
Omnichannel authentication: what practitioners should demand from vendors


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Procurement checklists for omnichannel authentication now need to test phishing resistance, voice-channel verification, machine identity proof-of-possession, and correlated telemetry rather than accept broad MFA claims, according to Scramble ID. The decisive issue is whether controls are bound to the session and action, because fallback paths and long-lived secrets still create replay and recovery abuse windows.

NHIMG editorial — based on content published by Scramble ID: Evaluation Checklist + RFP

Questions worth separating out

Q: How should security teams evaluate phishing-resistant authentication across web and voice channels?

A: They should test whether the same assurance primitive survives both channels and whether high-risk actions can be forced onto weaker fallbacks.

Q: Why do fallback authentication methods create governance risk?

A: Fallbacks often become the easiest path to recovery, admin changes, or payout approvals, which means attackers target them when primary login is strong.

Q: What breaks when machine identities rely on bearer secrets?

A: Bearer secrets can be replayed once exposed, so possession of the token becomes enough to act.

Practitioner guidance

  • Require origin-bound web login evidence: Ask vendors to demonstrate how they stop adversary-in-the-middle relay attacks and to show which fallback methods can be disabled for high-risk actions.
  • Replace KBA in voice recovery flows: Test inbound call verification with a live session identifier, explicit failure states, and a recorded audit event that your SIEM can correlate.
  • Insist on proof-of-possession for machine tokens: Require sender-constrained tokens, documented key rotation, and revocation runbooks for service accounts and automated agents.

What's in the full article

Scramble ID's full article covers the operational detail this post intentionally leaves for the source:

  • Detailed vendor scoring rubric with the full 0 to 5 weighting model for procurement.
  • RFP question bank covering web authentication, voice verification, machine identities, and step-up approvals.
  • Evidence checklist for architecture diagrams, sequence diagrams, event schemas, and live demos.
  • Red-flag response patterns that should fail evaluation in procurement reviews.

👉 Read Scramble ID's checklist for evaluating omnichannel authentication vendors →

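The proof-of-possession point above (sender-constrained tokens instead of bearer secrets that can be replayed once exposed), shown as an added example that is not from the NHIMG post or from Scramble ID's checklist: a minimal resource server that honours a token only when it arrives with a fresh per-request proof from the key the token is bound to, so a captured proof cannot be replayed or re-pointed at a different action. The key material, the service account name, the URL and the use of HMAC over a shared key in place of the asymmetric client key that DPoP or mTLS-bound tokens use are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. Real sender-constrained tokens (DPoP, mTLS-bound) use a client
# private key with only the public half at the server; HMAC stands in to stay stdlib-only.
CLIENT_KEY = b"constructed-demo-client-key"

def thumbprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:16]  # carried in the token's "cnf" claim

def make_proof(key: bytes, method: str, url: str, now: int) -> dict:
    # Client-side proof binding one request (method, URL, time, nonce) to the key.
    claims = {"htm": method, "htu": url, "iat": now, "jti": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}

class ResourceServer:
    def __init__(self, client_keys, max_skew=60):
        self.keys = {thumbprint(k): k for k in client_keys}
        self.seen_jti, self.max_skew = set(), max_skew  # replay cache; a TTL store in production

    def verify(self, token: dict, proof: dict, method: str, url: str, now: int):
        # Every check is against the per-request proof, so a leaked token alone cannot act.
        key = self.keys.get(token.get("cnf"), b"")
        c = proof["claims"]
        body = json.dumps(c, sort_keys=True).encode()
        if not key or not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), proof["sig"]):
            return False, "proof not signed by the key bound to the token"
        if (c["htm"], c["htu"]) != (method, url):
            return False, "proof bound to a different request"
        if abs(now - c["iat"]) > self.max_skew:
            return False, "proof stale"
        if c["jti"] in self.seen_jti:
            return False, "proof replayed"
        self.seen_jti.add(c["jti"])
        return True, "ok"

def run_scenarios() -> dict:
    token = {"sub": "svc-payout-batch", "cnf": thumbprint(CLIENT_KEY)}  # constructed token
    rs, url, now = ResourceServer([CLIENT_KEY]), "https://api.example.test/payouts", 1_700_000_000
    proof = make_proof(CLIENT_KEY, "POST", url, now)
    return {
        "legitimate": rs.verify(token, proof, "POST", url, now)[1],
        "captured_proof_replayed": rs.verify(token, proof, "POST", url, now + 5)[1],
        "captured_proof_other_action": rs.verify(token, proof, "DELETE", url, now + 5)[1],
        "stolen_token_forged_proof": rs.verify(token, make_proof(b"constructed-other-key", "POST", url, now), "POST", url, now)[1],
        "stale_proof": rs.verify(token, make_proof(CLIENT_KEY, "POST", url, now - 600), "POST", url, now)[1],
    }
```

Each rejection string is the failure state a vendor should be able to show as a distinct, correlatable audit event rather than a generic authentication error.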

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Phishing resistance is no longer a web-login requirement alone. The checklist correctly treats the browser, phone, and machine token as one assurance problem because attackers do not respect channel boundaries. A control that is strong in one channel but weak in another simply moves the attack surface. Practitioners should evaluate the identity programme as a shared trust fabric, not as separate authentication products.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them.

A question worth separating out:

Q: How do you know whether omnichannel authentication is actually working?

A: You know it is working when the vendor can show correlated events across channels, documented failure states, and verified SLAs for delivery and revocation. If the evidence only shows a happy-path demo, the control may exist in presentation but not in operations.

👉 Read our full editorial: Omnichannel authentication vendors need proof, not broad MFA claims
