TL;DR: Traditional MFA and 2FA are increasingly bypassed by phishing, credential stuffing, push bombing, and man-in-the-middle attacks, prompting CISA, NIST, and the White House to push phishing-resistant MFA, according to Axiad. The core issue is that many programmes still treat MFA as sufficient when the real control gap is whether the factor can withstand modern adversary tooling.
At a glance
What this is: This is an analysis of why conventional MFA no longer provides enough identity protection and why phishing-resistant MFA is becoming the practical baseline.
Why it matters: It matters because IAM teams have to reassess authentication, federation, and device-bound credential strategies across human access, service identities, and modern workload flows.
By the numbers:
- PKI-based authentication typically accounts for 40% of use cases.
- FIDO accounts for approximately 60% of use cases.
Context
Phishing-resistant MFA is the point where authentication moves from a user challenge to a cryptographic trust model. The article argues that traditional MFA is no longer sufficient because attackers can bypass it through phishing kits, credential stuffing, social engineering, man-in-the-middle attacks, and push bombing, which makes the identity attack surface wider than the factor count suggests.
For IAM teams, the real question is not whether MFA exists, but whether the organisation is using methods that can withstand contemporary phishing and replay techniques. That distinction affects human sign-in, federation, and device-bound authentication patterns, and it also shapes how identity programmes think about certificate-based authentication, FIDO, and proof-of-possession controls.
Key questions
Q: How should security teams implement phishing-resistant MFA for high-risk access?
A: Security teams should roll out phishing-resistant MFA to privileged, remote, and externally exposed access first, then expand it to broader workforce use. The most effective pattern is to bind the factor to cryptographic proof, the expected origin, and the device or key holder, rather than relying on user-entered codes that can be relayed.
Q: Why do traditional MFA methods fail against phishing attacks?
A: Traditional MFA fails because many methods still depend on a code, prompt, or approval that an attacker can intercept, relay, or coerce in real time. Once the factor is replayable, the second step no longer proves the original user is present. That turns MFA into a weaker speed bump instead of a durable identity control.
Q: What do teams get wrong about phishing-resistant authentication?
A: Teams often assume any MFA is enough if it uses more than one factor. In reality, assurance depends on whether the factor resists phishing, proxying, and replay. Organisations also overgeneralise one method across every use case, even though workstation, browser, mobile, and server access have different authentication requirements.
Q: Should organisations use PKI or FIDO for passwordless access?
A: Most organisations need both, because PKI and FIDO solve different access patterns. FIDO is well suited to browser and SSO scenarios, while PKI is often better for non-browser and certificate-bound environments such as workstations, RDP, and server authentication. The right choice depends on where the credential must work.
Technical breakdown
Why traditional MFA breaks under modern phishing
Traditional MFA assumes the attacker must steal or replay a second factor in a way that the verifier can detect. In practice, phishing kits, reverse proxies, and session interception let attackers capture one-time codes or token-bearing approvals in real time, then reuse them before the user or system can react. Push fatigue attacks add pressure by turning the second factor into an approval reflex instead of an identity check. Once the factor is replayable, the control becomes a signalling mechanism rather than a trust boundary.
Practical implication: treat any MFA method that can be proxied or replayed as insufficient for high-risk access paths.
Phishing-resistant MFA with PKI and FIDO
Phishing-resistant MFA relies on cryptographic proof rather than user-entered secrets. PKI binds identity to certificates and private keys, which can be used across workstation, server, mobile, and SSO scenarios. FIDO uses public key cryptography and origin binding so a credential works only with the intended relying party. The article’s key technical point is that these are not interchangeable features. They address different authentication surfaces, and many enterprises need both to cover browser and non-browser use cases.
Practical implication: map PKI and FIDO to distinct authentication journeys instead of treating them as a single MFA category.
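To make the replay argument above concrete, here is an added Python illustration (not code from the Axiad article or from NHIMG) that models the relying-party checks which make a FIDO assertion origin-bound and contrasts them with a code-only verifier: the same challenge relayed through a phishing proxy passes the OTP check but fails the assertion check, because clientDataJSON carries the origin the browser actually loaded. RP_ID, the origins, the key and the OTP value are constructed; HMAC stands in for the credential's ECDSA signature, and a real browser would refuse the ceremony on the wrong origin even before the relying party saw it.

```python
import base64, hashlib, hmac, json, os

RP_ID = "corp.example"                              # constructed relying-party id
ALLOWED_ORIGINS = {"https://login.corp.example"}    # the only origin the RP trusts
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def authenticator_sign(key: bytes, origin: str, challenge: str) -> dict:
    """Model of the user's authenticator. The browser records the origin it
    actually loaded into clientDataJSON; the authenticator signs over
    authenticatorData || SHA-256(clientDataJSON). HMAC stands in for the ECDSA
    signature of a real FIDO credential (constructed simplification)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}).encode()
    auth_data = RP_ID_HASH + b"\x01" + (0).to_bytes(4, "big")   # flags=UP, signCount=0
    sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def verify_assertion(key: bytes, assertion: dict, expected_challenge: str) -> bool:
    """Relying-party checks in WebAuthn order: challenge freshness, origin
    binding, rpIdHash, user presence, then the signature."""
    cd = json.loads(assertion["clientDataJSON"])
    ad = assertion["authenticatorData"]
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False                    # stale or replayed challenge
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False                    # origin binding: the ceremony ran on another site
    if ad[:32] != RP_ID_HASH or not (ad[32] & 0x01):
        return False                    # wrong RP id or no user-presence flag
    expected = hmac.new(key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(),
                        "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])

def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """A code-only verifier has nothing to bind the code to: whoever learns the
    code inside its validity window passes."""
    return hmac.compare_digest(expected_code, submitted_code)

def relay_scenarios() -> dict:
    key = b"constructed-credential-key"
    challenge = b64url(os.urandom(32))              # RP issues a fresh challenge
    legit = authenticator_sign(key, "https://login.corp.example", challenge)
    # A reverse-proxy phishing page forwards the RP's challenge unchanged, but the
    # victim's browser still writes the origin it really loaded (constructed name).
    relayed = authenticator_sign(key, "https://login.phish.example", challenge)
    return {"fido_legit": verify_assertion(key, legit, challenge),
            "fido_relayed": verify_assertion(key, relayed, challenge),
            "otp_relayed": verify_otp("482913", "482913")}   # same code typed into the proxy
```

The dictionary returned by relay_scenarios() shows the contrast directly: the OTP relay succeeds, the relayed FIDO ceremony is rejected at the origin check, and only the ceremony run on the trusted origin passes.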
Identity assurance depends on protocol and context
Authentication strength is not just about factor count. It depends on the protocol, the trust anchor, and whether the credential can be reused outside the intended context. SAML, OAuth, OIDC, RADIUS, and certificate-based flows each introduce different assurance boundaries, and weak links often appear at provisioning, federation, or device enrolment rather than at login itself. That is why security teams need to evaluate the full identity path, not just the sign-in screen.
Practical implication: review authentication assurance across provisioning, federation, and session issuance, not only at point of login.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Phishing-resistant MFA is now an identity governance baseline, not an advanced option. The article’s core message is that conventional MFA no longer maps cleanly to attacker behaviour. When push prompts, codes, and replayable challenges can be bypassed, the control no longer deserves the same confidence as cryptographic authentication. Practitioners should treat authentication assurance as a governance decision, not a feature checkbox.
The important failure mode here is factor replayability. Traditional MFA often relies on a second factor that the user can transcribe, approve, or forward into an attacker-controlled session. That creates an exploitable identity handoff window between user intent and verifier trust. The implication is that organisations must separate strong-looking MFA from phishing-resistant MFA in policy, risk scoring, and access decisions.
Phishing-resistant authentication window: the real issue is not whether MFA exists, but whether the authentication artefact survives relay, proxying, and prompt abuse. This concept matters because identity teams often measure control presence instead of control resilience. A login flow that can be proxied is not equivalent to one that binds the credential to the origin and the device. Practitioners should classify authentication by replay resistance, not by enrolment count.
PKI and FIDO should be viewed as complementary control planes. The article correctly separates browser-heavy use cases from workstation and non-browser access paths. That means mature IAM programmes need design choices based on where the credential is used, not on a single corporate standard for every login. The implication is that identity architecture should be segmented by protocol, assurance level, and user journey.
Zero Trust only works when the authentication layer is actually phishing resistant. NIST-style zero trust assumptions fail if the first trust decision can be socially engineered. Strong authentication is not a side control in this model. It is one of the few points where the programme can still establish reliable identity assurance before downstream authorisation, segmentation, or conditional access logic runs. Practitioners should align authentication policy with the trust model they claim to operate.
From our research:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means identity assurance problems frequently persist below the authentication layer.
- This matters because rotation and offboarding discipline are part of the same trust model, and the Ultimate Guide to NHIs, Key Challenges and Risks shows how visibility gaps compound risk.
What this signals
Phishing-resistant MFA is becoming a programme design issue, not a sign-in preference. Teams that still treat authentication as a front-door problem will miss how quickly attacker tradecraft has moved to relay and approval abuse. The governance shift is to rate each access path by replay resistance and assurance quality, then align policy with the risk of the credential being used.
The broader signal is that identity programmes need clearer boundaries between credential possession, user presence, and verifier confidence. If those three are conflated, MFA dashboards can look healthy while the actual control is brittle. For practitioners, that means authentication standards must be rewritten as assurance tiers, not as a list of enabled options.
Replay-resistant authentication is now part of the zero trust conversation. NIST-style zero trust depends on reliable identity inputs, and organisations should read this as a cue to tighten their trust anchors before expanding conditional access or fine-grained authorisation. The practical next step is to link authentication policy to protocol choice, federation design, and device binding, then validate those assumptions against the NIST Cybersecurity Framework 2.0.
For practitioners
- Separate phishing-resistant MFA from legacy MFA in policy: Update assurance policies so replayable methods such as SMS, email OTP, and generic push approval are not treated as equivalent to certificate- or FIDO-backed authentication for sensitive access paths.
- Map authentication methods to specific access journeys: Use PKI for workstation, server, mobile, and non-browser scenarios, and use FIDO for browser and SSO use cases where origin binding matters most.
- Re-score privileged access on replay resistance: Require higher assurance for admin, remote desktop, federation, and VPN entry points, then block methods that can be proxied or socially engineered in real time.
- Review federation and provisioning as part of authentication assurance: Check whether SAML, OAuth, OIDC, and device enrolment flows preserve the same identity confidence you expect at sign-in, then close the weakest handoff points.
Key takeaways
- Traditional MFA no longer provides consistent protection when attackers can relay, proxy, or fatigue the second factor.
- Phishing-resistant authentication changes the control model by binding identity to cryptographic proof rather than user-entered codes.
- IAM teams should separate assurance tiers by use case, then align policy, federation, and privileged access to replay-resistant methods.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Authentication assurance depends on protecting non-human and machine-bound credentials. |
| NIST CSF 2.0 | PR.AC-7 | Strong authentication and proof of identity are central to access control decisions. |
| NIST Zero Trust (SP 800-207) | SA-3 | Zero trust requires reliable identity inputs before conditional access and segmentation. |
Classify authentication methods by replay resistance and bind privileged access to stronger proof.
Key terms
- Phishing-resistant MFA: Multi-factor authentication that uses cryptographic proof rather than replayable codes or easy-to-intercept approvals. It reduces the chance that an attacker can proxy or steal the second factor in real time, and it is the right standard for access paths where identity assurance must survive phishing.
- Public key infrastructure: A trust system that uses certificates and key pairs to prove identity and secure communications. In identity programmes, PKI is especially useful when access must work across workstations, servers, mobile devices, and non-browser systems, because the credential can be bound to a device or private key.
- FIDO authentication: A passwordless authentication method that uses public key cryptography and origin binding to verify a user without exposing reusable secrets. It is strongest where browser and SSO access dominate, because the credential can only be used with the intended relying party.
- Replay resistance: The degree to which an authentication factor or session token cannot be captured and reused by an attacker. Replay resistance is a practical test of MFA quality because a control that can be proxied or forwarded may look strong while still failing under phishing or man-in-the-middle abuse.
Deepen your knowledge
Phishing-resistant MFA and identity assurance are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are rebuilding authentication policy for high-risk access paths, it is worth exploring.
This post draws on content published by Axiad: Is Your MFA Broken? Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org