By NHI Mgmt Group Editorial Team
Published 2025-09-16
Domain: Governance & Risk
Source: Axiad

TL;DR: Phishing resistance is becoming a board-level priority because identity-related breaches are common, phishing remains the dominant breach type, and fragmented IAM estates leave inconsistent MFA coverage, according to Axiad and cited industry research. The real issue is not whether MFA exists, but whether it is resistant to interception, replay, and bypass across every authentication path.


At a glance

What this is: This article argues that phishing-resistant MFA, especially certificate-based authentication, is necessary because legacy MFA and siloed IAM systems leave exploitable authentication gaps.

Why it matters: It matters because IAM teams need consistent, phishing-resistant controls across human identity programmes, especially where multiple IAM systems, remote access, and passwordless adoption create uneven protection.

By the numbers:



Context

Phishing-resistant MFA is a control problem, not just an authentication preference. When users can be coerced, credentials can be intercepted, or MFA challenges can be replayed, the assurance model behind traditional login flows breaks down across human identity programmes.

The issue becomes sharper in environments with multiple IAM systems, where one stack may be stronger than another and attackers only need one weak path. Certificate-based authentication is presented here as a way to reduce inconsistency across authentication methods, devices, and operating systems.


Key questions

Q: How should security teams implement phishing-resistant MFA across multiple IAM systems?

A: Start by mapping every authentication path, not just the primary login portal. Then standardize phishing-resistant methods for high-value users and applications, remove weaker fallbacks where possible, and close exceptions in legacy systems. The goal is consistent assurance across the estate, because attackers will target the weakest path rather than the most modern one.

Q: Why do multiple IAM systems make phishing resistance harder to govern?

A: Multiple IAM systems often support different authentication methods, policies, and exceptions. That creates uneven protection, so one platform may be resistant while another still accepts replayable factors. Governance becomes harder because security teams must validate coverage, not just capability, across every system that issues or verifies access.

Q: What do security teams get wrong about MFA and phishing risk?

A: They often assume that any MFA meaningfully blocks phishing. In practice, SMS, push, and other interceptable methods can still be defeated through social engineering, SIM swapping, or man-in-the-middle attacks. The right question is whether the factor is replay-resistant and bound to the real authenticator, not whether it is simply a second step.

Q: Who should own phishing-resistant authentication governance in an enterprise?

A: Ownership should sit with identity and security leadership jointly, because the control spans IAM architecture, user experience, device posture, lifecycle management, and privileged access. If ownership is scattered, gaps appear in exceptions, recovery flows, and legacy integrations. Accountability must cover the whole authentication estate, not a single project team.


Technical breakdown

Why phishing-resistant MFA is different from standard MFA

Standard MFA adds a second factor, but that second factor can still be captured, forwarded, or replayed through phishing, SIM swapping, or man-in-the-middle techniques. Phishing-resistant MFA binds authentication to a cryptographic proof that cannot be trivially copied from a login prompt. Certificate-based authentication is one example because the authenticator proves possession of a private key rather than revealing a reusable code. That changes the attacker problem from stealing a code to defeating the underlying trust anchor.

Practical implication: assess whether your MFA methods are replay-resistant, not just multi-factor on paper.

How certificate-based authentication reduces login interception risk

Certificate-based authentication uses certificates and strong tokens to authenticate a user without relying on one-time codes that can be intercepted in transit. In practice, the verification occurs against a device-held credential, which makes browser-based credential capture far less effective. It also supports passwordless flows and can be layered across different systems, which matters when organizations operate more than one IAM platform. The control value comes from cryptographic binding, not user convenience alone.

Practical implication: prioritize authentication methods that tie access to device-held keys rather than transmissible codes.
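To make the replay and binding argument of the two sections above concrete, here is an added example in Go (not Axiad's product code and not from the original article) of a challenge-response factor: a device-held ECDSA private key signs a one-time server nonce together with the origin it is actually talking to, so a captured response cannot be replayed and one produced for a lookalike login page does not verify. The origins, the `Server` and `Sign` names, and the simplification of trusting a bare public key instead of parsing the user's certificate are assumptions of this example; the origin binding is modelled on how WebAuthn binds responses to the relying party.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type Server struct {
	origin  string           // the origin users are meant to reach
	pub     *ecdsa.PublicKey // simplified: in real CBA this comes from the user's certificate
	pending map[string]bool  // issued nonces that have not yet been consumed
}

// Challenge issues a fresh random nonce that is valid for exactly one use.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b)
	n := fmt.Sprintf("%x", b)
	s.pending[n] = true
	return n
}

// Verify accepts a signature only over an unused nonce AND this server's own origin,
// so a captured signature cannot be replayed and one made for a lookalike origin fails.
func (s *Server) Verify(nonce string, sig []byte) bool {
	if !s.pending[nonce] {
		return false // unknown or already consumed: treat as a replay
	}
	delete(s.pending, nonce) // consume first, so a retry also fails
	h := sha256.Sum256([]byte(s.origin + "\x00" + nonce))
	return ecdsa.VerifyASN1(s.pub, h[:], sig)
}

// Sign models the device-held authenticator: the key never leaves it, and it signs the origin it actually talks to.
func Sign(priv *ecdsa.PrivateKey, origin, nonce string) []byte {
	h := sha256.Sum256([]byte(origin + "\x00" + nonce))
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return sig
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srv := &Server{origin: "https://login.example.com", pub: &priv.PublicKey, pending: map[string]bool{}}
	n := srv.Challenge()
	sig := Sign(priv, srv.origin, n)
	fmt.Println(srv.Verify(n, sig), srv.Verify(n, sig)) // true false: the second call is a replay
}
```

Contrast this with a one-time code typed into a page: whatever captures the code can forward it to the real server inside its validity window, because nothing in the code is tied to the origin or to a single server-issued challenge.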

Why IAM sprawl creates uneven phishing exposure

When organizations run multiple IAM systems, authentication policy often diverges by application, platform, or business unit. That creates inconsistent protections, because one system may support phishing-resistant methods while another still permits weaker factors. Attackers exploit the weakest authentication path, not the strongest one. Governance must therefore examine the whole authentication estate, including legacy systems, remote access paths, and operating-system differences, if it wants meaningful phishing resistance.

Practical implication: inventory authentication methods across all IAM systems before treating phishing resistance as complete.


Threat narrative

Attacker objective: The attacker aims to obtain authenticated access by bypassing user verification controls rather than defeating the account directly.

  1. Entry occurs when the attacker uses phishing, SIM swapping, or a lookalike login page to capture a user's credentials or MFA challenge.
  2. Escalation follows when the attacker reuses the captured factor or intercepts the authentication flow to obtain a valid session.
  3. Impact is unauthorized account access through a login path that appeared protected but was still replayable or interceptable.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Phishing resistance is now a control consistency problem, not a point solution problem. The central weakness the article identifies is not that MFA exists, but that MFA is deployed unevenly across multiple IAM systems. Once authentication protections vary by stack, the attacker only needs one route that still accepts replayable or interceptable factors. The governance takeaway is that phishing resistance must be measured across the full authentication estate, not assumed from a single modern login path.

Certificate-based authentication represents a stronger assurance model because it removes the easiest phishing target: the reusable code. Codes, prompts, and SMS factors can be forwarded or intercepted, while device-bound cryptographic proof is harder to replay at scale. That makes CBA especially relevant where remote work, legacy systems, and mixed operating environments create uneven login assurance. Practitioners should treat it as a way to close a class of interception failures, not as a universal identity silver bullet.

IAM fragmentation is the real governance defect that phishing attackers exploit. A programme with three or four IAM systems cannot claim equivalent protection if one system still allows weaker MFA paths. This is the kind of control drift that turns identity security into a patchwork of exceptions. The implication is that authentication governance must track policy consistency, method strength, and coverage by system, not just adoption counts.

Phishing resistance should be evaluated as part of identity surface reduction, not as a standalone user experience upgrade. The article links stronger authentication to lower operational friction and less dependence on IT reset workflows, but the strategic value is in reducing the number of ways an attacker can translate social engineering into account control. That aligns directly with NIST CSF and zero trust thinking: verify strongly, consistently, and across all access paths.

Certificate-based authentication creates a better baseline for passwordless access, but only if lifecycle discipline matches the cryptography. Strong authenticator design does not remove the need for provisioning, recovery, revocation, and inventory control. In other words, better factors do not fix weak identity governance by themselves. Practitioners should align authentication modernization with lifecycle controls, or the same estate that resists phishing can still accumulate access risk.

From our research:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most teams still cannot see the identity estate they are trying to govern.
  • For the broader risk picture, 52 NHI Breaches Analysis shows how unmanaged identity exposure repeatedly turns into real incident paths.

What this signals

Phishing-resistant MFA will increasingly be judged by coverage, not capability. Most enterprises can buy a control that claims resistance, but very few can prove the same standard applies everywhere users authenticate. That is why IAM fragmentation is now a governance issue, not merely an architecture nuisance. Teams should expect board and audit questions to shift from whether phishing-resistant MFA exists to where it is still bypassable.

Phishing resistance and lifecycle discipline now move together. A stronger authenticator still needs issuance, recovery, revocation, and inventory control, which means IAM and identity governance teams must coordinate more tightly than they often do today. This is especially true where strong authentication is layered over legacy systems that still require exception handling. If the control cannot be lifecycle-managed, it will not stay resistant in practice.

Identity attack surface reduction is the strategic frame that connects human login risk to broader NHI governance. Once teams start measuring which access paths remain interceptable, the same lens naturally applies to service accounts, tokens, and other secrets that persist longer than intended. The pattern is familiar across identity domains: weak governance multiplies the ways access can be abused. For the reader's programme, that means authentication modernization should be paired with inventory, revocation, and exception management.


For practitioners

  • Map authentication methods by application and IAM system: Create an inventory of every login path, then identify where SMS, push approvals, or other replayable factors remain in use. Prioritize systems with customer, remote worker, or privileged access exposure.
  • Replace interceptable factors with phishing-resistant options: Where risk justifies it, move high-value access to certificate-based authentication or other cryptographically bound methods that do not rely on transmitted codes.
  • Test for bypass paths in legacy and siloed IAM estates: Review whether older platforms, federated apps, or administrative portals still accept weaker MFA than the rest of the estate. Close exceptions or isolate them behind stronger controls.
  • Align authentication rollout with lifecycle governance: Plan issuance, recovery, rotation, and revocation so that strong authenticators remain manageable at scale and do not create orphaned access or unsupported edge cases.

Key takeaways

  • Phishing-resistant MFA is only effective when it is consistent across every IAM system and login path.
  • Certificate-based authentication improves assurance by removing easy interception and replay opportunities from the authentication flow.
  • Identity teams should treat authentication modernization as part of broader identity governance, not as a standalone security feature.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST SP 800-63 | AAL | Phishing-resistant authentication maps to assurance level guidance for digital identity. |
| NIST CSF 2.0 | PR.AC-1 | Authentication policy and credential proofing are central to access control governance. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Zero trust requires continuous, strong verification rather than trust in a single factor. |

Apply stronger authentication at every access path and validate it consistently across the estate.


Key terms

  • Phishing-resistant MFA: A multi-factor authentication method that cannot be easily bypassed by intercepting or replaying a login challenge. It relies on stronger proof, often cryptographic, so the authenticator is bound to the device or session rather than transmitted in a form an attacker can reuse.
  • Certificate-based authentication: An authentication method that uses digital certificates and private keys to prove identity. Instead of sending a reusable code, the user or device proves possession of a cryptographic credential, which raises the bar for phishing, replay, and interception attacks.
  • IAM sprawl: The condition where multiple identity and access management systems coexist with different policies, methods, and exceptions. It creates uneven control coverage, making it harder to apply the same security standard to every user, application, and administrative path.
  • Replayable factor: An authentication factor that can be captured and used again by an attacker, such as a code, prompt response, or intercepted token. Replayable factors weaken assurance because they can be detached from the genuine user once the attacker has access to the exchange.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: Why phishing-resistant MFA is critical in 2023, and how CBA can help. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org