TL;DR: The SANS 2022 Managing Human Risk report puts people at the centre of the current attack frontier, with phishing, business email compromise, and ransomware all driven by credential theft or weak passwords, according to Axiad’s analysis. Passwordless, phishing-resistant MFA is now a baseline control, but it still needs to be paired with ongoing user training and coverage across people, machines, and interactions.
At a glance
What this is: An analysis of why people-centric attacks remain the dominant identity problem and why phishing-resistant, passwordless MFA is the practical response.
Why it matters: IAM teams have to protect human, machine, and message flows together, not treat passwordless authentication as a point solution.
By the numbers:
- 69% of respondents shared passwords with colleagues
- 51% reuse an average of five passwords across business and personal accounts
Context
People-centric attacks exploit the gap between how identity controls are designed and how users actually behave under pressure. In this context, phishing-resistant authentication matters because credential theft remains a reliable entry path for attackers targeting both accounts and workflows.
The IAM problem is broader than passwords alone. End-user authentication, device authentication, and email or document authentication all need to be considered together, because attackers increasingly chain social engineering with credential capture and message-based trust abuse.
Key questions
Q: How should security teams reduce phishing risk without frustrating users?
A: Focus first on removing replayable factors from high-value accounts, then simplify the remaining sign-in journey so users do not create workarounds. Phishing-resistant MFA, strong recovery controls, and targeted training work best together. The goal is to make the secure path easier than the insecure one while preserving assurance for privileged actions.
Q: Why do passwords remain such a problem for enterprise identity security?
A: Passwords remain problematic because they are reusable, phishable, and easy to share or reuse across contexts. Once stolen, they can become a reliable entry point for email compromise, financial fraud, and ransomware. Enterprises reduce this risk by moving to cryptographic authentication and limiting where passwords are still accepted.
Q: How do organisations decide where phishing-resistant MFA is most urgent?
A: Prioritise accounts that can approve money movement, change security settings, administer infrastructure, or access sensitive data. Those accounts create the highest blast radius if compromised. Then expand outward to the rest of the workforce and to machine identities that participate in trusted workflows.
Q: What should IAM teams do when users keep bypassing security controls?
A: Treat bypass behaviour as a design signal, not just a compliance issue. Review whether the control is too frequent, too brittle, or too disconnected from how people actually work. Then adjust the control path, reinforce training on current threats, and keep stronger authentication in place for high-risk actions.
Technical breakdown
Phishing-resistant MFA and passwordless authentication
Phishing-resistant MFA is authentication that cannot be easily replayed or tricked out of a user. Passwordless reduces exposure to stolen passwords and intercepted one-time codes by relying on strong authenticators and cryptographic proof instead of shared secrets. In practice, certificate-based authentication and strong device-backed factors are the most resilient patterns discussed here. The technical point is simple: if the attacker can phish the factor, it is not phishing-resistant. That distinction matters for both human login flows and the privileged accounts that control high-risk actions.
Practical implication: Use cryptographic authenticators for high-value human and admin access, not shared-secret or code-based factors alone.
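To make the "if the attacker can phish the factor, it is not phishing-resistant" point concrete, here is an added Python illustration (not code from Axiad or from this post): a relayed one-time code is accepted by the relying party because nothing binds it to where the user typed it, while a WebAuthn-style assertion signed over the browser's origin is rejected when that origin is a look-alike. The origins, keys, and the HMAC stand-in for the authenticator's private-key signature are all constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# Constructed origins: the legitimate relying party and a look-alike phishing site.
RP_ORIGIN = "https://login.example.com"
LOOKALIKE_ORIGIN = "https://login-example.com"

def hotp(secret: bytes, counter: int) -> str:
    """6-digit HOTP code (RFC 4226 dynamic truncation); TOTP is HOTP over a time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % 1_000_000
    return f"{code:06d}"

def rp_verify_code(secret: bytes, counter: int, submitted: str) -> bool:
    """The RP only checks the digits; nothing in a code says where the user typed it."""
    return hmac.compare_digest(hotp(secret, counter), submitted)

def authenticator_assert(cred_key: bytes, origin: str, challenge: bytes):
    """Sign the challenge together with the origin the browser is actually on.
    HMAC with a per-credential key stands in for the WebAuthn private-key signature;
    the origin binding is the property this example is about."""
    sig = hmac.new(cred_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()
    return origin, sig

def rp_verify_assertion(cred_key: bytes, challenge: bytes, origin: str, sig: bytes) -> bool:
    """Reject any assertion that reports a foreign origin, then check the signature."""
    if origin != RP_ORIGIN:
        return False
    expected = hmac.new(cred_key, origin.encode() + b"|" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def relayed_code_accepted(secret: bytes, counter: int) -> bool:
    """A code typed into the look-alike page and forwarded to the real RP is accepted."""
    code_seen_by_lookalike = hotp(secret, counter)
    return rp_verify_code(secret, counter, code_seen_by_lookalike)

def relayed_assertion_accepted(cred_key: bytes) -> bool:
    """The RP's challenge is forwarded to the look-alike page, but the browser there binds
    LOOKALIKE_ORIGIN into the assertion, so the real RP rejects it."""
    challenge = os.urandom(32)
    origin, sig = authenticator_assert(cred_key, LOOKALIKE_ORIGIN, challenge)
    return rp_verify_assertion(cred_key, challenge, origin, sig)

def genuine_assertion_accepted(cred_key: bytes) -> bool:
    challenge = os.urandom(32)
    origin, sig = authenticator_assert(cred_key, RP_ORIGIN, challenge)
    return rp_verify_assertion(cred_key, challenge, origin, sig)
```

The same structure is why the post's "replayable factor" test works as a triage rule: a factor the user can read out or retype can be forwarded, one that is signed over the origin cannot.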
Machine and interaction authentication
The article correctly extends identity thinking beyond people to machines and interactions. Machines can authenticate with PKI at scale, while emails and attached documents can also be authenticated to reduce spoofing and tampering risk. This is an identity design problem, not just a messaging problem, because the same trust model that protects a human session may not protect a workload or a signed document. A single control family rarely covers all three planes, which is why layered authentication architecture matters.
Practical implication: Separate human, workload, and message authentication patterns so controls match the asset and the threat path.
Human risk management as a control layer
Training does not replace authentication, but it does reduce the likelihood that people will bypass controls under friction. The article’s key premise is that security programmes fail when they assume users will absorb unlimited prompt fatigue, password changes, and repeated approvals. Human risk management is therefore a governance layer around identity behaviour, not a substitute for strong authentication. The operational test is whether the programme still works when users are busy, stressed, or targeted by a convincing lure.
Practical implication: Treat user training and behaviour reinforcement as a complement to phishing-resistant MFA, not as its replacement.
Threat narrative
Attacker objective: The attacker wants to turn trusted identity behaviour into a reusable access path that enables fraud, compromise, or ransomware.
- Entry occurs when attackers use phishing, smishing, vishing, or BEC-style lures to capture credentials or persuade a user to authorise an unsafe action.
- Escalation follows when stolen passwords or weak factors are reused, intercepted, or combined with compromised shared secrets to reach higher-value accounts or workflows.
- Impact is realised through account compromise, fraudulent payment changes, ransomware deployment, or broader operational disruption driven by trusted identity abuse.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
People-centric attack defence is now an identity architecture problem, not just a training problem. The article is right that phishing, BEC, and ransomware all converge on human trust and credential weakness. That means IAM teams cannot keep treating user awareness as the primary control while leaving authentication patterns fragile. Practitioners should read this as a prompt to redesign identity controls around how attackers actually enter, not how policies assume they behave.
Phishing-resistant MFA is the control boundary that separates recoverable authentication from reusable compromise. Once passwords, SMS codes, and shared secrets can be intercepted, the attacker owns a durable access mechanism. Phishing-resistant authentication changes the economics of the attack because the factor is harder to steal and replay. The practitioner implication is that authentication assurance has to be built into the access path, not bolted on as a convenience feature.
Machine and interaction identity belong in the same governance conversation as user identity. The article’s best contribution is its refusal to isolate people from devices and messages. Certificates, PKI, and authenticated documents all become part of the trust model when social engineering spans email, text, and voice. IAM teams should stop treating “human attack” and “machine identity” as separate operating problems when the adversary moves across both.
Human risk management remains necessary, but it only works when friction is bounded. The article notes that monthly user touchpoints may be difficult to sustain, and that is the real governance issue. When control burden is too high, users work around it. Practitioners should treat identity programme design as a usability-and-assurance balance, because controls that are technically strong but operationally ignored do not reduce attack surface.
Persistent password dependence is the named weakness this topic exposes. The security assumption that users can be protected by periodic training plus passwords is designed for a slower, more forgiving threat model. That assumption fails when phishing, smishing, vishing, and BEC can all trigger immediate credential misuse. The implication is that identity governance must move away from replayable factors as its default trust anchor.
From our research:
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- The same identity hygiene gap shows up in lifecycle governance, and the Lifecycle Processes for Managing NHIs section explains why.
What this signals
Persistent password dependence is the strategic signal here. Even strong awareness programmes lose effectiveness when the underlying factor model remains replayable and user-managed. IAM teams should expect continued pressure to move toward phishing-resistant controls for both human and privileged access, while keeping recovery paths tightly governed.
With the Ultimate Guide to NHIs showing that 97% of NHIs carry excessive privileges, the lesson extends beyond people. Identity programmes need one assurance model that spans users, service accounts, and machine-authenticated workflows, because attackers do not respect those internal boundaries.
The governance shift is toward layered identity assurance, not a single silver bullet. If your programme still treats authentication, machine identity, and message integrity as separate debates, you will miss the places where social engineering crosses from one control plane into another.
For practitioners
- Prioritise phishing-resistant MFA for privileged accounts first: Start with administrators, finance users, and any account that can change access, payment, or security settings. Replace replayable factors with cryptographic authenticators and validate that recovery flows do not reintroduce weak verification.
- Extend authentication design to machines and documents: Use PKI for device and workload identity, and authenticate email or attached documents where trust decisions depend on message integrity. Treat these as separate identity domains with separate assurance requirements.
- Reduce user friction where it drives bypass behaviour: Measure where users abandon controls, create workarounds, or request exemptions. Simplify enrollment, reduce unnecessary prompts, and keep training focused on current attack patterns rather than generic awareness messaging.
- Map social engineering paths to identity controls: Trace phishing, smishing, vishing, and BEC scenarios to the exact access points they exploit. Then identify which accounts still rely on shared secrets, weak recovery, or inconsistent verification rules.
Key takeaways
- People-centric attacks remain durable because they exploit identity behaviour, not just technical weakness.
- Phishing-resistant MFA reduces replayable credential risk, but it must cover people, machines, and interactions to be effective.
- The practical decision is to replace weak factors on high-value access first and keep human risk management focused on reducing bypass behaviour.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-7 | Strong authentication is central to limiting identity abuse from phishing and BEC. |
| NIST SP 800-63 | | Authentication assurance for human identities and credential resistance, which is the article's focus. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust depends on continuous, strong identity verification across users and devices. |
Treat identity proofing and authentication strength as part of every access decision, not a one-time event.
Key terms
- Phishing-resistant MFA: Multi-factor authentication that cannot be easily fooled by credential theft, code interception, or simple replay. It relies on cryptographic proof or strong device-bound authenticators rather than reusable secrets, which makes it materially harder for attackers to turn social engineering into direct account access.
- Passwordless Authentication: An authentication pattern that removes the password from the sign-in flow and replaces it with stronger factors, often cryptographic or device-bound. It reduces exposure to password reuse and phishing, but only works well when recovery and fallback paths are equally well governed.
- Human Risk Management: The practice of managing how people interact with security controls, especially under pressure, distraction, or deception. It combines training, policy, and friction management so identity systems are still usable enough that users do not bypass them in day-to-day work.
- PKI Authentication: An identity method that uses public and private key pairs plus certificates to prove possession of a trusted credential. In enterprise environments it can authenticate devices, workloads, and messages, giving practitioners a cryptographic way to verify identity beyond passwords and shared secrets.
Deepen your knowledge
Phishing-resistant MFA and passwordless authentication are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building an identity programme that has to cover both users and machine access, it is worth exploring.
This post draws on content published by Axiad: Top Attack Frontier is People - Need for Phishing-Resistant Authentication. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org