TL;DR: Traditional MFA remains vulnerable to phishing, credential stuffing, push bombing, and man-in-the-middle attacks, even as CISA, NIST, and the White House push organisations toward phishing-resistant authentication, according to Axiad. The real issue is not whether MFA exists, but whether it resists modern identity attack paths.
At a glance
What this is: This is an analysis of why older MFA approaches no longer reliably stop phishing-driven identity compromise and why phishing-resistant MFA is now the practical baseline.
Why it matters: It matters because IAM teams cannot treat MFA as a box-tick control when attackers routinely bypass it, and the same trust gap affects both human authentication and broader identity governance.
By the numbers:
- PKI-based authentication typically accounts for 40% of use cases and can be leveraged for non-browser uses across workstations, mobile, Microsoft AD, and server authentication.
- FIDO accounts for approximately 60% of use cases, covering browser-based authentication use cases such as single sign-on applications and Windows workstations.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
👉 Read Axiad's analysis of why traditional MFA fails against phishing
Context
MFA is only as strong as the factors and flows behind it. When phishing kits, push bombing, credential stuffing, and man-in-the-middle attacks can sidestep a login challenge, the control stops behaving like a barrier and starts acting like an inconvenience layer.
For IAM and identity security teams, the key question is whether authentication is phishing-resistant enough to hold under real attack conditions. That matters across human identity programmes, and it also sets the tone for how organisations think about assurance, trust, and lifecycle control more broadly.
Key questions
Q: How should security teams decide which MFA methods to keep?
A: Keep the MFA methods that can withstand modern phishing and relay attacks, not just the ones that are easiest to deploy. Prioritise phishing-resistant options for privileged users, remote access, and high-value applications. Retire SMS, email, and push-only methods where the business risk outweighs their convenience.
Q: Why do traditional MFA methods still fail in real attacks?
A: Traditional MFA often fails because attackers do not need to break the factor itself. They can trick users into approving a login, relay credentials through a fake site, or intercept the authentication session in real time. The weakness is the trust model, not simply the number of factors.
Q: How do organisations know if their MFA is strong enough?
A: A useful test is whether the method resists phishing, replay, and man-in-the-middle attacks without relying on user judgment at the last moment. If a code or push approval can be captured, relayed, or fatigue-accepted, the method is not phishing-resistant enough for high-risk access.
Q: What is the difference between PKI and FIDO for authentication?
A: PKI is better suited to certificate-backed, device-centric, and non-browser use cases such as workstations and servers. FIDO is better suited to browser-based logins and user-presence workflows. Most organisations need both, because each covers different parts of the identity and application landscape.
Technical breakdown
Why traditional MFA breaks under phishing and social engineering
Traditional MFA adds a second or third factor, but it does not automatically bind the session to a trustworthy request. Phishing pages can relay credentials in real time, push bombing can exploit user fatigue, and man-in-the-middle kits can capture or replay authentication flows. The result is that the factor exists, but the authentication event is no longer proof of user intent or legitimate origin. In practice, this means the control is still vulnerable when attackers can interpose themselves between the user and the identity provider.
Practical implication: evaluate MFA by attack resistance, not by factor count.
How phishing-resistant MFA changes the authentication model
Phishing-resistant MFA uses public key cryptography to bind authentication to a device or credential that cannot be replayed in the same way as a shared secret or one-time code. FIDO and PKI are the two common patterns discussed here. PKI is stronger for non-browser and device-centric use cases, while FIDO is widely used for browser-based login flows. The architectural point is that the verifier challenges a private key or certificate-backed identity rather than trusting a code that can be stolen mid-session.
Practical implication: map authentication methods to the use cases they can actually secure.
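To make the trust-model point concrete, the following is an added example (not from the Axiad article or this page's authors) that models a relying party, a user's authenticator and a real-time relay proxy, and shows why a relayed one-time code is accepted while a challenge signature bound to the origin the browser actually reached is rejected. HMAC stands in for the authenticator's private-key signature so it runs offline on the standard library; the origins, OTP seed and device key are constructed values.

```python
# Added example (not from the Axiad article or NHIMG); HMAC stands in for the
# authenticator's private-key signature so it runs offline on the standard library.
import hmac
import hashlib
import json
import secrets

REAL_ORIGIN = "https://login.example.com"       # constructed relying-party origin
PHISH_ORIGIN = "https://login.example-com.net"  # constructed look-alike origin
OTP_SEED = b"constructed-shared-otp-seed"       # secret shared by user app and RP
DEVICE_KEY = b"constructed-authenticator-key"   # stands in for the device private key

def otp_code(counter):
    """Shared-secret OTP: the code carries no information about which site asked."""
    mac = hmac.new(OTP_SEED, str(counter).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def authenticator_sign(challenge, origin):
    """Authenticator side: signs the challenge together with the origin the browser
    is actually connected to (the role of clientData in a WebAuthn assertion)."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin}).encode()
    return client_data, hmac.new(DEVICE_KEY, client_data, hashlib.sha256).digest()

def rp_verify_otp(counter, code):
    """Relying party: anyone holding a fresh code is accepted, wherever it came from."""
    return hmac.compare_digest(otp_code(counter), code)

def rp_verify_assertion(challenge, client_data, sig, rp_origin=REAL_ORIGIN):
    """Relying party: origin and challenge are checked before the signature, so a
    signature over a look-alike origin or a stale challenge is rejected."""
    data = json.loads(client_data)
    if data["origin"] != rp_origin or data["challenge"] != challenge.hex():
        return False
    expected = hmac.new(DEVICE_KEY, client_data, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def relay_otp(counter=7):
    """Victim types the code into the phishing page; the proxy forwards it verbatim
    within its validity window, and the RP cannot tell it was relayed."""
    typed_by_victim = otp_code(counter)
    return rp_verify_otp(counter, typed_by_victim)          # True: relay succeeds

def assertion_login(origin_seen):
    """The victim's authenticator binds its signature to the origin the browser really
    reached. Behind a phishing proxy that is PHISH_ORIGIN, so even a genuine challenge
    forwarded by the proxy yields an assertion the RP rejects."""
    challenge = secrets.token_bytes(32)
    client_data, sig = authenticator_sign(challenge, origin_seen)
    return rp_verify_assertion(challenge, client_data, sig)  # False for PHISH_ORIGIN
```

Calling `relay_otp()` returns True while `assertion_login(PHISH_ORIGIN)` returns False and `assertion_login(REAL_ORIGIN)` returns True, which is the difference between a factor that exists and a factor that resists the relay.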
Where PKI and FIDO fit in identity security architecture
PKI and FIDO are not interchangeable, because they solve different parts of the identity surface. PKI supports certificates, workstation access, server authentication, and other non-browser flows. FIDO is strongest where browser-based authentication and user presence matter. A mature architecture uses both where appropriate, then layers SSO, federation, and provisioning controls around them. The weakness in many programmes is not the absence of a modern method, but the failure to align assurance level, device context, and application type.
Practical implication: align authentication strength with application context and user population.
NHI Mgmt Group analysis
Traditional MFA is now an insufficient assurance model, not just a weaker implementation. The article shows that phishing, push bombing, credential stuffing, and man-in-the-middle attacks can all bypass legacy MFA patterns. That means the security problem is no longer whether a second factor exists, but whether the factor resists adversary-in-the-middle techniques and user coercion. Practitioners should treat MFA strength as an assurance property, not a feature checklist.
Phishing-resistant MFA is the control boundary that matters for human identity programmes. The shift to PKI and FIDO reflects a broader change in identity governance: authentication must prove intent and possession in ways attackers cannot cheaply replay. That aligns with NIST and CISA guidance and with zero trust expectations. Organisations that still accept SMS, email, or push-only MFA are accepting a control that is increasingly predictable to attackers.
Authentication method selection should follow use-case fit, not product simplicity. PKI and FIDO cover different parts of the enterprise, and the article’s 40% and 60% split illustrates why a single-method strategy is too narrow. Browser access, workstation login, server authentication, and federation all place different demands on the identity stack. The practitioner implication is clear: authentication architecture must be segment-aware.
Identity attack surface shrinks only when assurance is paired with lifecycle discipline. Strong MFA reduces compromise opportunities, but it does not solve provisioning mistakes, dormant accounts, or overbroad access. The same programme discipline that governs human authentication also applies to machine and service identities, where persistent credentials create their own exposure window. Teams that focus only on login strength miss the larger identity attack surface.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity teams cannot reliably see the credentials already in circulation.
- For the lifecycle angle, read Ultimate Guide to NHIs, Key Challenges and Risks for the broader pattern of over-privilege, rotation gaps, and unmanaged exposure.
What this signals
Phishing-resistant MFA is becoming a governance expectation, not an advanced option. As attacker techniques evolve, identity programmes that still depend on codes, prompts, and shared secrets will keep creating avoidable exposure. The practical shift is toward stronger methods for high-risk journeys first, then broader coverage as policy and platform support mature.
The stronger architectural lesson is that authentication, provisioning, and credential lifecycle cannot be managed as separate problems. If MFA is hardened but account lifecycle remains weak, the organisation still carries unnecessary identity risk across the same trust boundary.
For practitioners
- Inventory every authentication method in use: Classify which applications still rely on SMS, email, OTP, or push-only MFA, then map them to user populations and business criticality. Replace the weakest methods first where phishing exposure is highest.
- Prioritise phishing-resistant MFA for privileged and remote access: Use FIDO or certificate-based authentication for admin access, sensitive applications, and remote workflows where real-time relay attacks are most likely to succeed.
- Match PKI and FIDO to the right authentication flows: Use PKI where you need workstation, server, or non-browser support, and use FIDO where browser-based login and user presence are the dominant requirements.
- Review MFA policy against current threat tactics: Test whether your controls still hold against phishing kits, push bombing, and man-in-the-middle relays, then update standards where the attack path remains viable.
Key takeaways
- Traditional MFA no longer provides reliable assurance against phishing-driven identity compromise when attackers can relay or manipulate the login flow.
- PKI and FIDO matter because they bind authentication more tightly to legitimate possession and device context, which makes replay and interception harder.
- IAM teams should treat phishing-resistant MFA as a risk-tiered control decision and pair it with lifecycle governance, not as a standalone fix.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Authentication assurance is central to protecting access in this article. |
| NIST Zero Trust (SP 800-207) | AC-7 | The post aligns with continuous verification and reduced trust in login events. |
| NIST SP 800-63 | AAL2 | The article references assurance levels and phishing-resistant MFA expectations. |
Use stronger authentication methods where access risk is highest and verify they resist phishing.
Key terms
- Phishing-resistant MFA: A multi-factor authentication method that is designed to resist credential theft, replay, and real-time relay attacks. It relies on cryptographic binding, device possession, or certificate-backed identity rather than codes that can be captured and reused.
- Public key cryptography: An authentication approach that uses a paired public and private key to prove identity without exposing the secret itself. In identity systems, it underpins PKI and FIDO-style login flows that are far harder to phish than shared secrets or one-time codes.
- Authenticator assurance level: A measure of how much confidence an organisation has in the strength of an authentication method. Higher assurance levels require stronger proof of identity and are typically used for more sensitive access paths, especially where phishing resistance is required.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by Axiad: Is Your MFA Broken? Read the original.
Published by the NHIMG editorial team on 2025-09-16.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org