By NHI Mgmt Group Editorial Team
Published 2025-08-06
Domain: Governance & Risk
Source: Axiad

TL;DR: 93% of organisations still use passwords for business, even as 45% plan to adopt passwordless technology and 27% plan phishing-resistant MFA within the next year, signalling a slow shift away from credential-based risk, according to Axiad’s 2023 State of Authentication Survey. Passwords remain the weak link because AI-assisted phishing still outpaces governance and adoption friction, according to Axiad.


At a glance

What this is: This survey shows passwordless and phishing-resistant MFA are gaining attention, but password dependence remains entrenched in enterprise authentication.

Why it matters: It matters because human authentication controls still shape access risk across IAM programmes, while the same password habits also influence how teams think about NHI trust and autonomous access boundaries.

By the numbers:



Context

Password-based authentication remains a control problem because compromise starts before most security teams notice. In human IAM programmes, the issue is not simply whether a password exists, but whether the organisation still depends on a reusable secret that can be phished, replayed, or stolen at scale.

The survey points to a gradual shift toward passwordless and phishing-resistant MFA, but also shows the operational drag that slows adoption. Fear of change, technology replacement concerns, time constraints, and staffing gaps all keep organisations tied to older authentication patterns even as guidance from CISA and NIST pushes in the opposite direction.


Key questions

Q: How should security teams phase in phishing-resistant MFA without disrupting users?

A: Start with the accounts that create the highest blast radius, such as administrators, remote access users, and employees handling sensitive data. Use a staged rollout that preserves existing identity provider workflows, limits exception use, and replaces reusable secrets with device-bound authenticators where possible. That approach reduces user friction while removing the easiest credential theft path.

Q: Why do passwords still persist even when organisations know they are risky?

A: Passwords persist because migration is operationally hard, not because the risk is unclear. Organisations worry about change management, legacy integration, staffing, and the perceived cost of replacing existing controls. Those barriers keep reusable secrets in place longer than security teams intend, which means the risk becomes a governance issue as much as an authentication issue.

Q: How do you know if phishing-resistant MFA is actually improving security?

A: Look for reduced reliance on reusable passwords, fewer successful phishing-based account takeovers, and fewer exception paths that fall back to weaker factors. A real improvement also shows up when high-risk users are migrated first and when authentication events are tied to device-bound verification rather than one-time codes or shared secrets.

Q: What is the difference between passwordless authentication and phishing-resistant MFA?

A: Passwordless authentication removes passwords from the login flow, while phishing-resistant MFA specifically ensures the authenticator cannot be easily intercepted or replayed. Some passwordless methods are also phishing-resistant, but the two terms are not identical. Security teams should assess whether the control prevents credential reuse in real phishing scenarios, not only whether it removes the password field.


Technical breakdown

Why passwords remain a reusable attack surface

Passwords concentrate risk because they are static, human-managed secrets that can be copied, guessed, phished, or reused across services. Unlike phishing-resistant MFA, password-based authentication does not bind the login event to a cryptographic device or a strong possession factor. That makes the credential itself the primary target. In practice, attackers do not need to defeat the entire IAM stack when the first factor is still a shared secret exposed through social engineering, credential stuffing, or malware. Passwords are therefore not just an authentication method. They are an identity attack surface that scales with every account, every login, and every exception to better controls.

Practical implication: treat password dependence as an attack-surface reduction problem, not a user-experience preference.

What phishing-resistant MFA changes in the authentication chain

Phishing-resistant MFA changes the trust model by requiring an authenticator that resists interception and replay, such as a hardware-backed passkey or a device-bound credential flow. The goal is not simply adding a second step, but removing the attacker's ability to reuse captured login material in a separate session. This matters because many phishing campaigns now proxy authentication in real time, making traditional OTP-based MFA insufficient in high-risk environments. For IAM teams, the technical shift is toward verifiable possession, stronger session binding, and reduced reliance on secrets that can be copied out of band.

Practical implication: prioritise authentication methods that bind access to the device and session, not to a reusable code.
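The following is an added illustration of the trust-model change described above; it is not code from the Axiad survey or the NHI Mgmt Group page. It models the two factor types side by side: a shared-secret one-time code, which a real-time proxy can relay inside its validity window, and a device-bound authenticator that signs a fresh challenge together with the origin the browser is actually on, so the relying party can reject an assertion produced for the wrong site or reused from an earlier session. HMAC-SHA256 with a per-device secret is an assumption standing in for the public-key signature a FIDO2/WebAuthn authenticator would produce; the origins, secrets and function names are constructed for the example.

```python
"""Why an origin-bound, challenge-signing authenticator resists real-time
(adversary-in-the-middle) phishing while a one-time code does not.

Added example, not from Axiad or NHI Mgmt Group. HMAC-SHA256 keyed with a
per-device secret is a stand-in (assumption) for the asymmetric signature a
FIDO2/WebAuthn authenticator produces; the structure is what matters.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

RP_ORIGIN = "https://login.example.com"     # legitimate relying party (constructed)
PHISH_ORIGIN = "https://login-example.com"  # proxy site the victim actually visits (constructed)


# --- One-time code factor (shared secret, not bound to origin or session) ---
def totp_like_code(shared_secret: bytes, step: int) -> str:
    """Time-window code derived from a shared secret (simplified TOTP shape)."""
    digest = hmac.new(shared_secret, step.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def otp_server_verify(shared_secret: bytes, code: str, step: int) -> bool:
    """The server only sees a correct code; it cannot tell which site collected it."""
    return hmac.compare_digest(code, totp_like_code(shared_secret, step))


# --- Device-bound factor (signs the RP's challenge plus the browser-supplied origin) ---
@dataclass
class Assertion:
    challenge: bytes
    origin: str        # filled in by the browser, not by the user or the page
    signature: bytes


def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> Assertion:
    """Sign (origin, challenge) with the key that never leaves the device."""
    msg = hashlib.sha256(origin.encode()).digest() + challenge
    return Assertion(challenge, origin, hmac.new(device_key, msg, hashlib.sha256).digest())


def rp_verify(device_key: bytes, issued_challenge: bytes, a: Assertion) -> bool:
    """Relying-party checks: expected origin, fresh challenge, valid signature."""
    if a.origin != RP_ORIGIN:                                     # origin binding
        return False
    if not hmac.compare_digest(a.challenge, issued_challenge):    # freshness / anti-replay
        return False
    msg = hashlib.sha256(a.origin.encode()).digest() + a.challenge
    return hmac.compare_digest(a.signature, hmac.new(device_key, msg, hashlib.sha256).digest())


# --- Scenarios -------------------------------------------------------------
def aitm_relay_otp(shared_secret: bytes) -> bool:
    """Victim types a valid code into the proxy page; proxy forwards it in-window."""
    step = int(time.time()) // 30
    captured = totp_like_code(shared_secret, step)
    return otp_server_verify(shared_secret, captured, step)       # accepted: True


def aitm_relay_passkey(device_key: bytes) -> bool:
    """Proxy forwards the real RP challenge, but the browser signs for PHISH_ORIGIN."""
    challenge = os.urandom(32)                                    # issued by the real RP
    assertion = authenticator_sign(device_key, challenge, PHISH_ORIGIN)
    return rp_verify(device_key, challenge, assertion)            # rejected: False


def replay_old_assertion(device_key: bytes) -> bool:
    """A captured assertion cannot be reused against a later, fresh challenge."""
    old = authenticator_sign(device_key, os.urandom(32), RP_ORIGIN)
    return rp_verify(device_key, os.urandom(32), old)             # rejected: False


def legitimate_passkey(device_key: bytes) -> bool:
    """Normal sign-in on the real origin."""
    challenge = os.urandom(32)
    return rp_verify(device_key, challenge, authenticator_sign(device_key, challenge, RP_ORIGIN))


if __name__ == "__main__":
    secret, key = os.urandom(20), os.urandom(32)
    print("OTP relayed through proxy accepted:    ", aitm_relay_otp(secret))      # True
    print("Passkey relayed through proxy accepted:", aitm_relay_passkey(key))     # False
    print("Old assertion replayed accepted:       ", replay_old_assertion(key))   # False
    print("Passkey on real origin accepted:       ", legitimate_passkey(key))     # True
```

The two checks in `rp_verify` are the whole story: the origin comparison is what makes the factor phishing-resistant, and the challenge comparison is what makes a captured assertion worthless in a separate session. An OTP server has neither piece of information, which is why proxying works against it regardless of how strong the code generation is.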

Why Zero Trust depends on routine verification, not one-time login

Zero Trust Architecture assumes access must be continuously re-evaluated rather than granted once and trusted for the rest of the session. In that model, authentication is a checkpoint, not a finish line. Passwordless and phishing-resistant MFA fit this approach because they reduce the chance that an attacker can simply reuse stolen credentials to enter the environment. The article also notes that Axiad layers this on top of existing identity providers rather than forcing rip-and-replace migration, which reflects a common enterprise reality: stronger authentication must fit into current control planes, not bypass them.

Practical implication: align authentication modernization with Zero Trust policy enforcement and existing IdP workflows.




NHI Mgmt Group analysis

Password dependence is still the most durable human identity risk because it preserves a reusable secret at the point of access. The survey shows that 93% of respondents still use passwords for business, even while phishing-resistant approaches are gaining attention. That means the core exposure is not theoretical. It is the continued acceptance of a control that attackers already know how to target at scale. Practitioners should treat password persistence as a governance failure, not just a technical debt issue.

Phishing-resistant MFA is not a feature preference; it is a shift in the authentication trust boundary. The value is not in adding another prompt, but in removing the replayable secret from the attack path. That change matters most where credential theft, adversary-in-the-middle phishing, and session hijacking are realistic threats. The practical implication is that authentication strategy must be evaluated by what it prevents from being reused, not by how many steps it adds.

The real barrier is adoption friction, not lack of guidance. Fear of change, rip-and-replace concerns, time pressure, and staffing limits explain why many programmes remain password-dependent even after receiving direction from CISA and NIST. This is a governance problem because the decision to delay modernisation keeps the organisation aligned to a weaker control model. Practitioners should frame migration as risk removal, not technology substitution.

Phishing-resistant MFA only becomes durable when identity teams design for migration paths, not ideal-state resets. The article’s emphasis on layering over existing IdPs reflects the operational reality that authentication change has to survive enterprise complexity. That means the control conversation is really about sequencing, scope, and exception handling across human identities. Teams that cannot stage the transition will keep passwords in the critical path longer than they should.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many identity teams are still operating with incomplete machine-identity inventories.
  • For a broader control baseline, review Ultimate Guide to NHIs, Key Challenges and Risks alongside authentication modernisation planning.

What this signals

Passwordless adoption will only matter if identity teams treat authentication as part of a wider trust model. The organisations that replace passwords without tightening session policy, conditional access, and recovery paths will keep the same exposure in a different form. In practice, the authentication programme has to connect to Zero Trust Architecture and identity governance instead of sitting beside them.

The stronger signal here is that migration friction is now a programme design issue. Fear of change, legacy application constraints, and limited staff are not side notes. They are the reasons weak authentication survives long after teams agree it should not.

Identity attack surface reduction: This is the useful concept to carry forward. The question is no longer whether passwords are bad in the abstract, but how much reusable credential exposure the enterprise is willing to keep while better controls remain half-deployed.


For practitioners

  • Inventory password-dependent login paths: Map every human authentication flow that still accepts reusable passwords, including legacy IdPs, service portals, remote access, and exception accounts. Prioritise the paths with external exposure and privileged access first.
  • Migrate high-risk users to phishing-resistant factors first: Start with administrators, remote workers, and users handling sensitive data. Use device-bound authenticators and phase out OTP-based methods where adversary-in-the-middle phishing is credible.
  • Use Zero Trust as the migration frame: Tie authentication changes to routine verification, conditional access, and session-level policy checks so the programme improves control rather than simply replacing one login method with another.
  • Plan around operational friction early: Document where rip-and-replace concerns, staffing gaps, and legacy application constraints will slow adoption, then build a staged rollout and exception process that does not leave passwords in permanent use.
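The inventory and measurement steps above, and the earlier question of how to tell whether phishing-resistant MFA is actually reducing exposure, both come down to the same data: which factor each successful sign-in used, by user, application and privilege level. The script below is an added example, not code from the page or from Axiad, that turns a sign-in export into the metrics a programme owner would track: the share of logins still resting on a reusable secret, privileged users who still complete non-phishing-resistant logins, the applications that remain password-only, and explicit fallback events. The CSV layout, field names and factor labels are constructed for the example; a real IdP export will need its own mapping into the three tiers.

```python
"""Measure password dependence and fallback use from a sign-in export.

Added example; not from Axiad or the NHI Mgmt Group page. The CSV columns,
factor labels and sample rows are constructed. Map your IdP's real factor
names into the three tiers below before use.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export: one row per successful sign-in.
SAMPLE_LOG = """\
timestamp,user,privileged,app,factor,fallback
2025-08-01T08:01:12Z,alice,true,vpn,password,false
2025-08-01T08:03:40Z,alice,true,admin-console,fido2,false
2025-08-01T08:10:05Z,bob,false,mail,password+sms_otp,false
2025-08-01T08:12:51Z,carol,true,vpn,password+totp,true
2025-08-01T09:00:00Z,dave,false,hr-portal,password,false
2025-08-01T09:15:22Z,erin,false,mail,passkey,false
2025-08-01T09:30:09Z,carol,true,admin-console,fido2,false
2025-08-01T10:05:47Z,bob,false,legacy-erp,password,false
"""

# Tiers used throughout the article: reusable secret alone, MFA whose second
# factor can still be relayed, and device-bound phishing-resistant factors.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard_piv"}
REPLAYABLE_MFA = {"password+sms_otp", "password+totp", "password+push"}


def classify(factor: str) -> str:
    """Map a factor label from the export onto one of the three tiers."""
    if factor in PHISHING_RESISTANT:
        return "phishing_resistant"
    if factor in REPLAYABLE_MFA:
        return "replayable_mfa"
    if factor == "password":
        return "password_only"
    return "unknown"  # surface unmapped labels rather than silently counting them as safe


def analyse(log_text: str) -> dict:
    """Return the programme metrics for one export."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    total = len(rows)
    tiers = Counter(classify(r["factor"]) for r in rows)

    privileged_exposed = defaultdict(set)   # privileged user -> apps reached without PR-MFA
    password_only_apps = Counter()          # app -> password-only sign-ins
    fallbacks = []                          # explicit step-downs to a weaker factor
    for r in rows:
        tier = classify(r["factor"])
        if r["privileged"] == "true" and tier != "phishing_resistant":
            privileged_exposed[r["user"]].add(r["app"])
        if tier == "password_only":
            password_only_apps[r["app"]] += 1
        if r["fallback"] == "true":
            fallbacks.append((r["user"], r["app"], r["factor"]))

    reusable = tiers["password_only"] + tiers["replayable_mfa"]
    return {
        "total": total,
        "tiers": dict(tiers),
        # Share of sign-ins that still depend on something an attacker could relay or reuse.
        "reusable_share": round(reusable / total, 3) if total else 0.0,
        "privileged_exposed": {u: sorted(a) for u, a in privileged_exposed.items()},
        "password_only_apps": dict(password_only_apps),
        "fallbacks": fallbacks,
    }


def migration_order(metrics: dict) -> list:
    """Who to move first: privileged users still completing non-PR logins, widest exposure first."""
    exposed = metrics["privileged_exposed"]
    return sorted(exposed, key=lambda u: (-len(exposed[u]), u))


if __name__ == "__main__":
    m = analyse(SAMPLE_LOG)
    print(f"{m['total']} sign-ins, {m['reusable_share']:.0%} on reusable factors: {m['tiers']}")
    print("Privileged users with non-PR logins:", m["privileged_exposed"])
    print("Password-only applications:", m["password_only_apps"])
    print("Fallback events:", m["fallbacks"])
    print("Migrate first:", migration_order(m))
```

Run against successive exports, the `reusable_share` figure and the `privileged_exposed` list are the two numbers that should fall over time; a flat `fallbacks` count with a falling `reusable_share` is the pattern that tells you exception paths are being left open rather than closed.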

Key takeaways

  • Passwords remain the default authentication method for most organisations, which keeps reusable credential risk at the centre of human IAM.
  • The survey shows rising interest in passwordless and phishing-resistant MFA, but adoption is still slowed by migration friction and legacy constraints.
  • Security teams should frame modern authentication as attack-surface reduction and Zero Trust alignment, not as a user-interface upgrade.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                    | Control / Reference | Relevance
NIST CSF 2.0                 | PR.AC-1             | Phishing-resistant access control is directly relevant to stronger authentication.
NIST SP 800-63               |                     | Digital identity guidance applies to authentication assurance and phishing resistance.
NIST Zero Trust (SP 800-207) |                     | Zero Trust requires continuous verification instead of one-time credential trust.

Replace weak login factors with stronger access controls and reduce password-only paths.


Key terms

  • Phishing-resistant MFA: Multi-factor authentication that is designed to resist real-time phishing and credential replay. It usually relies on cryptographic, device-bound verification rather than reusable codes, which means the authenticator cannot be easily intercepted and reused by an attacker in another session.
  • Passwordless authentication: An authentication approach that removes passwords from the login process. The stronger versions use possession-based and cryptographic methods, often tied to a trusted device, so the user proves identity without relying on a reusable secret that can be phished or stolen.
  • Zero Trust Architecture: A security model that assumes access should not be trusted simply because a user or device already authenticated. It requires ongoing verification, policy enforcement, and constrained access decisions, which makes weak first-factor authentication a poor fit for modern control design.

Deepen your knowledge

Phishing-resistant MFA, passwordless adoption, and Zero Trust authentication are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising authentication in a mixed human and non-human environment, it is worth exploring.

This post draws on content published by Axiad: The Path to Passwordless, Phishing-Resistant MFA: Emerging but Still a Long Road Ahead. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org