most sensitive access paths first. Phishing-resistant MFA, passkeys, and SSO reduce exposure while also making legitimate access easier. Then extend controls across support and collaboration channels so attackers cannot simply move to a weaker prompt path. Usability improves when authentication becomes simpler than password entry.
Q: Why does credential phishing still work in organisations with mature email security?
A: Because email security is only one layer of the identity attack surface. Attackers increasingly use SMS, collaboration apps, QR codes, and voice calls to reach users through trusted channels. If identity controls depend on a single message gateway, the organisation has defended the mailbox but not the credential itself.
Q: What do security teams get wrong about passwordless authentication?
A: They sometimes treat passwordless as a convenience feature instead of an anti-phishing control. Its real value is that there is no password to steal, replay, or reuse on a fake site. It works best when paired with phishing-resistant MFA, lifecycle governance, and disciplined account recovery.
Q: Who is accountable when a phishing attack leads to account takeover?
A: Accountability sits with the identity programme, the business owner of the account, and the teams that designed recovery and access governance. Frameworks such as NIST SP 800-63 and Zero Trust place responsibility on authenticators, assurance, and continuous verification, not only on end users.
Technical breakdown
How credential phishing turns a message into account takeover
Credential phishing typically starts with impersonation and urgency. An attacker sends a message that looks like it came from IT, HR, a bank, or a common SaaS service, then pushes the target toward a fake login page or reply path. Once credentials are captured, the attacker can authenticate as the user, reuse the session, and expand into other systems. The technical issue is not only deception at the inbox. It is that the stolen secret often becomes a valid identity artefact across email, cloud apps, and downstream services.
Practical implication: treat credential phishing as an identity compromise problem, not just a messaging problem.
Why multi-channel phishing raises IAM risk
Credential phishing no longer depends on email alone. SMS, voice calls, social platforms, collaboration tools, and QR codes all give attackers alternative ways to deliver a lure and bypass familiar controls. That matters because users often trust the channel they are already using for work or support. When the message arrives through a trusted collaboration path, the attacker can harvest credentials even if email controls are strong. The result is broader attack surface, weaker detection consistency, and more opportunities to bypass link scanning and message hygiene.
Practical implication: extend anti-phishing controls and user verification rules across every business communication channel.
Why passwordless and phishing-resistant MFA change the attack economics
Passwordless authentication removes the secret that phishing is trying to steal, while phishing-resistant MFA blocks the attacker from replaying a harvested secret through a fake site. Phishing-resistant methods such as FIDO2/WebAuthn passkeys bind the sign-in response to the genuine site's origin and to a one-time challenge, so a lookalike page has nothing usable to capture or forward, whereas a password or one-time code typed into that page can be relayed to the real service within seconds. In practice, that shifts the attacker from easy credential theft to harder device-bound or cryptographic attack paths. SSO also reduces the number of entry points that must be defended, but only if it is paired with strong authentication and lifecycle governance. The core technical point is that credential phishing exploits reusable secrets, so reducing secret reuse directly reduces exposure.
Practical implication: prioritise phishing-resistant authentication on the highest-risk access paths first, especially where reusable credentials still exist.
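As an added illustration (not code from RSA Security's article or from this page), the Python model below walks an adversary-in-the-middle proxy through both flows: a password plus one-time code relayed to the genuine identity provider inside the code's validity window, and a passkey assertion requested from a lookalike origin. The origins, user name, keys and the toy one-time-code function are constructed for the example, and an HMAC over a per-credential secret stands in for the authenticator's private-key signature that real WebAuthn uses; the RP ID scoping, origin check, challenge binding and single-use challenge follow the WebAuthn model.

```python
"""Added illustration: adversary-in-the-middle (AiTM) phishing against two authenticator
types. Origins, user name and keys are constructed; an HMAC over a per-credential secret
stands in for the authenticator's private-key signature used by real WebAuthn."""
import hashlib
import hmac
import json
import secrets

LEGIT_ORIGIN = "https://sso.example.com"                  # constructed genuine IdP
PHISH_ORIGIN = "https://sso-example.com.login-help.test"  # constructed lookalike


def rp_id_of(origin: str) -> str:
    """WebAuthn scopes credentials to the RP ID, the origin's effective domain."""
    return origin.split("://", 1)[1]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def totp(seed: bytes, now: int, step: int = 30) -> str:
    """Simplified time-based one-time code: constant within a 30-second window."""
    return hmac.new(seed, str(now // step).encode(), hashlib.sha256).hexdigest()[:6]


class Authenticator:
    """The user's passkey. Credentials are looked up by the RP ID of the origin the
    browser is actually on, so a lookalike domain has no credential to sign with."""

    def __init__(self) -> None:
        self.creds: dict[str, bytes] = {}

    def create(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self.creds[rp_id] = key
        return key  # stored by the RP at registration (a public key in real WebAuthn)

    def get_assertion(self, browser_origin: str, challenge: str):
        key = self.creds.get(rp_id_of(browser_origin))
        if key is None:
            return None  # no credential scoped to this origin: nothing to type into a fake page
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True)
        rp_hash = sha256(rp_id_of(browser_origin).encode())
        # Signed data covers the RP ID hash and the client data (challenge + origin).
        sig = hmac.new(key, rp_hash + sha256(client_data.encode()), hashlib.sha256).hexdigest()
        return {"client_data": client_data, "rp_id_hash": rp_hash.hex(), "signature": sig}


class RelyingParty:
    """The genuine identity provider."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = rp_id_of(origin)
        self.users: dict[str, dict] = {}
        self.pending: dict[str, str] = {}  # outstanding challenge -> user

    def enrol(self, user, password, otp_seed, passkey):
        self.users[user] = {"password": password, "otp_seed": otp_seed, "passkey": passkey}

    def otp_login(self, user, password, otp, now) -> bool:
        u = self.users.get(user)
        if u is None or not hmac.compare_digest(u["password"], password):
            return False
        return hmac.compare_digest(totp(u["otp_seed"], now), otp)

    def webauthn_challenge(self, user) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = user
        return challenge

    def webauthn_login(self, assertion) -> bool:
        if assertion is None:
            return False
        client = json.loads(assertion["client_data"])
        user = self.pending.pop(client.get("challenge", ""), None)  # single use: blocks replay
        if user is None or client.get("origin") != self.origin:
            return False  # origin inside the signed client data must be the genuine site
        if assertion["rp_id_hash"] != sha256(self.rp_id.encode()).hex():
            return False
        signed = bytes.fromhex(assertion["rp_id_hash"]) + sha256(assertion["client_data"].encode())
        expected = hmac.new(self.users[user]["passkey"], signed, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, assertion["signature"])


def run_aitm(now: int = 1_700_000_000) -> dict:
    """Victim 'alice' lands on PHISH_ORIGIN; the proxy relays everything to the real RP live."""
    rp, auth = RelyingParty(LEGIT_ORIGIN), Authenticator()
    seed = secrets.token_bytes(20)
    rp.enrol("alice", "correct horse battery", seed, auth.create(rp_id_of(LEGIT_ORIGIN)))
    # Password + OTP: both typed into the fake page and forwarded inside the OTP window.
    via_proxy_otp = rp.otp_login("alice", "correct horse battery", totp(seed, now), now + 5)
    # Passkey: the proxy obtains a genuine challenge and hands it to the victim's browser,
    # but the browser is on PHISH_ORIGIN, so no credential matches and nothing is signed.
    via_proxy_passkey = rp.webauthn_login(
        auth.get_assertion(PHISH_ORIGIN, rp.webauthn_challenge("alice")))
    # The same passkey on the real origin signs in once; the assertion cannot be replayed.
    assertion = auth.get_assertion(LEGIT_ORIGIN, rp.webauthn_challenge("alice"))
    direct, replay = rp.webauthn_login(assertion), rp.webauthn_login(assertion)
    return {"password_otp_via_proxy": via_proxy_otp, "passkey_via_proxy": via_proxy_passkey,
            "passkey_direct": direct, "passkey_replay": replay}


if __name__ == "__main__":
    print(run_aitm())
```

Running it shows the relayed password and one-time code accepted by the genuine provider, the passkey request on the phishing origin producing nothing because the authenticator holds no credential scoped to that RP ID, and a genuine assertion accepted once and rejected when replayed.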
Threat narrative
Attacker objective: The attacker wants reusable credentials that can be turned into account takeover, lateral movement, and further social engineering.
- Entry begins when the attacker impersonates a trusted source and delivers a credential lure through email, SMS, collaboration tools, or QR codes.
- Credential harvesting occurs when the target enters a username and password into a fake login page or responds to a deceptive prompt that forwards the secret to the attacker.
- Impact follows when the attacker reuses the stolen identity to access email, cloud services, or internal systems, then moves laterally or launches follow-on phishing from the compromised account.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- iOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials, endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Credential phishing is now an identity control failure, not a user-training failure. The article shows that attackers have industrialised credential theft across email, SMS, collaboration tools, and QR codes, which means the weak point is no longer a single channel. Once a credential is captured, it becomes a reusable identity artefact that can be replayed across cloud and business systems. Practitioners should treat phishing as a cross-channel access control problem, not an awareness campaign problem.
Reusable secrets are the real structural weakness in human identity programmes. Passwords, shared logins, and legacy MFA flows give attackers something durable to steal and reuse. That is why passwordless and phishing-resistant MFA matter: they reduce the attacker's ability to convert deception into durable access. The lesson for IAM teams is that every reusable credential expands the blast radius of social engineering.
Multi-channel phishing exposes a governance gap between authentication policy and real user behaviour. Security teams often defend the inbox while leaving collaboration apps, support channels, and mobile prompts less governed. The article's own examples show that attackers will route around whichever control is easiest to bypass. Practitioners should assume that trusted business channels are part of the identity attack surface.
Zero Trust only works here when identity signals are hardened at the point of entry. The article correctly connects phishing resistance, SSO consolidation, MFA, and risk-based analytics. But the governance point is broader: Zero Trust cannot compensate for weak credential issuance and weak recovery paths. Teams should validate the entire authentication and recovery chain, not only the primary login flow.
From our research:
- 88.5% of organisations acknowledge that their non-human IAM practices lag behind or are merely on par with their human identity and access management efforts, according to the 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the 2024 Non-Human Identity Security Report.
- For a broader breach pattern view, the 52 NHI breaches Report shows how credential compromise turns into downstream access abuse across real incidents.
What this signals
Credential phishing is no longer isolated to human inboxes. As organisations consolidate access through SSO, federation, and support workflows, the same social engineering patterns increasingly overlap with workload credentials and delegated access paths. That is why the gap between human IAM maturity and machine identity maturity matters to every programme, not just security awareness teams.
Phishing-resistant sign-in only helps when the account recovery path is equally hardened. If passwordless or passkey adoption removes one attack route but help desk resets remain easy to social-engineer, the organisation has shifted risk rather than reduced it. Security teams should look at sign-in, recovery, and exception handling as one control plane.
With 23.7% of organisations still sharing secrets through insecure methods such as email or messaging applications, per the 2024 Non-Human Identity Security Report, credential phishing should be read as part of a broader secret-handling problem, not a standalone phishing problem.
For practitioners
- Remove reusable credentials from high-risk access paths: Prioritise passwordless or phishing-resistant authentication for administrators, finance users, and anyone with access to sensitive cloud or SaaS systems. Start where credential replay would have the highest blast radius, then extend coverage through the identity lifecycle.
- Extend phishing controls beyond email: Apply verification, filtering, and user reporting workflows to SMS, collaboration tools, and help desk channels. Attackers are using whichever channel users trust most, so the defence model must cover every place where identity prompts can appear.
- Reduce the value of stolen credentials: Use SSO, conditional access, and session controls to limit how far a compromised account can travel. Pair that with fast account review and recovery procedures so a successful phish does not become a long-lived access event.
- Harden recovery and support paths: Review password reset, help desk verification, and account recovery flows for the same social engineering pressure that phishing uses. Many account takeovers succeed after the initial phish because recovery is easier to abuse than sign-in.
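The first and third items above fold into one policy check at the identity provider. The Python below is an added example, not code from RSA Security or from this page: it evaluates a constructed sign-in log against an illustrative policy that denies replayable factors for privileged roles, requires step-up for everyone else, and revokes a session whose cookie is later presented from a client other than the one it was issued to (the pattern left behind when a relayed sign-in hands the attacker a live session). The role and method labels, the session lifetime and the event log are all assumptions made for the example.

```python
"""Added illustration of sign-in and session policy checks. Method and role labels,
the session lifetime and the event log are constructed for the example."""
from dataclasses import dataclass

PHISHING_RESISTANT = {"passkey", "fido2_key"}            # assumed authenticator labels
PRIVILEGED_ROLES = {"global_admin", "finance_approver"}  # assumed high-blast-radius roles
SESSION_MAX_AGE = 8 * 3600                               # assumed session lifetime, seconds


@dataclass(frozen=True)
class Event:
    ts: int
    user: str
    role: str
    method: str        # authenticator at sign-in, or "session" when an issued cookie is presented
    session_id: str
    ip: str
    user_agent: str


def evaluate(events):
    """Return one (ts, user, decision, reason) tuple per event, in time order."""
    sessions = {}   # session_id -> the sign-in Event that issued it (binds session to client)
    decisions = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.method == "session":
            issued = sessions.get(e.session_id)
            if issued is None:
                decisions.append((e.ts, e.user, "deny", "no live session with this id"))
            elif e.ts - issued.ts > SESSION_MAX_AGE:
                sessions.pop(e.session_id)
                decisions.append((e.ts, e.user, "deny", "session expired, re-authenticate"))
            elif (e.ip, e.user_agent) != (issued.ip, issued.user_agent):
                # Cookie presented from a different client: treat as replay of a stolen
                # session, kill it and force a fresh phishing-resistant sign-in.
                sessions.pop(e.session_id)
                decisions.append((e.ts, e.user, "revoke", "session presented from a different client"))
            else:
                decisions.append((e.ts, e.user, "allow", "session bound to issuing client"))
            continue
        if e.role in PRIVILEGED_ROLES and e.method not in PHISHING_RESISTANT:
            decisions.append((e.ts, e.user, "deny",
                              "privileged role requires a phishing-resistant authenticator"))
        elif e.method not in PHISHING_RESISTANT:
            decisions.append((e.ts, e.user, "step_up",
                              "replayable factor, require phishing-resistant step-up"))
        else:
            sessions[e.session_id] = e
            decisions.append((e.ts, e.user, "allow", "phishing-resistant sign-in, session issued"))
    return decisions


# Constructed event log: a phished admin password, an analyst's password, a passkey
# sign-in, normal use of the resulting session, the session cookie replayed from
# attacker infrastructure, then the legitimate client trying the revoked session.
SAMPLE_EVENTS = [
    Event(1000, "alice", "global_admin", "password", "s-a1", "198.51.100.7", "Chrome/120"),
    Event(1100, "bob", "analyst", "password", "s-b1", "203.0.113.10", "Firefox/121"),
    Event(1200, "bob", "analyst", "passkey", "s-b2", "203.0.113.10", "Firefox/121"),
    Event(1300, "bob", "analyst", "session", "s-b2", "203.0.113.10", "Firefox/121"),
    Event(1400, "bob", "analyst", "session", "s-b2", "192.0.2.55", "curl/8.0"),
    Event(1500, "bob", "analyst", "session", "s-b2", "203.0.113.10", "Firefox/121"),
]


def decisions_for(events=SAMPLE_EVENTS):
    """Just the decision column, handy for checking a log against expectations."""
    return [d[2] for d in evaluate(events)]


if __name__ == "__main__":
    for decision in evaluate(SAMPLE_EVENTS):
        print(decision)
```

Binding a session to the client it was issued to is a coarse control (shared proxies and mobile networks change IPs), so in production the binding would usually rest on a device-bound token or a signed session rather than IP and user agent alone; the point of the example is that a stolen session is still a reusable credential and needs the same lifetime and revocation discipline as a password.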
Key takeaways
- Credential phishing succeeds because it turns deception into reusable identity access, which then enables takeover and lateral movement.
- The scale of the problem has accelerated sharply, with AI-assisted lures and multi-channel delivery making traditional email-only defences insufficient.
- The strongest response is to reduce reusable secrets, harden recovery paths, and extend identity controls beyond the inbox.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | SP 800-63B Authenticator Assurance Levels (AAL2/AAL3) and verifier impersonation (phishing) resistance | The article centers on phishing-resistant authentication and assurance. |
| NIST Zero Trust (SP 800-207) | Tenets of Zero Trust (Section 2.1) | Zero Trust requires continuous verification at every access request. |
| OWASP Non-Human Identity Top 10 | NHI2:2025 Secret Leakage; NHI7:2025 Long-Lived Secrets | Credential phishing exploits secret exposure and reuse across identity systems. |
Eliminate reusable secrets where possible and govern the remainder as high-value credentials.
Key terms
- Credential Phishing: Credential phishing is a social engineering attack that tricks a person into handing over login secrets such as passwords or passcodes. In identity programmes, it matters because the stolen secret can be reused to impersonate the user, access applications, and bypass ordinary authentication controls.
- Phishing-Resistant MFA: Phishing-resistant MFA is multi-factor authentication designed so the user cannot easily be tricked into sharing or replaying the factor on a fake site. It relies on stronger cryptographic binding, typically to the device or origin, which sharply reduces the value of harvested credentials.
- Passwordless Authentication: Passwordless authentication lets a user sign in without entering a reusable password. It reduces exposure to phishing because there is no password to steal, reuse, or spray, although the surrounding recovery and exception processes still need strong governance.
- Zero Trust Architecture: Zero Trust Architecture is an access model that assumes no request is trusted by default, even inside the network. For identity teams, it means authentication, context, and session state must be continuously evaluated so that a stolen credential does not automatically become durable access.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: Passwordless Credential Phishing: What It Is and How to Prevent It. Read the original.
Published by the NHIMG editorial team on 2025-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org