By NHI Mgmt Group Editorial Team
Published 2025-08-06
Domain: Governance & Risk
Source: Axiad

TL;DR: Credential stuffing, phishing, smishing, vishing, and stolen-session attacks continued to drive major breaches in 2023, with Axiad citing Apple, IBM, Norton LifeLock, 23andMe, and Okta as evidence that passwords and basic MFA no longer withstand modern attack chains. The security baseline has shifted to phishing-resistant authentication, not stronger password policy.


At a glance

What this is: Axiad argues that 2023 breach patterns show passwords and basic MFA are no longer enough, and that passwordless, phishing-resistant authentication is now the practical baseline.

Why it matters: For IAM teams, this matters because the same credential-theft patterns that break human authentication also shape NHI and autonomous access risk, so control design has to move beyond reusable secrets and weak second factors.

By the numbers:

👉 Read Axiad's analysis of 2023 data breaches and phishing-resistant authentication


Context

Password-based authentication keeps failing because it assumes a shared secret can remain private long enough to be trusted. Once that assumption breaks, credential stuffing, phishing, and token theft can move from nuisance attacks to full account compromise across both human and machine access paths.

Axiad uses several 2023 breaches to show how attackers increasingly log in instead of break in. The practical issue for identity programmes is not whether MFA exists, but whether the factor can actually resist phishing, replay, and stolen-credential reuse in real conditions.


Key questions

Q: How should security teams implement phishing-resistant MFA for privileged access?

A: Start with the accounts that matter most: administrators, helpdesk operators, and service desks that can reset credentials or issue tokens. Replace weak factors with certificate-based or FIDO-backed authentication, and enforce the stronger methods at the highest-risk entry points first. The goal is not MFA coverage, but replay-resistant assurance for the accounts attackers value most.

Q: Why do passwords and basic MFA still fail in real breaches?

A: Because attackers do not need to defeat the system if they can reuse, relay, or socially engineer the factor. Passwords are reusable secrets, and many basic MFA methods still depend on channels that can be phished or proxied. Once a credential is exposed, the same login path can become a repeatable compromise path.

Q: What do security teams get wrong about passwordless authentication?

A: They often assume passwordless automatically means phishing-resistant, when some products only hide the password from the user. The control question is whether a secret can be replayed or stolen elsewhere. If the answer is yes, the organisation has changed the user experience but not the attack surface.

Q: Who is accountable when stolen credentials lead to session-token theft?

A: Accountability sits with the team that owns the affected identity workflow, including support, recovery, and token lifecycle controls. If a support system can expose session material, then identity governance has to cover that pathway as part of access design, logging, and revocation. NIST CSF and Zero Trust both point toward stronger control over trust boundaries.


Technical breakdown

Why passwords and basic MFA fail under credential replay

Passwords are reusable secrets, which makes them durable attack targets after breach data is exposed. Basic MFA often reduces one path but still relies on factors that can be phished, replayed, or socially engineered, especially when attackers can reuse previously stolen credentials at scale. Credential stuffing works because it turns one organisation’s weakness into another organisation’s authentication failure. Once users reuse passwords across services, attackers do not need to break cryptography or bypass policy. They only need a valid login path. That is why the problem is structural, not just behavioural.

Practical implication: remove reusable secrets from primary authentication paths and treat password reuse as an architectural control failure, not a user-training issue.

What makes phishing-resistant MFA different

Phishing-resistant MFA binds authentication to the legitimate channel and the legitimate device, so the secret cannot be casually relayed to an attacker in real time. Certificate-based authentication backed by PKI and FIDO-based authenticators are the two approaches Axiad identifies as truly phishing resistant. By contrast, SMS, voice, one-time passwords, and mobile push with number matching can still be intercepted, tricked, or proxied. The key distinction is whether the authenticator proves possession in a way the attacker cannot reuse. That is why 'MFA' is not a sufficient label by itself.

Practical implication: classify authenticators by phishing resistance, not by the MFA label, and remove weak factors from high-risk access paths.
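The relay distinction above, as an added simulation that is not part of Axiad's article or this summary: a one-time code is accepted wherever it is typed, so a real-time proxy that forwards it wins, whereas a FIDO-style assertion signs the origin the browser actually saw, so the relying party can reject anything produced on a look-alike domain. The RP ID, both origins and the HMAC stand-in for the authenticator's public-key signature are assumptions made to keep the example stdlib-only.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                       # assumed relying-party ID
LEGIT_ORIGIN = "https://login.example.com"  # assumed genuine login origin
PHISH_ORIGIN = "https://login-example.co"   # constructed look-alike proxy origin

# --- Basic MFA: a one-time code is valid wherever it is typed --------------
_live_codes: set[str] = set()

def issue_otp() -> str:
    code = f"{secrets.randbelow(10**6):06d}"
    _live_codes.add(code)
    return code

def verify_otp(code: str) -> bool:
    # Single use, but nothing ties the code to the site the user typed it on,
    # so a proxy that forwards it to the real site within its lifetime succeeds.
    if code not in _live_codes:
        return False
    _live_codes.remove(code)
    return True

# --- FIDO-style: the assertion signs the origin the browser reported --------
def _signed_bytes(client_data: bytes) -> bytes:
    # Authenticator signs hash(RP ID) || hash(client data: challenge + origin).
    return hashlib.sha256(RP_ID.encode()).digest() + hashlib.sha256(client_data).digest()

def make_assertion(key: bytes, challenge: str, origin: str) -> tuple[bytes, bytes]:
    # Stand-in authenticator: HMAC replaces the real public-key signature (assumption).
    client_data = json.dumps({"challenge": challenge, "origin": origin}).encode()
    return client_data, hmac.new(key, _signed_bytes(client_data), hashlib.sha256).digest()

def rp_verify(key: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    # Relying party: valid signature, fresh challenge, and the signed origin must be ours.
    expected = hmac.new(key, _signed_bytes(client_data), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == LEGIT_ORIGIN

def fido_login(origin_seen_by_browser: str) -> bool:
    # The RP's challenge reaches the user unchanged; the user completes the
    # ceremony on whatever origin is in front of them, and that origin gets signed.
    key = secrets.token_bytes(32)
    challenge = secrets.token_hex(16)
    client_data, sig = make_assertion(key, challenge, origin_seen_by_browser)
    return rp_verify(key, challenge, client_data, sig)
```

Rewriting the origin field in a relayed assertion does not help either, because the signature covers the client data, which is the possession proof the paragraph describes as unusable by anyone else.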

Why stolen sessions are as dangerous as stolen passwords

The Okta example shows that attackers increasingly target support workflows and session material, not just login credentials. A stolen credential used against a support system can expose customer session tokens, which then become a bypass route into downstream environments. This matters because session tokens often inherit trust from the original authentication event. If token governance is weak, a single support compromise can become an access problem spanning many customers. Identity teams should therefore think about session lifecycle, not just initial login strength.

Practical implication: control session token exposure, support-system access, and downstream token revocation with the same rigor as primary authentication.


Threat narrative

Attacker objective: The attacker’s objective is to convert a single credential compromise into durable account, session, or support-system access that unlocks broader data exposure.

  1. Entry occurs through reused or stolen credentials, often harvested from prior breaches or phishing campaigns that succeed because the target still trusts shared secrets.
  2. Escalation happens when attackers turn the initial login into broader access, including support tooling, session token theft, or account takeover across connected services.
  3. Impact follows when compromised credentials or tokens are reused to expose customer data, move laterally, or trigger larger downstream breaches across many organisations.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Passwords are a failed trust primitive, not a weak convenience feature. This article is really about the collapse of shared-secret authentication as a dependable control boundary. Credential stuffing succeeds because authentication still accepts a reusable secret as proof of identity, even after that secret has already been exposed elsewhere. The implication is that identity programmes need to stop treating password strength as the core defence and start treating the absence of reusable secrets as the baseline.

Phishing resistance is the real control objective, not MFA adoption. Many organisations report MFA coverage while still relying on factors that can be proxied, relayed, or tricked. That leaves a false sense of assurance because the control name sounds mature even when the authenticator remains exploitable. The practical conclusion is that authentication assurance must be measured by resistance to replay and relay, not by whether a second factor exists.

Session governance matters as much as login governance. The Okta example shows that an attacker can move from initial access to session-token abuse through trusted support paths. That means authentication controls alone do not contain the blast radius once tokens exist. Practitioners need to treat session issuance, reuse, and revocation as first-class identity controls, not as an implementation detail.

Human authentication failures and machine access failures are converging around the same secret problem. The article focuses on people, but the underlying lesson applies across IAM, NHI, and autonomous access: any reusable credential becomes a scalable attack surface once exposed. That convergence is why identity teams should govern secrets, authenticators, and recovery paths as one control plane rather than separate silos.

Authentication programmes that still depend on user-chosen secrets are carrying identity debt. The debt is visible in repeated breaches, but the deeper issue is structural: the control model assumes secrets can stay secret in an environment built for replay, phishing, and token theft. Practitioners should treat this as a migration problem, not a tuning problem, because the current model is already behind the threat.

From our research:

What this signals

Passwordless authentication is becoming a governance requirement rather than a user-experience enhancement, because the breach pattern behind credential stuffing is now well established. When shared secrets remain in play, identity teams inherit the risk of replay rather than controlling the moment of authentication.

Reusable-secret debt: organisations still carrying passwords and weak MFA are accumulating a hidden migration burden that will surface in support workflows, reset paths, and privileged access first. The most credible near-term programme change is to re-rank authentication work by replay risk, not by deployment convenience.

For practitioners comparing policy to implementation, the relevant control family is already clear in NIST Cybersecurity Framework 2.0, especially access governance and recovery controls. The practical signal to watch is whether high-value accounts can still be compromised using a credential that was never meant to be permanent.


For practitioners

  • Classify authenticators by phishing resistance: Inventory every login method and separate truly phishing-resistant options from weak MFA patterns such as SMS, OTP, and push approval. Use that classification to prioritise privileged, helpdesk, and high-risk administrative access first.
  • Remove reusable secrets from high-value access paths: Eliminate passwords where certificate-based authentication or FIDO-backed login can replace them, especially for administrators and support staff. Preserve exception paths only where the business can justify the residual replay risk.
  • Harden support and recovery workflows: Treat support portals, reset flows, and identity recovery as privileged pathways with strict step-up controls, logging, and approval separation. A stolen support credential should not be enough to expose session tokens or reset a broad set of customers.
  • Revoke and rotate tokens on trust boundary change: Define when session material must be invalidated, including after suspected compromise, role change, or support-case escalation. Token governance should be explicit, measurable, and tied to access lifecycle events.

Key takeaways

  • Passwords and basic MFA remain vulnerable because attackers increasingly win by reusing or relaying credentials rather than breaking cryptography.
  • The scale of 2023 breach activity shows why authentication design now has to prioritise phishing resistance and token governance, not just factor count.
  • The strongest immediate move is to replace reusable secrets with phishing-resistant methods and to treat support and recovery paths as privileged identity workflows.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
NIST CSF 2.0 | PR.AC-1 | The article focuses on stronger authentication and access control for identity assurance.
NIST Zero Trust (SP 800-207) | AC-7 | Zero Trust assumes continuous verification, which basic passwords and weak MFA do not provide.
NIST SP 800-63 | AAL2 | The post discusses stronger authenticators and phishing resistance for digital identity assurance.

Replace weak authenticators with stronger controls and verify access methods against phishing-resistance requirements.


Key terms

  • Phishing-resistant authentication: Authentication that cannot be easily relayed, replayed, or socially engineered into an attacker-controlled session. In practice, this usually means cryptographic authenticators such as FIDO or certificate-based methods that bind the login to the real user and device.
  • Credential stuffing: An attack pattern in which previously exposed usernames and passwords are tried across other services until one works. It succeeds because people reuse secrets and organisations often still accept them as valid proof of identity, even after breach exposure.
  • Session token: A temporary credential that proves an authenticated session is still valid after login. If token governance is weak, a stolen token can bypass the original authentication event and let an attacker act as the user without repeating the login process.
  • Passwordless authentication: A login model that removes the need for a shared password as the primary secret. The term only delivers security value when the replacement method is resistant to phishing, replay, and secret extraction, not when the password is merely hidden from the user.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by Axiad: Top Data Breaches in 2023 and Why Organizations Need Passwordless, Phishing-Resistant Authentication. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org