TL;DR: Traditional 2FA/MFA still depends on shared secrets, second-device approvals, and channels like SMS that attackers can intercept or pressure users into approving, according to Beyond Identity. Passwordless authentication shifts assurance to device-bound asymmetric cryptography and removes passwords from the attack path, making access governance materially harder to bypass.
At a glance
What this is: This comparison argues that traditional 2FA/MFA leaves avoidable trust gaps while passwordless authentication removes passwords and shared-secret dependence.
Why it matters: For IAM and NHI practitioners, the issue is whether access controls are still anchored to secrets and user prompts that attackers can hijack.
👉 Read Beyond Identity's comparison of traditional 2FA/MFA and passwordless authentication
Context
Traditional authentication is still built around secrets that can be intercepted, replayed, or socially engineered. For NHI and IAM programmes, that matters because the same weaknesses that affect human access often show up again in service accounts, API keys, and other non-human identities.
The core governance problem is not simply adding another factor. It is deciding whether access assurance should continue to depend on shared secrets and user interaction, or move toward device-bound identity and stronger cryptographic trust. That is a familiar transition path for teams modernising their identity controls.
The vendor frames passwordless authentication as the alternative to traditional 2FA/MFA, but the broader point is architectural. Organisations that still treat second factors as a sufficient control may be underestimating how often attackers win through phone-based interception, push fatigue, or stolen session material.
Key questions
Q: What is the difference between traditional MFA and passwordless authentication?
A: Traditional MFA usually adds a second factor on top of a password, so the login flow still depends on a shared secret. Passwordless authentication removes the password and uses device-bound cryptographic proof instead. The practical difference is that passwordless reduces the number of reusable secrets an attacker can steal, replay, or coerce a user into approving.
Q: Why can SMS and OTP-based MFA still be attacked?
A: SMS and OTP-based MFA can still be attacked because the code is a reusable secret delivered through channels that are vulnerable to interception, compromise, and social engineering. If an attacker controls email, the phone line, or the user’s approval habits, the second factor can be defeated without breaking the underlying account directly.
Q: How should organisations decide whether to keep using traditional MFA?
A: Organisations should keep MFA only where the control matches the risk and where stronger phishing-resistant methods are not yet practical. High-value roles, administrative access, and recovery flows should move first. The decision should be based on attack resistance, user behaviour, and recovery design, not on whether a second factor exists on paper.
Q: What is the difference between passwordless authentication and zero trust?
A: Passwordless authentication is an access method, while zero trust is an architecture that requires continuous verification and least privilege. Passwordless can strengthen zero trust by improving the quality of identity proof at login, but it does not replace device trust, authorization, monitoring, or lifecycle controls.
Technical breakdown
Why shared secrets remain the weak point in MFA
Traditional 2FA/MFA often protects a password with a second factor, but the underlying model still depends on secrets that can be phished, intercepted, or replayed. SMS codes, email-delivered one-time passwords, and push prompts all rely on channels that can be socially engineered or compromised. Even when a password is no longer enough by itself, the authentication flow still trusts user action at the point of login. That creates a brittle model for high-risk access, especially where attackers can automate attempts or manipulate users into approving access.
Practical implication: reduce reliance on factors that can be reused, intercepted, or approved under pressure.
How device-bound passwordless authentication changes assurance
Passwordless authentication shifts the trust anchor away from shared secrets and toward device-bound cryptographic keys. A private key stored in a secure enclave or TPM signs a challenge, while the public key can be verified without exposing credentials. That reduces the attack surface because there is no password database to steal and no OTP to replay. In identity terms, the device becomes part of the authenticator, which is stronger than simply layering another secret on top of an insecure first factor.
Practical implication: evaluate whether your strongest access paths are actually bound to hardware-backed identity.
Why compliance does not equal resilience
Many organisations adopted 2FA/MFA because auditors expected stronger authentication, not because the control was maximally resistant to modern attack paths. Compliance language often rewards the presence of a second factor, even when that factor is weak in practice. Passwordless approaches can satisfy the need for strong authentication while reducing exposure to shared-secret theft and push fatigue. That distinction matters for governance because security teams should not confuse checklist compliance with durable resistance to account takeover.
Practical implication: map strong-authentication requirements to actual resistance against phishing, replay, and helpdesk abuse.
Threat narrative
Attacker objective: The attacker aims to obtain authenticated access without having to defeat the underlying account directly.
- Entry occurs when attackers target the password-first flow and then pivot to the second factor through SMS interception, email compromise, or push fatigue.
- Escalation happens when one-time passwords or push approvals are stolen, replayed, or approved by a user under repeated notification pressure.
- Impact is account takeover through a login path that appears protected but still depends on compromised or socially engineered secrets.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Google Firebase misconfiguration breach — Firebase misconfigurations exposed 19.8M secrets across developer instances.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Traditional 2FA/MFA is a control upgrade, not an identity model upgrade. Adding a second factor can reduce opportunistic attacks, but it does not remove the trust assumptions created by passwords and shared-secret workflows. In mature IAM programmes, that distinction matters because the attack surface remains centered on what users know and what attackers can intercept. Practitioners should treat MFA as a mitigation step, not a final state.
Passwordless authentication changes the governance question from secret protection to device trust. Once the password is removed, the security model depends more heavily on cryptographic key protection, device integrity, and authentication policy. That is a healthier direction for high-assurance access, but only if teams also manage recovery, device loss, and lifecycle controls. Practitioners should evaluate passwordless as part of a broader identity architecture, not as a standalone control.
Friction is a security variable, not just a UX issue. When authentication is awkward, users bypass controls, abandon enrollment, or accept prompts without scrutiny. The practical consequence is that weaker user experience can degrade security outcomes even when policy looks sound on paper. Teams should measure adoption and bypass behaviour alongside assurance level, because poor usability can undo the intended risk reduction.
Zero trust programmes still fail if authentication rests on reusable secrets. A zero trust posture depends on continuous verification, but verification is only as strong as the identity signals feeding it. If those signals can be phished, replayed, or socially engineered, the architecture inherits the same weaknesses. Practitioners should align authentication design with zero trust objectives, not assume a second factor automatically satisfies them.
Device-bound identity is becoming a baseline expectation for stronger access control. The market direction is clear: security teams want fewer shared secrets, less dependence on SMS, and more cryptographic assurance at login time. That does not eliminate governance work. It shifts the work toward endpoint trust, recovery design, and the treatment of non-human identities that increasingly need similar assurance. Practitioners should plan for identity systems that prove possession rather than request repeated proof from users.
From our research:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slowly remediation often moves in real environments.
- Use 52 NHI Breaches Analysis to study how compromised identities are abused after initial access and where lifecycle controls fail.
What this signals
Ephemeral-looking controls are not the same as low-risk controls. Teams that rely on second factors without removing shared-secret dependency often preserve the same compromise paths in a newer wrapper. The programme implication is straightforward: if authentication still hinges on secrets, the control stack is still vulnerable to phishing, interception, and helpdesk-led recovery abuse.
With 96% of organisations storing secrets outside secrets managers in vulnerable locations including code, config files, and CI/CD tools, the broader identity problem is structural rather than isolated. That means authentication hardening and NHI governance need to move together, or the weakest identity path will keep dictating overall risk. Practitioners should treat credential handling as an architecture issue, not a point control.
Device trust will matter more as organisations raise assurance expectations. Passwordless and phishing-resistant methods improve authentication quality, but only if they are paired with recovery controls and lifecycle governance. Teams should prepare for a model where authentication proves possession of a trusted device, while governance proves that the device, the identity, and the access path remain valid over time.
For practitioners
- Audit every MFA path for shared-secret dependence: Inventory password plus OTP, SMS, email, and push-based access paths, then rank them by interception risk and replay exposure. Replace the highest-risk flows first, especially where privileged accounts or admin consoles still depend on reusable secrets.
- Prioritise hardware-backed authentication for privileged users: Move administrators, developers, and support staff to device-bound authentication backed by TPM or secure enclave protection. Keep enrollment, recovery, and lost-device procedures documented before expanding rollout.
- Treat push fatigue as an access-control failure mode: Set policy for repeated prompt suppression, number matching, or stronger phishing-resistant methods where push approvals are still allowed. Log and investigate abnormal approval patterns as authentication risk signals.
- Map passwordless rollout to NHI governance patterns: Use the same lifecycle discipline for service identities, automation accounts, and secrets-bearing workflows that you expect for human users. Align issuance, rotation, and revocation processes so identity assurance does not stop at the workforce edge.
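As an added example for the push-fatigue item above (not the page's own code, nor any product's API), the following JavaScript runs a simple detection over a constructed push-MFA log: it flags a user who receives more prompts than a threshold inside a time window, and an approval that follows repeated denials inside that window. The log format, field names, thresholds and user names are all assumptions made for the example.

```javascript
// Constructed sample push-MFA log (format invented for this example): alice logs in
// normally; bob is prompted repeatedly, denies twice, then approves.
const SAMPLE_LOG = [
  '2025-08-05T09:00:00Z user=alice action=push_sent',
  '2025-08-05T09:00:20Z user=alice action=push_approved',
  '2025-08-05T22:10:00Z user=bob action=push_sent',
  '2025-08-05T22:10:05Z user=bob action=push_denied',
  '2025-08-05T22:10:30Z user=bob action=push_sent',
  '2025-08-05T22:10:35Z user=bob action=push_denied',
  '2025-08-05T22:11:00Z user=bob action=push_sent',
  '2025-08-05T22:11:10Z user=bob action=push_approved',
];

// Parses "RFC3339-timestamp user=<u> action=<a>"; returns null for malformed lines.
function parseLine(line) {
  const m = /^(\S+) user=(\S+) action=(push_sent|push_denied|push_approved)$/.exec(line.trim());
  if (!m) return null;
  const at = Date.parse(m[1]);
  return Number.isNaN(at) ? null : { at, user: m[2], action: m[3] };
}

// Returns Map<user, Set<reason>>. Reasons: "prompt flood" (more than maxPrompts prompts inside
// windowMs) and "approval after repeated denials" (an approval with at least minDenials denials
// inside windowMs). Lines are assumed chronological; malformed lines are skipped.
function detectPushFatigue(lines, windowMs, maxPrompts, minDenials) {
  const recent = new Map();   // user -> events still inside the window
  const findings = new Map(); // user -> Set of reasons triggered
  for (const line of lines) {
    const e = parseLine(line);
    if (!e) continue;
    const evs = (recent.get(e.user) || []).filter(r => e.at - r.at <= windowMs);
    evs.push(e);
    recent.set(e.user, evs);
    const sent = evs.filter(r => r.action === 'push_sent').length;
    const denied = evs.filter(r => r.action === 'push_denied').length;
    const reasons = findings.get(e.user) || new Set();
    if (sent > maxPrompts) reasons.add('prompt flood');
    if (e.action === 'push_approved' && denied >= minDenials) reasons.add('approval after repeated denials');
    if (reasons.size) findings.set(e.user, reasons);
  }
  return findings;
}
```

Run with `detectPushFatigue(SAMPLE_LOG, 5 * 60 * 1000, 2, 2)` and only bob is reported, with both reasons; in practice the flagged approval is the session to suspend and investigate, since it is exactly the "approved under pressure" outcome the page describes.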
Key takeaways
- Traditional MFA reduces risk, but it does not remove the shared-secret model that attackers still exploit.
- Passwordless authentication improves assurance by shifting trust to device-bound cryptography and away from reusable secrets.
- Identity teams should evaluate authentication through attack resistance, recovery design, and lifecycle governance, not checkbox compliance.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication strength shapes who can access systems and under what assurance level. |
| NIST SP 800-63 | | Strong digital identity guidance applies directly to phishing-resistant authentication choices. |
| NIST Zero Trust (SP 800-207) | | Zero trust depends on continuous verification, which weak MFA can undermine. |
Review authentication paths under PR.AC-1 and replace weak second factors with stronger methods.
Key terms
- Passwordless Authentication: An authentication approach that removes passwords from the login process and uses stronger proof such as cryptographic keys and device-bound checks. It reduces the reliance on shared secrets that attackers can steal, replay, or coerce users into revealing, which makes it a better fit for high-assurance access.
- Phishing-Resistant Authentication: Authentication that remains effective even when users are tricked into revealing information or approving access. It typically uses cryptographic challenge-response methods rather than codes that can be copied or relayed, and it is especially relevant for privileged access and recovery flows.
- Device-Bound Identity: An identity model that ties authentication proof to a trusted endpoint rather than to a reusable secret alone. The device becomes part of the assurance chain, usually through hardware-backed key storage, which raises the bar for interception and replay attacks.
Deepen your knowledge
Passwordless authentication and phishing-resistant access design are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are modernising authentication from a similar starting point, it is worth exploring.
This post draws on content published by Beyond Identity: Traditional Two-Factor Authentication vs. Beyond Identity’s Passwordless Authentication. Read the original.
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org