TL;DR: Phishing remains a dominant entry path, with 83% of organisations reporting attacks in 2021 and traditional MFA still bypassed through SIM swapping and man-in-the-middle techniques, according to Axiad. Phishing-resistant MFA shifts authentication away from reusable secrets and OTP interception, but it also exposes how much of modern IAM still depends on phishable trust steps.
At a glance
What this is: This is an analysis of why phishing-resistant MFA matters, and its key finding is that traditional MFA patterns can still be phished even when passwords alone are no longer enough.
Why it matters: It matters because IAM teams cannot treat MFA as a finished control when attackers can still bypass OTPs and capture credentials across human identity workflows.
By the numbers:
- 15 billion spam emails are sent across the internet each day.
- 83% of organizations reported phishing attacks in 2021.
Context
Phishing-resistant MFA is a human identity control problem, not just a login preference. The issue is that many MFA deployments still rely on secrets, codes, or channels that attackers can intercept, replay, or socially engineer around. Once that happens, the access path still looks legitimate even though the authentication event was compromised.
For IAM and PAM teams, the practical question is whether the organisation is protecting the authentication ceremony or only adding another step to it. The article argues that traditional MFA often reduces risk without eliminating phishing exposure, which is why phishing-resistant methods are becoming the more defensible baseline for high-risk access.
Key questions
Q: What breaks when organisations rely on SMS or email MFA for sensitive access?
A: The control breaks when the second factor can be intercepted, relayed, or socially engineered. SMS, email, and OTP-based MFA improve security over passwords, but they still leave room for SIM swapping and man-in-the-middle phishing. For sensitive access, that means the organisation is still authenticating through a phishable channel rather than using a proof method that resists interception.
Q: Why do phishing-resistant methods matter more for privileged users?
A: Privileged users create the highest blast radius if their accounts are taken over, so a phishable factor is a bigger governance problem there. Phishing-resistant MFA reduces the chance that an attacker can replay the login ceremony or capture a one-time code. That makes it the more defensible choice for administrators, remote access, and high-impact business workflows.
Q: What do security teams get wrong about saying MFA is already in place?
A: They often treat MFA as a binary control when the real question is which MFA method is deployed and whether the channel can be phished. Not all MFA creates the same assurance. If the factor depends on SMS, email, or a replayable prompt, the organisation still has a credential interception problem even though the checkbox is marked complete.
Q: Who should own the move to phishing-resistant authentication?
A: Identity, security architecture, and access governance teams should own it together because the decision affects assurance, user experience, and privileged access policy. The strongest methods should be mandated where compromise would be costly, and access reviews should confirm that the required method is actually enforced. That makes authentication a governance control, not just a deployment choice.
Technical breakdown
Why traditional MFA is still phishable
Traditional MFA often combines a password with a second factor such as an OTP delivered by SMS, email, or an authenticator prompt. That improves security over passwords alone, but it still depends on interceptable channels and user behaviour that attackers can manipulate. SIM swapping lets an attacker redirect verification codes, while man-in-the-middle phishing pages capture both the primary credential and the second factor in real time. The result is that MFA can authenticate the attacker instead of the user when the ceremony is phishable.
Practical implication: classify SMS, email, and OTP-based MFA as transitional controls, not as sufficient protection for high-risk access.
How phishing-resistant MFA changes the trust model
Phishing-resistant MFA uses cryptographic authentication rather than shared secrets or reusable codes. The article points to FIDO2 WebAuthn and PIV smart cards, both of which bind authentication to a trusted device and a local unlock method such as biometrics or a PIN. Because the private key never leaves the device and there is no code for an attacker to replay, the phishing window changes materially. This is less about adding another factor and more about removing the attacker’s ability to harvest a factor remotely.
Practical implication: prioritise phishing-resistant methods for privileged users, remote access, and any workflow where credential interception would be a material business risk.
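To make the trust-model shift concrete, here is an added illustration (not code from Axiad or from this article) of the relying-party check that gives FIDO2 WebAuthn its phishing resistance: the authenticator signs the RP ID hash together with a hash of the browser-produced clientDataJSON, which names the origin the user was really on. The RP ID, origins and challenge are constructed values; the model lets the authenticator sign for the lookalike page so the relying party's own checks can be shown, whereas a real browser would additionally refuse to use a credential whose RP ID does not match the page's domain, and flags and counter are omitted from authenticatorData.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
)
// clientData models the WebAuthn clientDataJSON fields that matter here.
type clientData struct{ Type, Challenge, Origin string }
// signedMessage is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON), with authenticatorData reduced to the RP ID hash.
func signedMessage(rpID string, cd []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cd)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}
// verifyAssertion is the relying party's check: fresh challenge, our origin, our RP ID, and a signature covering exactly the client data the browser produced.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, cd, sig []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return err
	}
	if c.Type != "webauthn.get" || c.Challenge != challenge {
		return errors.New("wrong ceremony type or stale challenge")
	}
	if c.Origin != origin { // the browser records the site the user was really on
		return errors.New("origin mismatch: assertion was made on another site")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(rpID, cd), sig) {
		return errors.New("signature does not cover this client data")
	}
	return nil
}
// scenario runs a genuine login, a relayed (phished) assertion and a tampered relay, returning the relying party's verdict for each (nil means accepted).
func scenario() (genuine, relayed, tampered error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key stays on the authenticator
	rpID, origin, challenge := "login.example.com", "https://login.example.com", "constructed-challenge-1"
	cd, _ := json.Marshal(clientData{"webauthn.get", challenge, origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, cd))
	genuine = verifyAssertion(&priv.PublicKey, rpID, origin, challenge, cd, sig)
	// Relay through a lookalike page (constructed origin): the browser puts that origin in clientDataJSON, so even a genuinely signed assertion is rejected when forwarded.
	pcd, _ := json.Marshal(clientData{"webauthn.get", challenge, "https://login-example.com"})
	psig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(rpID, pcd))
	relayed = verifyAssertion(&priv.PublicKey, rpID, origin, challenge, pcd, psig)
	// Rewriting clientDataJSON to the real origin invalidates the signature instead.
	tampered = verifyAssertion(&priv.PublicKey, rpID, origin, challenge, cd, psig)
	return
}
```

Contrast this with the OTP flows described above: there is no reusable code for a relay to forward, and the only thing the attacker could forward is bound to the site where it was produced.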
Why passwords still matter to the overall attack path
Even when MFA is present, password reuse and password fatigue still shape the attack surface. If users must remember many passwords, they reuse them, and that gives attackers a better chance of turning one phishing success into broader account compromise. That is why phishing-resistant MFA is often part of a passwordless transition. The operational value is not only stronger authentication, but also reducing the human failure modes that create repeatable access paths.
Practical implication: pair phishing-resistant MFA with passwordless adoption and credential hygiene work, or you will keep the underlying phishing problem alive.
Threat narrative
Attacker objective: The attacker wants trusted access that looks like a legitimate user session so they can take over accounts and extend compromise beyond the initial phish.
- Entry begins with phishing at scale, where a victim is lured to a lookalike login page or coerced through a fraudulent verification flow.
- Credential access follows when the attacker captures the password and the second factor through SMS interception, email compromise, or a man-in-the-middle relay.
- Impact occurs when the attacker uses the harvested authentication material for account takeover, lateral access, and, in some cases, ransomware deployment.
Breaches seen in the wild
- Emerald Whale breach — exposed Git config files led to 15K secrets stolen and 10K repo compromises.
- CI/CD pipeline exploitation case study — full server takeover via exposed .git directory and mismanaged CI/CD pipeline secrets.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Phishing-resistant MFA is now the point where human IAM either closes the loop or keeps reintroducing the same attack path. Traditional MFA reduces risk, but it still accepts phishable channels as part of the authentication model. That means the control can be bypassed without breaking the account itself, which is why the problem remains structural rather than purely operational. The practitioner conclusion is simple: if the second factor can be replayed or intercepted, it is not the end state for identity assurance.
SMS and email OTPs create an interception window, not a trust guarantee. The article’s examples, including SIM swapping and man-in-the-middle attacks, show that the factor is only as strong as the channel carrying it. That matters for human identity governance because many programmes still treat “MFA enabled” as a binary milestone. The practitioner conclusion is to measure the transport path, not just the checkbox.
Phishing-resistant MFA aligns authentication with cryptographic proof rather than user memory. FIDO2 and PIV shift the burden away from reusable secrets and toward device-bound credentials that are far harder to phish. This does not solve every IAM problem, but it removes one of the oldest credential abuse patterns from the human access chain. The practitioner conclusion is to reserve phishable MFA only where the risk is genuinely low.
Human identity programmes that keep passwords in the path are preserving attacker advantage. Password reuse and password fatigue are not side issues; they are the conditions that let phishing scale across accounts. Once a user can be tricked into handing over both a password and a second factor, the access model has already failed to separate identity from interception. The practitioner conclusion is to treat passwordless and phishing-resistant authentication as a governance decision, not a user-experience upgrade.
From our research:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
- For related governance guidance, see Ultimate Guide to NHIs, Regulatory and Audit Perspectives for how assurance controls map to audit expectations.
What this signals
Phishing-resistant authentication is becoming a governance baseline, not an advanced option. The more organisations rely on remote work, privileged cloud access, and distributed identity paths, the more fragile phishable MFA becomes. Teams that still depend on OTP-heavy controls should expect pressure to prove where those methods are still acceptable and where device-bound proof is now required.
Human identity programmes need a stronger assurance ladder. There is a meaningful difference between “MFA enabled” and “phishing-resistant MFA enforced for high-risk access.” That distinction will matter more in access reviews, audit conversations, and security architecture decisions as attackers continue to target the easiest interception path.
Credential interception should be treated as a design problem, not just a user training problem. If the login method can be relayed or replayed, awareness training cannot compensate for the control gap. The more durable response is to remove the attacker’s opportunity to steal or forward the authentication factor in the first place.
For practitioners
- Replace OTP-based MFA on high-risk accounts: Move privileged users, remote administrators, and sensitive business roles to phishing-resistant methods first. Prioritise FIDO2 WebAuthn or PIV where credential interception would enable broad access, and keep SMS and email OTPs out of elevated workflows.
- Review authentication channels for interception risk: Map every place where the organisation still relies on SMS, email, or push approvals that can be relayed through a phishing page. If the factor can be read, forwarded, or replayed by an attacker, treat it as a weak control path.
- Reduce password reuse pressure: Pair MFA upgrades with passwordless rollout and stronger credential hygiene so users are not forced to remember and recycle passwords across systems. That reduces the chances that one phish becomes a repeatable account compromise pattern.
- Align governance with phishing-resistant assurance levels: Define which applications, user groups, and administrative paths require device-bound authentication instead of generic MFA. Use access reviews to verify that the strongest authentication method is actually enforced where the impact of compromise is highest.
Key takeaways
- Traditional MFA reduces password risk, but it does not eliminate phishing when the second factor is still interceptable.
- The scale of phishing remains high enough that authentication design has become a board-relevant identity governance issue, not just an IT setting.
- Phishing-resistant MFA and passwordless design should be prioritised for privileged and high-impact access first, where compromise is hardest to absorb.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST SP 800-63 | Authenticator assurance guidance | Phishing-resistant authentication maps directly to digital identity assurance and authenticator strength. |
| NIST CSF 2.0 | PR.AC-7 | Covers user authentication and access enforcement, central to this article's MFA argument. |
| NIST Zero Trust (SP 800-207) | PR.AC | Zero Trust requires strong identity verification before granting access to protected resources. |
Use authenticator assurance guidance to replace replayable MFA with phishing-resistant methods for high-risk access.
Key terms
- Phishing-resistant MFA: Multi-factor authentication that cannot be easily replayed, intercepted, or proxied by an attacker. It relies on cryptographic proof tied to a trusted device rather than OTPs or channels that can be socially engineered, making it materially harder for phishing campaigns to succeed.
- Man-in-the-middle phishing: A phishing technique where the attacker sits between the user and the legitimate service, relaying credentials and authentication in real time. This defeats many traditional MFA flows because the attacker captures the full login session instead of just the password.
- SIM swapping: A social engineering attack that moves a victim’s phone number to an attacker-controlled SIM or device. When OTPs are delivered by SMS, the attacker can receive verification codes and use them to complete account takeover.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or identity lifecycle management in your organisation, it is worth exploring.
This post draws on content published by Axiad: The Importance of Phishing-resistant MFA. Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org