By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: Phishing remains the dominant identity attack path, with IDSA reporting that 84% of organisations experienced an identity-related breach in the past year and 59% of those were phishing attacks, while CISA found 80% of organisations had at least one person fall for a phishing attempt. Legacy MFA and siloed IAM do not close that gap reliably.


At a glance

What this is: An analysis of why phishing-resistant MFA matters. The key finding is that legacy MFA and fragmented IAM architectures still leave organisations exposed to phishing and MFA-bypass techniques.

Why it matters: Identity teams must treat phishing resistance as a control-design problem across the whole human identity and IAM estate, not as a single authentication feature.

By the numbers:

  • 84% of organisations experienced an identity-related breach in the past year, and 59% of those breaches involved phishing (IDSA).
  • 80% of organisations assessed by CISA had at least one person fall for a phishing attempt.

👉 Read Axiad's analysis of phishing-resistant MFA and certificate-based authentication


Context

Phishing-resistant MFA is a control response to a simple problem: attackers do not need to defeat every authentication layer if they can trick one person or intercept one weak factor. The practical challenge is that many enterprise identity programmes still mix strong and weak methods across multiple IAM systems, creating uneven enforcement and inconsistent user journeys.

That inconsistency matters across human identity governance because phishing resistance fails when controls are siloed, legacy MFA remains in place, or the same user is authenticated differently across environments. The article argues for certificate-based authentication as the mechanism that can unify those paths and reduce exploitable variation.


Key questions

Q: How should security teams implement phishing-resistant MFA across multiple IAM systems?

A: Start by identifying every authentication path that still accepts weaker factors, then apply a consistent phishing-resistant method to the highest-risk use cases first. Certificate-based authentication is useful when the estate spans multiple IAM systems, because it can normalize assurance without requiring a single platform migration. The goal is uniform policy coverage, not isolated strong pockets.

Q: Why do legacy MFA methods still leave organisations exposed to phishing?

A: Legacy MFA often depends on transferable factors. SMS codes can be captured through SIM swapping or interception, and one-time codes and push approvals can be relayed in real time by an adversary-in-the-middle proxy sitting behind a lookalike login page, or simply approved by a fatigued user. Those methods may add friction, but they do not close the phishing pathway. Security teams should judge MFA by its resistance to replay and interception, not by whether a second factor exists.

Q: How can IAM teams know whether phishing resistance is actually working?

A: Look for consistency across systems, low dependence on fallback methods, and reduced use of transferable factors in sensitive access paths. If users can still authenticate through weaker methods in some applications or platforms, the programme is not truly phishing resistant. Measurement should focus on coverage and assurance uniformity, not just deployment counts.
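
"Low dependence on fallback methods" is measurable from sign-in telemetry rather than from policy documents. The following is an added Go example (editorial code, not from Axiad or the original article) that aggregates constructed, IdP-style key=value sign-in lines per application and reports what share of successful sign-ins completed through a phishable factor. The log format, the application names, the 10% threshold and the classification in phishingResistant are all assumptions for the demo; only successful sign-ins count, because a denied fallback attempt is noise while an accepted one is the exception path in use.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Factors treated as phishing resistant; everything else is a fallback.
// Editorial assumption for the demo.
var phishingResistant = map[string]bool{"cba": true, "smartcard": true, "fido2": true}

// AppStats counts successful sign-ins per application and how many of them
// completed through a phishable factor.
type AppStats struct {
	App      string
	Total    int
	Fallback int
	Methods  map[string]int
}

// Share is the fraction of successful sign-ins that used a phishable factor.
func (s AppStats) Share() float64 { return float64(s.Fallback) / float64(s.Total) }

// parseKV turns "k1=v1 k2=v2 ..." into a map; tokens without "=" are ignored.
func parseKV(line string) map[string]string {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		if i := strings.IndexByte(f, '='); i > 0 {
			kv[f[:i]] = f[i+1:]
		}
	}
	return kv
}

// FallbackByApp aggregates sign-in lines. Only result=success lines count: a
// denied fallback attempt is noise, an accepted one is the exception path.
// Output is sorted so the apps most dependent on fallback come first.
func FallbackByApp(lines []string) []AppStats {
	byApp := map[string]*AppStats{}
	for _, l := range lines {
		kv := parseKV(l)
		app, method := kv["app"], kv["method"]
		if app == "" || method == "" || kv["result"] != "success" {
			continue
		}
		s, ok := byApp[app]
		if !ok {
			s = &AppStats{App: app, Methods: map[string]int{}}
			byApp[app] = s
		}
		s.Total++
		s.Methods[method]++
		if !phishingResistant[method] {
			s.Fallback++
		}
	}
	var out []AppStats
	for _, s := range byApp {
		out = append(out, *s)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Share() > out[j].Share() })
	return out
}

// Constructed sign-in lines in an IdP-like key=value shape; not real logs.
var sampleSignIns = []string{
	"ts=2025-09-16T08:00:01Z app=vpn user=u1 method=cba result=success",
	"ts=2025-09-16T08:00:09Z app=vpn user=u2 method=sms result=success",
	"ts=2025-09-16T08:00:12Z app=vpn user=u3 method=sms result=success",
	"ts=2025-09-16T08:00:40Z app=vpn user=u4 method=sms result=failure",
	"ts=2025-09-16T08:01:05Z app=mail user=u1 method=push result=success",
	"ts=2025-09-16T08:01:30Z app=mail user=u5 method=totp result=success",
	"ts=2025-09-16T08:02:00Z app=hr user=u6 method=fido2 result=success",
}

func main() {
	for _, s := range FallbackByApp(sampleSignIns) {
		flag := ""
		if s.Share() > 0.10 { // threshold is an editorial assumption
			flag = "  <- fallback path is carrying real traffic"
		}
		fmt.Printf("%-5s %3d sign-ins, %3.0f%% via phishable factor %v%s\n",
			s.App, s.Total, 100*s.Share(), s.Methods, flag)
	}
}
```

In the constructed data the VPN offers CBA, yet two of its three successful sign-ins went through SMS; that is the pattern the question above is asking teams to look for, and it does not show up in a deployment count.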

Q: What should organisations do when phishing-resistant controls are hard to roll out?

A: Treat rollout friction as a governance signal, not a reason to keep weak factors in place. Simplify enrollment, reset, and renewal so the strong method is practical for users and support teams. If the process is cumbersome, exceptions will accumulate and the control will erode under operational pressure.


Technical breakdown

Why phishing-resistant MFA differs from legacy MFA

Phishing-resistant MFA is designed so the authentication ceremony cannot be replayed through a fake login page or intercepted out of band: the proof the user presents is bound to the verifier the device actually connected to, so a proof captured on a lookalike site is worthless against the real service. Legacy MFA relies on factors the user can hand over. SMS codes can be captured through SIM swapping or interception; push approvals and one-time codes can be relayed in real time by a proxy sitting behind a lookalike page, or obtained by social engineering. Certificate-based authentication changes the trust anchor by tying the login to a strong possession factor and a device-bound private key and certificate rather than a transferable code; the device signs a challenge from the specific service it is talking to, and the private key never leaves it. That makes the attack harder because the attacker has to compromise the cryptographic credential or the device that holds it, not just persuade a user or intercept a message.

Practical implication: Treat SMS and other transferable factors as weak assurance for high-risk access paths and replace them where phishing exposure is material.
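
To make the difference concrete, here is an added Go example (editorial code, not from Axiad or the original article) that models the two ceremonies side by side. A one-time code is checked by string equality, so a code typed into a lookalike page and relayed by a proxy is accepted. The certificate-style flow signs a challenge together with the identity of the server the device actually connected to; the verifier checks against its own identity, so a signature relayed by a proxy fails, and the attacker, holding no private key, cannot forge one. The nonce-plus-identity digest is a simplification: in TLS client-certificate authentication the binding is the handshake transcript, which includes the server's certificate, and in FIDO2 it is the origin. The Verifier type, the RelayAttack and DirectLogin functions and the server-certificate fingerprints are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verifier is a relying party. Identity stands in for what the client can see
// of the server it connected to (a server certificate fingerprint here).
type Verifier struct {
	Name     string
	Identity []byte
}

// sha256Bytes builds constructed identities for the demo.
func sha256Bytes(s string) []byte {
	d := sha256.Sum256([]byte(s))
	return d[:]
}

// challengeDigest binds a fresh nonce to the identity of the verifier the
// client believes it is talking to. Simplification of the TLS transcript hash
// (client-certificate auth) or the origin (FIDO2).
func challengeDigest(nonce, identity []byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(identity)
	return h.Sum(nil)
}

func newNonce() []byte {
	n := make([]byte, 32)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Legacy flow: a one-time code is a bearer secret. Nothing ties it to the page
// it was typed into, so a code captured on a lookalike site and relayed within
// its validity window is accepted.
func verifyOTP(expected, submitted string) bool {
	return expected == submitted
}

// clientSign is the user's device: it signs the challenge bound to whatever
// server identity it actually connected to. The private key never leaves it.
func clientSign(key *ecdsa.PrivateKey, nonce, connectedTo []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, challengeDigest(nonce, connectedTo))
}

// Verify checks the signature against the verifier's own identity, not the one
// the client saw, so a signature produced for a proxy's identity fails here.
func (v Verifier) Verify(pub *ecdsa.PublicKey, nonce, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, challengeDigest(nonce, v.Identity), sig)
}

// DirectLogin is the honest case: the device connected to the genuine verifier.
func DirectLogin(genuine Verifier, key *ecdsa.PrivateKey) (bool, error) {
	nonce := newNonce()
	sig, err := clientSign(key, nonce, genuine.Identity)
	if err != nil {
		return false, err
	}
	return genuine.Verify(&key.PublicKey, nonce, sig), nil
}

// RelayAttack is an adversary-in-the-middle proxy: the victim connects to the
// proxy, the proxy forwards the genuine verifier's nonce, the victim's device
// signs for the proxy's identity, and the proxy replays that signature to the
// genuine verifier. Returns whether the genuine verifier accepts it.
func RelayAttack(genuine, proxy Verifier, key *ecdsa.PrivateKey) (bool, error) {
	nonce := newNonce()
	sig, err := clientSign(key, nonce, proxy.Identity)
	if err != nil {
		return false, err
	}
	return genuine.Verify(&key.PublicKey, nonce, sig), nil
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed identities: the real service and a lookalike proxy.
	genuine := Verifier{"login.example.com", sha256Bytes("real-server-cert")}
	proxy := Verifier{"login-example.com", sha256Bytes("proxy-server-cert")}

	fmt.Println("OTP captured on lookalike page and relayed:", verifyOTP("482913", "482913"))
	ok, _ := DirectLogin(genuine, key)
	fmt.Println("device-bound credential, direct login:", ok)
	ok, _ = RelayAttack(genuine, proxy, key)
	fmt.Println("device-bound credential, relayed via proxy:", ok)
}
```

The point of the model is where the check happens: the verifier never trusts what the client says it connected to, it substitutes its own identity and lets the signature fail. Anything that lets the user type or approve a value that the real service will accept unchanged, as verifyOTP does, is by construction relayable.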

How certificate-based authentication overlays fragmented IAM estates

Certificate-based authentication can sit across multiple IAM systems rather than forcing a single rip-and-replace migration. That matters because many enterprises run several identity platforms, and inconsistent policy coverage creates weak links that attackers can target. A certificate-based model allows the same phishing-resistant control to be applied more uniformly across operating systems, user populations, and access scenarios. In practice, this makes identity assurance more consistent, which is often the real weakness in large estates: not the absence of MFA, but the uneven quality of MFA across systems.

Practical implication: Map where authentication policy diverges across IAM platforms and prioritize the gaps that allow weaker factors to remain in production.

Lifecycle management is part of phishing resistance

Phishing resistance is not only about initial sign-in. If certificate issuance, reset, provisioning, and the rest of the credential lifecycle are cumbersome, users and administrators look for shortcuts that reintroduce weak authentication patterns. Certificate-based authentication (CBA) is presented here as a way to streamline lifecycle operations while maintaining stronger assurance, which matters because identity programmes fail when security friction pushes teams back toward convenience-based exceptions. That is especially true in distributed environments where users self-serve resets or where IT cannot manually manage every credential event.

Practical implication: Design certificate lifecycle processes so secure enrollment, reset, and renewal are usable enough that teams do not revert to weaker fallback methods.




NHI Mgmt Group analysis

Phishing-resistant MFA is a control boundary problem, not a product feature problem. The real failure in many identity programmes is the assumption that any second factor meaningfully reduces phishing risk. SMS codes, push prompts, and other transferable factors can still be intercepted or socially engineered, so the control boundary remains porous. Practitioners should evaluate assurance strength by attack path, not by the presence of an MFA label.

Identity fragmentation creates the very inconsistencies attackers exploit. When organizations run multiple IAM systems, one system often ends up stronger than another, and the weaker path becomes the easiest route in. This is not just an implementation issue; it is a governance issue because authentication policy is no longer uniformly enforced across the estate. Teams should treat cross-IAM inconsistency as an attack surface.

Certificate-based authentication is most valuable where authentication quality must be normalized across platforms. The article’s key insight is that CBA can overlay diverse environments and give the enterprise a more consistent phishing-resistant baseline. That matters for Windows, Apple, and Linux estates alike, where identity controls are often unevenly mature. Practitioners should see CBA as a standardization mechanism for assurance, not merely as a stronger login method.

Phishing resistance and lifecycle governance are inseparable in enterprise IAM. If credential issuance, reset, and renewal create friction, users and support teams will pressure the programme into weaker exceptions. The governance lesson is that secure authentication must be operationally sustainable, or it will erode under its own complexity. Identity leaders should measure whether the control can survive real-world administration, not just lab validation.

From our research:

  • In CISA assessments, 80% of organisations had at least one individual who fell for a phishing attempt (cited in LLMjacking: How Attackers Hijack AI Using Compromised NHIs).
  • 71% of NHIs are not rotated within recommended time frames, which raises the risk of compromise over time.
  • That same lifecycle gap is why the Ultimate Guide to NHIs remains relevant when organisations try to harden authentication and credential handling together.

What this signals

Phishing resistance is now a programme design issue, not a point-control purchase. The organizations that will reduce identity exposure fastest are the ones that standardize assurance across every IAM system, not the ones that merely deploy another factor in one part of the estate. That is where consistency beats feature count.

Credential lifecycle and authentication hardening have to move together. If certificate enrollment, renewal, and recovery remain awkward, support teams will keep weak fallbacks alive. The operational signal is simple: strong authentication only survives when the lifecycle is easier than the exception path.

As identity programmes tighten user authentication, they should also re-check how much variance exists between platforms, because variance is where phishing survives. The broader lesson aligns with the Ultimate Guide to NHIs (Key Challenges and Risks): unmanaged inconsistency is usually the real control failure.


For practitioners

  • Inventory weak authentication paths across all IAM systems: map every place where SMS, push, or other transferable factors are still accepted, then rank those flows by business criticality and exposure to phishing.
  • Standardise phishing-resistant controls for high-risk access: use certificate-based authentication or equivalent strong possession factors for privileged users, remote access, and sensitive applications where replay and interception are realistic threats.
  • Remove authentication inconsistencies between platforms: compare login policy across Windows, Apple, Linux, and federated applications to find where users get different assurance levels for the same access outcome.
  • Design credential lifecycle workflows to avoid fallback risk: make enrollment, reset, renewal, and recovery usable enough that help desks and users do not reintroduce weaker authentication methods under pressure.
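
The first three steps above, and the coverage measurement described in the earlier Q&A, can be run as one audit over a policy inventory. The following is an added Go example (editorial code, not from Axiad or the original article) over a constructed inventory of authentication paths; the platform names, the risk scores and the classification in phishingResistant are assumptions for the demo. It ranks paths that still accept a phishable factor by risk, computes risk-weighted coverage where a path counts only when no weaker method remains accepted, and flags the same application and population being authenticated with different assurance on different platforms.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Factors that survive a lookalike page plus real-time relay; everything else
// (password, sms, totp, push, ...) counts as phishable. Editorial assumption.
var phishingResistant = map[string]bool{"cba": true, "smartcard": true, "fido2": true}

// AuthPath is one way a user population signs in to an application on one IAM
// platform. Risk is business criticality times phishing exposure (1..9).
type AuthPath struct {
	Platform, App, Population string
	Risk                      int
	Methods                   []string // factors the policy still accepts
}

// WeakMethods returns the accepted factors that are not phishing resistant.
func (p AuthPath) WeakMethods() []string {
	var weak []string
	for _, m := range p.Methods {
		if !phishingResistant[m] {
			weak = append(weak, m)
		}
	}
	return weak
}

// RankGaps lists paths that still accept a phishable factor, highest risk first.
// A strong method deployed beside a weak one is still a gap.
func RankGaps(paths []AuthPath) []AuthPath {
	var out []AuthPath
	for _, p := range paths {
		if len(p.WeakMethods()) > 0 {
			out = append(out, p)
		}
	}
	sort.SliceStable(out, func(i, j int) bool { return out[i].Risk > out[j].Risk })
	return out
}

// Coverage is the risk-weighted share of paths on which every accepted method
// is phishing resistant; deployment count is not the metric.
func Coverage(paths []AuthPath) float64 {
	total, covered := 0, 0
	for _, p := range paths {
		total += p.Risk
		if len(p.WeakMethods()) == 0 {
			covered += p.Risk
		}
	}
	if total == 0 {
		return 0
	}
	return float64(covered) / float64(total)
}

// Inconsistencies reports the same application and population getting different
// assurance on different platforms; the weaker platform is the way in.
func Inconsistencies(paths []AuthPath) []string {
	strong, weak := map[string][]string{}, map[string][]string{}
	for _, p := range paths {
		k := p.App + "/" + p.Population
		if len(p.WeakMethods()) == 0 {
			strong[k] = append(strong[k], p.Platform)
		} else {
			weak[k] = append(weak[k], p.Platform)
		}
	}
	var out []string
	for k, s := range strong {
		if w := weak[k]; len(w) > 0 {
			out = append(out, fmt.Sprintf("%s: resistant on %s, phishable on %s",
				k, strings.Join(s, ","), strings.Join(w, ",")))
		}
	}
	sort.Strings(out)
	return out
}

// Constructed inventory for the demo, not data from any real estate.
var sampleInventory = []AuthPath{
	{"EntraID", "vpn", "admins", 9, []string{"cba"}},
	{"Okta", "vpn", "admins", 9, []string{"cba", "sms"}},
	{"EntraID", "mail", "staff", 4, []string{"push", "totp"}},
	{"OnPremAD", "workstation", "staff", 6, []string{"smartcard"}},
	{"OnPremAD", "workstation", "contractors", 6, []string{"password", "sms"}},
}

func main() {
	for _, p := range RankGaps(sampleInventory) {
		fmt.Printf("risk %d: %s/%s on %s still accepts %v\n",
			p.Risk, p.App, p.Population, p.Platform, p.WeakMethods())
	}
	fmt.Printf("risk-weighted phishing-resistant coverage: %.0f%%\n", 100*Coverage(sampleInventory))
	for _, s := range Inconsistencies(sampleInventory) {
		fmt.Println("inconsistent:", s)
	}
}
```

The constructed inventory has CBA deployed on both VPN paths, but because the Okta path still accepts SMS it is the top-ranked gap and the admin population is reported as inconsistent across platforms; that is the "isolated strong pocket" the page warns about, and a count of CBA deployments would have hidden it.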

Key takeaways

  • Phishing-resistant MFA matters because phishing still drives a large share of identity breaches, and weaker MFA methods remain interceptable.
  • The practical weakness is not simply absence of MFA, but inconsistent authentication quality across multiple IAM systems and platforms.
  • Certificate-based authentication becomes most useful when teams need a consistent, operationally sustainable phishing-resistant baseline.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63B and NIST SP 800-207 (Zero Trust Architecture) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AA-03: Users, services, and hardware are authenticated (PR.AC-7 in CSF 1.1) | Phishing-resistant MFA strengthens identity verification for user access.
NIST SP 800-63B | AAL3: hardware-based authenticator with verifier impersonation (phishing) resistance | CBA aligns with high-assurance authentication for sensitive digital identity flows.
NIST SP 800-207 | Section 2.1 tenets: all resource authentication and authorisation are dynamic and strictly enforced before access is allowed | Phishing-resistant MFA gives the policy decision point a trustworthy subject identity for per-session access decisions.

Replace weak MFA paths with phishing-resistant controls for sensitive access and privileged users.


Key terms

  • Phishing-resistant MFA: Phishing-resistant MFA is multi-factor authentication designed to prevent credential capture, replay, and interception during login. It relies on factors that cannot be easily transferred into a fake session, which makes it materially stronger than SMS codes or push-based approvals for sensitive access.
  • Certificate-based authentication: Certificate-based authentication uses cryptographic certificates bound to a device or strong token to verify identity. It is often used to strengthen authentication across multiple platforms and IAM systems, because the trust signal is harder to steal or replay than a shared secret or one-time code.
  • Phishing resistance: Phishing resistance is the ability of an authentication control to withstand attempts to trick users, intercept secrets, or replay login artefacts. In practice, it is measured by whether the method can survive lookalike portals, social engineering, and man-in-the-middle attacks without exposing reusable credentials.

Deepen your knowledge

Phishing-resistant MFA and certificate-based authentication are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to harden identity assurance across a fragmented estate, it is a practical place to start.

This post draws on content published by Axiad: Why phishing-resistant MFA is critical in 2023, and how CBA can help. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org