Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AI identity resilience and phishing resistance: are controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10965
Topic starter  

TL;DR: As GenAI-driven phishing, deepfake voice cloning, and AiTM attacks make suspicious and trustworthy communication harder to separate, Versasec’s analysis argues that MFA-era controls such as push and SMS no longer provide sufficient identity assurance. The real issue is architectural resilience, not user vigilance, because trust now has to be enforced through hardware-rooted identity and lifecycle orchestration.

NHIMG editorial — based on content published by Versasec: Stratégies de Résilience Identitaire face à l'IA: Analyse de l'Intégration Thales & Versasec

By the numbers:

  • 17 minutes, redentials are exposed publicly, attackers attempt access within an average of 17 minutes , and as quickly as 9 minutes in some cases.

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA for privileged access?

A: Start with privileged accounts, vendor access, and remote administration paths, then move to FIDO2 or PKI-based authenticators that bind the credential to the device.

Q: Why do AiTM phishing attacks still work when MFA is enabled?

A: AiTM attacks work because MFA can confirm that a user completed a legitimate step while the attacker relays the session and captures the result.

Q: What do organisations get wrong about hardware security keys?

A: They often treat the key as the end of the problem, when the real control boundary is the full lifecycle around enrolment, reset, replacement, and offboarding.

Practitioner guidance

  • Replace push and SMS for privileged access Move admin, vendor, and remote-access workflows to phishing-resistant authenticators such as FIDO2 or PKI where the credential is tied to the device and not to a relayed channel.
  • Redesign recovery and reset workflows Review helpdesk recovery, PIN reset, and device replacement steps so that no single support path can re-enable access without strong identity proofing and approval controls.
  • Audit out-of-band verification for high-risk transactions Use a secondary verification path for payment changes, privileged requests, and sensitive approvals so that a compromised communication channel cannot complete the transaction alone.

What's in the full article

Versasec's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step deployment considerations for FIDO2 and PKI in mixed on-premises and cloud environments
  • Practical orchestration details for credential issuance, renewal, reset, and lifecycle administration at scale
  • Hardware and policy features for enterprise FIDO controls, including reset restrictions and admin-managed recovery
  • Architecture guidance for combining physical identity assurance with helpdesk workflows and audit requirements

👉 Read Versasec's analysis of hardware-rooted identity resilience against AI-driven phishing →

AI identity resilience and phishing resistance: are controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10520
 

Human vigilance is no longer a durable control boundary when AI can manufacture convincing trust signals. The article’s core claim is correct: GenAI has collapsed the distinction between suspicious and reliable communication in a way that makes user training insufficient on its own. That means identity programmes have to assume the attacker can imitate trust, not just credential prompts. For practitioners, the implication is simple: controls must verify the authenticator and the transaction path, not the user’s ability to notice deception.

Phishing resistance is becoming a programme design issue, not a point control upgrade. Once synthetic voice and AiTM phishing can imitate legitimate trust signals, security teams need to think in terms of assurance paths, support workflows, and exception governance. The organisations that win here will be the ones that align identity proofing, device binding, and recovery design instead of treating MFA as a checkbox.

A question worth separating out:

Q: Who is accountable when phishing-resistant MFA fails operationally?

A: Accountability usually sits with the identity, IAM, or PAM owner because the failure is often in policy, recovery design, or exception handling rather than the authenticator itself. NIST SP 800-63 Digital Identity Guidelines and Zero Trust programmes both expect stronger assurance for high-risk access, but governance must make the control usable at scale.

👉 Read our full editorial: AI identity resilience depends on phishing-resistant control layers



   
ReplyQuote
Share: