Authentication trends in 2026: are your controls keeping up?

TL;DR: Traditional MFA is being bypassed through phishing, MFA fatigue and session hijacking, while 60% of phishing-related breaches now use bypass techniques that older controls cannot stop, according to CyberMaxx research. Static login checks are no longer enough; security teams need phishing-resistant methods and continuous verification.

NHIMG editorial — based on content published by 1Kosmos: Authentication trends in 2026 that go beyond traditional MFA

By the numbers:

• 60% of phishing-related breaches now use bypass techniques that traditional MFA cannot stop.
• 1% of users blindly accept the first push notification they receive.
• 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.

Questions worth separating out

Q: How should security teams reduce account takeover risk without creating more login friction?

A: Security teams should move from static MFA prompts to phishing-resistant authentication and risk-based session controls.

Q: Why do traditional MFA methods fail against phishing and push fatigue?

A: Traditional MFA often fails because it still depends on a user approving a prompt or entering a code that can be phished, replayed or coerced.

Q: How do organisations know if their authentication controls are actually working?

A: They should measure successful bypass attempts, repeated push approvals, abnormal session continuation after risk changes, and the share of privileged access protected by phishing-resistant methods.

Practitioner guidance

• Prioritise phishing-resistant authentication for high-risk users Start with administrators, finance users and other privileged populations where session compromise would have the largest blast radius.
• Reduce MFA fatigue exposure in approval workflows Limit repetitive push prompts, add number matching or contextual challenge logic, and flag users who repeatedly approve high-risk requests from unusual contexts.
• Add session-level risk signals to access policy Use device reputation, location drift, time-of-day anomalies and behaviour changes to trigger step-up checks or session termination when trust weakens after login.

What's in the full article

1Kosmos's full post covers the operational detail this post intentionally leaves for the source:

• Step-by-step guidance on implementing passkeys, adaptive authentication and liveness detection across workforce and customer environments.
• Product-specific explanations of how 1Kosmos combines passwordless login, biometric checks and decentralized identity in one flow.
• Implementation framing for phased rollouts, including where to start with privileged users and how to stage continuous verification.
• FAQ examples that translate the article’s trends into concrete authentication design choices for practitioners.

👉 Read 1Kosmos's analysis of modern authentication trends beyond traditional MFA →

Authentication trends in 2026: are your controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →