Passwordless and account recovery risks: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Phishing, stolen passwords, and account recovery abuse are converging with generative AI to make authentication attacks easier and more effective, according to Axiad and the cited Verizon and FIDO findings. Passwordless and phishing-resistant MFA help, but recovery workflows are now the softer target.

NHIMG editorial — based on content published by Axiad: Three Authentication Predictions for 2024

By the numbers:

Questions worth separating out

Q: How should security teams reduce phishing risk without relying on user awareness alone?

A: Security teams should combine phishing-resistant MFA, device-bound authentication, and tighter identity proofing so the attacker cannot rely on reusable secrets or look-alike login pages.

Q: Why do account recovery workflows create authentication risk?

A: Account recovery creates risk because it often reintroduces weaker trust checks such as personal knowledge, help desk scripts, or socially discoverable information.

Q: How can organisations tell whether their passwordless programme is actually reducing risk?

A: They should look for lower password dependence, fewer recovery-triggered bypasses, and stronger assurance in reset and re-enrolment flows.

Practitioner guidance

  • Map the full authentication path: Document primary login, reset, recovery, help desk, and re-enrolment flows as one identity journey.
  • Harden recovery assurance: Replace knowledge-based recovery with stronger proofing, device-bound signals, or supervised escalation for high-risk resets.
  • Prioritise phishing-resistant MFA: Roll out phishing-resistant MFA for privileged and high-risk user populations first, then extend it to broader populations where application compatibility allows.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • The vendor's breakdown of why account recovery becomes the back door once passwordless adoption improves the front door.
  • The cited industry context behind the move to passkeys and phishing-resistant authentication.
  • The specific 2024 predictions from Axiad leadership on passwordless consolidation, generative AI phishing, and recovery attacks.
  • The authentication guidance references to CISA, NIST, and the White House OMB that shape the article's market context.

👉 Read Axiad's analysis of three authentication predictions for 2024 →

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Passwordless adoption is necessary, but it does not solve the recovery trust problem. The article correctly points out that attackers move to the back door once the front door gets stronger. That means the programme's real control gap is not login alone, but the trust assumptions embedded in fallback recovery. Practitioners should treat recovery assurance as part of the authentication architecture, not a support workflow.

A few things that frame the scale:

  • 80% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many identity programmes cannot reliably see where recovery-like bypasses or excessive access are concentrated.

A question worth separating out:

Q: What should teams do when phishing-resistant MFA is in place but fraud still occurs?

A: Teams should inspect the identity journey around the MFA control, especially recovery, enrolment, help desk intervention, and account takeover escalation. Fraud after strong MFA often means the attacker bypassed the login control entirely. The right response is to treat the incident as a lifecycle failure, not just an MFA failure.

👉 Read our full editorial: Authentication is shifting from passwords to recovery attack paths

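The reply above says that fraud after strong MFA usually means the attacker went around the login control through recovery, enrolment or a help desk reset, and the opening post's guidance is to map those flows as one identity journey. The script below is an added example, not code from either post or from Axiad's article: it reads a constructed authentication event log (the event names, field names, the 24-hour correlation window and the sample lines are all assumptions, so the event mapping is where you would adapt it to a real IdP) and flags accounts where a trust-reset event was followed by a login from a device never seen on that account before, then records any sensitive action taken from that same device. The knowledge-based recovery method is rated higher severity because the opening post singles out personal-knowledge checks as the weak trust check in recovery.

```python
"""Correlate recovery / re-enrolment events with subsequent new-device logins.

Added example, not from the NHIMG posts or Axiad's article. Event types,
field names, the 24h window and SAMPLE_LOG are constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# Event classes that reset trust on an account (assumed names; map your
# IdP's own event types onto these).
TRUST_RESET_EVENTS = {"helpdesk_reset", "self_service_recovery", "mfa_reset", "mfa_enroll"}
# Recovery methods the post treats as weak trust checks (knowledge-based).
KNOWLEDGE_BASED_METHODS = {"kba"}
# How long after a trust reset a new-device login is considered related.
WINDOW = timedelta(hours=24)

# Constructed sample log, one JSON object per line. Not real data.
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:02:11Z","user":"alice","event":"login","method":"passkey","device":"dev-a1"}
{"ts":"2024-03-04T09:15:40Z","user":"bob","event":"helpdesk_reset","method":"kba","device":null,"actor":"agent-17"}
{"ts":"2024-03-04T09:21:03Z","user":"bob","event":"mfa_enroll","method":"totp","device":"dev-z9"}
{"ts":"2024-03-04T09:24:55Z","user":"bob","event":"login","method":"totp","device":"dev-z9"}
{"ts":"2024-03-04T09:30:10Z","user":"bob","event":"sensitive_action","action":"payout_account_change","device":"dev-z9"}
{"ts":"2024-03-04T10:05:00Z","user":"carol","event":"self_service_recovery","method":"email_link","device":null}
{"ts":"2024-03-04T14:40:00Z","user":"carol","event":"login","method":"passkey","device":"dev-c3"}
{"ts":"2024-03-03T12:00:00Z","user":"carol","event":"login","method":"passkey","device":"dev-c3"}
{"ts":"2024-03-04T11:00:00Z","user":"alice","event":"sensitive_action","action":"add_api_key","device":"dev-a1"}
"""


def parse_event(line):
    """Parse one JSON log line; convert the ISO-8601 'Z' timestamp to a UTC datetime."""
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def load_events(text):
    """Parse all non-empty lines and order them chronologically per user."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    events.sort(key=lambda e: (e["user"], e["ts"]))
    return events


def analyse(log_text):
    """Return one finding per login from a device the account had never used
    before a trust reset inside WINDOW, with any sensitive actions that
    followed from that device. Findings are ordered by user, then time."""
    findings = []
    state = {}  # user -> {"known": devices seen on login, "resets": [...], "open": [(login_ts, finding)]}
    for ev in load_events(log_text):
        st = state.setdefault(ev["user"], {"known": set(), "resets": [], "open": []})
        now = ev["ts"]
        # Drop trust resets that fell out of the correlation window.
        st["resets"] = [r for r in st["resets"] if now - r["ts"] <= WINDOW]
        kind = ev["event"]
        if kind in TRUST_RESET_EVENTS:
            st["resets"].append(ev)
        elif kind == "login":
            dev = ev.get("device")
            if dev not in st["known"] and st["resets"]:
                reset = st["resets"][0]  # earliest reset still inside the window
                finding = {
                    "user": ev["user"],
                    "recovery_event": reset["event"],
                    "recovery_method": reset.get("method"),
                    "recovery_ts": reset["ts"].isoformat(),
                    "login_ts": now.isoformat(),
                    "device": dev,
                    "sensitive_actions": [],
                    "severity": "high" if reset.get("method") in KNOWLEDGE_BASED_METHODS else "medium",
                }
                findings.append(finding)
                st["open"].append((now, finding))
            if dev:
                st["known"].add(dev)  # only successful logins make a device 'known'
        elif kind == "sensitive_action":
            # Attribute the action to any open finding on the same device within the window.
            for login_ts, finding in st["open"]:
                if finding["device"] == ev.get("device") and now - login_ts <= WINDOW:
                    finding["sensitive_actions"].append(ev["action"])
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(json.dumps(f))
```

On the sample data only `bob` is flagged: a knowledge-based help desk reset, a TOTP enrolment on a device the account had never logged in from, a login from that device nine minutes later, and then a payout change. `carol` also went through self-service recovery, but her later login came from a device already seen on the account the day before, so it is not reported; whether a known device should still be escalated after a weak recovery is a policy choice to make explicitly rather than leave to the help desk.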