AI phishing and account recovery: what IAM teams need to rethink


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Authentication threats in 2024 are shaped by generative AI, with phishing attacks becoming easier to craft and account recovery emerging as a weak point, according to Axiad and cited industry research from Verizon, the FIDO Alliance, CISA, and NIST. The security model breaks when recovery paths remain easier to socially engineer than primary authentication.

NHIMG editorial — based on content published by Axiad: Three Authentication Predictions for 2024

By the numbers:

Questions worth separating out

Q: What fails when passwordless authentication is adopted without stronger recovery controls?

A: Passwordless can remove shared secrets from the front door, but it does not stop attackers from using the recovery process to regain access.

Q: Why do generative AI phishing attacks create more risk for IAM programmes?

A: They lower the cost of producing believable, context-aware lures that are harder for users to spot.

Q: How can security teams tell whether recovery controls are too weak?

A: Look for repeated resets, frequent support escalation, and recovery methods that depend on information available in public sources.

Practitioner guidance

  • Map every recovery path end to end. Document how users regain access through help desk calls, knowledge questions, emailed links, out-of-band codes, and self-service reset flows.
  • Harden recovery to match primary authentication. Apply phishing-resistant verification to recovery steps wherever possible, including stronger identity proofing, step-up checks, and tighter support escalation rules.
  • Review help desk authority and scripts. Limit what support staff can reset, reveal, or override without stronger assurance.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • The article's full explanation of why passwordless recovery becomes the next attack surface after primary passwords are removed
  • The vendor's examples of how generative AI changes phishing content, context, and attacker effort at scale
  • The specific authentication and account recovery scenarios the article uses to illustrate real-world compromise paths
  • The source discussion of 2024 authentication predictions and how the vendor expects enterprise behaviour to change

👉 Read Axiad's 2024 authentication predictions on phishing and recovery risk →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Generative AI has shifted phishing from content quality to identity pressure. The attacker advantage is no longer only better writing. It is the ability to generate context-rich lures at scale, which makes human verification cues less reliable and turns authentication into a constant judgement problem. That affects human identity programmes first, but it also weakens any access model that assumes users can reliably distinguish legitimate prompts from deception. The implication is that authentication design must be treated as adversarial interaction design, not just factor selection.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means recovery and authentication failures often sit inside an incomplete inventory, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Who should own account recovery risk in an identity programme?

A: Recovery risk should be owned jointly by IAM, service desk leadership, and security governance. Authentication is not complete until recovery is controlled, so the accountable team must cover the full identity journey, including fallback access, verification rules, and support approvals.

👉 Read our full editorial: Authentication risk in 2024 shifts toward AI phishing and recovery
