TL;DR: Basic MFA methods such as SMS, OTPs, and push approvals still leave organisations exposed to phishing, SIM swapping, and man-in-the-middle attacks, according to Axiad, while more secure options like FIDO2/WebAuthn and PKI remain underused because teams perceive them as complex and costly. The real issue is that “good enough” MFA often satisfies compliance without materially changing the attack surface.
At a glance
What this is: This is an Axiad compliance-focused analysis arguing that basic MFA is still too easy to bypass and that phishing-resistant authentication is increasingly necessary.
Why it matters: It matters because IAM teams still rely on weak second factors in environments where credential theft and interception remain common, leaving both human identities and downstream access controls exposed.
By the numbers:
- 93% of organizations still use passwords at work for business purposes.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes and as quickly as 9 minutes in some cases.
👉 Read Axiad's analysis of why good enough MFA is not enough
Context
Phishing-resistant authentication is the difference between a second factor that merely exists and one that meaningfully constrains account takeover. The article argues that basic MFA, especially SMS, OTPs, and push approvals, can still be bypassed through phishing, SIM swapping, and man-in-the-middle kits, which means many programmes are defending the login flow without defending the identity behind it.
For IAM leaders, the problem is not whether MFA has been deployed, but whether the deployed method actually changes attacker economics. When organisations stop at “good enough” MFA, they often create a compliance posture that looks complete while leaving the most common credential theft paths intact for human identities and any downstream systems that inherit those sessions.
Key questions
Q: What breaks when organisations rely on basic MFA against phishing attacks?
A: Basic MFA breaks when the attacker can relay, proxy, or socially engineer the second factor in real time. SMS codes, OTPs, and push approvals can all be captured and reused, so the identity service sees a valid response even though the user authenticated through a fraudulent channel. That leaves account takeover possible despite having “MFA” enabled.
Q: Why do phishing-resistant factors matter more for privileged accounts?
A: Privileged accounts are the highest-value targets because compromise often leads to broader administrative reach, session abuse, or lateral movement. Phishing-resistant MFA reduces the chance that an attacker can replay stolen credentials or approval events, which makes it materially harder to impersonate the user and then expand access from that initial foothold.
Q: How do security teams measure whether MFA is actually protecting the business?
A: Measure whether your strongest factor is enforced on the accounts and applications that matter most, not just whether MFA exists somewhere in the stack. Look for the percentage of privileged users on cryptographic authenticators, the number of fallback methods still allowed, and how often recovery paths bypass the stronger control.
Q: Who is accountable when weak MFA remains enabled after a phishing incident?
A: Accountability usually sits across identity governance, security operations, and application ownership because each group can leave a weak path in place. If the control gap was an allowed fallback method, the question is not only who approved it but whether policy, recovery design, and access reviews were aligned with the risk of replayable authentication.
Technical breakdown
Why basic MFA still fails against modern phishing kits
Basic MFA adds a second step, but not necessarily a stronger trust model. SMS codes, one-time passwords, and push approvals can all be intercepted, relayed, or socially engineered in real time. Man-in-the-middle phishing kits proxy the authentication flow so the attacker captures the session token or approval response after the user has already authenticated. In practice, the protection is anchored in shared secrets and user interaction rather than cryptographic proof of origin. That makes the control brittle when the attacker can position themselves between the user and the service.
Practical implication: if your MFA can be replayed or proxied, it is not phishing-resistant enough for high-value accounts.
What phishing-resistant MFA changes in the identity trust model
Phishing-resistant MFA shifts authentication from something a user knows or receives to something the authenticating device or key can prove cryptographically. FIDO2/WebAuthn and PKI-based methods bind the authentication event to the relying party, which prevents credential reuse on a fake site. That changes the control from a human-verifiable prompt into a machine-verifiable assertion. It also reduces reliance on shared secrets, which are exactly what phishing kits and session interception attacks are designed to steal. This is why the assurance improvement is structural, not cosmetic.
Practical implication: adopt cryptographic authenticators for privileged and remote access paths where replay-resistant assurance matters most.
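To make the contrast concrete, here is an added example in Python (not code from the Axiad article or from NHIMG) of the relying-party side: a TOTP verifier that cannot distinguish a relayed code from a genuine one, beside the WebAuthn checks on clientDataJSON origin, challenge and rpIdHash that reject an assertion produced on a look-alike origin. RP_ID, RP_ORIGIN, the look-alike domain and the shared secret are constructed values, and signature verification is omitted to isolate the binding checks.

```python
import base64
import hashlib
import hmac
import json
import struct

# Assumed relying-party identity for this example (constructed, not a real service).
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"


def totp_code(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, six digits) for the window containing `at`."""
    mac = hmac.new(secret, struct.pack(">Q", at // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10**6
    return f"{val:06d}"


def verify_totp(secret: bytes, code: str, at: int) -> bool:
    """Server-side OTP check. Nothing binds the code to the page the user typed
    it into, so a code relayed by a proxy within the window is indistinguishable."""
    return hmac.compare_digest(totp_code(secret, at), code)


def browser_assertion(origin: str, challenge: str) -> tuple[str, bytes]:
    """What a browser emits for navigator.credentials.get() on a page at `origin`:
    clientDataJSON (origin filled in by the browser, not the user) and
    authenticatorData whose first 32 bytes hash the page's effective domain."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    cd_b64 = base64.urlsafe_b64encode(json.dumps(client_data).encode()).decode().rstrip("=")
    domain = origin.split("://", 1)[1]
    auth_data = hashlib.sha256(domain.encode()).digest() + b"\x05" + b"\x00" * 4
    return cd_b64, auth_data


def verify_webauthn_binding(cd_b64: str, auth_data: bytes, expected_challenge: str) -> bool:
    """Relying-party checks that make the assertion origin-bound and replay-resistant.
    Signature verification over authData || SHA-256(clientDataJSON) is omitted here."""
    client_data = json.loads(base64.urlsafe_b64decode(cd_b64 + "=" * (-len(cd_b64) % 4)))
    if client_data.get("type") != "webauthn.get":
        return False
    if client_data.get("challenge") != expected_challenge:   # fresh per ceremony: no replay
        return False
    if client_data.get("origin") != RP_ORIGIN:               # look-alike site cannot forge this
        return False
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    return hmac.compare_digest(auth_data[:32], rp_id_hash)   # rpIdHash must match the RP ID
```

The genuine assertion passes, the same assertion presented against a new challenge fails, and an assertion produced on a look-alike origin fails on the origin and rpIdHash checks.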
Why implementation complexity becomes a governance issue
The article treats implementation effort as a major blocker, but that is really an identity governance issue disguised as an integration concern. Stronger MFA usually requires changes in enrollment, recovery, device lifecycle, and exception handling. If those processes are weak, organisations fall back to legacy methods because they are easier to support. The result is a programme that technically supports phishing resistance but operationally preserves weaker pathways for users who are hard to migrate, hard to train, or too risky to interrupt. Governance quality determines whether the stronger control is actually adopted.
Practical implication: define recovery and exception paths before rollout, or the weakest authentication method will remain the default.
NHI Mgmt Group analysis
Good enough MFA is an assurance problem, not a checkbox problem. The article shows how organisations can satisfy a policy requirement while still leaving the authentication ceremony vulnerable to phishing, relay attacks, and SIM swap abuse. That means the programme has met the form of MFA without gaining the substance of resistance. Practitioners should treat MFA quality as part of access assurance, not just enrolment coverage.
Phishing-resistant authentication is the point at which identity control starts constraining attacker reuse. SMS, OTPs, and push approvals can be captured and replayed because they depend on transferable secrets or user responses. Cryptographic authenticators change the trust boundary so the attacker cannot simply reuse what they steal. In NIST CSF terms, this is a protect-function issue that directly affects the integrity of the authenticate step.
The real governance gap is exception handling. Many programmes know how to enable stronger MFA for the standard user journey, but they struggle to remove fallback methods, reset flows, and legacy device paths. Those exceptions become the easiest route into the environment. The implication is that authentication policy, recovery policy, and device lifecycle policy have to be governed together, or the weakest path becomes the operational default.
Identity security teams should stop treating phishing resistance as a future-state luxury. The control is most valuable where the blast radius of account compromise is highest, especially privileged users, administrators, and remote access. If those populations remain on weaker factors, the organisation is effectively accepting that some identities will always be easier to impersonate than others. That is a governance choice, not a technical inevitability.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, showing that identity compromise is already a mainstream operational issue, not a niche control failure.
- For a broader breach lens, 52 NHI Breaches Analysis shows how identity compromise patterns repeat when credential governance lags behind access sprawl.
What this signals
Good enough MFA will remain a risk magnet until organisations treat assurance level as a policy decision. If a programme still allows replayable second factors on privileged or remote access paths, the control design is accepting avoidable impersonation risk. Teams should align authentication strength with account criticality, then remove fallback methods that silently undo the stronger control.
Phishing resistance has become part of lifecycle governance, not just login hardening. Enrollment, device replacement, lost-token handling, and recovery all determine whether cryptographic factors stay in place or degrade into weaker methods. The practical next step is to review which access journeys still depend on SMS, OTP, or push approval, then rework the exception paths.
As MFA migration accelerates, the identity attack surface shifts from password theft to recovery abuse and session theft. That means security teams need to look beyond the authentication event itself and inspect the entire access path, including support workflows and fallback routes. The organisations that close those gaps first will see the biggest reduction in account takeover exposure.
For practitioners
- Prioritise phishing-resistant MFA for privileged access: Move administrators, help desk operators, and remote access users to cryptographic authenticators first, because these accounts carry the highest account-takeover impact and are the easiest to monetise after compromise.
- Retire weak fallback methods and recovery bypasses: Remove SMS, OTP, and push-based exceptions wherever possible, and redesign account recovery so it does not quietly reintroduce the same weak factor you are trying to eliminate.
- Map authentication methods to actual assurance levels: Inventory which applications still accept weaker second factors, then classify them by business criticality so you can target the highest-risk paths before broadening rollout.
- Treat enrollment and device lifecycle as control dependencies: Build clear processes for enrollment, device replacement, lost-key handling, and reauthentication so stronger MFA does not collapse into unsupported exceptions during normal operations.
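As an added illustration of the measurements described under Key questions and of the inventory step above (example code, not from the Axiad article or from NHIMG), this Python script computes those metrics over a constructed account and application inventory: the share of privileged users on cryptographic authenticators only, the replayable fallbacks still enrolled, how often recovery reintroduces a weak factor, and which applications still accept a replayable second factor ranked by criticality. The user names, app names and method labels are made-up sample data.

```python
from collections import Counter

# Method classes as the article frames them: cryptographic (FIDO2/WebAuthn, PKI)
# versus replayable (SMS, OTP, push approval).
CRYPTOGRAPHIC = {"fido2", "pki"}
REPLAYABLE = {"sms", "otp", "push"}
CRITICALITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample inventory, not real data: enrolled factors and recovery method per account.
ACCOUNTS = [
    {"user": "alice", "privileged": True,  "methods": {"fido2"},        "recovery": "fido2"},
    {"user": "bob",   "privileged": True,  "methods": {"fido2", "sms"}, "recovery": "sms"},
    {"user": "carol", "privileged": True,  "methods": {"push"},         "recovery": "otp"},
    {"user": "dave",  "privileged": False, "methods": {"otp"},          "recovery": "otp"},
    {"user": "erin",  "privileged": False, "methods": {"pki"},          "recovery": "helpdesk"},
]

# Constructed sample of applications and the second factors each still accepts.
APPS = [
    {"app": "vpn",           "criticality": "high",   "accepted": {"fido2", "otp"}},
    {"app": "admin-console", "criticality": "high",   "accepted": {"fido2"}},
    {"app": "hr-portal",     "criticality": "medium", "accepted": {"push", "sms"}},
    {"app": "wiki",          "criticality": "low",    "accepted": {"otp"}},
]


def privileged_on_cryptographic_only(accounts) -> float:
    """Share of privileged users whose enrolled methods are all cryptographic.
    A user with FIDO2 plus SMS still counts as weak: the fallback undoes the control."""
    priv = [a for a in accounts if a["privileged"]]
    strong = [a for a in priv if a["methods"] <= CRYPTOGRAPHIC]
    return len(strong) / len(priv) if priv else 0.0


def allowed_fallbacks(accounts) -> Counter:
    """How many accounts still carry each replayable method."""
    return Counter(m for a in accounts for m in a["methods"] & REPLAYABLE)


def recovery_bypass_rate(accounts) -> float:
    """Fraction of accounts whose recovery path reintroduces a replayable factor."""
    bypass = [a for a in accounts if a["recovery"] in REPLAYABLE]
    return len(bypass) / len(accounts) if accounts else 0.0


def weak_apps_by_criticality(apps) -> list:
    """Apps that still accept a replayable second factor, highest criticality first."""
    weak = [(x["app"], x["criticality"], sorted(x["accepted"] & REPLAYABLE))
            for x in apps if x["accepted"] & REPLAYABLE]
    return sorted(weak, key=lambda w: CRITICALITY_RANK[w[1]])
```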
Key takeaways
- Basic MFA can satisfy policy language while still leaving users vulnerable to phishing, relay attacks, and other real-time interception techniques.
- The scale of the problem is already visible in identity breach research, where compromised non-human identities are associated with repeated successful attacks across enterprises.
- The decisive control change is not adding more MFA prompts, but replacing replayable factors and cleaning up the recovery paths that preserve them.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication strength directly affects how access is established and maintained. |
| NIST SP 800-63 | | Digital identity assurance guidance is central to choosing phishing-resistant methods. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous, resistant verification rather than replayable factors. |
Use stronger authenticators for high-value access paths and remove weaker fallback methods.
Key terms
- Phishing-resistant MFA: Multi-factor authentication that cannot be easily replayed, proxied, or captured by a fake login page. The strongest forms use cryptographic proof tied to the authenticating device or key, which raises the bar beyond passwords, SMS codes, and one-time passwords.
- Man-in-the-middle phishing: An attack in which a criminal places themselves between the user and the real service to intercept credentials, approvals, or session artefacts. The user believes they are authenticating normally, while the attacker relays the exchange and captures reusable identity material.
- Fallback authentication path: An alternate login or recovery method that activates when the primary control is unavailable. These paths often become the weakest part of an identity programme because they are designed for convenience and continuity, but they can quietly preserve replayable or lower-assurance access.
- Assurance level: The degree of confidence an organisation has that the person or system accessing a resource is really the intended identity. In practice, it reflects how resistant the authentication method is to theft, replay, or interception, and how much trust the programme places in that control.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: Today's “Good Enough MFA” Should Be Phishing-Resistant. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org