
Phishing-resistant MFA for enterprises: what should teams do first?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Legacy MFA is increasingly vulnerable to phishing and MFA fatigue, and Axiad argues organisations should adopt a pragmatic, grouped rollout that combines certificate-based authentication and FIDO for different user populations, while aligning with the White House OMB zero-trust memo and NIST AAL3 expectations. The practical issue is no longer whether phishing-resistant MFA is needed, but how to deploy it without creating new operational silos.

NHIMG editorial — based on content published by Axiad: Phishing-Resistant Authentication for Everyone

By the numbers:

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA across different user groups?

A: Start by segmenting users by role and access risk, then map each group to the strongest authentication method that still fits its workflow and platform constraints.

Q: Why do legacy MFA and password fallbacks keep creating risk?

A: Legacy MFA remains vulnerable because phishing, MFA fatigue, and recovery workflows often bypass the primary control.

Q: How do you know if phishing-resistant MFA is actually working?

A: Look for enrolment coverage by user group, renewal discipline, exception rates, and the absence of weak fallback methods.

Practitioner guidance

  • Segment users by authentication risk and workflow: group users by role, application exposure, and device pattern before selecting the control.
  • Use certificate-based authentication where device trust matters: deploy certificate-based authentication for environments where device binding and strong assurance are required, especially when desktop, cloud, and application access must coexist under one governance model.
  • Reserve FIDO for the applications that benefit from it most: apply FIDO where the user experience and phishing resistance are both strong, then avoid forcing it into platforms or desktop flows that do not support it cleanly.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • The step-by-step rollout model for grouping users by risk and mapping authentication methods to each group
  • The product-specific dashboard workflow for tracking enrolment, renewal, and credential expiry across the estate
  • The practical implementation detail for combining certificate-based authentication with FIDO in the same environment
  • The communication cadence guidance for preparing end users during a phishing-resistant MFA rollout

👉 Read Axiad's roadmap for phishing-resistant MFA and mixed authentication →
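An added example, not from the Axiad article or the post above: a small Python audit that runs over a constructed enrolment inventory and reports the signals the answer on measuring success names (enrolment coverage per user group, renewal discipline, exception rate, and lingering weak fallback methods). The group-to-method mapping, the method labels, and every inventory record are assumptions made up for illustration, not values from the source.

```python
"""Audit a constructed MFA enrolment inventory against per-group policy."""
from collections import defaultdict
from datetime import date, timedelta

# Legacy fallbacks whose continued presence undermines the primary control.
WEAK_FALLBACKS = {"sms", "push", "totp", "password-only"}
# Assumed policy: which phishing-resistant method each user group maps to.
GROUP_POLICY = {
    "admins": "certificate",   # device-bound trust for privileged access
    "developers": "fido2",     # web-first workflows where FIDO fits cleanly
    "finance": "certificate",  # managed desktops with mixed desktop/cloud access
}
AS_OF = date(2024, 12, 1)  # constructed "today" for the audit run
# Constructed inventory shaped like a flattened IdP/PKI export (not real data).
INVENTORY = [
    {"user": "a1", "group": "admins", "methods": ["certificate"], "cert_expires": date(2024, 12, 20), "exception": False},
    {"user": "a2", "group": "admins", "methods": ["certificate", "sms"], "cert_expires": date(2025, 6, 1), "exception": False},
    {"user": "a3", "group": "admins", "methods": ["push"], "cert_expires": None, "exception": True},
    {"user": "d1", "group": "developers", "methods": ["fido2"], "cert_expires": None, "exception": False},
    {"user": "d2", "group": "developers", "methods": ["fido2", "totp"], "cert_expires": None, "exception": False},
    {"user": "d3", "group": "developers", "methods": ["password-only"], "cert_expires": None, "exception": False},
    {"user": "f1", "group": "finance", "methods": ["certificate"], "cert_expires": date(2024, 12, 5), "exception": False},
    {"user": "f2", "group": "finance", "methods": ["certificate"], "cert_expires": date(2024, 11, 20), "exception": False},
]


def audit(inventory, policy, today, renewal_window_days=30):
    """Per-group signals: coverage, renewals due, exception rate, weak fallbacks, unapproved gaps."""
    horizon = today + timedelta(days=renewal_window_days)
    groups = defaultdict(lambda: {"total": 0, "enrolled": 0, "exceptions": 0,
                                  "renewals_due": 0, "weak_fallback_users": [],
                                  "unexplained_gaps": []})
    for rec in inventory:
        g, required, methods = groups[rec["group"]], policy[rec["group"]], set(rec["methods"])
        enrolled = required in methods          # holds the method policy assigns to the group
        g["total"] += 1
        g["enrolled"] += enrolled
        g["exceptions"] += rec["exception"]
        if methods & WEAK_FALLBACKS:            # a bypassable method is still enabled
            g["weak_fallback_users"].append(rec["user"])
        if not enrolled and not rec["exception"]:   # gap that nobody approved
            g["unexplained_gaps"].append(rec["user"])
        # Expired or soon-expiring certificates count as renewal debt, not coverage.
        exp = rec["cert_expires"]
        if required == "certificate" and exp is not None and exp <= horizon:
            g["renewals_due"] += 1
    for g in groups.values():
        g["coverage"] = g["enrolled"] / g["total"]
        g["exception_rate"] = g["exceptions"] / g["total"]
    return dict(groups)
```

Feeding a real IdP or PKI export into `audit()` gives the same per-group view; a group with high coverage but many weak fallback users or a growing `unexplained_gaps` list is the pattern to chase first.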

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804

Phishing-resistant MFA fails when organisations treat authentication as a single control tier. The article makes clear that different roles need different combinations of certificate-based authentication, FIDO, and device trust. That is not a weakness in the control, but a failure of one-size-fits-all governance. Practitioners should recognise that assurance design has to be role-aware, application-aware, and operationally maintainable.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why identity programmes that rely on partial visibility routinely miss risk.

A question worth separating out:

Q: What is the difference between certificate-based authentication and FIDO in practice?

A: Certificate-based authentication is strongest where device-bound trust and managed issuance are needed, while FIDO is often better where supported applications and user experience matter most. Many enterprises need both. The decision is less about which method is better overall and more about which one fits the access path, platform, and assurance requirement.

👉 Read our full editorial: Phishing-resistant MFA needs a pragmatic rollout model now
