By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: Identity-based attacks using stolen credentials have risen by 71% and now drive some of the most damaging cloud breaches, according to IBM and the Snowflake-linked incidents discussed by Axiad. The lesson is structural: MFA alone is not enough when phishing, credential reuse, and third-party access remain viable entry points.


At a glance

What this is: Axiad argues that identity gaps in cloud access show why organisations need both x.509 certificates and FIDO passkeys, rather than MFA alone, to make authentication phishing resistant.

Why it matters: IAM teams need to treat phishing resistance as a programme design issue across human, NHI, and delegated access paths, because weak authentication still opens the door to high-impact identity abuse.

By the numbers:

👉 Read Axiad's analysis of x.509 certificates and FIDO for phishing-resistant access


Context

Identity attack surface is the area where credentials, authenticators, and access paths can be abused. In cloud environments, that surface expands quickly when people, service accounts, and third-party access all rely on reusable login methods that can be phished or stolen.

The article’s core issue is not authentication in the abstract. It is the gap between standard MFA and phishing-resistant controls, especially where organisations assume a single factor or a single method can cover every access path. That assumption breaks down when attackers use stolen credentials, bypass weak MFA flows, or move through unprotected demo and cloud accounts.


Key questions

Q: How should security teams reduce phishing risk in cloud identity environments?

A: Security teams should prioritise phishing-resistant authentication for the access paths that can reach sensitive cloud services, privileged consoles, and third-party integrations. MFA alone is not enough if the control can be bypassed, socially engineered, or inconsistently enforced. Combine device-bound trust, strong account lifecycle governance, and explicit exception management so stolen credentials do not become an easy path into cloud data.

Q: Why do valid credentials remain such a major enterprise risk?

A: Valid credentials work because they bypass many traditional perimeter controls and often inherit legitimate access. Once stolen, they can be used from normal login flows, especially where MFA is weak, incomplete, or excluded. That is why identity security has to focus on assurance strength, not just login success, and on reducing how far a compromised identity can move once inside.

Q: How can organisations tell whether their MFA programme is actually strong enough?

A: Look for coverage gaps, exception paths, and methods that can be reset, replayed, or coerced through user interaction. A strong programme has consistent enforcement, phishing-resistant options for high-risk access, and monitoring for fallback methods that quietly weaken assurance. If users can get to sensitive systems through a weaker route, the programme is not truly resistant.

Q: What is the difference between FIDO passkeys and x.509 certificates in enterprise access?

A: FIDO passkeys remove passwords and rely on device-bound, biometric-backed authentication, while x.509 certificates use PKI-backed trust tied to hardware or managed endpoints. Both reduce phishing exposure, but they fit different parts of the estate. Many organisations need both because application support, device coverage, and workflow fit are not identical across the enterprise.


Technical breakdown

Why standard MFA still leaves an identity attack surface

Standard MFA reduces risk, but it does not eliminate it. If a method can be prompted, replayed, or socially engineered, attackers can still turn identity into an access path. The article’s examples show that breached accounts, weakly protected demo access, and third-party systems remain attractive because they often sit outside the strongest authentication enforcement. In practice, MFA quality matters as much as MFA presence. Risk rises when coverage is uneven, exception handling is informal, or users can bypass the control during convenience-driven workflows.

Practical implication: verify where MFA can be bypassed, weakened, or excluded before treating it as a control boundary.

How x.509 certificates change phishing resistance for enterprise access

x.509 certificates use PKI-backed device or token trust instead of human-entered secrets. That shifts authentication away from something a user can be tricked into revealing and toward something bound to a managed cryptographic identity. The article positions this as useful for workforce devices and applications such as Windows, macOS, Salesforce, and Microsoft 365, where certificate-based trust can fit existing access patterns. The important detail is not that certificates are newer, but that they remove the phishing interaction from the authentication step.

Practical implication: map high-risk user populations and admin access flows to certificate-based authentication where phishing resistance is required.

Why FIDO passkeys close gaps that passwords and prompts cannot

FIDO passkeys replace shared or memorised secrets with device-bound, biometric-backed authentication. That makes credential theft materially harder because the user is not typing a secret that can be harvested through phishing or reused elsewhere. The article also notes an operational constraint: passkeys are not universally supported across every site or device, so they cannot yet be treated as the only answer. For practitioners, the architectural point is that FIDO handles the human interaction layer well, but coverage gaps still require complementary controls.

Practical implication: use FIDO where it is supported, then identify the applications and platforms that still need a second phishing-resistant path.
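The two sections above describe the same property from two angles: a private key held on the device signs a server challenge, so nothing reusable is typed into a page. The following Go program is an added illustration, not code from Axiad or from the NHI Mgmt Group, of why that defeats a credential-relay phish in the FIDO model. It uses a constructed authenticator, a hypothetical relying party "login.example.com", a constructed attacker origin, and a fixed challenge string (real servers issue fresh random challenges). The relying party verifies the ECDSA signature, the challenge, and the origin the browser recorded; a relayed assertion from a look-alike origin fails even though the challenge is genuine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData mirrors WebAuthn's collectedClientData. The browser, not the web
// page, fills in Origin, so a phishing page cannot claim to be the real site.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a constructed model of a device-bound credential store:
// one P-256 key pair per relying party ID. The private key never leaves it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a credential scoped to rpID and returns the public key the
// relying party stores at enrolment (the only thing the server ever holds).
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedDigest is what both sides hash: SHA-256(rpIdHash || SHA-256(clientDataJSON)).
func signedDigest(rpID string, cdJSON []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cdJSON)
	d := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return d[:]
}

// Assert simulates a login: the browser builds clientData from the server's
// challenge and the origin it is actually connected to, then the authenticator
// signs it. No reusable secret is typed or transmitted.
func (a *Authenticator) Assert(rpID, browserOrigin, challenge string) (cdJSON, sig []byte, err error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	cdJSON, err = json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, cdJSON))
	return cdJSON, sig, err
}

// Verify is the relying party's check: signature valid for the enrolled key,
// challenge equal to the one we issued, and origin equal to ours.
func Verify(pub *ecdsa.PublicKey, rpID, expectedOrigin, issuedChallenge string, cdJSON, sig []byte) bool {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return false
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issuedChallenge || cd.Origin != expectedOrigin {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(rpID, cdJSON), sig)
}

// Scenarios runs a genuine login and a relayed one. In the relayed case a
// look-alike page (constructed origin) forwards the real server's challenge,
// but the browser records the origin the user is really on, so the server rejects it.
func Scenarios() (legitOK, relayedOK bool, err error) {
	const rpID, origin = "login.example.com", "https://login.example.com" // hypothetical relying party
	const phishOrigin = "https://login.example.com.evil.test"             // constructed attacker origin
	auth := NewAuthenticator()
	pub, err := auth.Register(rpID)
	if err != nil {
		return false, false, err
	}
	challenge := "constructed-fixed-challenge" // real servers use fresh random bytes per login

	cd, sig, err := auth.Assert(rpID, origin, challenge)
	if err != nil {
		return false, false, err
	}
	legitOK = Verify(pub, rpID, origin, challenge, cd, sig)

	// Even if the right key were used, the origin field gives the relay away.
	cd, sig, err = auth.Assert(rpID, phishOrigin, challenge)
	if err != nil {
		return false, false, err
	}
	relayedOK = Verify(pub, rpID, origin, challenge, cd, sig)
	return legitOK, relayedOK, nil
}

func main() {
	legit, relayed, err := Scenarios()
	fmt.Println("genuine login verified:", legit, "| relayed login verified:", relayed, "| err:", err)
}
```

The same structure applies to certificate-based authentication: the challenge is signed by the key behind the x.509 certificate, and the verifier checks the signature and certificate chain rather than anything the user typed. What differs between the two is where the key lives and which platforms and applications can consume the proof, which is why the article treats them as complementary rather than interchangeable.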


Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Phishing-resistant authentication is now an identity architecture problem, not a login preference. The article shows that stolen credentials still unlock material cloud access when MFA is uneven or bypassable. That means the control question is not whether organisations have authentication, but whether their authentication design can survive phishing, social engineering, and exception sprawl. Practitioners should treat authentication method selection as a core identity risk decision.

x.509 and FIDO solve different parts of the same trust problem. Certificates anchor device or token trust in PKI, while FIDO removes user-entered secrets from the attack path. The article’s key insight is that neither control fully replaces the other across the enterprise. A mixed access estate needs more than one phishing-resistant mechanism if it is to cover all applications, devices, and user journeys.

Standing access plus weak authentication creates a compound exposure window. The breaches discussed in the article were not just credential events; they were trust failures in environments where access was already broadly available. Once an attacker obtains a valid identity, cloud systems and third-party accounts can turn that identity into rapid data access. The implication is that authentication hardening and access scope reduction have to be evaluated together, not separately.

Identity attack surface reduction is becoming a board-level resilience metric. The combination of cloud migration, valid-credential abuse, and third-party exposure means identity controls now shape incident probability as much as perimeter controls once did. A programme that cannot measure phishing resistance across its main access paths is carrying hidden risk. Practitioners should view coverage, not just control adoption, as the real governance test.

Cross-domain identity governance matters because the same failure pattern appears in human, NHI, and delegated access paths. The article centres on human authentication, but the underlying lesson is broader: any identity that can be phished, reused, or insufficiently bound to device trust expands the attack surface. That makes identity assurance a shared governance concern across workforce logins, service access, and machine-mediated workflows.

From our research:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, which means identity assurance gaps are already part of normal operating conditions.
  • With LLMjacking: How Attackers Hijack AI Using Compromised NHIs, we see the same pattern in AI-linked identity abuse: exposed secrets become fast-moving attack paths, not theoretical weaknesses.

What this signals

Phishing resistance is becoming a coverage problem, not a feature check. Many programmes can say they have MFA, but far fewer can prove that sensitive access paths are protected by methods that cannot be phished or bypassed. That is where x.509, FIDO, and stronger exception governance matter. Security teams should treat authentication inventory as a control map, not a policy statement.

The broader market signal is that identity assurance is now shaping cloud resilience as directly as network segmentation once did. When attackers can turn a stolen credential into a legitimate session, the organisation has already lost the first decision point. Teams should expect more scrutiny of access methods, more pressure to eliminate weak fallback routes, and more demand to prove that high-risk access is actually phishing resistant.


For practitioners

  • Map authentication exceptions across cloud access paths: Inventory where MFA is missing, bypassable, or inconsistently enforced across employees, contractors, demo accounts, and admin workflows. Prioritise the paths that can reach sensitive cloud data or third-party platforms.
  • Deploy phishing-resistant authentication for high-risk roles: Use x.509 certificates or FIDO passkeys where users access privileged or sensitive systems, and reserve weaker methods only where the application or device landscape still forces them.
  • Separate demo and non-production access from production trust: Treat demo accounts and shared testing environments as distinct identity domains with their own controls, review cadence, and revocation rules. Do not let lower-trust access patterns inherit production reach.
  • Validate third-party access before cloud systems become shared blast radius: Require explicit review of vendor and partner credentials that can reach cloud storage or customer data. Reconfirm who owns the account, what it can reach, and how quickly it can be disabled after role changes.
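The four steps above, together with the earlier question about how to tell whether an MFA programme is strong enough, amount to one procedure: build an inventory of access paths, classify each method by phishing resistance, and flag every sensitive path that a weaker primary method, a fallback, or an enforcement exception still leaves open. The Go program below is an added example of that audit written for this page, not tooling from Axiad or the NHI Mgmt Group. The inventory rows, principal names, resource names, and the method classification are all constructed; in a real programme the rows would come from the IdP, cloud IAM, and vendor access records.

```go
package main

import "fmt"

// Method is an authenticator type as it appears in an access inventory.
type Method string

const (
	Password    Method = "password"
	SMSOTP      Method = "sms-otp"
	TOTP        Method = "totp"
	Push        Method = "push-approve"
	Passkey     Method = "fido-passkey"
	Certificate Method = "x509-certificate"
)

// PhishingResistant classifies methods the way the page does: only FIDO
// passkeys and certificate-based authentication keep a phishable or replayable
// secret out of the login step. OTPs can be relayed and push prompts coerced.
var PhishingResistant = map[Method]bool{Passkey: true, Certificate: true}

// AccessPath is one row of a constructed authentication inventory:
// who, via what kind of identity, reaches which resource, and how.
type AccessPath struct {
	Principal string
	Kind      string   // employee, contractor, demo, service, third-party
	Resource  string
	Sensitive bool     // can reach sensitive cloud data or a privileged console
	Primary   Method   // enforced method
	Fallbacks []Method // recovery or "temporary" methods that still work
	Exception bool     // MFA enforcement is waived or bypassable for this path
}

func (p AccessPath) key() string { return p.Principal + " -> " + p.Resource }

type Finding struct {
	Path   string
	Reason string
}

// Audit flags every sensitive path that a phished, replayed or bypassed
// credential could still traverse, including via fallback methods.
func Audit(paths []AccessPath) []Finding {
	var out []Finding
	for _, p := range paths {
		if !p.Sensitive {
			continue
		}
		if !PhishingResistant[p.Primary] {
			out = append(out, Finding{p.key(), fmt.Sprintf("primary method %s can be phished or replayed", p.Primary)})
		}
		for _, f := range p.Fallbacks {
			if !PhishingResistant[f] {
				out = append(out, Finding{p.key(), fmt.Sprintf("fallback %s quietly lowers assurance", f)})
			}
		}
		if p.Exception {
			out = append(out, Finding{p.key(), "enforcement exception lets the path bypass MFA"})
		}
	}
	return out
}

// Coverage answers the governance question: how many sensitive paths are
// protected end to end, with no weaker route, out of how many exist.
func Coverage(paths []AccessPath) (covered, total int) {
	flagged := map[string]bool{}
	for _, f := range Audit(paths) {
		flagged[f.Path] = true
	}
	for _, p := range paths {
		if !p.Sensitive {
			continue
		}
		total++
		if !flagged[p.key()] {
			covered++
		}
	}
	return covered, total
}

// SampleInventory is constructed data; principals and resources are hypothetical.
func SampleInventory() []AccessPath {
	return []AccessPath{
		{"alice", "employee", "aws-prod-console", true, Passkey, []Method{SMSOTP}, false},
		{"bob", "contractor", "snowflake-customer-db", true, Password, []Method{TOTP}, false},
		{"demo-sales", "demo", "crm-demo-tenant", false, Password, nil, false},
		{"demo-sales", "demo", "s3-customer-exports", true, Password, nil, true},
		{"ci-deploy", "service", "k8s-prod-api", true, Certificate, nil, false},
		{"vendor-bi", "third-party", "snowflake-customer-db", true, Push, nil, true},
		{"carol", "employee", "m365-mailbox", true, Certificate, []Method{Password}, false},
	}
}

func main() {
	inv := SampleInventory()
	for _, f := range Audit(inv) {
		fmt.Printf("%-40s %s\n", f.Path, f.Reason)
	}
	c, t := Coverage(inv)
	fmt.Printf("phishing-resistant coverage: %d of %d sensitive paths\n", c, t)
}
```

On the constructed inventory only the certificate-authenticated service account passes cleanly: the passkey user is undercut by an SMS fallback, the certificate user by a password fallback, and the demo and vendor accounts by both a phishable primary method and an enforcement exception. That is the "coverage, not adoption" distinction the analysis draws: a programme can report passkeys and certificates deployed while most sensitive paths still have a weaker route.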

Key takeaways

  • Identity-based breaches keep succeeding because organisations still rely on authentication paths that attackers can phish, replay, or bypass.
  • The article’s evidence shows that valid credentials are now a primary attack vector, so authentication strength and coverage matter as much as policy intent.
  • Teams should pair phishing-resistant methods with exception cleanup and access review, or they will keep hardening the wrong part of the stack.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.AC-1             | Identity proofing and access control are central to the article's authn gap.
NIST SP 800-63                |                     | The post is about authentication assurance and phishing resistance.
NIST Zero Trust (SP 800-207)  | PR.AC-4             | Zero Trust requires strong, continuous identity assurance across access paths.

Use 800-63 guidance to select authenticators that resist replay, phishing, and social engineering.


Key terms

  • Phishing-resistant authentication: Authentication that cannot be easily captured and replayed by an attacker through deception. In practice, this means removing reusable secrets from the login step and binding access to hardware, cryptographic proof, or device-backed trust that is harder to trick a user into surrendering.
  • X.509 certificate authentication: A certificate-based authentication method that uses public key infrastructure to prove identity. It binds trust to a device, token, or managed endpoint rather than a memorised password, which makes phishing much harder and supports stronger enterprise access assurance.
  • FIDO passkey: A passwordless authentication credential based on the FIDO standard. It uses cryptographic keys stored on a user device and often biometric confirmation to verify the user, reducing dependence on secrets that can be phished, reused, or guessed.
  • Identity attack surface: The total set of identity controls, credentials, and access paths that an attacker can exploit to get into an environment. It includes human logins, service access, third-party accounts, and fallback methods that reduce assurance when primary controls fail.

Deepen your knowledge

Phishing-resistant authentication, x.509 certificates, and FIDO passkeys are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building stronger identity controls across cloud and delegated access, it is worth exploring.

This post draws on content published by Axiad: Identity Gaps: The Need to Use Both x.509 & FIDO. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org