Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Authentication trends in 2026: are your controls keeping up?


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 257
Topic starter  

TL;DR: Traditional MFA is being bypassed through phishing, MFA fatigue and session hijacking, while 60% of phishing-related breaches now use bypass techniques that older controls cannot stop, according to CyberMaxx research. Static login checks are no longer enough; security teams need phishing-resistant methods and continuous verification.

NHIMG editorial — based on content published by 1Kosmos: Authentication trends in 2026 that go beyond traditional MFA

By the numbers:

Questions worth separating out

Q: How should security teams reduce account takeover risk without creating more login friction?

A: Security teams should move from static MFA prompts to phishing-resistant authentication and risk-based session controls.

Q: Why do traditional MFA methods fail against phishing and push fatigue?

A: Traditional MFA often fails because it still depends on a user approving a prompt or entering a code that can be phished, replayed or coerced.

Q: How do organisations know if their authentication controls are actually working?

A: They should measure successful bypass attempts, repeated push approvals, abnormal session continuation after risk changes, and the share of privileged access protected by phishing-resistant methods.

Practitioner guidance

  • Prioritise phishing-resistant authentication for high-risk users Start with administrators, finance users and other privileged populations where session compromise would have the largest blast radius.
  • Reduce MFA fatigue exposure in approval workflows Limit repetitive push prompts, add number matching or contextual challenge logic, and flag users who repeatedly approve high-risk requests from unusual contexts.
  • Add session-level risk signals to access policy Use device reputation, location drift, time-of-day anomalies and behaviour changes to trigger step-up checks or session termination when trust weakens after login.

What's in the full article

1Kosmos's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance on implementing passkeys, adaptive authentication and liveness detection across workforce and customer environments.
  • Product-specific explanations of how 1Kosmos combines passwordless login, biometric checks and decentralized identity in one flow.
  • Implementation framing for phased rollouts, including where to start with privileged users and how to stage continuous verification.
  • FAQ examples that translate the article’s trends into concrete authentication design choices for practitioners.

👉 Read 1Kosmos's analysis of modern authentication trends beyond traditional MFA →

Authentication trends in 2026: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Traditional MFA is a login control, not a session trust model. The article makes clear that attackers are now targeting the approval step, the token, and the session itself rather than only the password. That means identity governance can no longer treat authentication as a single event with a binary pass or fail outcome. Practitioners should read this as a signal to separate initial sign-in from ongoing trust decisions.

A few things that frame the scale:

  • 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation, according to Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.

A question worth separating out:

Q: Who is accountable when an MFA bypass leads to account compromise?

A: Accountability should sit with the identity and access owner for the affected population, plus the security team responsible for authentication policy and monitoring. Governance frameworks such as Zero Trust and enterprise IAM controls require that sign-in, session trust and privileged access are designed and reviewed together, not separately.

👉 Read our full editorial: Traditional MFA is giving way to phishing-resistant authentication



   
ReplyQuote
Share: