TL;DR: Phishing, business email compromise, and ransomware remain enduring people-centric attack patterns, while password sharing and reuse remain common across organisations, according to Axiad. The security boundary has shifted from perimeter controls to authentication resilience and human behaviour management.
At a glance
What this is: This blog argues that people remain the main attack frontier and that phishing-resistant, passwordless MFA should be the baseline for people, machines, and interactions.
Why it matters: It matters because IAM teams must align human authentication, machine identity, and email/document trust so social engineering does not bypass access controls.
By the numbers:
- 69% of respondents shared passwords with colleagues and 51% reuse an average of five passwords across business and personal accounts.
👉 Read Axiad's analysis of people-centric attacks and phishing-resistant authentication
Context
People-centric attacks succeed when authentication still depends on secrets that users can be tricked into revealing or reusing. In practice, that makes identity the control plane for phishing, business email compromise, and ransomware, not just a login layer.
For IAM programmes, the question is not whether passwordless authentication is desirable. It is whether the organisation can replace fragile human-factor controls with phishing-resistant methods for users, admins, devices, and message-based interactions without creating new operational gaps.
Key questions
Q: How should security teams implement phishing-resistant MFA for human users?
A: Start with the accounts that would cause the most damage if compromised, especially administrators and finance users. Use methods that resist password theft and replay, then remove fallback paths that reintroduce shared secrets. The best implementation is the one users can complete consistently without bypassing it for convenience.
Q: Why do people-centric attacks still succeed even when MFA is in place?
A: Because many MFA schemes still depend on secrets that can be phished, intercepted, or socially engineered out of the user. Attackers also exploit process weaknesses, such as payment changes or help-desk resets, where authentication alone does not stop abuse. Stronger factors help, but workflow controls and user vigilance still matter.
Q: What is the difference between human MFA and machine authentication?
A: Human MFA is designed for people who can respond to prompts, remember context, and use authenticators interactively. Machine authentication needs certificate-based trust or PKI because devices and workloads should authenticate with cryptographic identity rather than human factors. Treating them as the same control leads to weak architecture.
Q: Who is accountable when phishing-resistant authentication is not broadly adopted?
A: Accountability sits with identity, security, and business leaders together because the gap is both technical and behavioural. IAM owns the control design, security owns risk reduction, and the business owns the workflows that force users into insecure shortcuts. Frameworks such as the NIST Cybersecurity Framework help assign those responsibilities clearly.
Technical breakdown
Why phishing-resistant MFA matters for human identity
Phishing-resistant MFA reduces the chance that a user can be socially engineered into revealing reusable credentials or a one-time code. In identity terms, the control has to resist both theft and replay, which is why passwords plus SMS or app-based codes are not enough on their own. The article also points out that user behaviour can undermine even well-designed controls when friction is too high. That means authentication design and usability are inseparable parts of human identity security.
Practical implication: move high-risk user populations to phishing-resistant authentication methods that do not rely on shared secrets.
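The theft-and-replay distinction above, as an added toy model that is not code from the article or from Axiad: a six-digit code still verifies when relayed from a look-alike page, while an assertion bound to the browser's origin and a single-use challenge is rejected. HMAC stands in for the authenticator's public-key signature, and the origins, keys and timestamp are constructed values.

```python
"""Toy model of the theft-and-replay point: an OTP-style code typed into a
look-alike page can be relayed to the real server, an origin-bound assertion cannot.
Constructed example: origins, keys and timestamp are made up, and HMAC stands in
for the authenticator's public-key signature so only the stdlib is needed."""
import hashlib
import hmac
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"          # assumed relying-party origin
PHISH_ORIGIN = "https://login.example-support.com"  # assumed look-alike origin


def totp(secret: bytes, t: int) -> str:
    """RFC 6238-style six-digit code: HMAC-SHA1 over the 30-second step counter."""
    digest = hmac.new(secret, struct.pack(">Q", t // 30), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"

def server_accepts_totp(secret: bytes, code: str, t: int) -> bool:
    # The server sees only six digits; it cannot tell which page the user typed them into.
    return hmac.compare_digest(totp(secret, t), code)

def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> dict:
    # The browser, not the user, fills in the origin it is really connected to.
    client_data = origin.encode() + b"|" + challenge
    sig = hmac.new(device_key, client_data, hashlib.sha256).digest()
    return {"origin": origin, "challenge": challenge, "sig": sig}

def server_verifies_assertion(device_key: bytes, expected: bytes, a: dict) -> bool:
    if a["origin"] != LEGIT_ORIGIN:                         # origin binding defeats relaying
        return False
    if not hmac.compare_digest(a["challenge"], expected):    # single-use challenge defeats replay
        return False
    client_data = a["origin"].encode() + b"|" + a["challenge"]
    good_sig = hmac.new(device_key, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(good_sig, a["sig"])

def relay_scenario(now: int = 1_700_000_000) -> dict:
    """A look-alike page forwards whatever the user produces to the real server."""
    totp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    code_typed_on_phish = totp(totp_secret, now)            # user reads it off their app
    totp_relayed = server_accepts_totp(totp_secret, code_typed_on_phish, now)
    challenge = secrets.token_bytes(32)                     # issued by the real server, forwarded by the fake
    relayed = authenticator_sign(device_key, challenge, PHISH_ORIGIN)
    genuine = authenticator_sign(device_key, challenge, LEGIT_ORIGIN)
    return {"totp_relayed": totp_relayed,
            "assertion_relayed": server_verifies_assertion(device_key, challenge, relayed),
            "assertion_genuine": server_verifies_assertion(device_key, challenge, genuine)}
```

`relay_scenario()` returns `totp_relayed` True but `assertion_relayed` False, which is the whole argument for dropping code-based second factors on high-risk accounts.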
How machine authentication differs from people authentication
The post correctly separates people from machines and interactions. Machines need certificate-based authentication or PKI because workloads and devices do not authenticate like humans, and shared secrets are poor fits for scalable machine identity. A single method will not cover end users, virtual workloads, and email or document trust. The technical point is that each subject type has a different trust anchor, so the architecture must map the authenticator to the identity subject rather than forcing one method everywhere.
Practical implication: align authenticators to subject type, using PKI and certificates for workloads and devices instead of human-style MFA.
Why social engineering still defeats weak identity design
Business email compromise and ransomware exploit the gap between authentication policy and human decision-making. Attackers do not need to break cryptography if they can redirect payment workflows, trick an employee into sharing access, or abuse weak password hygiene. The article’s broader message is that identity controls fail when organisations treat human judgement as a reliable security boundary. Authentication can reduce exposure, but it cannot remove the need for ongoing training and workflow scrutiny.
Practical implication: pair strong authentication with workflow controls and human risk training so identity checks are not the last line of defence.
Threat narrative
Attacker objective: The attacker wants to turn human trust into authorised access, then use that access to steal money, spread malware, or disrupt business operations.
- Entry begins with phishing, smishing, vishing, or similar social engineering that persuades a user to reveal credentials or approve access.
- Escalation occurs when stolen passwords, shared secrets, or reused credentials are used to impersonate the victim and reach email, payment, or workload access.
- Impact follows through business email compromise or ransomware, where the attacker redirects funds, steals information, or disrupts operations at scale.
Breaches seen in the wild
- Shai Hulud npm malware campaign: npm malware exposed secrets on GitHub.
- Reviewdog GitHub Action supply chain attack: the reviewdog/action-setup Action exposed secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
People risk is now an identity problem, not just a training problem. The article is right to treat phishing as a frontline attack pattern, but the deeper point is that human identity remains over-dependent on secrets that can be tricked, reused, or intercepted. When authentication still trusts passwords and second factors that behave like shared secrets, the control plane is already weakened. The implication is that human IAM cannot be separated from credential resilience.
Phishing-resistant authentication should be the default for high-risk human access. The post makes a strong case for passwordless methods because friction-heavy controls often get bypassed by the people they are meant to protect. That aligns with broader NIST zero-trust thinking, where identity assurance has to survive hostile conditions rather than assume honest user behaviour. Practitioners should treat user experience as part of control design, not as an afterthought.
Machine and interaction authentication need different trust anchors than people. The article usefully distinguishes users from devices, workloads, and email flows, which is where many IAM programmes blur important boundaries. Certificates and PKI solve different problems than human MFA, and treating them as interchangeable creates governance blind spots. The implication is that identity architecture must be subject-aware, not control-centric.
Human risk management becomes a lifecycle discipline when attackers target behaviour repeatedly. Monthly awareness touchpoints are not just training activity; they are part of the lifecycle for identities exposed to social engineering. The governance gap is not whether training exists, but whether it is tied to access scope, workflow risk, and credential type. That means security teams should measure human exposure as a managed identity lifecycle problem, not a one-time awareness campaign.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- That is why the Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs, is the right next resource for teams tightening credential lifecycle governance.
What this signals
The practical signal for IAM teams is that phishing-resistant authentication will keep spreading from privileged users into broader workforce populations, but only if identity teams simplify recovery and reset paths at the same time. If the user journey still rewards shortcuts, password reuse and shared access will continue to surface as control failures.
Identity friction debt: when authentication design is too hard to use, users repay that debt with insecure behaviour. Organisations that measure only login success and not exception rate, reset volume, and reuse behaviour will miss the real governance signal.
For programmes that already manage workload identity and secrets, the next step is to treat human authentication as part of the same trust architecture. The NIST Cybersecurity Framework is a useful lens here because the control problem is not isolated to login; it spans govern, protect, and recover.
For practitioners
- Prioritise phishing-resistant MFA for privileged users first. Move administrators, finance staff, and other high-value users to phishing-resistant methods before expanding coverage. The goal is to remove reliance on reusable secrets from the identities attackers most often target.
- Separate human, machine, and interaction authentication policies. Use different trust models for people, workloads, and email or document authentication. Certificates and PKI fit machines and signed content, while people need phishing-resistant login methods that do not expose shared secrets.
- Reduce password reuse pressure through friction-aware design. Review sign-in paths, reset flows, and access exceptions that push users toward workarounds. If the process encourages password sharing or repeated prompts, the control is undermining itself.
- Tie monthly security touchpoints to measurable identity risk. Connect workforce training to observed phishing exposure, privileged access usage, and account recovery events. That turns awareness from a calendar task into a control that can be evaluated and adjusted.
Key takeaways
- People-centric attacks remain effective because identity programmes still over-rely on secrets that users can be tricked into revealing or reusing.
- Phishing-resistant authentication, PKI, and separate trust models for people and machines are the main architectural response.
- Authentication only works when it is paired with workflow controls, monthly workforce touchpoints, and governance that reduces insecure workarounds.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication assurance and access control are central to phishing-resistant login design. |
| NIST SP 800-63 | AAL2 | Phishing-resistant MFA aligns with higher assurance expectations for human authentication. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires continuous verification rather than trust in passwords or shared secrets. |
Strengthen identity assurance for people and machines, then remove insecure fallback paths.
Key terms
- Phishing-resistant authentication: An authentication method that does not rely on secrets a user can be tricked into giving away, such as passwords or one-time codes. In practice, it uses stronger cryptographic or hardware-backed factors so the login process can resist common phishing and replay attacks.
- Passwordless authentication: A sign-in approach that removes the password from the primary authentication flow. It reduces exposure to credential theft and reuse, but it still needs strong device, key, or certificate trust so the identity can be verified without introducing weaker recovery paths.
- Machine authentication: The use of cryptographic identity, certificates, or workload-specific trust to prove that a device, service, or virtual workload is legitimate. It is different from human login because machines cannot rely on interactive factors, and their credentials must be managed as non-human identities.
- Business email compromise: A form of social engineering where an attacker impersonates a trusted person or domain to manipulate payment, change banking details, or extract sensitive information. It often succeeds without malware because the attacker targets process trust and human judgement instead of technical controls.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: Top Attack Frontier is People – Need for Phishing-Resistant Authentication. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org