Certificate-based authentication and phishing resistance: what IAM teams need


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Phishing still drives ransomware paths, yet many MFA methods remain vulnerable, and CISA says 84% of employees interacted with a phishing email, highlighting why certificate-based authentication and Zero Trust-aligned verification are gaining attention, according to Axiad and CISA. Identity programmes that stop at MFA labels miss the underlying trust model problem.

NHIMG editorial — based on content published by Axiad: Fresh Take on the National Cybersecurity Strategy and phishing-resistant authentication

By the numbers:

Questions worth separating out

Q: How should security teams reduce phishing risk in high-value access paths?

A: They should replace phishable MFA methods on privileged and remote access routes with phishing-resistant authentication that binds the factor to the device or certificate chain.

Q: Why do conventional MFA methods still leave identity risk on the table?

A: Because SMS, OTP, and push approvals can still be intercepted, relayed, or pressured through social engineering.

Q: What should organisations look for when evaluating phishing-resistant authentication?

A: They should look for device-bound proof of possession, strong certificate validation, and revocation processes that match the value of the access being protected.

Practitioner guidance

  • Replace phishable MFA on high-risk access paths: Prioritise administrative, remote, and privileged user journeys where SMS, OTP, and push approvals still create a replayable trust event.
  • Map Zero Trust dependencies to authentication strength: Review every policy that claims continuous verification and check whether the sign-in method can actually survive phishing, relay, or approval fatigue.
  • Use certificate-based authentication for identity assurance: Apply certificate-based authentication where the business impact of compromise is highest, especially for employee access that reaches sensitive systems.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • Specific guidance on certificate-based authentication as a phishing-resistant control for enterprise IAM
  • The article's explanation of asymmetric cryptography and certificate chain validation in practical identity terms
  • A closer look at how passwordless authentication fits hybrid, remote, and in-office access patterns
  • The source's framing of Zero Trust adoption through contemporary authentication controls

👉 Read Axiad's analysis of phishing-resistant certificate authentication →




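The three properties the Q&A above asks an evaluator to look for (device-bound proof of possession, chain validation to a trusted root, and a revocation process) can be shown end to end with the Go standard library. The following is an added example written for this thread; it is not code from Axiad's article or from NHIMG. It constructs its own throwaway CA, a user certificate for a constructed user "alice", and a simulated hardware-bound key, then walks through a legitimate login, a replay of a captured signature, and a login after the CA publishes a CRL that revokes the certificate. Names such as `Device`, `Verifier`, `Scenario` and `signedCRL` are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failures in this constructed demo are fatal
	}
	return v
}

// Device models a hardware-bound credential: the private key is generated inside it and
// never exported; Sign answers a server challenge, which is the proof-of-possession step.
type Device struct{ key *ecdsa.PrivateKey }

func (d *Device) Sign(challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	return must(ecdsa.SignASN1(rand.Reader, d.key, h[:]))
}

// Verifier is the relying party: a trust anchor plus the CA's current CRL.
type Verifier struct {
	roots *x509.CertPool
	crl   *x509.RevocationList
}

// Authenticate runs three checks: chain validation to a trusted root with the client-auth
// EKU, revocation status from the CRL, and a signature over this session's own challenge.
func (v *Verifier) Authenticate(cert *x509.Certificate, challenge, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: v.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain validation: %w", err)
	}
	for _, rc := range v.crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("certificate %s is revoked", cert.SerialNumber)
		}
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	h := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("proof of possession failed")
	}
	return nil
}

// issue signs tmpl with the parent's key; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// signedCRL has the CA publish a CRL for serials and verifies its signature before it is trusted.
func signedCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, serials []*big.Int) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(int64(len(serials) + 1)),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()})
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, issuer, key))))
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		panic(err) // a CRL that does not verify against the issuing CA must never be acted on
	}
	return crl
}

// Scenario: a fresh login, a replay of a captured signature, then a login after revocation.
func Scenario() (fresh, replay, revoked error) {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Device CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	dev := &Device{key: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))} // constructed user's device
	leaf := issue(&x509.Certificate{SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "alice (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, &dev.key.PublicKey, caKey)
	v := &Verifier{roots: x509.NewCertPool(), crl: signedCRL(ca, caKey, nil)}
	v.roots.AddCert(ca)
	challenge := func() []byte { b := make([]byte, 32); must(rand.Read(b)); return b }
	c1 := challenge()
	s1 := dev.Sign(c1)
	fresh = v.Authenticate(leaf, c1, s1)           // 1. legitimate login: fresh challenge, signed on the device
	replay = v.Authenticate(leaf, challenge(), s1) // 2. captured (c1, s1) presented against the next challenge
	v.crl = signedCRL(ca, caKey, []*big.Int{leaf.SerialNumber}) // 3. device reported lost: CA revokes the serial
	c3 := challenge()
	revoked = v.Authenticate(leaf, c3, dev.Sign(c3))
	return fresh, replay, revoked
}

func main() { fmt.Println(Scenario()) } // prints: <nil> proof of possession failed certificate 1001 is revoked
```

The replay step is the point the thread keeps returning to: because the server issues a new random challenge for every session and the key never leaves the device, a captured interaction is a dead signature rather than reusable access, which is exactly what an intercepted OTP or approved push is not. The revocation step shows why the answer above ties revocation to the value of the access: the relying party only rejects the lost device once it has fetched a CRL it can verify against the issuing CA, so CRL or OCSP freshness and distribution are part of the control, not an afterthought.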
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Phishing-resistant authentication is not a feature preference, it is a trust model decision. Once attackers can convert a user prompt, OTP, or push notification into access, the issue is not merely authentication usability but identity assurance. That is why certificate-based authentication matters in a different way from conventional MFA: it reduces the chance that a captured interaction becomes reusable access. Practitioners should treat phishing resistance as a control boundary, not a product category.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: How does phishing resistance support Zero Trust architecture?

A: Zero Trust depends on continuous verification, so the initial authentication event must be strong enough to support later policy decisions. Phishing-resistant methods reduce the chance that an attacker can enter through a weak factor and then exploit trust downstream. Without that stronger start, segmentation and monitoring are compensating controls rather than true trust enforcement.

👉 Read our full editorial: Phishing resistance and certificate authentication reduce identity attack surface


