
Passwordless authentication and MFA resistance: are your controls ready?


(@nhi-mgmt-group)

TL;DR: Passwords and OTP-based MFA remain vulnerable to interception, replay, and fake login portals, while phishing-resistant methods bind authentication to device or origin and remove shared secrets, according to RSA Security and Gartner. The real shift is not convenience, but reducing credential theft by changing what the authenticator trusts.

NHIMG editorial — based on content published by RSA Security: Passwordless Phishing-Resistant Passwordless Best Practices

By the numbers:

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA in existing IAM environments?

A: Start with the most exposed and highest-value access paths, then phase in device-bound methods such as passkeys, FIDO2 keys, or smart cards.

Q: Why do passwords and OTP-based MFA still create phishing risk?

A: Because they remain transferable secrets.

Q: What should IAM teams measure when moving to passwordless authentication?

A: Measure how much access still depends on replayable credentials, how many high-risk flows remain on OTPs, and whether the enrolled devices can be revoked and recovered cleanly.
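To make the "transferable secret" point concrete, here is an added toy example (not code from RSA's article or this post) of a relying party checking an OTP beside a challenge-bound, origin-bound assertion in the style of FIDO2/WebAuthn. The origin names and the HMAC stand-in for a device signature are constructed for the demonstration.

```python
# Added illustration: an OTP verifier versus an origin-bound assertion verifier.
# RP_ORIGIN and the look-alike origin are constructed placeholders; HMAC stands
# in for a real public-key signature so the example runs without a key store.
import hashlib
import hmac
import json
import os

RP_ORIGIN = "https://login.example.test"  # constructed legitimate origin


def verify_otp(expected_code: str, submitted_code: str) -> bool:
    """A one-time code is a transferable secret: the verifier cannot tell
    where the user typed it, so a code relayed through a fake portal passes."""
    return hmac.compare_digest(expected_code, submitted_code)


def sign_assertion(device_key: bytes, origin: str, challenge: bytes) -> dict:
    """Simulated authenticator: the signature covers the origin the browser
    reports plus the server-issued challenge, so neither can be swapped later."""
    client_data = json.dumps({"origin": origin, "challenge": challenge.hex()}).encode()
    sig = hmac.new(device_key, hashlib.sha256(client_data).digest(), "sha256").hexdigest()
    return {"client_data": client_data, "signature": sig}


def verify_assertion(device_key: bytes, expected_challenge: bytes, assertion: dict) -> bool:
    """Relying-party side: accept only if the signed origin and challenge both
    match; a signature made on a look-alike domain fails even though the same
    enrolled device produced it."""
    data = json.loads(assertion["client_data"])
    if data.get("origin") != RP_ORIGIN:
        return False  # origin mismatch: the user was on a different site
    if data.get("challenge") != expected_challenge.hex():
        return False  # stale or replayed challenge
    expected = hmac.new(device_key, hashlib.sha256(assertion["client_data"]).digest(),
                        "sha256").hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def demo() -> dict:
    """Run both controls against the same relayed-login scenario."""
    key = os.urandom(32)        # constructed per-device secret
    challenge = os.urandom(16)  # challenge the RP issued for this login
    genuine = sign_assertion(key, RP_ORIGIN, challenge)
    relayed = sign_assertion(key, "https://login-example.test", challenge)
    return {
        "otp_relayed_accepted": verify_otp("483920", "483920"),
        "assertion_genuine_accepted": verify_assertion(key, challenge, genuine),
        "assertion_relayed_accepted": verify_assertion(key, challenge, relayed),
        "assertion_replayed_accepted": verify_assertion(key, os.urandom(16), genuine),
    }
```

The OTP path accepts the relayed code; the assertion path accepts only the genuine login and rejects both the look-alike origin and the replayed challenge.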

Practitioner guidance

  • Inventory every password-dependent access path: map workforce, customer, admin, and API-facing flows that still depend on passwords or OTPs, then rank them by business criticality and phishing exposure.
  • Classify OTP-based MFA as transitional only: treat SMS, email, and app-based one-time codes as interim controls, not phishing-resistant authentication, and document which applications still rely on them for high-risk access.
  • Stand up device-bound options for high-risk users: prioritise passkeys, FIDO2 keys, smart cards, or equivalent device-bound factors for administrators, finance users, and remote staff accessing sensitive systems.

What's in the full article

RSA Security's full article covers the operational detail this post intentionally leaves for the source:

  • Specific product methods for passkeys, push approvals, biometrics, and hardware authenticators.
  • The phased adoption steps and user-flow decisions behind passwordless rollout.
  • Examples of where RSA positions device-bound authentication for regulated and constrained environments.
  • The source article's FAQ section on phishing-resistant MFA, FIDO2, and compliance drivers.

👉 Read RSA Security's analysis of phishing-resistant passwordless authentication →
