
MFA fragmentation and phishing resistance: what teams miss


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Authentication complexity is overwhelming 70% of Security and IT professionals, almost 85% of organisations experienced a cyberattack in the last year, and nearly 9 in 10 say they plan to implement passwordless within 12 months, according to Axiad and IDSA. The real issue is not whether MFA exists, but whether it is phishing-resistant, usable, and consistent across silos.

NHIMG editorial — based on content published by Axiad: Navigating the Path to Enhanced Authentication

By the numbers:

Questions worth separating out

Q: How should security teams decide which authentication methods to prioritise?

A: Prioritise methods that resist phishing, replay, and prompt abuse, especially for privileged access and sensitive applications.

Q: Why do multiple MFA systems create more risk in an IAM programme?

A: Multiple MFA systems create risk when they enforce different assurance levels, recovery rules, and exception handling.

Q: How do you know if passwordless is actually improving security?

A: Passwordless is improving security when it reduces password reuse, removes phishing-prone flows, and applies the same assurance standard across all critical applications.

Practitioner guidance

  • Audit every authentication path: inventory primary sign-in, step-up authentication, and account recovery paths across all major applications so you can see where weak methods still exist.
  • Standardise phishing-resistant controls: set a baseline that prioritises phishing-resistant factors for high-risk access, privileged accounts, and administrative workflows instead of mixing equivalent and non-equivalent methods.
  • Remove silos between IAM systems: align policy, recovery, and assurance rules across disconnected IAM ecosystems so that one permissive platform does not become the fallback route for attackers.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • A step-by-step comparison of authentication options and where each one fits in a real programme.
  • The infographic-driven decision points Axiad uses to help teams weigh risk tolerance and usability trade-offs.
  • The article’s full discussion of why fragmented MFA estates create gaps across IAM ecosystems and operating systems.
  • The source’s discussion of how to present and defend an authentication roadmap to other decision makers.

👉 Read Axiad's analysis of enhanced authentication and MFA strategy →
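One way to make the audit step above concrete, as an added example (not Axiad's or NHIMG's code; the method names, assurance tiers and inventory are assumptions): score every primary, step-up and recovery route per application and report the weakest one against a baseline that is stricter for privileged access.

```python
# Constructed example for this thread, not Axiad's or NHIMG's code: rank each
# application's sign-in routes by assurance and flag the weakest one. The method
# names, tiers and inventory are assumptions for illustration.
from dataclasses import dataclass

# Assumed assurance tiers (higher = better resistance to phishing, replay and
# prompt abuse). Only tier 4 counts as phishing-resistant here.
TIER = {"password": 0, "sms_otp": 1, "email_link": 1, "totp": 2, "push": 2,
        "push_number_match": 3, "fido2": 4, "passkey": 4, "smartcard": 4}
PHISHING_RESISTANT = 4   # baseline for privileged / administrative access
STANDARD_MIN = 2         # baseline for everything else

@dataclass
class AppAuth:
    name: str
    privileged: bool
    paths: dict  # path name -> methods that path accepts (any one suffices)

def path_strength(methods):
    # A path is only as strong as the weakest method it still accepts.
    return min(TIER[m] for m in methods)

def weakest_route(app):
    # Primary sign-in, step-up and recovery all grant access, so the route an
    # attacker targets is whichever scores lowest.
    return min(((p, path_strength(ms)) for p, ms in app.paths.items()),
               key=lambda item: item[1])

def audit(apps):
    # Returns (app, path, tier, required) for every app whose weakest route
    # falls below the baseline for its risk class.
    findings = []
    for app in apps:
        path, tier = weakest_route(app)
        required = PHISHING_RESISTANT if app.privileged else STANDARD_MIN
        if tier < required:
            findings.append((app.name, path, tier, required))
    return findings

# Constructed inventory: recovery paths are where weak methods usually hide.
INVENTORY = [
    AppAuth("admin-console", True, {"primary": ["fido2"], "step_up": ["fido2"],
                                    "recovery": ["sms_otp", "email_link"]}),
    AppAuth("hr-portal", False, {"primary": ["totp", "push"], "recovery": ["email_link"]}),
    AppAuth("wiki", False, {"primary": ["totp"], "recovery": ["totp"]}),
    AppAuth("cloud-iam", True, {"primary": ["passkey", "smartcard"], "recovery": ["passkey"]}),
]

for name, path, tier, required in audit(INVENTORY):
    print(f"{name}: weakest route '{path}' is tier {tier}, baseline {required}")
```

The two flagged apps both fail on their recovery path even though their primary sign-in is strong, which is the silo the guidance above warns about.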

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Authentication complexity is now a governance problem, not just a user experience problem. When 70% of security and IT professionals say they are overwhelmed, the signal is that authentication design has outgrown ad hoc control selection. Fragmented MFA choices create uneven assurance, uneven recovery, and uneven enforcement. The practical conclusion is that identity teams must govern authentication as a portfolio, not a feature checklist.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why authentication governance cannot stop at human sign-in flows.

A question worth separating out:

Q: Who is accountable when weak authentication is left in place?

A: Accountability sits with the identity, security, and application owners who approve the weaker path and allow it to persist. Authentication risk is a governance issue, so it should be tied to access policy ownership, exception review, and periodic control validation. If no owner can explain the weakest route, the programme has a governance gap.

👉 Read our full editorial: Enhanced authentication shows why MFA strategy is still fragmented
