By NHI Mgmt Group Editorial Team | Published 2025-09-16 | Domain: Governance & Risk | Source: Axiad

TL;DR: Basic MFA methods like SMS, OTPs, and push approvals remain vulnerable to phishing, SIM swapping, and man-in-the-middle attacks, while a survey cited by Axiad found 93% of organisations still use passwords for business. The practical shift is to treat phishing-resistant MFA as the baseline for human identity, not an optional hardening step.


At a glance

What this is: Axiad argues that “good enough” MFA is no longer sufficient because common second-factor methods remain vulnerable to phishing and related bypass techniques.

Why it matters: This matters because IAM programmes that stop at basic MFA still leave human identities exposed, and those same trust assumptions often shape how organisations think about NHI and autonomous access control.

By the numbers: 93% of organisations still use passwords for business, according to a survey cited by Axiad.

👉 Read Axiad's analysis of why phishing-resistant MFA is replacing good enough MFA


Context

Multi-factor authentication is meant to reduce account takeover risk, but not every MFA method changes the threat model in a meaningful way. SMS codes, one-time passwords, and push approvals can still be bypassed through phishing, SIM swapping, and man-in-the-middle attacks, which means the control often protects compliance more than it protects identity.

For identity teams, the issue is not whether MFA exists, but whether the method resists real-world credential capture and replay. That distinction matters across human IAM and, by extension, any programme that assumes a second factor creates durable trust.

This is a human identity problem first, but it also exposes a broader governance pattern: teams often confuse presence of a control with resistance to the attack path it was supposed to block.


Key questions

Q: How should security teams implement phishing-resistant MFA for privileged users?

A: Start with the identities that can do the most harm if compromised, then move outward in waves. Use FIDO2 or PKI-based authenticators, enforce origin binding where possible, and remove SMS, OTP, and push approvals from privileged paths. The goal is not just stronger login, but a credential type that cannot be replayed through phishing or relay attacks.

Q: Why do basic MFA methods still leave account takeover risk in place?

A: Because the second factor can still be phished, relayed, swapped, or approved under pressure. A code or push prompt improves security only if the attacker cannot intercept or trick the user into handing it over. If the factor is replayable, the attacker does not need to break authentication, only to reuse it.

Q: What signals show that MFA is not actually phishing-resistant?

A: Look for SMS, OTP, push approvals, and broad exception use on high-value accounts. If users can approve login from a fraudulent prompt, if help desk resets re-enable weak factors, or if administrators still rely on shared-secret methods, the programme is not resistant enough to withstand modern phishing.

Q: Who should be first in line for phishing-resistant authentication?

A: Privileged users, remote access populations, and any identity that reaches sensitive business systems should go first. These accounts offer the highest payoff for attackers and the fastest containment benefit for defenders. Once those paths are protected, teams can tackle broader workforce rollout with less operational pressure.


Technical breakdown

Why basic MFA still fails against phishing and MITM attacks

Basic MFA improves security over passwords alone, but it still relies on shared secrets or transaction prompts that attackers can intercept, relay, or socially engineer. SMS and OTP-based methods are vulnerable because the code can be phished, SIM-swapped, or replayed in a man-in-the-middle flow. Push notifications can also be abused through fatigue and approval bombing. In practice, the problem is not second factor quantity but factor integrity. If the factor can be captured and replayed, it does not reliably bind the login to the real user or device.

Practical implication: replace vulnerable second factors with phishing-resistant authentication for any high-value human access path.

How phishing-resistant MFA changes the trust model

Phishing-resistant MFA such as FIDO2 and PKI-based authentication uses cryptographic proof instead of reusable secrets. The authenticator signs a challenge that is bound to the origin and the device, which makes relay attacks much harder to execute. This changes the identity model from code possession to cryptographic possession plus origin binding. For IAM programmes, that is the real shift: the control no longer depends on the user recognising a fraudulent prompt before the attacker can complete the session.

Practical implication: prioritise origin-bound, cryptographic authenticators for privileged and externally exposed accounts.
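To make the difference between a replayable factor and an origin-bound one concrete, here is an added Go example; it is not code from Axiad or NHI Mgmt Group, and it models a deliberately simplified FIDO2-style exchange rather than a real WebAuthn implementation. The authenticator signs a random challenge together with the origin the client observed; the relying party rejects an assertion produced for another origin, an assertion whose origin field was rewritten after signing, and a challenge that has already been consumed, while the plain OTP check beside it accepts a relayed code because nothing ties the code to where it was typed. The names Enroll, Authenticator, RelyingParty, Assertion and VerifyOTP, the origins, and the sample OTP are assumptions for illustration. The same model illustrates the "origin binding" entry under Key terms below. Real WebAuthn also scopes credentials to an RP ID, checks user presence, and tracks signature counters, all omitted here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator models a FIDO2-style device holding a private key enrolled for one
// relying party. Assumed, simplified illustration, not a CTAP/WebAuthn implementation.
type Authenticator struct{ priv ed25519.PrivateKey }

// RelyingParty is the real service: its own origin, the enrolled public key, and the
// challenges it has issued but not yet seen used.
type RelyingParty struct {
	Origin     string
	pub        ed25519.PublicKey
	challenges map[string]bool
}

// Assertion is what the client returns: the origin the browser observed, the
// challenge, and a signature covering both.
type Assertion struct {
	Origin    string
	Challenge []byte
	Signature []byte
}

// signedData binds origin and challenge into one message (origin length-prefixed so
// the fields cannot be confused), mirroring how WebAuthn signs the clientData hash.
func signedData(origin string, challenge []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(origin)))
	h := sha256.New()
	h.Write(n[:])
	h.Write([]byte(origin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Enroll generates a key pair and registers the public half with the relying party.
func Enroll(rpOrigin string) (*Authenticator, *RelyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv},
		&RelyingParty{Origin: rpOrigin, pub: pub, challenges: map[string]bool{}}, nil
}

// NewChallenge issues a fresh random challenge and records it as outstanding.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[string(c)] = true
	return c, nil
}

// Sign produces an assertion. clientOrigin is whatever origin the browser saw; on a
// phishing page that is the attacker's origin, and it is baked into the signature.
func (a *Authenticator) Sign(clientOrigin string, challenge []byte) Assertion {
	return Assertion{
		Origin:    clientOrigin,
		Challenge: challenge,
		Signature: ed25519.Sign(a.priv, signedData(clientOrigin, challenge)),
	}
}

// Verify accepts only an assertion made for this origin, over an outstanding
// challenge, with a valid signature; the challenge is consumed on success.
func (rp *RelyingParty) Verify(a Assertion) error {
	if a.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was produced for another site")
	}
	if !rp.challenges[string(a.Challenge)] {
		return errors.New("challenge unknown or already used")
	}
	if !ed25519.Verify(rp.pub, signedData(a.Origin, a.Challenge), a.Signature) {
		return errors.New("signature does not cover this origin and challenge")
	}
	delete(rp.challenges, string(a.Challenge))
	return nil
}

// VerifyOTP models a replayable factor: the server only checks that the code matches.
// A code captured on a phishing page and forwarded by the attacker verifies the same.
func VerifyOTP(expected, submitted string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(submitted)) == 1
}

func main() {
	auth, rp, err := Enroll("https://login.example.com") // assumed origin
	if err != nil {
		panic(err)
	}
	c, _ := rp.NewChallenge()
	fmt.Println("legitimate login:", rp.Verify(auth.Sign(rp.Origin, c)))
	c, _ = rp.NewChallenge()
	relayed := auth.Sign("https://login-example.evil", c) // user tricked onto a look-alike origin
	fmt.Println("relayed assertion:", rp.Verify(relayed))
	fmt.Println("relayed OTP accepted:", VerifyOTP("482913", "482913")) // constructed sample code
}
```

The point to notice is where the check lives: with the OTP, rejecting a relayed code depends on the user noticing the fake page before typing; with the signed assertion, the relying party rejects it regardless of what the user noticed, because the phishing origin is inside the signed data and the signature cannot be re-made for the real origin without the private key.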

Why rollout complexity keeps organisations on weaker controls

The adoption gap is rarely about not understanding the risk. It is usually about migration cost, user support burden, application compatibility, and the effort required to replace familiar authentication patterns. Teams often choose controls that are easier to deploy inside existing platforms, even when the resulting assurance is weak. That creates a governance mismatch: the policy says strong authentication is required, but the implementation still allows replayable factors and brittle exceptions.

Practical implication: map the applications, user groups, and exceptions that block phishing-resistant rollout before treating MFA coverage as complete.


  • Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
  • DeepSeek breach — exposed 1M+ log lines and sensitive secret keys.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Good enough MFA is a control label, not an assurance model: A one-time code or push prompt can satisfy a policy checkbox while still leaving the identity susceptible to phishing, relay, and approval abuse. The deeper problem is that many programmes measure deployment presence instead of resistance to the actual attack path. Practitioners should treat factor strength as a governance question, not a feature checklist.

Phishing-resistant authentication is the point where human IAM stops depending on user judgement at the moment of attack: FIDO2 and PKI-based methods remove the need for a human to detect a fake prompt quickly enough to save the session. That changes the assurance boundary from user behaviour to cryptographic binding. For IAM teams, that is the difference between a convenience layer and a control that meaningfully reduces account takeover.

Basic MFA is especially weak wherever the identity is high-value or externally reachable: The combination of remote access, privileged actions, and reusable second factors creates a narrow but repeated failure pattern. This is where identity blast radius becomes visible, because one compromised login can reach many downstream systems. The practical conclusion is to align authentication strength with the consequence of compromise, not with the minimum compliance requirement.

Phishing-resistant MFA closes part of the human identity gap, but it also exposes a broader programme issue: Organisations often modernise one control at a time while leaving adjacent governance processes unchanged. If access reviews, conditional access, and privileged workflows still assume legacy authentication, the environment remains internally inconsistent. Practitioners should use authentication modernisation as a trigger to re-evaluate the surrounding IAM control stack.

Authentication modernisation without lifecycle discipline simply moves the weak point: Stronger login controls do not fix stale entitlements, excessive privilege, or unmanaged exception paths. The identity programme still needs joiner-mover-leaver governance, privileged access review, and exception management to keep phishing-resistant MFA from becoming a standalone island of strength. The implication is clear: assurance has to be cumulative, not isolated.

From our research:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
  • For a broader breach lens, 52 NHI Breaches Analysis shows how credential exposure turns into repeatable operational failure.

What this signals

Phishing-resistant MFA is becoming the dividing line between policy compliance and real assurance. Teams that still depend on replayable second factors should expect attackers to keep targeting the authentication layer rather than the perimeter. The programme signal is simple: if the factor can be captured, the control is already behind the threat.

Identity assurance is now inseparable from exception management. Migration often stalls not on the primary design, but on legacy applications, help desk workflows, and temporary access paths that quietly preserve weaker methods. That is where Ultimate Guide to NHIs remains useful, because the same governance discipline applies when credential strength, lifecycle, and access scope have to be managed together.

93% of organisations are still using passwords at work for business, according to Axiad, which means the gap is not awareness but execution. For IAM leaders, the operational question is whether authentication modernisation is being sequenced with access reviews, privileged controls, and user support capacity. Without that sequencing, phishing-resistant MFA becomes another partially deployed control rather than a programme-wide shift.


For practitioners

  • Prioritise phishing-resistant MFA for high-risk accounts: Start with administrators, finance users, remote workers, and any account that can reach sensitive systems. Replace SMS, OTP, and push-based second factors where the exposure to phishing or man-in-the-middle replay is highest.
  • Map applications that block cryptographic authenticators: Inventory legacy apps, federated login paths, and exception workflows that cannot yet support FIDO2 or PKI-based authentication. Use that map to define a migration sequence instead of relying on a blanket MFA mandate.
  • Retire weak second factors before expanding access: Do not widen remote access, privileged access, or self-service enrolment while vulnerable factors remain in place. Tighten access paths first, then remove the shared-secret methods that create relay risk.
  • Pair authentication modernisation with access review discipline: Use the rollout of phishing-resistant MFA to reassess privileged entitlements, conditional access rules, and exception handling. Stronger login assurance does not compensate for stale or excessive access.
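A practitioner working through these steps, and looking for the signals listed under "What signals show that MFA is not actually phishing-resistant?", usually starts from an inventory of who is enrolled in what. The Go example below is added here and is not code from the page's authors or from Axiad: it audits a constructed JSON inventory of accounts and flags high-value accounts (privileged, remotely reachable, or reaching sensitive systems) with no phishing-resistant factor, accounts where a phishing-resistant factor coexists with a replayable fallback (a downgrade path that help desk resets or self-service enrolment can reopen), and any account carrying an active authentication exception. The inventory shape, the factor labels, the sample users and the Audit and Finding names are all assumptions; a real IdP export would need to be mapped into this form.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Account is one row of a constructed factor inventory (assumed shape, not a real IdP export).
type Account struct {
	User       string   `json:"user"`
	Privileged bool     `json:"privileged"`
	External   bool     `json:"external"`  // reachable through remote access
	Sensitive  bool     `json:"sensitive"` // reaches sensitive business systems
	Factors    []string `json:"factors"`
	Exception  string   `json:"exception"` // non-empty when a policy exception is active
}

// Finding is one audit result.
type Finding struct{ User, Severity, Issue string }

// Factor classes; the labels are assumed, not any product's identifiers.
var phishingResistant = map[string]bool{"fido2": true, "passkey": true, "pki": true, "smartcard": true}
var replayable = map[string]bool{"sms": true, "totp": true, "hotp": true, "email-otp": true, "push": true, "voice": true}

// SampleInventory is constructed test data.
const SampleInventory = `[
  {"user":"alice.admin","privileged":true,"external":true,"factors":["fido2","totp"]},
  {"user":"bob.finance","external":true,"sensitive":true,"factors":["sms"]},
  {"user":"carol","factors":["push"]},
  {"user":"dave.ops","privileged":true,"factors":["fido2"],"exception":"helpdesk-reset-2025-09"},
  {"user":"legacy-vpn-admin","privileged":true,"external":true,"factors":["totp"],"exception":"legacy-app-compat"}
]`

// highValue applies the page's prioritisation: privileged, externally reachable, or sensitive.
func highValue(a Account) bool { return a.Privileged || a.External || a.Sensitive }

// classify reports whether any enrolled factor is phishing-resistant and lists the weak
// ones; an unrecognised factor name is treated as weak rather than silently trusted.
func classify(factors []string) (resistant bool, weak []string) {
	for _, f := range factors {
		f = strings.ToLower(f)
		switch {
		case phishingResistant[f]:
			resistant = true
		case replayable[f]:
			weak = append(weak, f)
		default:
			weak = append(weak, f+"(unknown)")
		}
	}
	return resistant, weak
}

// Audit applies three checks: high-value accounts with no phishing-resistant factor,
// high-value accounts that keep a replayable fallback beside a resistant factor, and
// any account with an active exception (exceptions are where weak paths survive).
func Audit(raw []byte) ([]Finding, error) {
	var accounts []Account
	if err := json.Unmarshal(raw, &accounts); err != nil {
		return nil, err
	}
	var out []Finding
	for _, a := range accounts {
		resistant, weak := classify(a.Factors)
		if highValue(a) {
			switch {
			case !resistant:
				out = append(out, Finding{a.User, "high", "no phishing-resistant factor; enrolled: " + strings.Join(a.Factors, ",")})
			case len(weak) > 0:
				out = append(out, Finding{a.User, "medium", "replayable fallback still enabled beside resistant factor: " + strings.Join(weak, ",")})
			}
		}
		if a.Exception != "" {
			out = append(out, Finding{a.User, "medium", "active authentication exception: " + a.Exception})
		}
	}
	return out, nil
}

func main() {
	findings, err := Audit([]byte(SampleInventory))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-7s %-18s %s\n", f.Severity, f.User, f.Issue)
	}
}
```

On the sample data the low-value account with only push enrolled produces no finding, which is intentional: the page's advice is to align factor strength with the consequence of compromise and sequence the rollout, so the report surfaces the privileged and externally reachable accounts first. The "replayable fallback" finding is the one most often missed, since an account that shows FIDO2 in a coverage dashboard still has a phishable path while TOTP or push remains enrolled.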

Key takeaways

  • Basic MFA can satisfy a policy requirement while still leaving identity vulnerable to phishing, relay, and approval-based attack paths.
  • Axiad cites that 93% of organisations still use passwords for business, which shows how far the authentication baseline remains from resilient practice.
  • The practical response is to move high-risk users to phishing-resistant methods first and align the rollout with access review and exception management.

Key terms

  • Phishing-resistant MFA: Authentication that uses cryptographic proof instead of reusable secrets or easily relayed prompts. The authenticator binds the login to the real device and origin, making common phishing, relay, and man-in-the-middle attacks far harder to execute successfully.
  • Replayable second factor: A second authentication step that an attacker can capture and reuse, such as an SMS code, OTP, or approved push prompt. These factors add friction for attackers, but they do not fully prevent account takeover when the factor can be intercepted or socially engineered.
  • Origin binding: A cryptographic property that ties an authentication response to the legitimate site or service being accessed. It reduces the value of fake login pages because a credential response generated for one origin cannot be reused on another without failing verification.

Deepen your knowledge

Phishing-resistant MFA and human identity assurance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising authentication while still carrying legacy exceptions, it is worth exploring.

This post draws on content published by Axiad: Today’s “Good Enough MFA” Should Be Phishing-Resistant. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org