TL;DR: 2023 breach patterns kept converging on stolen credentials, password reuse, and MFA bypass, while the average cost of a breach reached $4.5 million, according to IBM and Apple cited by Axiad. Passwordless, phishing-resistant authentication is no longer an edge case; it is the baseline control families now need to close.
At a glance
What this is: This is an analysis of 2023 breach patterns showing how passwords, basic MFA, and credential reuse kept enabling compromise.
Why it matters: It matters because IAM teams need to treat phishing-resistant authentication as a control gap across human, workload, and delegated access programmes, not a user convenience upgrade.
By the numbers:
- In 2023, data breaches were up by 20% over 2022, according to a study from Apple cited by Axiad.
- The average cost of a data breach was $4.5 million in 2023, the highest average on record, according to IBM cited by Axiad.
👉 Read Axiad's analysis of top 2023 data breaches and passwordless authentication
Context
Password-based authentication still leaves organisations exposed because passwords are reusable secrets, and reusable secrets are exactly what attackers harvest, replay, and sell. In this article, Axiad argues that traditional passwords and basic MFA no longer match the way modern credential attacks actually work.
The IAM implication is broader than login hardening. Human authentication, delegated admin access, and even machine-facing identity flows all inherit the same trust problem when shared secrets remain in circulation. That is why phishing-resistant authentication has become an identity governance issue, not just an access management preference.
Key questions
Q: How should security teams reduce account takeover risk from reused credentials?
A: They should remove reusable secrets from high-risk access paths and replace them with phishing-resistant authentication. That means prioritising privileged users, support teams, and sensitive applications first, then enforcing strong credential lifecycle controls where passwords still exist. The goal is to stop attackers from turning old breach data into fresh authenticated access.
Q: When does basic MFA create a false sense of protection?
A: Basic MFA becomes misleading when the second factor can be phished, relayed, intercepted, or socially engineered. If an attacker can still complete login with captured prompts or one-time codes, the control is adding friction but not true replay resistance. Organisations should judge MFA by whether it resists adversary-in-the-middle abuse, not by whether it exists at all.
Q: What do organisations get wrong about passwordless authentication?
A: The most common mistake is assuming passwordless means hidden passwords or a user experience change. In practice, passwordless only changes the security model if there is no shared secret for an attacker to steal, replay, or reset. If the password still exists behind the scenes, the organisation has renamed the problem rather than removed it.
Q: Who is accountable when credential stuffing leads to a breach?
A: Accountability usually sits with the organisation that allowed reusable secrets, weak second factors, and insufficient authentication governance to persist in a high-risk environment. Standards bodies and public guidance increasingly expect phishing-resistant authentication for sensitive access, so the burden is on the operator to justify weaker methods.
Technical breakdown
Why password reuse turns breaches into account takeovers
Credential stuffing succeeds because attackers do not need to break cryptography; they only need valid username and password pairs from prior breaches. Once reused credentials match across services, the attacker logs in as the user and often bypasses perimeter-focused controls. This is why password reuse remains a structural weakness rather than a user hygiene issue. In identity terms, the problem is that authentication trust is being anchored to a secret that already escaped its original context and can be replayed indefinitely across systems.
Practical implication: eliminate shared-secret dependence where account takeover risk matters most.
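The replay pattern described above has a recognisable shape in authentication logs: one source trying many different usernames in a short window with a low success rate, as opposed to hammering a single account. The following detector is an added example written for this post, not code from Axiad or from the article; the log format and every IP, username and timestamp in it are constructed, and the thresholds (5 distinct users within 5 minutes, at most 30% success) are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article or from Axiad).
# Format per line: "<timestamp> <source ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2023-03-01T10:00:01Z 203.0.113.5 alice FAIL
2023-03-01T10:00:02Z 203.0.113.5 bob FAIL
2023-03-01T10:00:02Z 203.0.113.5 carol FAIL
2023-03-01T10:00:03Z 203.0.113.5 dave FAIL
2023-03-01T10:00:03Z 203.0.113.5 erin FAIL
2023-03-01T10:00:04Z 203.0.113.5 frank FAIL
2023-03-01T10:00:05Z 203.0.113.5 grace OK
2023-03-01T10:00:30Z 198.51.100.7 alice FAIL
2023-03-01T10:00:45Z 198.51.100.7 alice FAIL
2023-03-01T10:01:10Z 198.51.100.7 alice OK
2023-03-01T10:02:00Z 192.0.2.9 heidi OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_distinct_users=5, max_success_ratio=0.3):
    """Flag source IPs that try many *different* usernames in a short window
    with a low success rate. That shape is the signature of replaying a breach
    dump; a single user with many tries (brute force) is deliberately not
    matched here so the two patterns can be handled separately.
    Returns {ip: {"distinct_users", "attempts", "successes", "accounts_taken_over"}}.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        # Sliding window over this IP's events (already time-ordered).
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = [e[2] for e in win if e[3]]
            if (len(users) >= min_distinct_users
                    and len(successes) / len(win) <= max_success_ratio
                    and (best is None or len(users) > best["distinct_users"])):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "successes": len(successes),
                    # Accounts where a replayed credential *worked*: these need
                    # forced re-authentication and credential rotation, not just a block.
                    "accounts_taken_over": sorted(set(successes)),
                }
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed log, 203.0.113.5 is flagged (seven usernames in five seconds, one success against `grace`), while 198.51.100.7 is not, because it only retried one account. The `accounts_taken_over` list is the part worth wiring into response: blocking the source IP ends the run, but the account where the replayed secret worked is already compromised and needs its sessions revoked and its credential rotated.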
Why basic MFA is not the same as phishing-resistant authentication
Basic MFA reduces risk, but it does not automatically stop phishing, smishing, vishing, or adversary-in-the-middle attacks. If the second factor can be relayed, intercepted, or socially engineered, the attacker still completes authentication. Phishing-resistant methods such as certificate-based authentication and FIDO-backed authenticators bind the proof to the device and origin in a way that is much harder to replay. The architectural distinction matters because the control must resist credential theft, not merely add another prompt.
Practical implication: classify MFA methods by replay resistance, not by the fact that they add a second step.
How certificate-based authentication changes the identity trust model
Certificate-based authentication shifts trust away from something the user knows to something the device proves with private-key material. That makes compromise harder because there is no reusable password to phish in the first place. In practice, the security gain comes from binding identity to cryptographic possession and from central certificate lifecycle management through PKI. This does not remove governance work, but it changes the failure mode from password theft to device or certificate lifecycle abuse, which is a narrower and more governable problem.
Practical implication: treat PKI and certificate lifecycle as the control plane for high-assurance login.
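The distinction drawn in the two sections above (a relayable second factor versus proof bound to the device and the origin) is easier to see in code. The simulation below is an added example written for this post, not code from Axiad, from the article or from any FIDO library. It models a WebAuthn-style exchange: the relying party issues a single-use challenge, the browser stamps the page origin into the client data, and the authenticator signs over the relying-party identifier and that client data. All names (`example.test`, the login and look-alike origins, user `alice`) are constructed. One labelled assumption: a per-credential HMAC secret stands in for the device's private key so the example runs on the standard library alone; a real authenticator signs with an asymmetric key and the server stores only the public key, which does not change the origin-binding logic shown.

```python
import hashlib
import hmac
import json
import secrets

# Constructed names for the demonstration (not from the article).
RP_ID = "example.test"                       # relying-party identifier the credential is scoped to
RP_ORIGIN = "https://login.example.test"     # genuine login page
PHISH_ORIGIN = "https://login-example.test"  # look-alike page run by an adversary-in-the-middle


class Authenticator:
    """Stand-in for a FIDO/WebAuthn authenticator.
    ASSUMPTION: a per-credential HMAC secret plays the role of the device's private key so the
    example needs only the standard library; a real authenticator signs with an asymmetric key
    and the relying party stores only the public key. Origin binding works the same way."""

    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]

    def get_assertion(self, rp_id, challenge, origin):
        # The *browser* builds clientData and fills in the origin of the page that asked;
        # neither the user nor a phishing page can choose a different value.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        signature = hmac.new(self._keys[rp_id], to_sign, hashlib.sha256).digest()
        return client_data, auth_data, signature


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.credentials = {}   # user -> key material captured at registration
        self.pending = {}       # user -> outstanding single-use challenge

    def start_login(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_login(self, user, client_data, auth_data, signature):
        expected = self.pending.pop(user, None)   # challenge is consumed on first use
        if expected is None:
            return False, "no pending challenge"
        cd = json.loads(client_data)
        if cd.get("challenge") != expected:
            return False, "challenge mismatch (stale assertion replayed)"
        if cd.get("origin") != self.origin:
            return False, "origin mismatch (assertion was produced for another site)"
        if auth_data != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpId mismatch"
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        good = hmac.new(self.credentials[user], to_sign, hashlib.sha256).digest()
        if not hmac.compare_digest(good, signature):
            return False, "bad signature"
        return True, "ok"


def otp_login(issued_code, presented_code):
    """A one-time code carries no origin: whichever site the user types it into can forward it."""
    return hmac.compare_digest(issued_code, presented_code)


def run_scenarios():
    rp = RelyingParty(RP_ID, RP_ORIGIN)
    device = Authenticator()
    rp.credentials["alice"] = device.register(RP_ID)
    results = {}

    # 1. Genuine login on the real origin.
    ch = rp.start_login("alice")
    assertion = device.get_assertion(RP_ID, ch, RP_ORIGIN)
    results["genuine"] = rp.finish_login("alice", *assertion)

    # 2. Adversary-in-the-middle: the look-alike page fetches a fresh challenge from the RP and
    #    relays it to the victim, whose browser stamps the *phishing* origin into clientData.
    ch = rp.start_login("alice")
    relayed = device.get_assertion(RP_ID, ch, PHISH_ORIGIN)
    results["aitm_relay"] = rp.finish_login("alice", *relayed)

    # 3. Replay: an assertion captured from step 1 is submitted again later.
    rp.start_login("alice")
    results["replay"] = rp.finish_login("alice", *assertion)

    # 4. The same relay against a one-time code: the forwarded code is accepted.
    issued = "482913"   # constructed code
    results["otp_relay"] = (otp_login(issued, issued), "code carried no origin to check")
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:10s} accepted={ok} ({reason})")
```

The genuine login succeeds, the relayed assertion is rejected on origin, the captured assertion is rejected because its challenge was already consumed, and the relayed one-time code is accepted. In a real browser the relay fails even earlier, because the browser refuses to use a credential scoped to `example.test` from a page whose domain does not match it; the server-side origin check shown here is the second line of defence. The certificate-based case from the section above has the same structure: what is presented is a signature by a device-held key over a server-chosen challenge, so there is no reusable secret to capture, and the work moves to issuing, renewing and revoking that key material.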
Threat narrative
Attacker objective: The attacker aims to turn stolen or replayed credentials into authenticated access that can be used for account takeover, token theft, and lateral intrusion.
- Entry begins when attackers obtain reused credentials through credential stuffing, phishing, smishing, vishing, or social engineering.
- Escalation occurs when basic MFA or weak second factors are bypassed, allowing the attacker to authenticate as the legitimate user or administrator.
- Impact follows as the attacker accesses customer records, support systems, session tokens, or downstream networks and uses that access for broader compromise.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: the reviewdog/action-setup GitHub Action supply chain attack exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Password reuse is still an enterprise identity failure, not a user habit. The article’s examples show that attackers continue to convert previously exposed secrets into live access because many programmes still rely on reusable passwords as an authentication root of trust. That is a governance problem because the trust model assumes secrets stay private after first use. Practitioners should treat password reuse as a standing identity exposure condition, not a training issue.
Phishing-resistant authentication is the minimum viable response to modern credential theft. Axiad is right to separate basic MFA from methods that actually resist replay and relay attacks. SMS, OTP, and push-based prompts can still be defeated when the attacker can insert themselves into the authentication flow. For IAM teams, the field standard is shifting from adding factors to verifying whether the factor can survive adversarial interception.
Shared-secret trust debt: authentication models that still depend on passwords accumulate risk every time a credential is reused, phished, or reset. The article’s central pattern is that the same secret can be compromised once and then reused many times across systems and accounts. That is not an isolated control gap; it is a structural debt in the authentication model. Practitioners should recognise that the longer passwords remain in the stack, the more the identity perimeter is funded by residual trust in compromised secrets.
Human identity controls now set the precedent for broader NHI governance. When organisations normalise passwordless and phishing-resistant methods for employees and admins, they also raise the bar for service accounts, privileged workflows, and delegated access patterns that still depend on shared secrets. The governance lesson is that authentication assurance should be consistent across identity classes wherever the access path is high impact. Practitioners should align human and non-human authentication standards rather than managing them as separate security philosophies.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
- For a broader breach lens, see 52 NHI Breaches Analysis for root cause patterns and control failures.
What this signals
Passwordless as a control baseline: enterprises that keep passwords in privileged or support workflows are preserving the exact replayable secret model attackers continue to exploit. The operational signal is not whether a password exists anywhere, but whether a compromise can still become a valid session in one step.
A simple truth now sits underneath authentication programmes: if a factor can be replayed, phished, or socially engineered, it is not yet a durable trust boundary. That is why phishing resistance belongs in the same conversation as privileged access governance and identity assurance.
For teams modernising access controls, the next move is to compare human authentication policies with service and workload identity practices. The more an organisation removes shared secrets from one identity class, the harder it becomes to justify leaving them in another.
For practitioners
- Inventory every password-dependent access path: map where reusable secrets still gate access across employees, admins, vendors, and high-value applications. Prioritise the paths that can reach support tools, customer records, identity systems, and privileged consoles.
- Replace replayable MFA with phishing-resistant authenticators: move high-risk users and privileged roles to certificate-based authentication or FIDO-backed authenticators, then phase out SMS, voice, OTP, and push methods that can be relayed or socially engineered.
- Separate authentication strength by risk tier: apply stronger login controls to support desks, identity admins, finance users, and any account that can reset credentials or reach sensitive data. Do not give every application the same authentication posture.
- Treat certificate lifecycle as a governance dependency: pair phishing-resistant authentication with certificate issuance, revocation, and renewal controls so cryptographic trust does not become a new source of sprawl or stale access.
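The four steps above, together with the earlier point that MFA methods should be classified by replay resistance rather than by their existence, reduce to a small policy that can be run over an access-path inventory. The script below is an added example written for this post, not tooling from Axiad or from the article. The inventory entries, their tiers, their certificate expiry dates and the date used as "today" are all constructed; the grouping of `fido2` and `certificate` as phishing-resistant and of `sms`, `voice`, `otp` and `push` as replayable follows the article's own distinction, and the 30-day renewal warning is an assumption.

```python
from datetime import date, timedelta

# Classification of authenticator types by replay resistance (follows the article's distinction).
PHISHING_RESISTANT = {"fido2", "certificate"}
REPLAYABLE_SECOND_FACTOR = {"sms", "voice", "otp", "push"}
TIER_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed inventory of access paths (names and dates are illustrative, not from the article).
ACCESS_PATHS = [
    {"name": "helpdesk-console", "tier": "high", "methods": ["password", "push"]},
    {"name": "idp-admin", "tier": "high", "methods": ["certificate"], "cert_expires": "2023-03-10"},
    {"name": "finance-erp", "tier": "high", "methods": ["password", "otp"]},
    {"name": "vendor-vpn", "tier": "medium", "methods": ["password"]},
    {"name": "internal-wiki", "tier": "low", "methods": ["password", "sms"]},
    {"name": "ci-deploy", "tier": "high", "methods": ["fido2"]},
]


def assess_path(path, today, renewal_warning=timedelta(days=30)):
    """Return the list of actions a path needs; empty if its posture matches its risk tier."""
    methods = set(path["methods"])
    tier = path["tier"]
    actions = []
    resistant = methods & PHISHING_RESISTANT
    replayable = methods & REPLAYABLE_SECOND_FACTOR

    # High-impact paths must not rest on anything an attacker can relay or replay.
    if tier == "high" and not resistant:
        actions.append("move to phishing-resistant authenticator (FIDO2 or certificate)")
    if tier in ("high", "medium") and methods == {"password"}:
        actions.append("password is the only factor; add a phishing-resistant second factor")
    if replayable and tier != "low":
        actions.append("retire replayable factors: " + ", ".join(sorted(replayable)))
    if "certificate" in methods:
        # Certificate lifecycle is part of the control: an expired certificate becomes an
        # outage, a forgotten one becomes stale access.
        expires = date.fromisoformat(path["cert_expires"])
        if expires < today:
            actions.append(f"certificate expired {expires}; access should already be revoked")
        elif expires - today <= renewal_warning:
            actions.append(f"certificate expires {expires}; renew before cutoff")
    return actions


def prioritised_plan(paths, today):
    """Highest tier first, then most open actions; paths needing nothing are omitted."""
    plan = [(p["name"], p["tier"], assess_path(p, today)) for p in paths]
    plan = [entry for entry in plan if entry[2]]
    plan.sort(key=lambda e: (TIER_RANK[e[1]], -len(e[2]), e[0]))
    return plan


def plan_as_of(iso_day, paths=ACCESS_PATHS):
    """Convenience wrapper taking the assessment date as an ISO string."""
    return prioritised_plan(paths, date.fromisoformat(iso_day))


if __name__ == "__main__":
    for name, tier, actions in plan_as_of("2023-03-01"):
        print(f"[{tier}] {name}")
        for action in actions:
            print("   -", action)
```

Run against the constructed inventory as of 2023-03-01, the plan lists `finance-erp` and `helpdesk-console` first (high tier, password plus a relayable factor), then `idp-admin` for a certificate renewal due within the warning window, then `vendor-vpn`; `ci-deploy` and the low-tier wiki need nothing, which is the "not every application gets the same posture" point from the third step. Re-run a month later, the `idp-admin` finding flips to an expired certificate, which is the lifecycle failure mode the fourth step is about.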
Key takeaways
- The article shows that modern breaches still start with stolen or reused credentials, not exotic exploit chains.
- Its evidence base ties password reuse, basic MFA weakness, and token theft to real compromise events affecting large user populations.
- The practical answer is to move high-risk access to phishing-resistant methods and treat certificate lifecycle as part of identity governance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity verification and authentication strength are central to the breach pattern discussed. |
| NIST SP 800-63 | | Digital identity assurance and authenticators are directly relevant to passwordless and phishing-resistant MFA. |
| NIST Zero Trust (SP 800-207) | AC-3 | Zero Trust depends on strong, continuous identity assurance rather than password trust. |
Map privileged and sensitive access to stronger authentication and remove weak login methods where risk is highest.
Key terms
- Passwordless Authentication: An authentication model that removes the user-entered password from the login process. In practice, the security value depends on whether any shared secret still exists behind the scenes, because hidden passwords can still be stolen, reset, or replayed.
- Phishing-resistant Authentication: An authentication method designed to resist credential interception, relay, and social engineering. Strong implementations bind proof to a cryptographic device or certificate, which makes them materially harder to reuse than passwords, OTPs, push prompts, or SMS codes.
- Credential Stuffing: An attack pattern where previously exposed username and password combinations are replayed against other services until one works. It succeeds because many users reuse secrets, and many systems still trust replayable credentials as if they were newly proven.
Deepen your knowledge
Passwordless and phishing-resistant authentication are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are replacing shared-secret access paths or aligning human and non-human identity controls, it is worth exploring.
This post draws on content published by Axiad: Top data breaches in 2023 and why organizations need passwordless, phishing-resistant authentication. Read the original.
Published by the NHIMG editorial team on 2025-08-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org