By NHI Mgmt Group Editorial Team
Published 2025-08-06
Domain: Best Practices
Source: Axiad

TL;DR: 93% of respondents still use passwords for business, while 52% have already fallen victim to a password-based cyberattack and 45% plan to use passwordless technology next year, according to Axiad’s 2023 State of Authentication Survey. Passwordless and phishing-resistant MFA are advancing, but legacy friction and change resistance keep them from becoming the default.


At a glance

What this is: This is Axiad’s analysis of why passwordless, phishing-resistant MFA is gaining traction but remains difficult to operationalise across enterprises.

Why it matters: It matters because authentication changes affect human IAM controls, Zero Trust design, and the broader identity posture that also shapes how organisations govern machine and autonomous access.

By the numbers:

👉 Read Axiad's analysis of the 2023 State of Authentication Survey


Context

Passwordless authentication is meant to reduce reliance on passwords and the phishing paths that target them. In practice, the problem is less about whether the technology exists and more about whether organisations can replace familiar login habits without breaking user workflows or creating integration debt across the identity stack.

Axiad’s survey points to a familiar identity governance pattern: awareness is ahead of adoption. Teams understand that phishing-resistant MFA and passkeys are safer than passwords, but they still have to deal with legacy IdPs, migration cost, staff capacity, and operational risk. That tension is what keeps authentication modernisation slow even when the security case is already clear.


Key questions

Q: How should organisations roll out passwordless authentication without breaking access?

A: Start with the highest-risk populations first, such as privileged users and remote access roles, then move outward in phases. Build the rollout around application compatibility, help desk readiness, and recovery design. The best programmes reduce passwords without creating new exception paths that attackers can exploit. A staged approach lowers operational risk while keeping the security gains visible.

Q: Why do password-based attacks still succeed even when organisations think they are prepared?

A: Preparation often focuses on awareness and detection, while the actual weakness sits in credential reuse, phishing susceptibility, and recovery workflows. Many organisations overestimate resilience because they have controls in place, but those controls do not always block real-world credential theft. The gap is between perceived readiness and the practical security of the full authentication journey.

Q: What do teams get wrong about phishing-resistant MFA?

A: They often treat it as a narrow login upgrade instead of an end-to-end identity control. If enrolment, recovery, and exception handling remain weak, attackers simply move to those paths. Phishing-resistant MFA only changes the attack surface when the entire authentication lifecycle is designed to resist impersonation and fallback abuse.

Q: Who should own passwordless migration in an identity programme?

A: Ownership should sit with identity security, IAM operations, and application platform teams together, because the work spans policy, user experience, and integration. If one team owns only the factor replacement, the programme will stall at exceptions and unsupported systems. Strong governance requires shared accountability across the access stack.


Technical breakdown

Why passwords remain the default authentication control

Passwords persist because they are deeply embedded in user experience, application integration, and incident response workflows. Even when organisations accept that passwords are weak, changing them can trigger dependency chains across SSO, MFA enrolment, help desk processes, and legacy apps that do not support modern authentication. The result is a control that is known to be fragile but remains operationally convenient. In governance terms, the problem is not just credential weakness, but the cost of replacing an established access model with one that requires more coordination across identity infrastructure, device trust, and policy enforcement.

Practical implication: map every application and identity path that still depends on passwords before setting migration targets.

How phishing-resistant MFA changes the identity attack surface

Phishing-resistant MFA, including passkeys and FIDO-based methods, is designed to stop credential replay by binding authentication to the device and the origin of the request. That removes the usefulness of harvested passwords and many common phishing lures. However, it does not solve every identity risk. If recovery workflows, account enrolment, or fallback methods remain weak, attackers often shift to those weaker paths instead. For security teams, the change is best understood as a reduction in attack surface, not a total end to identity abuse.

Practical implication: secure enrolment, recovery, and fallback flows with the same rigour as primary login.
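The origin and device binding described above is the mechanism that makes a harvested assertion worthless to a lookalike site. The following is an added example, not code from Axiad or NHI Mgmt Group: a minimal relying-party verifier in the shape of a WebAuthn authentication ceremony. It checks the ceremony type, the origin the browser reports, a single-use challenge, the RP ID hash and the signature over authenticatorData plus the hash of clientDataJSON. The RP ID, origins, credential id and the per-device secret are all constructed for the example, and an HMAC with that secret stands in for the authenticator's private key so the block runs with the standard library only.

```python
"""Added example: relying-party checks that give FIDO/WebAuthn-style logins their
phishing resistance. HMAC with a per-device secret is a stand-in for the
authenticator's asymmetric key; all names and values are constructed."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.test"                       # assumption: relying party ID
RP_ORIGIN = "https://login.example.test"           # the only origin the RP accepts
PHISH_ORIGIN = "https://login-example.phish.test"  # constructed lookalike domain

# Stand-in for the credential registered at enrolment: credential id -> device key.
REGISTERED = {"cred-0001": secrets.token_bytes(32)}


class RelyingParty:
    """Issues single-use challenges and verifies assertions against them."""

    def __init__(self):
        self._pending = set()

    def new_challenge(self) -> str:
        chal = secrets.token_urlsafe(32)
        self._pending.add(chal)
        return chal

    def verify_assertion(self, cred_id, client_data_json, auth_data, signature):
        """Return True only if every binding check passes; consume the challenge."""
        key = REGISTERED.get(cred_id)
        if key is None:
            return False
        client = json.loads(client_data_json)
        # 1. The response must come from an authentication ceremony.
        if client.get("type") != "webauthn.get":
            return False
        # 2. Origin binding: the browser, not the user, writes the page origin
        #    into clientDataJSON, so an assertion made on a lookalike page fails.
        if client.get("origin") != RP_ORIGIN:
            return False
        # 3. The challenge must be one we issued and not yet consumed (no replay).
        chal = client.get("challenge")
        if chal not in self._pending:
            return False
        # 4. rpIdHash in the authenticator data must match our RP ID.
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False
        # 5. Signature covers authData || SHA-256(clientDataJSON).
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            return False
        self._pending.discard(chal)
        return True


def authenticator_sign(cred_id, challenge, origin):
    """Simulate browser plus authenticator: the browser records the real origin,
    the authenticator signs authData || SHA-256(clientDataJSON)."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":")).encode()
    flags = b"\x01"  # user-present bit set
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + flags + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    sig = hmac.new(REGISTERED[cred_id], signed, hashlib.sha256).digest()
    return client_data_json, auth_data, sig


def legitimate_login(rp):
    """Assertion made on the genuine origin: accepted."""
    chal = rp.new_challenge()
    return rp.verify_assertion("cred-0001", *authenticator_sign("cred-0001", chal, RP_ORIGIN))


def phished_login(rp):
    """A relayed challenge signed on the lookalike page: rejected at the origin
    check, even though the signature itself is valid."""
    chal = rp.new_challenge()
    return rp.verify_assertion("cred-0001", *authenticator_sign("cred-0001", chal, PHISH_ORIGIN))


def replayed_login(rp):
    """The same valid assertion presented twice: second attempt is rejected."""
    chal = rp.new_challenge()
    resp = authenticator_sign("cred-0001", chal, RP_ORIGIN)
    return rp.verify_assertion("cred-0001", *resp), rp.verify_assertion("cred-0001", *resp)


if __name__ == "__main__":
    rp = RelyingParty()
    print("legitimate:", legitimate_login(rp))
    print("phished:", phished_login(rp))
    print("replay:", replayed_login(rp))
```

A production relying party verifies an ECDSA or RSA signature with the public key captured at enrolment and also checks the user-verification flag and the signature counter, but the five checks above are where the phishing resistance comes from. The practical point of the passage follows directly: an SMS code or a help-desk reset carries none of these bindings, so if those paths can mint the same session the origin check has been bypassed rather than broken.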

What Zero Trust authentication actually requires

The article frames passwordless adoption as part of Zero Trust because stronger authentication only matters if the system verifies access continuously and contextually. Zero Trust is not just a login method. It depends on the identity provider, device posture, policy engine, and application layer working together so trust is never assumed permanently. Passwordless can support this model, but only when organisations align it with conditional access and verification at each sensitive interaction, not only at initial sign-in.

Practical implication: treat passwordless as one control in a broader Zero Trust access model, not as a standalone programme.



NHI Mgmt Group analysis

Passwordless adoption is really a governance migration problem, not a pure authentication upgrade. The survey shows that most organisations understand the risk of password-based compromise, but understanding does not remove dependency on legacy workflows, support models, and application constraints. That is why adoption lags even when the security case is mature. Practitioners should treat the transition as an identity programme change effort, not a feature roll-out.

Phishing-resistant MFA shifts the burden from secret protection to control-plane discipline. Once passwords are no longer the primary factor, the weak points move to enrolment, recovery, device binding, and exception handling. Those are the places attackers will target next, because they often receive less governance attention than the login event itself. Practitioners should audit the full authentication journey, not just the first factor.

Authentication guidance from CISA, NIST, and OMB is accelerating policy change, but policy pressure alone will not finish the job. The survey suggests that external guidance can move strategy, yet operational resistance still slows execution. That means identity leaders need a phased adoption model that balances security intent with application readiness, user friction, and support capacity. Practitioners should plan for controlled migration rather than wholesale replacement.

Identity modernisation now depends on reducing authentication friction without reintroducing weak fallback paths. Passwordless initiatives fail when they simply move risk into account recovery, help desk resets, or unmanaged exceptions. The real measure of success is whether the organisation closes the old password attack paths while preserving access continuity. Practitioners should measure the full residual risk, not just password removal.

From our research:

What this signals

Phishing-resistant MFA should be treated as a migration programme with operational dependencies, not a checkbox control. The organisations that succeed will be the ones that retire password dependencies in parallel with recovery redesign, application remediation, and support model changes. That is where authentication modernisation usually succeeds or fails.

The broader signal is that identity teams are being pushed toward stronger authentication by external guidance, but the real constraint is programme capacity. If the migration is not staged, exception-heavy environments will preserve the very password paths attackers continue to exploit.

With 71% of NHIs not rotated within recommended time frames, per Ultimate Guide to NHIs, the lesson for IAM teams is broader than passwords alone. Any identity control that depends on human discipline rather than enforced lifecycle design will lag attacker behaviour.


For practitioners

  • Inventory password-dependent access paths: Map which applications, admin workflows, and recovery processes still require passwords or password resets. Prioritise the paths that expose high-value accounts or privileged access first.
  • Harden fallback and recovery flows: Apply phishing-resistant verification to enrolment, account recovery, and help desk-assisted resets so attackers cannot bypass stronger primary authentication by targeting the weakest exception path.
  • Phase phishing-resistant MFA by risk tier: Start with privileged users, remote access, and sensitive applications, then expand to broader workforce populations once device support and support coverage are stable.

Key takeaways

  • Passwordless and phishing-resistant MFA are advancing, but password dependence remains the default in most enterprises because migration is operationally difficult.
  • The survey data shows a clear gap between confidence and reality: organisations believe they are ready, yet many have already suffered password-based compromise.
  • The fastest path forward is phased modernisation that secures enrolment, recovery, and exception handling alongside primary authentication.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                     | Control / Reference | Relevance
NIST CSF 2.0                  | PR.AC-1             | Phishing-resistant authentication aligns with controlling access through verified identities.
NIST Zero Trust (SP 800-207)  | ID                  | Zero Trust depends on stronger identity verification before access is granted.
NIST SP 800-63                |                     | Digital identity guidance supports phishing-resistant authentication and stronger assurance.

Use passwordless as part of an identity-first Zero Trust design with conditional access and continuous verification.


Key terms

  • Phishing-Resistant MFA: An authentication method that is designed to resist phishing and credential replay because the proof of identity is bound to the legitimate device or origin. In practice, it reduces the value of stolen secrets, but only when enrolment, recovery, and fallback flows are controlled with the same discipline.
  • Passwordless Authentication: An access method that removes the password as the primary login factor and replaces it with stronger methods such as passkeys, device-bound credentials, or cryptographic authenticators. The security outcome depends on how well the organisation governs migration, support, and exception handling.
  • Zero Trust Authentication: An access model that does not assume trust based on a single successful login event. It combines identity verification, device context, and policy checks so access is continuously evaluated rather than granted once and reused indefinitely.
  • Fallback Path: A secondary authentication or recovery route that users and help desks rely on when the primary method fails. Fallback paths often become the easiest route for attackers if they are not protected with stronger verification than the main login flow.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: The Path to Passwordless, Phishing-Resistant MFA: Emerging but Still a Long Road Ahead. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org