TL;DR: Passwords and OTP-based MFA remain vulnerable to interception, replay, and fake login portals, while phishing-resistant methods bind authentication to device or origin and remove shared secrets, according to RSA Security and Gartner. The real shift is not convenience, but reducing credential theft by changing what the authenticator trusts.
At a glance
What this is: This RSA Security article argues that phishing-resistant passwordless authentication is the practical response to credential theft and weak MFA patterns.
Why it matters: It matters because IAM programmes still relying on passwords, OTPs, or shared secrets are exposing both human and non-human identities to the same interception and replay risks.
By the numbers:
- 87% of companies are either deploying or plan to deploy passkeys to enhance security and UX.
- More than 175 million Amazon customers now use passkeys to log in.
👉 Read RSA Security's analysis of phishing-resistant passwordless authentication
Context
Phishing-resistant authentication means the login factor is cryptographically bound to the device or origin, so the attacker cannot simply copy a password or OTP and reuse it elsewhere. For IAM teams, the question is not whether passwords are inconvenient, but whether they still fit modern threat conditions across workforce, customer, and machine-facing access.
The governance gap is broader than phishing alone. Passwords and shared secrets create a reusable trust artifact, which means the same weakness can surface in human sign-in flows, service access patterns, and any identity journey that still depends on replayable credentials. That makes passwordless a lifecycle and assurance issue, not just an authentication UX choice.
RSA Security frames the move as phased rather than all-at-once, which is the right operating model for most enterprises. The starting position is common: organisations usually have pockets of strong auth already, but they have not yet turned that into a consistent phishing-resistant standard across all high-value access paths.
Key questions
Q: How should security teams implement phishing-resistant MFA in existing IAM environments?
A: Start with the most exposed and highest-value access paths, then phase in device-bound methods such as passkeys, FIDO2 keys, or smart cards. Keep the rollout tied to use case, user population, and assurance needs so you can replace replayable secrets without breaking operations or creating unmanaged exceptions.
Q: Why do passwords and OTP-based MFA still create phishing risk?
A: Because they remain transferable secrets. Attackers can steal, proxy, or replay them through fake login pages and man-in-the-middle kits, which means the authentication event can be copied even when a second factor is present. Phishing resistance requires binding the login to the real device or origin.
Q: What should IAM teams measure when moving to passwordless authentication?
A: Measure how much access still depends on replayable credentials, how many high-risk flows remain on OTPs, and whether the enrolled devices can be revoked and recovered cleanly. Those indicators show whether passwordless is reducing attack surface or simply adding another layer on top of old trust assumptions.
Q: Which access scenarios should be prioritised for phishing-resistant authentication first?
A: Prioritise administrative access, remote access, regulated workflows, and any application exposed to external attackers. Those are the places where credential interception has the highest blast radius, and they usually produce the clearest business case for stronger authentication.
Technical breakdown
Why device-bound authentication changes phishing economics
Phishing-resistant authentication works by binding the verifier to the legitimate device or origin, so the credential is not a transferable secret on the network. Passkeys, FIDO2 keys, smart cards, and device-based biometrics all reduce the chance that a captured credential can be replayed from a fake site. That changes the attacker’s job from stealing something reusable to defeating a cryptographic trust relationship. The important point for IAM architects is that the control is designed around origin and possession, not just user memory or a shared one-time code.
Practical implication: prioritise authenticators that prove device and origin binding for all privileged and high-risk sign-ins.
Why OTP-based MFA still leaves a replay path
Traditional MFA can still be phishable when one factor is a password and the second factor is an OTP sent by SMS, email, or an authenticator app. Attackers can intercept, proxy, or replay those codes through adversary-in-the-middle kits and fake portals. From an identity architecture perspective, this is still secret-based authentication, just with an extra step. The control fails because the second factor is often not cryptographically tied to the intended website or session. That is why many modern guidance documents now treat phishing resistance as a separate requirement from MFA presence.
Practical implication: do not classify OTP-based MFA as a phishing-resistant control for sensitive access decisions.
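As an added illustration (not code from the RSA article or from NHIMG), the following Python sketch shows the relying-party checks that make a passkey assertion device- and origin-bound, covering both the device-binding point above and why the OTP path has no equivalent check: a code proxied through a fake portal carries no origin for the verifier to reject. It assumes a constructed relying party at example.com, uses hex instead of the real base64url encoding, and stands in for the authenticator's asymmetric signature with an HMAC so it runs on the standard library alone.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying-party (RP) identity for this example.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"

# Simplification: an HMAC key stands in for the credential's private key.
# Real passkeys use an asymmetric signature (e.g. ES256) checked with the
# stored public key; the origin, challenge and rpIdHash checks are the same.
DEVICE_KEY = b"constructed-per-credential-key"

issued_challenges = set()  # RP-side record of challenges not yet consumed

def new_challenge() -> bytes:
    """RP side: mint a fresh, single-use challenge for one login attempt."""
    challenge = secrets.token_bytes(32)
    issued_challenges.add(challenge)
    return challenge

def authenticator_sign(challenge: bytes, origin_seen: str) -> dict:
    """Device side: sign authenticatorData || SHA-256(clientDataJSON).
    The browser fills in the origin it actually loaded, so a page on a
    phishing domain cannot claim to be RP_ORIGIN."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": origin_seen}).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest() + b"\x01"  # rpIdHash + UP flag
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(DEVICE_KEY, to_sign, "sha256").digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}

def rp_verify(assertion: dict) -> tuple:
    """RP side: the checks that make the credential non-transferable."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"  # phished assertion stops here
    challenge = bytes.fromhex(cd.get("challenge", ""))
    if challenge not in issued_challenges:
        return False, "unknown or reused challenge"          # replayed assertion stops here
    issued_challenges.discard(challenge)                     # each challenge is single use
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    to_sign = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(DEVICE_KEY, to_sign, "sha256").digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"
```

A valid assertion passes once; presenting it again fails the challenge check, and an assertion produced while the user was on a constructed phishing origin fails the origin check even though its signature is valid for that data.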
How phased passwordless rollout avoids governance drift
A phased rollout starts with an inventory of where passwords are used, then sets target states by use case, method, and user flow. That sequencing matters because different populations have different device, compliance, and usability constraints. For example, a healthcare worker in gloves and masks may need hardware-backed authentication, while a remote workforce may move first to passkeys and push approvals. The governance task is to maintain assurance consistency while the implementation path varies by audience. Without that structure, organisations often end up with mixed controls that look modern but still leave critical access paths dependent on replayable secrets.
Practical implication: map passwordless adoption by use case and assurance level before changing the authentication standard.
Threat narrative
Attacker objective: The attacker wants reusable access to the identity, and then to the systems and data reachable from that account.
- Entry occurs when an attacker tricks the user into entering credentials or an OTP into a fake login flow or man-in-the-middle portal.
- Escalation occurs when the captured secret is replayed against services that still accept password-plus-OTP or other shared-secret authentication.
- Impact occurs when the attacker gains account access that should have been protected by phishing-resistant verification, enabling compromise of the user or connected systems.
Breaches seen in the wild
- Cisco Active Directory credentials breach — Kraken ransomware group leaked Cisco Active Directory credentials.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Phishing resistance is now an identity governance requirement, not an authentication feature. Passwords and OTPs create a reusable trust artifact that attackers can intercept, proxy, or replay. Once that artifact exists, the same weakness can reach workforce logins, customer journeys, and adjacent privileged workflows. The practitioner conclusion is that IAM governance must treat phishing resistance as a control baseline, not as an optional hardening layer.
Standing shared secrets are the real problem, because they preserve the attack surface even when MFA is present. Organisations often assume that adding a second factor closes the loop, but OTP-based MFA still leaves a secret in transit or on a device that can be manipulated. The implication is that programme owners should stop measuring success by MFA coverage alone and instead measure how much access is still dependent on replayable credentials.
Passwordless adoption exposes the quality of an organisation’s identity inventory. The article’s phased approach only works if teams can identify where passwords exist, which populations need what kind of authenticator, and which flows are still legacy-dependent. That is a lifecycle governance problem as much as an authentication redesign problem. Practitioners should treat the rollout as a discovery exercise for identity debt.
Phishing-resistant authentication changes the control model for both human and machine access. Even though this article focuses on user login, the broader lesson is that any identity relying on transferable secrets inherits the same interception and replay risk. That makes passwordless part of a wider programme that spans human IAM, privileged access, and NHI hygiene. The practical conclusion is to align assurance levels across identity classes rather than modernising only the front door.
Device-bound credentials shift the security boundary from knowledge to possession and origin. That sounds simple, but it has deep governance consequences because the organisation now has to trust the enrolled device and the registration process, not just the secret itself. The implication is that identity teams need stronger device lifecycle, recovery, and revocation processes to make passwordless sustainable.
From our research:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that 1 in 4 organisations are already investing in dedicated NHI security capabilities.
- That visibility problem is why teams should pair phishing-resistant authentication with lifecycle governance, and our 52 NHI Breaches Analysis is the next resource to use when you need breach-pattern context.
What this signals
Passwordless is now part of the wider identity debt problem: organisations that still rely on transferable credentials usually have inconsistent enrollment, recovery, and revocation processes around them. That means the authentication upgrade will only hold if device lifecycle and fallback governance are redesigned alongside it.
The broader programme signal is that phishing resistance should be treated as a trust-boundary decision, not a UI change. IAM teams that can identify which access paths still depend on shared secrets will be better positioned to prioritise passkeys, hardware keys, and device-bound biometrics where the risk justifies the change.
As the environment shifts, the most exposed identities will be the ones with the weakest recovery and exception handling. That is why passwordless planning belongs with access governance, not separate from it, and why teams should compare their current state against the OWASP Non-Human Identity Top 10 when secrets and identity-bound trust overlap.
For practitioners
- Inventory every password-dependent access path: Map workforce, customer, admin, and API-facing flows that still depend on passwords or OTPs, then rank them by business criticality and phishing exposure. Start with privileged and externally reachable systems.
- Classify OTP-based MFA as transitional only: Treat SMS, email, and app-based one-time codes as interim controls, not phishing-resistant authentication, and document which applications still rely on them for high-risk access.
- Stand up device-bound options for high-risk users: Prioritise passkeys, FIDO2 keys, smart cards, or equivalent device-bound factors for administrators, finance users, and remote staff accessing sensitive systems.
- Tie passwordless rollout to identity lifecycle controls: Add enrollment, device recovery, revocation, and fallback-path governance before broad deployment so the new auth model does not create unmanaged exception paths.
Key takeaways
- Passwords and OTP-based MFA still leave a replayable trust path that attackers can exploit, even when organisations believe they have “multi-factor” coverage.
- The strongest authentication controls are the ones that bind proof to the real device or origin, because that removes the transferable secret attackers need.
- Passwordless success depends on identity inventory, lifecycle governance, and exception handling, not just on deploying new authenticators.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Passwords and OTPs remain transferable secrets that OWASP-NHI treats as high-risk. |
| NIST Zero Trust (SP 800-207) | PR.AC-1 | Phishing-resistant auth supports continuous verification and stronger session trust. |
| NIST SP 800-63 | AAL3 | Phishing-resistant authenticators align with higher assurance digital identity requirements. |
Replace replayable secrets on high-value paths with device-bound authenticators and remove shared-secret dependence.
Key terms
- Phishing-resistant authentication: Authentication that cannot be easily copied, replayed, or proxied by an attacker. The proof is bound to a legitimate device, origin, or cryptographic key, which makes intercepted secrets far less useful and reduces the value of fake login pages and man-in-the-middle attacks.
- Passwordless authentication: A sign-in method that removes passwords from the primary authentication flow. In practice, it uses passkeys, device-bound credentials, biometrics, or hardware keys to prove identity while reducing dependence on reusable secrets that attackers can steal or reuse.
- Device-bound credential: A credential that only works from the enrolled device or trusted origin where it was created. This limits replay and credential forwarding, but it also increases the importance of device enrollment, recovery, and revocation processes in the identity lifecycle.
- Replayable secret: A credential an attacker can capture and use again elsewhere, such as a password or one-time code sent over an interceptable channel. Replayable secrets are central to phishing risk because theft of the secret can be enough to impersonate the user.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: Passwordless Phishing-Resistant Passwordless Best Practices. Read the original.
Published by the NHIMG editorial team on 2025-06-24.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org