TL;DR: 2023 breach patterns kept converging on stolen credentials, password reuse, and MFA bypass, while the average cost of a breach reached $4.5 million, according to IBM and Apple cited by Axiad. Passwordless, phishing-resistant authentication is no longer an edge case; it is the baseline control families now need to close.
NHIMG editorial — based on content published by Axiad: Top data breaches in 2023 and why organizations need passwordless, phishing-resistant authentication
By the numbers:
- In 2023, data breaches were up by 20% over 2022, according to a study from Apple cited by Axiad.
Questions worth separating out
Q: How should security teams reduce account takeover risk from reused credentials?
A: They should remove reusable secrets from high-risk access paths and replace them with phishing-resistant authentication.
Q: When does basic MFA create a false sense of protection?
A: Basic MFA becomes misleading when the second factor can be phished, relayed, intercepted, or socially engineered.
Q: What do organisations get wrong about passwordless authentication?
A: The most common mistake is assuming passwordless means hidden passwords or a user experience change.
Practitioner guidance
- Inventory every password-dependent access path: map where reusable secrets still gate access across employees, admins, vendors, and high-value applications.
- Replace replayable MFA with phishing-resistant authenticators: move high-risk users and privileged roles to certificate-based authentication or FIDO-backed authenticators, then phase out SMS, voice, OTP, and push methods that can be relayed or socially engineered.
- Separate authentication strength by risk tier: apply stronger login controls to support desks, identity admins, finance users, and any account that can reset credentials or reach sensitive data.
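The difference between the relayable factors in the second item and a phishing-resistant authenticator comes down to origin binding. The following added example (not Axiad's or NHIMG's code) simulates an OTP and a FIDO-style assertion against the same relay page; it assumes placeholder origins and uses an HMAC over a device secret in place of a real FIDO key-pair signature.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example, not code from Axiad or NHIMG. Origins are placeholders; HMAC
# over a device secret stands in for the authenticator's per-site key-pair signature.
RP_ORIGIN = "https://login.example.com"          # the legitimate relying party (RP)
PHISH_ORIGIN = "https://login.example-com.evil"  # look-alike page relaying to the RP
DEVICE_KEY = secrets.token_bytes(32)             # enrolled authenticator secret
OTP_SECRET = secrets.token_bytes(20)             # shared OTP seed

def otp_code(counter: int) -> str:
    """Simplified HOTP-style code: six hex digits derived only from seed and counter."""
    return hmac.new(OTP_SECRET, counter.to_bytes(8, "big"), hashlib.sha1).hexdigest()[:6]

def otp_rp_verify(counter: int, code: str) -> bool:
    # The code carries no origin, so the RP cannot tell a relayed code from a direct one.
    return hmac.compare_digest(otp_code(counter), code)

def authenticator_sign(challenge: bytes, origin_seen: str) -> dict:
    """The authenticator signs the RP challenge together with the origin the browser reports."""
    client_data = json.dumps({"challenge": challenge.hex(), "origin": origin_seen}).encode()
    return {"client_data": client_data,
            "signature": hmac.new(DEVICE_KEY, client_data, hashlib.sha256).digest()}

def fido_rp_verify(assertion: dict, expected_challenge: bytes) -> bool:
    """The RP checks origin and challenge inside the signed data, then the signature."""
    data = json.loads(assertion["client_data"])
    if data["origin"] != RP_ORIGIN or bytes.fromhex(data["challenge"]) != expected_challenge:
        return False
    expected = hmac.new(DEVICE_KEY, assertion["client_data"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])

def otp_relay_succeeds() -> bool:
    """Phishing page collects the user's code and forwards it unchanged: the RP accepts."""
    return otp_rp_verify(7, otp_code(7))

def fido_relay_succeeds() -> bool:
    """Phishing page forwards the real challenge, but the browser binds the phishing origin."""
    challenge = secrets.token_bytes(32)
    return fido_rp_verify(authenticator_sign(challenge, PHISH_ORIGIN), challenge)

def fido_relay_with_rewrite_succeeds() -> bool:
    """Relay rewrites the origin field to look legitimate: the signature no longer matches."""
    challenge = secrets.token_bytes(32)
    forged = authenticator_sign(challenge, PHISH_ORIGIN)
    forged["client_data"] = forged["client_data"].replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    return fido_rp_verify(forged, challenge)
```

A real WebAuthn relying party additionally checks the rpIdHash in the authenticator data and the signature counter, but the origin check shown here is what defeats the relay.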
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Method-by-method breakdown of which authentication methods Axiad considers phishing-resistant and which it explicitly excludes.
- The product-level explanation of how its passwordless orchestration and PKI as a service are positioned for deployment.
- The full description of the three named breach examples and how the vendor connects each one to authentication choices.
- The specific guidance on certificate-based authentication versus token, push, SMS, and OTP-based approaches.
👉 Read Axiad's analysis of top 2023 data breaches and passwordless authentication →
Passwordless authentication and phishing resistance: are your controls keeping up?
Explore further
Password reuse is still an enterprise identity failure, not a user habit. The article’s examples show that attackers continue to convert previously exposed secrets into live access because many programmes still rely on reusable passwords as an authentication root of trust. That is a governance problem because the trust model assumes secrets stay private after first use. Practitioners should treat password reuse as a standing identity exposure condition, not a training issue.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.
A question worth separating out:
Q: Who is accountable when credential stuffing leads to a breach?
A: Accountability usually sits with the organisation that allowed reusable secrets, weak second factors, and insufficient authentication governance to persist in a high-risk environment. Standards bodies and public guidance increasingly expect phishing-resistant authentication for sensitive access, so the burden is on the operator to justify weaker methods.
👉 Read our full editorial: Passwordless authentication is the real control gap in 2023 breaches