TL;DR: Traditional MFA is being bypassed through phishing, MFA fatigue and session hijacking, while 60% of phishing-related breaches now use bypass techniques that older controls cannot stop, according to CyberMaxx research. Static login checks are no longer enough; security teams need phishing-resistant methods and continuous verification.
At a glance
What this is: The article argues that traditional MFA is no longer sufficient and maps seven authentication trends, led by passkeys, adaptive authentication, liveness detection and continuous verification.
Why it matters: IAM teams need to reassess how they authenticate human users, privileged users and session activity before bypass techniques become the default path around legacy MFA.
By the numbers:
- 60% of phishing-related breaches now use bypass techniques that traditional MFA cannot stop.
- 1% of users blindly accept the first push notification they receive.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
👉 Read 1Kosmos's analysis of modern authentication trends beyond traditional MFA
Context
Traditional MFA was built around the assumption that a second factor would be enough to stop account takeover. Attackers have now industrialised bypass techniques such as push fatigue, phished one-time passwords and session hijacking, which means the control is being attacked at the session boundary rather than just the login page.
For IAM programmes, this is not just an authentication problem. It affects workforce access, privileged access and customer identity flows, because the risk is no longer limited to credential theft. The real question is how to keep trust valid after the initial login and how to reduce the value of any stolen secret or accepted prompt.
Key questions
Q: How should security teams reduce account takeover risk without creating more login friction?
A: Security teams should move from static MFA prompts to phishing-resistant authentication and risk-based session controls. Passkeys, hardware-backed authenticators and adaptive checks reduce replay risk while cutting unnecessary friction for low-risk logins. The key is to reserve stronger challenges for high-value accounts and suspicious contexts, not every access attempt.
Q: Why do traditional MFA methods fail against phishing and push fatigue?
A: Traditional MFA often fails because it still depends on a user approving a prompt or entering a code that can be phished, replayed or coerced. Attackers exploit the approval step, not just the password. Once users are conditioned to accept prompts, the control becomes vulnerable to social engineering rather than pure technical defeat.
Q: How do organisations know if their authentication controls are actually working?
A: They should measure successful bypass attempts, repeated push approvals, abnormal session continuation after risk changes, and the share of privileged access protected by phishing-resistant methods. A healthy programme shows fewer reusable secrets, fewer fatigue-driven approvals and more risk-based step-up at the session level.
Q: Who is accountable when an MFA bypass leads to account compromise?
A: Accountability should sit with the identity and access owner for the affected population, plus the security team responsible for authentication policy and monitoring. Governance frameworks such as Zero Trust and enterprise IAM controls require that sign-in, session trust and privileged access are designed and reviewed together, not separately.
Technical breakdown
Why traditional MFA fails against modern bypass techniques
Traditional MFA assumes that possession of a second factor proves the right user is present at sign-in. That assumption weakens when attackers can phish OTPs, overwhelm users with push notifications or steal session state after authentication. In practice, the attack is no longer about guessing a password; it is about coercing or replaying the approval step that sits beside the password. Once that approval is treated as routine, users become trained to click through risk. Practical implication: treat MFA as one layer in a broader session-control model, not as a final barrier.
Practical implication: reduce reliance on static MFA prompts for high-risk access paths and move controls closer to the session lifecycle.
How passkeys and phishing-resistant MFA change the trust model
Passkeys and other phishing-resistant methods replace shared secrets with public-key cryptography. The private key stays on the device, while the authenticator verifies the website before completing the challenge, which removes the attacker’s ability to replay a password, code or push approval on a fake login page. That shifts the trust model away from user memory and toward device-bound proof. For enterprise IAM, the important change is not convenience; it is that the credential itself becomes non-reusable outside the legitimate context. Practical implication: prioritise device-bound authentication for privileged and high-risk user populations first.
Practical implication: target device-bound authentication first where credential replay would cause the most damage.
Continuous authentication and behavioural biometrics in session security
Continuous authentication extends identity verification beyond the login event by checking behavioural and contextual signals throughout the session. Behavioural biometrics can spot changes in typing rhythm, navigation style or pointer movement, while adaptive authentication can weigh device reputation, location and time of access. Together, these methods help detect when a session has drifted from the authenticated user’s normal profile. The value is strongest when the business impact of account takeover is high and session theft is a realistic path. Practical implication: apply continuous verification to sensitive workflows, not every low-risk interaction.
Practical implication: reserve continuous controls for high-value sessions where takeover or hijacking would create material loss.
Threat narrative
Attacker objective: The attacker wants durable access that survives the initial login and can be used to reach sensitive systems, accounts or data without further challenge.
- entry: attackers begin with phishing, MFA fatigue or session hijacking to get past the initial authentication checkpoint.
- escalation: they convert a one-time approval into usable access by replaying stolen OTPs, abusing push approvals or taking over active sessions.
- impact: once inside, they can move through accounts and data flows that still trust the authenticated session rather than the user’s ongoing behaviour.
Breaches seen in the wild
- Microsoft Midnight Blizzard breach — Midnight Blizzard (APT29) exploited a legacy test account without MFA to breach Microsoft.
- Salt Typhoon US telecoms breach — Salt Typhoon APT used stolen credentials and a Cisco CVE to breach US telecoms.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Traditional MFA is a login control, not a session trust model. The article makes clear that attackers are now targeting the approval step, the token, and the session itself rather than only the password. That means identity governance can no longer treat authentication as a single event with a binary pass or fail outcome. Practitioners should read this as a signal to separate initial sign-in from ongoing trust decisions.
Passkeys matter because they remove the shared-secret problem, not because they are fashionable. Passwords, SMS codes and OTPs all create interceptable or replayable artefacts. Cryptographic, device-bound authentication changes the attacker’s economics by making the proof non-portable. For IAM teams, the practical conclusion is that phishing resistance should be prioritised where account takeover would produce the greatest blast radius, especially for privileged users.
Continuous authentication is the real Zero Trust question for human identity. Zero Trust assumes trust must be continuously re-established, yet many identity programmes still stop at the login ceremony. Behavioural biometrics and adaptive authentication only become meaningful when they are treated as ongoing risk signals, not novelty features. This shifts the programme conversation from stronger sign-in to sustained trust validation across the session.
Identity governance has to account for user experience as an attack surface. MFA fatigue works because the user interface itself becomes a target for coercion and habituation. That means security leaders need to evaluate not just whether a control is technically sound, but whether it can be trained into submission at scale. The governance implication is that authentication policy, UX design and detection logic now have to be managed together.
From our research:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
- For a deeper governance baseline, see NHI Lifecycle Management Guide for the lifecycle controls that support continuous trust decisions.
What this signals
Passkeys will become table stakes, but the differentiator will be how far identity teams can extend trust beyond login. The next maturity step is not just replacing passwords; it is deciding which sessions deserve continuous verification and which do not. That choice should align with privilege, data sensitivity and the organisation’s tolerance for takeover risk.
Identity programmes that still treat MFA as the finish line will accumulate hidden risk. Push fatigue, OTP interception and session hijacking all exploit the gap between authentication and ongoing access. Teams should expect authentication policy to merge more tightly with detection, user behaviour analytics and Zero Trust enforcement over the next planning cycle.
As modern authentication expands, the governance question shifts from factor count to factor resilience. A programme with three weak factors can still be easier to defeat than one strong, device-bound method paired with adaptive controls. The practical takeaway is to map controls to attack paths rather than to compliance checklists.
For practitioners
- Prioritise phishing-resistant authentication for high-risk users: Start with administrators, finance users and other privileged populations where session compromise would have the largest blast radius. Use device-bound passkeys or hardware-backed authenticators for those groups before broadening to the rest of the workforce.
- Reduce MFA fatigue exposure in approval workflows: Limit repetitive push prompts, add number matching or contextual challenge logic, and flag users who repeatedly approve high-risk requests from unusual contexts. Pair this with monitoring for repeated prompt abuse.
- Add session-level risk signals to access policy: Use device reputation, location drift, time-of-day anomalies and behaviour changes to trigger step-up checks or session termination when trust weakens after login.
- Pilot continuous verification on sensitive applications: Apply behavioural biometrics and adaptive authentication first to critical apps where takeover or hijacking would expose data, funds or administrative control. Measure false positives before expanding the scope.
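To make the fatigue-monitoring and session-risk items above (and the continuous-verification model in the technical breakdown) concrete, here is an added example that is not the article's or any vendor's code: it runs a push-fatigue detector and a session-drift scorer over a constructed event sample. Field names, thresholds and scoring weights are assumptions to be tuned per environment.

```javascript
// Constructed sample events (epoch seconds), not real logs.
const EVENTS = [
  { t: 100, user: "bob", type: "push_sent" },
  { t: 130, user: "bob", type: "push_sent" },
  { t: 155, user: "bob", type: "push_sent" },
  { t: 170, user: "bob", type: "push_approved" }, // approval after a burst of prompts
  { t: 200, user: "amy", type: "push_sent" },
  { t: 210, user: "amy", type: "push_approved" }, // single prompt, normal approval
];

// Flag an approval that follows at least maxPrompts pushes inside windowSec:
// the habituation pattern that MFA fatigue relies on.
function findPushFatigue(events, maxPrompts = 3, windowSec = 120) {
  const recent = new Map(); // user -> timestamps of push_sent still inside the window
  const flagged = [];
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    const sent = (recent.get(e.user) || []).filter((t) => e.t - t <= windowSec);
    if (e.type === "push_sent") sent.push(e.t);
    if (e.type === "push_approved" && sent.length >= maxPrompts) {
      flagged.push({ user: e.user, prompts: sent.length, approvedAt: e.t });
    }
    recent.set(e.user, sent);
  }
  return flagged;
}

// Compare each in-session activity against the context captured at sign-in and
// decide whether the session keeps its trust, needs step-up, or is terminated.
// Weights are assumptions: a new device and a new country together read as hijack.
function assessSession(signInContext, activity) {
  let score = 0;
  const reasons = [];
  if (activity.device !== signInContext.device) { score += 2; reasons.push("device-change"); }
  if (activity.country !== signInContext.country) { score += 2; reasons.push("location-drift"); }
  if (activity.hour < 6 || activity.hour > 22) { score += 1; reasons.push("off-hours"); }
  const action = score >= 4 ? "terminate" : score >= 1 ? "step-up" : "allow";
  return { action, score, reasons };
}
```

In production the detector would read from the identity provider's sign-in logs and the scorer would be evaluated on each request that carries the session token, so a stolen token used from a new device and location is cut off rather than trusted for the session's full lifetime.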
Key takeaways
- Traditional MFA is no longer a sufficient endpoint for access security because attackers are bypassing the approval step and the session itself.
- Phishing-resistant methods such as passkeys change the trust model by removing reusable secrets, but they need to be paired with session-level monitoring.
- Identity teams should treat authentication as an ongoing trust decision, with stronger controls focused on privileged users and sensitive applications.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST Zero Trust (SP 800-207), NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST Zero Trust (SP 800-207) | | Continuous verification and least privilege are central to the article’s authentication model. |
| NIST CSF 2.0 | PR.AC-7 | Authentication methods should support ongoing access control and session trust. |
| NIST SP 800-63 | | The article focuses on phishing-resistant digital identity and authentication assurance. |
Prioritise phishing-resistant authenticators and stronger assurance for sensitive identity transactions.
Key terms
- Phishing-resistant authentication: Authentication that cannot be easily replayed, intercepted or socially engineered through shared secrets. In practice, it uses cryptographic proof tied to the legitimate device or authenticator, which makes fake login pages and stolen codes far less effective against the identity flow.
- Continuous authentication: A model that keeps evaluating identity after the initial login instead of treating sign-in as a one-time event. It uses behavioural and contextual signals to confirm that the active user, device and session still fit the expected trust profile.
- MFA fatigue: A social-engineering technique that overwhelms users with repeated authentication prompts until one is accepted out of habit, frustration or confusion. It exploits human behaviour at the approval step and turns a legitimate control into an attacker entry point.
- Passkey: A cryptographic authenticator that replaces passwords with device-based keys and public-key verification. The private key stays on the user’s device, which reduces phishing, credential reuse and replay risk compared with shared secrets or one-time codes.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Kosmos: Authentication trends in 2026 that go beyond traditional MFA. Read the original.
Published by the NHIMG editorial team on 2026-02-11.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org