Phishing-resistant authentication for people, machines, and email


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: The SANS 2022 Managing Human Risk report puts people at the centre of the current attack frontier, with phishing, business email compromise, and ransomware all driven by credential theft or weak passwords, according to Axiad’s analysis. Passwordless, phishing-resistant MFA is now a baseline control, but it still needs to be paired with ongoing user training and coverage across people, machines, and interactions.

NHIMG editorial — based on content published by Axiad: Top Attack Frontier is People - Need for Phishing-Resistant Authentication

By the numbers:

Questions worth separating out

Q: How should security teams reduce phishing risk without frustrating users?

A: Focus first on removing replayable factors from high-value accounts, then simplify the remaining sign-in journey so users do not create workarounds.

Q: Why do passwords remain such a problem for enterprise identity security?

A: Passwords remain problematic because they are reusable, phishable, and easy to share or reuse across contexts.

Q: How do organisations decide where phishing-resistant MFA is most urgent?

A: Prioritise accounts that can approve money movement, change security settings, administer infrastructure, or access sensitive data.

Practitioner guidance

  • Prioritise phishing-resistant MFA for privileged accounts first: Start with administrators, finance users, and any account that can change access, payment, or security settings.
  • Extend authentication design to machines and documents: Use PKI for device and workload identity, and authenticate email or attached documents where trust decisions depend on message integrity.
  • Reduce user friction where it drives bypass behaviour: Measure where users abandon controls, create workarounds, or request exemptions.

What's in the full article

Axiad's full blog post covers the practical authentication patterns this analysis intentionally leaves at a higher level:

  • Certificate-based authentication design for users and admins
  • PKI authentication patterns for devices, virtual workloads, email, and attached documents
  • How Passwordless Orchestration supports people, machine, and interaction authentication
  • The specific trade-offs between phishing resistance and user friction

👉 Read Axiad's analysis of phishing-resistant authentication for people and machines →

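The distinction the post draws between "replayable factors" and phishing-resistant ones, as an added example that is not part of the post or of Axiad's article: a small Go model in which a phishing page relays what the victim produces to the real site. The TOTP half follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits). The origin-bound half is a simplified stand-in for a FIDO/WebAuthn assertion (ECDSA P-256 over a hash of the page origin plus the relying party's one-time challenge); it is not a WebAuthn implementation, and the origins, the shared secret and the challenge bookkeeping are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// ---- Replayable factor: RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) ----

func totp(secret []byte, unixTime int64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation (RFC 4226 §5.3)
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifyTOTP is all the real site can do: any code that matches the current
// window is accepted, regardless of who typed it or on which page.
func verifyTOTP(secret []byte, code string, now int64) bool {
	return hmac.Equal([]byte(code), []byte(totp(secret, now)))
}

// RelayTOTP: the victim types a valid code into the phishing page and the
// attacker forwards it to the real site inside the same 30 s window.
func RelayTOTP(secret []byte, now int64) bool {
	codeTypedIntoPhishingPage := totp(secret, now)
	return verifyTOTP(secret, codeTypedIntoPhishingPage, now)
}

// ---- Origin-bound factor (FIDO-style, simplified for the example) ----

// Authenticator holds a per-credential private key that never leaves the device.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: k}, nil
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

type Assertion struct {
	Origin    string // origin the browser reported; the user cannot edit it
	Challenge []byte
	Sig       []byte
}

// signedMessage binds origin and challenge into the bytes that get signed.
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign is invoked by the browser on behalf of whatever page is asking.
func (a *Authenticator) Sign(pageOrigin string, challenge []byte) (Assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedMessage(pageOrigin, challenge))
	return Assertion{Origin: pageOrigin, Challenge: challenge, Sig: sig}, err
}

type RelyingParty struct {
	origin  string
	pub     *ecdsa.PublicKey
	pending map[string]bool // challenges issued but not yet consumed
}

func NewRelyingParty(origin string, pub *ecdsa.PublicKey) *RelyingParty {
	return &RelyingParty{origin: origin, pub: pub, pending: map[string]bool{}}
}

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c
}

// Verify checks the challenge is fresh and the signature covers *our* origin,
// so an assertion produced for a look-alike page cannot be replayed here.
func (rp *RelyingParty) Verify(a Assertion) error {
	id := hex.EncodeToString(a.Challenge)
	if !rp.pending[id] {
		return errors.New("unknown or already-used challenge")
	}
	delete(rp.pending, id) // one-time use
	if a.Origin != rp.origin {
		return fmt.Errorf("origin mismatch: %s", a.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signedMessage(rp.origin, a.Challenge), a.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// RelayAssertion: the phishing page fetches a real challenge, has the victim's
// authenticator sign it, and forwards the result to the real site.
func RelayAssertion(rp *RelyingParty, auth *Authenticator, phishOrigin string) error {
	ch := rp.NewChallenge()
	a, err := auth.Sign(phishOrigin, ch)
	if err != nil {
		return err
	}
	return rp.Verify(a)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret
	fmt.Println("TOTP relayed by phisher accepted:", RelayTOTP(secret, 59))
	auth, _ := NewAuthenticator()
	rp := NewRelyingParty("https://login.example.com", auth.PublicKey())
	fmt.Println("assertion relayed by phisher:", RelayAssertion(rp, auth, "https://login.example.com.evil.test"))
}
```

The TOTP relay succeeds because the code carries nothing about where it was entered; the assertion relay fails at the origin check (and would fail the signature check even if the attacker rewrote the Origin field), and a captured assertion cannot be reused because the challenge is consumed on first use. That is the property "phishing-resistant" refers to, and it is why the guidance above starts by removing replayable factors from high-value accounts.
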
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

People-centric attack defence is now an identity architecture problem, not just a training problem. The article is right that phishing, BEC, and ransomware all converge on human trust and credential weakness. That means IAM teams cannot keep treating user awareness as the primary control while leaving authentication patterns fragile. Practitioners should read this as a prompt to redesign identity controls around how attackers actually enter, not how policies assume they behave.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: What should IAM teams do when users keep bypassing security controls?

A: Treat bypass behaviour as a design signal, not just a compliance issue. Review whether the control is too frequent, too brittle, or too disconnected from how people actually work. Then adjust the control path, reinforce training on current threats, and keep stronger authentication in place for high-risk actions.

👉 Read our full editorial: People-centric attacks and phishing-resistant MFA for IAM teams



   
ReplyQuote
Share: