TL;DR: Basic MFA methods are being bypassed through Adversary-in-the-Middle proxy attacks, MFA fatigue, and social engineering, while phishing-resistant MFA uses cryptography and domain binding to stop credential interception, according to Versasec. The governance issue is no longer whether MFA exists, but whether it can survive real phishing conditions and lifecycle scale.
At a glance
What this is: This article argues that SMS codes and authenticator-app MFA are no longer sufficient against modern phishing, and that phishing-resistant MFA built on FIDO2, WebAuthn, or PKI changes the authentication model.
Why it matters: Identity teams need to separate usable MFA from phishing-resistant MFA because the former can still be intercepted, while the latter changes what users, helpdesks, and offboarding workflows must govern.
By the numbers:
- The U.S. federal government has required phishing-resistant MFA across its agencies since OMB Memorandum M-22-09.
👉 Read Versasec's analysis of phishing-resistant MFA and credential lifecycle management
Context
Basic MFA reduced password-only risk, but it did not remove the underlying problem of phishable authentication factors. When an attacker can relay or coerce a one-time code, the control still fails under adversary-in-the-middle, push fatigue, and look-alike login scenarios. This is a human identity problem first, but it also affects the broader IAM programme because authentication strength now has to be measured against attacker behaviour, not just policy presence.
For security teams, the practical shift is from shared-secret verification to origin-bound cryptographic verification. That changes not only the login experience, but also provisioning, recovery, helpdesk workflows, and revocation processes tied to credentials and devices. It is the same governance problem seen in machine identity programmes: a stronger authenticator can still fail if lifecycle management is weak, and the article correctly points to that operational gap.
Key questions
Q: How should security teams implement phishing-resistant MFA for privileged access?
A: Start with the accounts most exposed to phishing, such as admins, finance approvers, and remote access users. Use FIDO2, WebAuthn, or certificate-based authentication, then validate enrollment, recovery, and revocation processes so the stronger factor is operationally usable at scale. The control only works when the credential lifecycle is managed as tightly as the login policy.
Q: Why do basic MFA methods still fail against modern phishing attacks?
A: Because many basic MFA methods rely on factors that can be relayed, replayed, or socially engineered in real time. An attacker using an AiTM proxy or MFA fatigue can capture the code or approval and use it to create a valid session. The weakness is not the existence of MFA, but the absence of cryptographic binding to the login origin.
Q: What do security teams get wrong about phishing-resistant MFA?
A: They often focus on the authenticator type and ignore the operational layer around it. Hardware-backed MFA creates new tasks for issuance, lost-device handling, PIN resets, and revocation. If those workflows are slow or ambiguous, the organisation has improved cryptography but weakened governance, which is exactly how strong controls become fragile in practice.
Q: Who is accountable when a phishing-resistant MFA rollout fails?
A: Accountability sits with both identity governance and the teams operating credential lifecycle processes. If a certificate, key, or passkey is not revoked, replaced, or recovered correctly, the failure is not only technical. It is a governance issue that spans authentication policy, helpdesk execution, and offboarding discipline.
Technical breakdown
Why shared-secret MFA remains phishable
Traditional MFA often relies on an OTP, push approval, or app-generated code that is separate from the session being authenticated. That creates a reusable secret or approval signal that an attacker can steal, relay, or pressure a user into approving. In an Adversary-in-the-Middle attack, the proxy sits between the user and the real service, capturing the factor in real time. MFA fatigue attacks exploit the same weakness by turning approval into a social-engineering target. The issue is not that MFA is absent, but that the factor is not bound to the origin of the request.
Practical implication: treat any factor that can be replayed or relayed as phishable, even when it satisfies policy on paper.
How FIDO2, WebAuthn, and PKI change the trust model
FIDO2 and WebAuthn use public key cryptography so the authenticator signs a challenge that is tied to the legitimate domain. PKI-based authentication uses a certificate stored on a smart card or USB token, which similarly avoids exposing a reusable secret to the login page. The crucial design change is domain binding, sometimes called origin binding, which prevents a cloned site from obtaining a valid assertion. In both cases, the authenticator verifies the request context before release, which breaks the relay path that basic MFA leaves open.
Practical implication: prioritise phishing-resistant factors for high-risk users, privileged roles, and any workflow exposed to external login surfaces.
Why credential lifecycle management becomes part of authentication security
Hardware-backed MFA is only resilient if issuance, replacement, PIN reset, and revocation are tightly governed. Once organisations move from app-based MFA to tokens, smart cards, or passkeys, they inherit a lifecycle problem that looks familiar from NHI governance: who gets what credential, when it is replaced, and how it is removed during offboarding. The article is right to connect phishing resistance with a credential management system, because strong authentication at scale depends on operational control, not just cryptography. Without that layer, organisations trade one form of exposure for another.
Practical implication: design the credential lifecycle alongside the authentication method, not after rollout.
Threat narrative
Attacker objective: The attacker wants to turn a legitimate user interaction into a valid authenticated session without needing the actual password or device-bound trust relationship.
- entry: The attacker reaches the real user through a phishing page, proxy site, or repeated push prompts that mimic a legitimate login flow.
- escalation: The attacker relays the OTP or approval signal in real time, or coerces a user into approving the request, turning valid MFA into an access path.
- impact: The attacker authenticates to the target account, bypasses the intended login assurance, and gains access to protected systems or data.
Breaches seen in the wild
- MITRE ATT&CK Enterprise Matrix — MITRE ATT&CK Enterprise — adversary tactics and techniques, threat detection, attack chain mapping, credential access, lateral movement, privilege escalation.
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Phishable MFA is a trust model problem, not a factor-counting problem. Organisations often treat any second factor as sufficient, but the article shows why that assumption breaks under proxy interception and social engineering. The control failure is not just weaker authentication, it is the belief that a reusable or relayed factor can prove session legitimacy. Practitioners should stop equating MFA presence with phishing resistance.
Phishing-resistant MFA is where human IAM and lifecycle governance meet cryptographic proof. FIDO2, WebAuthn, and PKI change authentication from shared-secret verification to cryptographically bound origin verification. That makes the login request itself part of the control boundary, which is why helpdesk resets, token replacement, and offboarding now sit inside the security model. Teams that ignore lifecycle governance will create a new operational weak point around the stronger authenticator.
Credential management is the hidden control layer behind strong authentication. The article correctly identifies that hardware-backed MFA at enterprise scale fails without issuance, replacement, and revocation discipline. That is the same pattern NHIMG sees across identity programmes: the control that looks strongest in design can become brittle in operation if lifecycle ownership is unclear. The practical lesson is to govern credentials as assets, not just as login methods.
Phishing resistance is becoming a baseline expectation for regulated identity programmes. The reference to U.S. federal requirements and CISA guidance signals where policy is moving, even outside government. Security teams should expect auditors and internal risk owners to ask whether MFA is actually phish-resistant, not merely multi-factor. That changes the standard from compliance checkbox to attack-path resilience.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- A separate finding shows that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, including 38% with no or low visibility and 47% with only partial visibility, according to The State of Non-Human Identity Security.
- For a broader lifecycle lens, read NHI Lifecycle Management Guide for provisioning, rotation, and offboarding patterns that also matter when credentials are hardware-backed.
What this signals
Phishing-resistant MFA is becoming a governance expectation, not an optional hardening step. As attackers move from password guessing to real-time relay and coercion, the relevant question becomes whether the authentication method can survive hostile conditions. Security teams should treat origin-bound factors as the baseline for privileged and remote access, then verify that recovery and offboarding do not reintroduce weak links.
Credential lifecycle ownership now determines whether stronger authentication remains usable. Hardware-backed MFA introduces dependency on issuance, replacement, and revocation workflows, which means identity, operations, and helpdesk teams all influence the final security outcome. If your programme can see access but cannot revoke or replace it cleanly, the control is not mature enough for high-risk use.
Certificate and token management is the new control surface for phishing resistance. The same lifecycle discipline that protects NHI programmes applies here, especially where credentials outlive devices or employment events. For a stronger lifecycle baseline, teams can anchor on the NHI Lifecycle Management Guide and the Ultimate Guide to NHIs , Key Challenges and Risks when aligning revocation, visibility, and ownership.
For practitioners
- Replace phishable MFA on high-risk accounts Move privileged users, admins, finance approvers, and remote-access accounts to FIDO2, WebAuthn, or certificate-based authentication where the login request is origin-bound and not relayed through a shared secret. Use hardware-backed factors for the accounts most likely to be targeted by AiTM attacks.
- Align credential lifecycle with authentication design Define issuance, replacement, PIN reset, revocation, and offboarding workflows before rollout. If a user loses a token or leaves the organisation, the credential must be removed through the same governance process that manages its issuance.
- Use a credential management system for scale Centralise provisioning and audit trails for smart cards, security keys, and passkeys so helpdesk handling does not become the weakest point in the authentication chain. The objective is to keep strong authentication operationally sustainable across distributed workforces.
- Test authentication against real phishing conditions Validate login flows against proxy-based interception, prompt fatigue, and credential relay scenarios rather than only checking whether a second factor exists. A control that works in a clean demo but fails against a cloned site is not phishing-resistant.
- Review offboarding and certificate revocation speed Measure how quickly credentials are revoked after leaver events and whether stale certificates or keys remain valid during account teardown. Offboarding delays can undermine even the strongest authentication method if access survives beyond employment or device ownership.
Key takeaways
- Basic MFA reduces password risk, but it does not stop relay, proxy, or fatigue-based phishing attacks.
- Phishing-resistant MFA changes the trust model by binding authentication to the legitimate origin and eliminating reusable secrets.
- Enterprise adoption succeeds only when credential lifecycle governance, helpdesk workflows, and offboarding are managed alongside the stronger factor.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-53 Rev 5, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication assurance is central to resisting phishing and relay attacks. |
| NIST SP 800-53 Rev 5 | IA-2 | IA-2 governs identification and authentication for users, including strong methods. |
| NIST Zero Trust (SP 800-207) | Phishing-resistant MFA supports continuous verification in a zero-trust model. | |
| NIST SP 800-63 | SP 800-63B | This guidance defines authenticator assurance and phishing-resistant authentication methods. |
Map privileged login assurance to PR.AC-1 and replace phishable factors where risk is highest.
Key terms
- Phishing-resistant MFA: Multi-factor authentication that cannot be easily relayed or replayed by a phishing attacker. It uses cryptographic binding, such as FIDO2 or certificate-based authentication, so the authenticator verifies the real origin of the login request before releasing access.
- Adversary-in-the-Middle Attack: A phishing technique where the attacker sits between the user and the legitimate service and relays authentication in real time. The goal is to capture or forward valid session material without needing to defeat the underlying password directly.
- Credential Management System: A control layer that issues, tracks, replaces, and revokes authentication credentials at scale. In strong authentication programmes, it prevents token administration from becoming the operational weakness that undermines cryptographic security.
- Origin Binding: A cryptographic property that ties authentication to the legitimate website or service domain. It prevents a cloned or look-alike site from receiving a usable authentication assertion, which is why it matters for phishing-resistant login flows.
What's in the full article
Versasec's full article covers the operational detail this post intentionally leaves for the source:
- Why the vendor distinguishes FIDO2, WebAuthn, and PKI as the practical phishing-resistant options
- How its credential management approach ties issuance, replacement, and revocation into one workflow
- Where the article maps phishing-resistant MFA to U.S. federal guidance and CISA recommendations
- What enterprise credential administration looks like when hardware-backed authentication is rolled out at scale
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or lifecycle governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-07-09.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org