TL;DR: Gartner IAM Summit takeaways argue that MFA is now baseline hygiene, but the real risk sits in phishing-resistant implementation, hybrid authenticator choice, and the credential enrolment and account recovery paths that attackers can exploit, according to Axiad. The governance issue is no longer whether to add MFA, but whether identity recovery and enrolment processes weaken the control you think you have.
NHIMG editorial — based on content published by Axiad: Fresh Take: Our Five Key Takeaways from the 2023 Gartner IAM Summit in Texas
By the numbers:
- 90% of IT leaders say properly managing non-human identities (NHIs) is essential for a successful zero-trust implementation.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
Questions worth separating out
Q: How should security teams implement phishing-resistant MFA without breaking user workflows?
A: Start with the highest-risk access paths, such as admin accounts, workstation sign-in, and cloud applications.
Q: When does MFA fail even if it is widely deployed?
A: MFA fails when attackers can bypass it through weak recovery, insecure enrolment, SIM swapping, push fatigue, or help desk reset paths.
Q: What do organisations get wrong about passwordless authentication?
A: They often assume passwordless is a user experience project rather than an assurance and lifecycle problem.
Practitioner guidance
- Map recovery paths before expanding MFA: inventory every enrolment and reset path, including help desk, self-service, device replacement, and admin override flows.
- Prioritise phishing-resistant methods for high-impact access: roll out FIDO2 passkeys, certificate-based authentication, or PKI first where phishing risk and privilege are highest.
- Redesign account recovery as an assurance control: remove temporary passwords and weak knowledge-based checks from recovery workflows.
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Gartner session context and the specific argument behind passwordless-first IAM design
- Practical examples of hybrid authentication choices across passkeys, CBA, PKI, and device form factors
- The recovery and enrolment pitfalls that can undermine phishing-resistant MFA in real deployments
- Axiad's interpretation of where MFA implementation should focus for broadest impact
👉 Read Axiad's takeaways on passwordless MFA, phishing resistance, and recovery →
Passwordless MFA and account recovery: what teams should fix first
Explore further
Passwordless MFA is only as strong as the recovery path behind it. Organisations often evaluate MFA at the login screen and miss the fact that enrolment and account recovery define the real assurance boundary. If a weak recovery flow can reissue trust, the authentication control becomes a thin front end over a compromised lifecycle. Practitioners should treat recovery as part of authentication policy, not an operational afterthought.
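The weakest-link reasoning in the paragraph above, together with the "map recovery paths" and "redesign recovery as an assurance control" guidance earlier on the page, can be turned into a small audit that walks every login, enrolment and recovery path and reports the one an attacker would actually choose. The Python below is an added example and is not code from Axiad or the NHIMG editorial. The path inventory is constructed for illustration, and the numeric assurance scale is an assumption of the example (a simple ordinal ranking of authenticator types), not a formal standard.

```python
"""Weakest-link audit of login, enrolment and recovery paths.

Added example, not code from Axiad or the NHIMG editorial. The inventory
is constructed for illustration; the assurance scale is an assumption.
"""
from dataclasses import dataclass

# Assumed ordinal assurance scale (higher = stronger). Phishing-resistant
# methods sit at the top; anything a phished, socially engineered or
# SIM-swapped caller can satisfy sits below them.
ASSURANCE = {
    "fido2_passkey_hardware": 4,  # device-bound passkey / security key
    "certificate_cba": 4,         # certificate-based (PKI) authentication
    "in_person_id_check": 4,      # physical identity proofing
    "fido2_passkey_synced": 3,    # phishing-resistant, but cloud-synced
    "totp": 2,
    "push": 2,                    # exposed to push fatigue
    "sms_otp": 1,                 # exposed to SIM swapping
    "temporary_password": 1,      # issued by a reset workflow
    "knowledge_based": 1,         # KBA answers are guessable or breached
    "helpdesk_voice": 1,          # caller recognised by voice alone
}

# Factors an attacker cannot satisfy remotely with phished or socially
# engineered input (assumption of this example).
PHISHING_RESISTANT = {
    "fido2_passkey_hardware", "fido2_passkey_synced",
    "certificate_cba", "in_person_id_check",
}


@dataclass(frozen=True)
class Path:
    name: str
    kind: str                  # "login", "enrolment" or "recovery"
    factors: tuple[str, ...]   # every listed factor must be satisfied


def path_assurance(path: Path) -> int:
    """An attacker must satisfy every factor on the path, so the path is at
    least as strong as its strongest factor. Deliberately gives no credit
    for stacking several weak factors (two KBA checks are still KBA)."""
    return max(ASSURANCE[f] for f in path.factors)


def is_phishing_resistant(path: Path) -> bool:
    return any(f in PHISHING_RESISTANT for f in path.factors)


def audit(paths: list[Path]) -> dict:
    """The identity is only as strong as the weakest path that can reissue
    trust, so effective assurance is the minimum over login, enrolment and
    recovery. Paths weaker than the login path are the weak links."""
    login_level = min(path_assurance(p) for p in paths if p.kind == "login")
    effective = min(path_assurance(p) for p in paths)
    weak = sorted(p.name for p in paths if path_assurance(p) < login_level)
    not_pr = sorted(p.name for p in paths if not is_phishing_resistant(p))
    return {
        "login_assurance": login_level,
        "effective_assurance": effective,
        "weak_links": weak,
        "non_phishing_resistant_paths": not_pr,
        "phishing_resistant_end_to_end": not not_pr,
    }


# Constructed inventory: passkeys and CBA at the login screen, but the
# enrolment and recovery paths still accept temporary passwords, KBA and a
# voice-only help desk.
BEFORE = [
    Path("workstation_signin", "login", ("fido2_passkey_hardware",)),
    Path("cloud_app_sso", "login", ("certificate_cba",)),
    Path("self_service_enrol", "enrolment", ("temporary_password", "sms_otp")),
    Path("helpdesk_reset", "recovery", ("helpdesk_voice", "knowledge_based")),
    Path("device_replacement", "recovery", ("in_person_id_check",)),
    Path("admin_override", "recovery", ("push",)),
]

# Same inventory with recovery redesigned as an assurance control: no
# temporary passwords or KBA, and every path that reissues trust requires
# a phishing-resistant factor or physical proofing.
AFTER = [
    Path("workstation_signin", "login", ("fido2_passkey_hardware",)),
    Path("cloud_app_sso", "login", ("certificate_cba",)),
    Path("self_service_enrol", "enrolment", ("certificate_cba",)),  # cert on managed device
    Path("helpdesk_reset", "recovery", ("in_person_id_check",)),
    Path("device_replacement", "recovery", ("in_person_id_check",)),
    Path("admin_override", "recovery", ("fido2_passkey_hardware",)),
]


if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(inventory))
```

On the "before" inventory the login paths score 4 but the effective assurance is 1, because the self-service enrolment and help desk reset paths can reissue trust on the strength of a temporary password, an SMS code or a voice check; the admin override path is flagged as well because push approval is weaker than the login control. On the "after" inventory every path scores 4 and the weak-link list is empty, which is the property a recovery redesign should be measured against. Taking the strongest factor per path is a deliberate simplification; the point it preserves is that the minimum across all paths, not the login screen, is the number that matters.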
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own MFA recovery governance in an IAM programme?
A: IAM and security governance should own it jointly with operations, because recovery settings define assurance levels across identity journeys. If the service desk can restore access without strong proofing, the identity programme has effectively delegated control of authentication strength.
👉 Read our full editorial: Passwordless MFA and recovery controls reduce identity risk