Phishing-resistant MFA and identity risk: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Traditional MFA and 2FA are increasingly bypassed by phishing, credential stuffing, push bombing, and man-in-the-middle attacks, prompting CISA, NIST, and the White House to push phishing-resistant MFA, according to Axiad. The core issue is that many programmes still treat MFA as sufficient when the real control gap is whether the factor can withstand modern adversary tooling.

NHIMG editorial — based on content published by Axiad: Is Your MFA Broken?

By the numbers:

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA for high-risk access?

A: Security teams should reserve phishing-resistant MFA for privileged, remote, and externally exposed access first, then expand it to broader workforce use.

Q: Why do traditional MFA methods fail against phishing attacks?

A: Traditional MFA fails because many methods still depend on a code, prompt, or approval that an attacker can intercept, relay, or coerce in real time.

Q: What do teams get wrong about phishing-resistant authentication?

A: Teams often assume any MFA is enough if it uses more than one factor.

Practitioner guidance

  • Separate phishing-resistant MFA from legacy MFA in policy. Update assurance policies so replayable methods such as SMS, email OTP, and generic push approval are not treated as equivalent to certificate- or FIDO-backed authentication for sensitive access paths.
  • Map authentication methods to specific access journeys. Use PKI for workstation, server, mobile, and non-browser scenarios, and use FIDO for browser and SSO use cases where origin binding matters most.
  • Re-score privileged access on replay resistance. Require higher assurance for admin, remote desktop, federation, and VPN entry points, then block methods that can be proxied or socially engineered in real time.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • PKI delivery and management patterns for enterprise authentication environments
  • Protocol-level coverage for SAML, OAuth, SCIM, and RADIUS integration
  • Use-case mapping for browser and non-browser authentication journeys
  • Hardware-backed authentication ecosystem details for implementation planning

👉 Read Axiad's analysis of phishing-resistant MFA and identity risk →
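The distinction the guidance above draws between replayable factors and origin-bound ones is easiest to see in code. The following is an added example, not code from the NHIMG post or from Axiad: a toy relying party that accepts a one-time code from whoever presents it, next to a FIDO-style check that verifies the origin the browser recorded in the signed client data. A keyed HMAC stands in for the authenticator's private-key signature (an assumption made to keep the example standard-library only; real FIDO uses asymmetric keys), and the origins and the OTP value are constructed sample data.

```python
"""Added example: why an OTP survives a real-time relay but an origin-bound
assertion does not. HMAC stands in for the authenticator's asymmetric signature."""
import hashlib
import hmac
import json
import secrets

RP_ORIGIN = "https://sso.example.com"           # legitimate relying party (constructed)
PROXY_ORIGIN = "https://sso.example-login.com"  # attacker-in-the-middle page (constructed)


# --- Legacy factor: a 6-digit code is a bare string bound to nothing ----------
def otp_login(current_code: str, code_received_by_rp: str) -> bool:
    """SMS/TOTP-style check. The relying party only sees a string; whether it
    arrived from the user directly or was forwarded by a proxy is invisible."""
    return hmac.compare_digest(current_code, code_received_by_rp)


# --- FIDO-style factor: the assertion signs challenge + browser-observed origin
def authenticator_sign(credential_key: bytes, challenge: bytes, origin: str) -> dict:
    """The browser fills in `origin` from the page that invoked the authenticator;
    the page cannot override it. The authenticator signs a hash of that client data."""
    client_data = json.dumps(
        {"challenge": challenge.hex(), "origin": origin}, sort_keys=True
    ).encode()
    digest = hashlib.sha256(client_data).digest()
    signature = hmac.new(credential_key, digest, hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def rp_verify(credential_key: bytes, issued_challenge: bytes, assertion: dict) -> bool:
    """Relying party: valid signature, the challenge it issued, AND its own origin.
    Dropping the origin check is what turns this back into a replayable factor."""
    client_data = assertion["client_data"]
    expected = hmac.new(
        credential_key, hashlib.sha256(client_data).digest(), hashlib.sha256
    ).hexdigest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False
    data = json.loads(client_data)
    if data["challenge"] != issued_challenge.hex():
        return False
    return data["origin"] == RP_ORIGIN


def fido_login(credential_key: bytes, browser_origin: str) -> bool:
    """One login round. With a relay, the challenge is the real RP's, but the
    victim's browser saw the proxy's origin, so that is what gets signed."""
    challenge = secrets.token_bytes(32)
    assertion = authenticator_sign(credential_key, challenge, browser_origin)
    return rp_verify(credential_key, challenge, assertion)


def demo() -> dict:
    """Outcomes for direct and relayed logins with each factor."""
    key = secrets.token_bytes(32)  # constructed registered credential key
    code = "482913"                # constructed current OTP value
    return {
        "otp_direct": otp_login(code, code),
        "otp_relayed": otp_login(code, code),   # proxy forwards the same string
        "fido_direct": fido_login(key, RP_ORIGIN),
        "fido_relayed": fido_login(key, PROXY_ORIGIN),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:13s} -> {'accepted' if accepted else 'rejected'}")
```

The useful part for an assurance policy is `rp_verify`: the signature and challenge checks alone would still accept the relayed assertion, because both are genuine; only the comparison of the signed origin against `RP_ORIGIN` rejects it. That is the property the guidance means by "origin binding", and it is why the same policy tier should not hold an SMS code and a FIDO assertion.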

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Phishing-resistant MFA is now an identity governance baseline, not an advanced option. The article’s core message is that conventional MFA no longer maps cleanly to attacker behaviour. When push prompts, codes, and replayable challenges can be bypassed, the control no longer deserves the same confidence as cryptographic authentication. Practitioners should treat authentication assurance as a governance decision, not a feature checkbox.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means identity assurance problems frequently persist below the authentication layer.

A question worth separating out:

Q: Should organisations use PKI or FIDO for passwordless access?

A: Most organisations need both, because PKI and FIDO solve different access patterns. FIDO is well suited to browser and SSO scenarios, while PKI is often better for non-browser and certificate-bound environments such as workstations, RDP, and server authentication. The right choice depends on where the credential must work.

👉 Read our full editorial: Phishing-resistant MFA is now the baseline for identity security
