TL;DR: Password-based MFA still leaves attackers room to phish, intercept one-time codes, and exploit prompt bombing because the password and second factors remain vulnerable, according to Beyond Identity. The security case for passwordless, phishing-resistant authentication is now operational, not theoretical, for IAM and NHI teams.
At a glance
What this is: This is an analysis of why password-based MFA still fails when the second factor is phishable and the password remains in the authentication flow.
Why it matters: It matters because IAM teams must treat authentication as an NHI governance problem too, especially where service workflows, shared credentials, and human login habits create weak links.
By the numbers:
- Compromised credentials are the source of three out of every five attacks, according to Verizon’s 2021 Data Breach Investigations Report.
👉 Read Beyond Identity’s analysis of password-based MFA vulnerabilities
Context
Password-based MFA reduces risk, but it does not remove the core trust problem in authentication: if the password or second factor can be phished, intercepted, or coerced, the control still fails under real attacker pressure. For IAM and NHI governance, that means the issue is not only user login hygiene. It is whether the organisation can prove that the credential and the device behind it are both trustworthy.
The article argues that phishable factors such as SMS codes, OTPs, push approvals, and magic links can be abused through interception or prompt bombing. That pattern is familiar in identity security: controls built to slow attackers often create friction that users work around, which weakens the control further. For security teams, this is a typical failure mode, not an edge case.
Key questions
Q: How should security teams reduce phishing risk in MFA without creating more user friction?
A: Use phishing-resistant authentication for the highest-risk access first, then phase out phishable factors such as SMS, email links, and push approvals. Bind access to a device or cryptographic key, and keep fallback paths tightly controlled. The goal is not zero friction at any cost. It is to move friction away from the attacker and toward the rare recovery case.
Q: When does password-based MFA create more risk than it removes?
A: It creates more risk when users can be tricked into approving prompts, when OTPs travel through interceptable channels, or when fallback recovery paths are weak. At that point, MFA adds ceremony without adding assurance. Organisations should assume the control is failing if an attacker can win by abusing the second factor rather than breaking it.
Q: What is the difference between passwordless MFA and traditional MFA?
A: Traditional MFA adds a second factor on top of a password, usually through an approval, code, or message that can still be phished or intercepted. Passwordless MFA removes the password and shifts assurance to cryptographic credentials, biometrics, and device checks. That changes the trust model from copied secrets to harder-to-replay identity proofs.
Q: Why do continuous authentication checks matter after login?
A: Because many attacks succeed after the initial login, not before it. Continuous checks let security teams re-evaluate device posture and user behaviour during the session, so a compromised endpoint or suspicious pattern can reduce trust before the attacker reaches sensitive systems. That is especially useful for privileged and high-value workflows.
Technical breakdown
Why password-based MFA remains phishable
Password-based MFA adds a second check, but the security model still depends on factors attackers can intercept, coerce, or replay. SMS, email links, OTPs, and push approvals all rely on channels that can be stolen or manipulated. Prompt bombing works because the attacker turns user fatigue into a bypass path. When authentication assumes the user will carefully validate each challenge, it fails under normal operational noise. The technical issue is not just credential theft. It is that the assurance level of the factor is too low for high-risk access.
Practical implication: Treat phishable second factors as risk reducers, not proof of identity.
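One way to operationalise this from the detection side, as an added example that is not part of the original article or of Beyond Identity's material: a small Go program that parses constructed MFA push log lines (the `time user=… result=…` format and the result names are assumptions) and flags a user when several push prompts were issued within a short window and one of them was eventually approved, which is the fatigue pattern prompt bombing relies on.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// PushEvent is one MFA push record parsed from a log line.
type PushEvent struct {
	Time   time.Time
	User   string
	Result string // "sent", "denied", "timeout" or "approved"
}

// sampleLog is constructed data, not a real log. Alice gets a burst of
// prompts and finally approves one; Bob gets a single prompt and approves.
const sampleLog = `2025-08-05T09:00:01Z user=alice result=sent
2025-08-05T09:00:04Z user=alice result=denied
2025-08-05T09:00:10Z user=alice result=sent
2025-08-05T09:00:40Z user=alice result=timeout
2025-08-05T09:00:45Z user=alice result=sent
2025-08-05T09:01:02Z user=alice result=sent
2025-08-05T09:01:09Z user=alice result=approved
2025-08-05T09:05:00Z user=bob result=sent
2025-08-05T09:05:06Z user=bob result=approved`

// parseLine reads "<RFC3339 time> key=value ..." (an assumed log format).
func parseLine(line string) (PushEvent, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return PushEvent{}, fmt.Errorf("malformed line: %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return PushEvent{}, err
	}
	ev := PushEvent{Time: ts}
	for _, kv := range fields[1:] {
		switch k, v, _ := strings.Cut(kv, "="); k {
		case "user":
			ev.User = v
		case "result":
			ev.Result = v
		}
	}
	return ev, nil
}

// ParseLog parses every non-empty line; one malformed line aborts the parse.
func ParseLog(text string) ([]PushEvent, error) {
	var events []PushEvent
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	return events, nil
}

// DetectPromptBombing returns the users for whom an approval was preceded by
// at least threshold prompts ("sent") within window. One or two prompts is a
// normal login; a burst that ends in an approval is the fatigue pattern.
func DetectPromptBombing(events []PushEvent, window time.Duration, threshold int) []string {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var flagged []string
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		for _, approval := range evs {
			if approval.Result != "approved" {
				continue
			}
			start := approval.Time.Add(-window)
			sent := 0
			for _, p := range evs {
				if p.Result == "sent" && !p.Time.Before(start) && !p.Time.After(approval.Time) {
					sent++
				}
			}
			if sent >= threshold {
				flagged = append(flagged, user)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

func main() {
	events, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("flagged users:", DetectPromptBombing(events, 5*time.Minute, 3)) // [alice]
}
```

The window and threshold are tuning knobs: too low and every retried login alerts, too high and a patient attacker spacing prompts out slips through. Pairing the rule with a second signal, such as an approval from a different network location than the prompts, cuts the false-positive rate further.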
Passwordless authentication and device-bound identity
Passwordless MFA shifts trust away from memorised secrets and toward cryptographic keys, local biometrics, and device-level checks. Cryptographic credentials are harder to intercept because they bind authentication to the device and the private key never leaves it. Device checks add context by validating whether the endpoint is patched, intact, and in policy. This is a stronger model for both human and machine access because it reduces dependence on secrets that can be copied. It also aligns more closely with Zero Trust Architecture, where authentication is continuous and contextual rather than one-time and static.
Practical implication: Prioritise device-bound authentication for access paths that expose sensitive systems or automation.
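To show what "the private key never leaves the device" buys in practice, here is an added, deliberately simplified challenge-response example in Go. It is not Beyond Identity's code or the article's; the `Device` and `Server` types, the origin strings, the nonce format and the `origin|nonce` digest layout are all assumptions that follow the general shape of WebAuthn-style device-bound authentication. The device generates an ECDSA key pair and hands over only the public key at enrolment; every login signs a fresh server nonce together with the origin the client observed, so a challenge relayed through a look-alike site is signed under the wrong origin, and a captured assertion cannot be replayed because the nonce is consumed on first use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Device stands in for an endpoint authenticator. In production the private
// key would be generated inside a TPM or secure enclave; here it is held in
// memory purely for illustration (assumed, simplified model).
type Device struct{ priv *ecdsa.PrivateKey }

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKey is the only key material that leaves the device (at enrolment).
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// assertionDigest binds the nonce to the origin the client believes it is
// talking to. A challenge relayed through a look-alike site is therefore
// signed under the wrong origin and fails verification at the real server.
func assertionDigest(nonce, origin string) []byte {
	h := sha256.Sum256([]byte(origin + "|" + nonce))
	return h[:]
}

// Sign answers a challenge; the private key is used in place, never exported.
func (d *Device) Sign(nonce, observedOrigin string) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, assertionDigest(nonce, observedOrigin))
}

// Server holds enrolled public keys and outstanding single-use challenges.
type Server struct {
	origin     string
	keys       map[string]*ecdsa.PublicKey // user -> enrolled device key
	challenges map[string]bool             // nonce -> still outstanding
}

func NewServer(origin string) *Server {
	return &Server{origin: origin, keys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// Challenge issues a fresh random nonce for exactly one login attempt.
func (s *Server) Challenge() (string, error) {
	var n [32]byte
	if _, err := rand.Read(n[:]); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(n[:])
	s.challenges[nonce] = true
	return nonce, nil
}

// Verify checks the assertion under the server's own origin and consumes the
// nonce, so a captured assertion cannot be replayed and an unknown or
// already-used nonce is rejected outright.
func (s *Server) Verify(user, nonce string, sig []byte) bool {
	pub, ok := s.keys[user]
	if !ok || !s.challenges[nonce] {
		return false
	}
	delete(s.challenges, nonce) // single use, whether the check passes or fails
	return ecdsa.VerifyASN1(pub, assertionDigest(nonce, s.origin), sig)
}

func main() {
	dev, err := NewDevice()
	if err != nil {
		panic(err)
	}
	srv := NewServer("https://login.example.com")
	srv.Register("alice", dev.PublicKey())

	nonce, _ := srv.Challenge()
	sig, _ := dev.Sign(nonce, "https://login.example.com")
	fmt.Println("genuine login:", srv.Verify("alice", nonce, sig))      // true
	fmt.Println("replayed assertion:", srv.Verify("alice", nonce, sig)) // false

	nonce2, _ := srv.Challenge()
	sig2, _ := dev.Sign(nonce2, "https://login-example.com") // look-alike origin
	fmt.Println("relayed challenge:", srv.Verify("alice", nonce2, sig2)) // false
}
```

Contrast this with an OTP: the code itself is the secret, so whoever sees it can use it. Here the secret is never transmitted, and the thing that is transmitted is only valid for one nonce and one origin, which is what makes the factor resistant to interception and relay rather than merely harder to guess.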
Continuous authentication as a control pattern
Continuous authentication extends identity assurance beyond the login event by re-checking posture and behaviour during the session. That matters because many attacks succeed after initial authentication, not during it. Re-evaluation every few minutes can detect posture drift, suspicious behaviour, or device tampering that one-time MFA would miss. For NHI governance, the broader lesson is that ephemeral trust should remain ephemeral. If credentials or sessions can outlive their expected security context, they become easier to abuse than the login event itself.
Practical implication: Use session revalidation for high-value workflows instead of relying on a single login decision.
Threat narrative
Attacker objective: The attacker wants to bypass second-factor checks and turn one stolen credential into durable account access.
- Entry occurs when an attacker obtains a password and triggers repeated MFA prompts or intercepts OTPs through email, SMS, or push channels.
- Escalation follows when the user accepts a fatigue-based prompt or the attacker reuses the phishable factor to register a device and complete authentication.
- Impact is full account takeover, which can extend to broader network access if the account has privileged reach or weak session controls.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Phishable MFA is a control smell, not a control strategy. If the second factor can be copied, forwarded, or socially engineered, the access decision remains vulnerable to the same attacker pressure that defeated the password. Organisations should stop treating any phishable factor as equivalent to strong assurance. The right conclusion is to remove trust from channels users and attackers can both influence.
Device binding is the missing identity control in many IAM programs. Passwordless authentication matters because it binds access to an endpoint, not just a secret or a user prompt. That matters even more as NHI populations grow, since service workflows need identity assurance that does not depend on human memory or manual challenge approval. Practitioners should make device trust part of the access decision.
Continuous verification reduces the value of stolen credentials. One-time MFA creates a narrow security checkpoint, but attackers often win after that checkpoint has passed. Re-checking posture and behaviour during the session narrows the window for abuse and better fits Zero Trust Architecture. Teams should design for authentication that degrades trust over time instead of granting it once.
Passwordless controls change the economics of identity attack paths. Attackers prefer the cheapest route, which is usually the least resistant one. When prompts, codes, and links are still in play, the economics favour phishing and social engineering. When access depends on cryptographic credentials and local checks, the attacker has to work much harder. Practitioners should prioritise control changes that raise attacker cost, not just user friction.
Ephemeral credential trust debt: any access flow that still depends on reusable or phishable factors accumulates hidden risk until the organisation removes the factor entirely. That debt shows up in help desk workarounds, prompt fatigue, and credential reuse. Teams should measure it as an access governance issue, not a usability nuisance.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.
- The Ultimate Guide to NHIs, Key Challenges and Risks, ties this gap to over-privilege, visibility gaps, and persistent credential exposure.
What this signals
Ephemeral credential trust debt: organisations that keep phishable factors in circulation are accumulating risk faster than they are reducing it. For programmes built around human login controls, the lesson is to redesign authentication around the assurance level of the factor, not the convenience of the user experience.
With 97% of NHIs carrying excessive privileges, per the Ultimate Guide to NHIs, passwordless and device-bound authentication become more than human-login improvements. They are part of a broader effort to stop low-assurance credentials from scaling across workloads, service accounts, and automated access paths.
For security roadmaps, the practical signal is clear: prioritise high-value access paths, then eliminate fallback methods that let weak factors survive the migration. The fastest reduction in identity risk comes from removing the most abusable trust assumptions, not from adding one more approval step.
For practitioners
- Replace phishable second factors on high-risk access paths: Start with administrator, finance, and production access where SMS, email OTPs, and push approvals still exist. Move those populations to phishing-resistant methods that rely on cryptographic credentials and device checks, then remove fallback paths that recreate the old risk.
- Bind authentication to managed devices: Require device-level security checks for privileged access, remote access, and any workflow that can reach sensitive systems. Validate patch state, endpoint integrity, and enrolment before access is granted, and revalidate when the session risk changes.
- Shorten the trust window with continuous revalidation: Use session-based checks for behavioural drift and endpoint posture every few minutes for critical systems. This reduces the chance that one successful login becomes a long-lived compromise and aligns better with continuous verification models in Zero Trust.
- Document and remove MFA fallback paths: Inventory recovery channels, help desk overrides, and legacy fallback methods that allow users to bypass stronger authentication. Each exception should have an expiry date, a compensating control, and an owner who reviews whether it is still justified.
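The device-binding, revalidation, and fallback-exception steps above, together with the continuous authentication pattern described in the technical breakdown, can be expressed as one small policy function. The following Go code is an added illustration, not the page's or any vendor's implementation: the posture fields, the five-minute interval, the trust scores and the thresholds are assumed values chosen to show trust degrading over time, not recommended settings. A session is re-scored only when it is due, an unenrolled or tampered endpoint drops trust to zero, a stale patch level erodes trust on every check, and a documented fallback exception is honoured only while it has an owner and has not expired.

```go
package main

import (
	"fmt"
	"time"
)

// Posture is the endpoint state reported at revalidation time. The fields
// are assumed signals, stand-ins for what a device-management agent reports.
type Posture struct {
	Enrolled  bool // managed and enrolled in the device trust system
	Patched   bool // within the patch baseline
	Integrity bool // no tamper or integrity-check failure
}

// Exception is a documented MFA fallback path. Without an owner and an
// expiry it is not honoured at all.
type Exception struct {
	Owner   string
	Expires time.Time
}

// Session is an authenticated session whose trust is re-scored over time.
type Session struct {
	User          string
	Privileged    bool
	LastValidated time.Time
	Trust         int // 0..100; lowered by failed checks, restored by healthy ones
}

type Decision string

const (
	Allow  Decision = "allow"
	StepUp Decision = "step-up" // fresh phishing-resistant authentication required
	Revoke Decision = "revoke"
)

// revalidateEvery and the thresholds in Revalidate are illustrative values.
const revalidateEvery = 5 * time.Minute

// Revalidate re-scores a session once it is due. A session that keeps
// drifting cannot coast on its original login decision: trust falls on each
// failed check until step-up or revocation is forced.
func Revalidate(s *Session, now time.Time, p Posture) Decision {
	if now.Sub(s.LastValidated) < revalidateEvery {
		return Allow // not due yet; the last decision stands
	}
	s.LastValidated = now
	switch {
	case !p.Enrolled || !p.Integrity:
		s.Trust = 0 // unmanaged or tampered endpoint: hard fail
	case !p.Patched:
		s.Trust -= 40 // stale patch level erodes trust on every check
	default:
		s.Trust = 100 // healthy posture restores full trust
	}
	switch {
	case s.Trust <= 0:
		return Revoke
	case s.Privileged && s.Trust < 80, s.Trust < 50:
		return StepUp // privileged sessions tolerate less drift
	}
	return Allow
}

// ExceptionAllowed honours a fallback path only while it is owned and unexpired.
func ExceptionAllowed(e Exception, now time.Time) bool {
	return e.Owner != "" && now.Before(e.Expires)
}

func main() {
	t0 := time.Date(2025, 8, 5, 9, 0, 0, 0, time.UTC)
	s := &Session{User: "alice", Privileged: true, LastValidated: t0, Trust: 100}
	healthy := Posture{Enrolled: true, Patched: true, Integrity: true}
	unpatched := Posture{Enrolled: true, Patched: false, Integrity: true}
	tampered := Posture{Enrolled: true, Patched: true, Integrity: false}
	fmt.Println(Revalidate(s, t0.Add(6*time.Minute), healthy))    // allow
	fmt.Println(Revalidate(s, t0.Add(12*time.Minute), unpatched)) // step-up
	fmt.Println(Revalidate(s, t0.Add(18*time.Minute), tampered))  // revoke
	helpdesk := Exception{Owner: "it-helpdesk", Expires: t0.Add(24 * time.Hour)}
	fmt.Println(ExceptionAllowed(helpdesk, t0.Add(48*time.Hour))) // false
}
```

The point of the scoring, rather than a simple pass/fail at each check, is that trust is granted by the login and then spent: a non-privileged session on an unpatched device is allowed once, stepped up on the next check, and revoked on the one after, so a compromised endpoint cannot hold access indefinitely just because the initial login succeeded.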
Key takeaways
- Password-based MFA still depends on phishable factors, so it reduces risk without eliminating the attacker’s easiest route.
- Compromised credentials remain a major breach driver, which makes authentication assurance a governance issue, not just a usability decision.
- Passwordless, device-bound, and continuously revalidated access models better fit high-risk IAM and NHI environments than static second-factor checks.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Phishable MFA and weak factors map to identity assurance gaps. |
| NIST CSF 2.0 | PR.AC-1 | Authentication assurance is central to access control outcomes. |
| NIST Zero Trust (SP 800-207) | SP 800-207 | Continuous verification aligns directly with Zero Trust principles. |
Replace phishable factors with phishing-resistant authentication for privileged and sensitive access.
Key terms
- Phishing-Resistant Authentication: Authentication designed so the factor cannot be easily intercepted, replayed, or approved by mistake. It typically relies on cryptographic proof tied to a device or local biometric validation, which raises the attacker’s cost and reduces the value of prompt bombing, OTP theft, and message interception.
- Passwordless MFA: A login model that removes the password from the authentication flow and replaces it with stronger assurance methods. In practice, it uses cryptographic keys, biometrics, and device checks to reduce dependence on reusable secrets that can be phished, guessed, or forwarded.
- Continuous Authentication: A control pattern that re-evaluates identity and device trust during an active session, not only at login. It helps security teams detect posture changes, suspicious behaviour, or endpoint compromise after access has already been granted, which is where many attacks actually succeed.
- Prompt Bombing: An attacker technique that floods a user with repeated MFA requests until one is approved out of confusion, fatigue, or annoyance. It works because the control depends on a human making a quick decision under pressure, rather than on a factor that cannot be socially engineered.
Deepen your knowledge
Passwordless authentication, phishing-resistant MFA, and continuous verification are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising access control for users and non-human identities, it is worth exploring.
This post draws on content published by Beyond Identity: Password-Based MFA Vulnerabilities. Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org