Good enough MFA is failing. What should IAM teams do now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Basic MFA methods like SMS, OTPs, and push approvals remain vulnerable to phishing, SIM swapping, and man-in-the-middle attacks, while a survey cited by Axiad found 93% of organisations still use passwords for business. The practical shift is to treat phishing-resistant MFA as the baseline for human identity, not an optional hardening step.

NHIMG editorial — based on content published by Axiad: Today’s “Good Enough MFA” Should Be Phishing-Resistant

By the numbers:

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA for privileged users?

A: Start with the identities that can do the most harm if compromised, then move outward in waves.

Q: Why do basic MFA methods still leave account takeover risk in place?

A: Because the second factor can still be phished, relayed, swapped, or approved under pressure.

Q: What signals show that MFA is not actually phishing-resistant?

A: Look for SMS, OTP, push approvals, and broad exception use on high-value accounts.

Practitioner guidance

  • Prioritise phishing-resistant MFA for high-risk accounts: start with administrators, finance users, remote workers, and any account that can reach sensitive systems.
  • Map applications that block cryptographic authenticators: inventory legacy apps, federated login paths, and exception workflows that cannot yet support FIDO2 or PKI-based authentication.
  • Retire weak second factors before expanding access: do not widen remote access, privileged access, or self-service enrolment while vulnerable factors remain in place.

What's in the full article

Axiad's full blog post covers the implementation detail this post intentionally leaves for the source:

  • Vendor discussion of FIDO2 and PKI deployment considerations for teams replacing SMS and OTP methods
  • Practical framing for organizations deciding which user populations should migrate first
  • Operational caveats around integrating phishing-resistant MFA into existing identity stacks
  • The source article's own explanation of why “good enough” MFA remains attractive despite its weaknesses

👉 Read Axiad's analysis of why phishing-resistant MFA is replacing good enough MFA →

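One way to operationalise the "what signals show MFA is not phishing-resistant" check and the prioritisation guidance above, as an added example that is not from the post or from Axiad: it reads a constructed MFA-enrolment export (the column layout and factor labels are assumptions, not a real IdP schema) and flags high-risk accounts that still rely on SMS, OTP or push, have no factor at all, or sit on a policy exception.

```python
import csv
from io import StringIO

# Factor classes and role names are assumptions for this example.
PHISHING_RESISTANT = {"fido2", "pki"}
WEAK = {"sms", "otp", "push"}
HIGH_RISK_ROLES = {"admin", "finance", "remote"}

# Constructed sample export; the columns are an assumption, not a vendor format.
SAMPLE_EXPORT = """user,roles,factors,exception
alice,admin,fido2,no
bob,admin,fido2;sms,no
carol,finance,otp;push,no
dave,remote,,yes
erin,staff,sms,no
"""


def parse_export(text):
    """Turn the CSV export into dicts with set-valued roles and factors."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "user": r["user"],
            "roles": {x for x in r["roles"].split(";") if x},
            "factors": {x for x in r["factors"].split(";") if x},
            "exception": r["exception"].strip().lower() == "yes",
        })
    return rows


def is_phishing_resistant(acct):
    # Resistant only if every enrolled factor is FIDO2/PKI: a leftover SMS
    # or OTP fallback still gives an attacker a phishable path around the key.
    factors = acct["factors"]
    return bool(factors) and factors <= PHISHING_RESISTANT


def audit(accounts):
    """Return {user: reason} for high-risk accounts that are not yet phishing-resistant."""
    findings = {}
    for a in accounts:
        if not a["roles"] & HIGH_RISK_ROLES:
            continue  # general workforce accounts belong to a later rollout wave
        if a["exception"]:
            findings[a["user"]] = "policy exception on high-risk account"
        elif not is_phishing_resistant(a):
            weak = sorted(a["factors"] & WEAK)
            findings[a["user"]] = "weak factors: " + (",".join(weak) or "no MFA enrolled")
    return findings


if __name__ == "__main__":
    for user, why in audit(parse_export(SAMPLE_EXPORT)).items():
        print(f"{user}: {why}")
```

Note that bob is flagged even though a FIDO2 key is enrolled, because the SMS fallback is what an attacker would target; erin is deliberately left for a later wave.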
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Good enough MFA is a control label, not an assurance model: a one-time code or push prompt can satisfy a policy checkbox while still leaving the identity susceptible to phishing, relay, and approval abuse. The deeper problem is that many programmes measure deployment presence instead of resistance to the actual attack path. Practitioners should treat factor strength as a governance question, not a feature checklist.

A few things that frame the scale:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: Who should be first in line for phishing-resistant authentication?

A: Privileged users, remote access populations, and any identity that reaches sensitive business systems should go first. These accounts offer the highest payoff for attackers and the fastest containment benefit for defenders. Once those paths are protected, teams can tackle broader workforce rollout with less operational pressure.

👉 Read our full editorial: Phishing-resistant MFA is now the baseline for identity security
