
Passwordless authentication in 2024: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Credential stuffing, phishing, smishing, vishing, and stolen-session attacks continued to drive major breaches in 2023, with Axiad citing Apple, IBM, Norton LifeLock, 23andMe, and Okta as evidence that passwords and basic MFA no longer withstand modern attack chains. The security baseline has shifted to phishing-resistant authentication, not stronger password policy.

NHIMG editorial — based on content published by Axiad: Top Data Breaches in 2023 and Why Organizations Need Passwordless, Phishing-Resistant Authentication

By the numbers:

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA for privileged access?

A: Start with the accounts that matter most: administrators, helpdesk operators, and service desks that can reset credentials or issue tokens.

Q: Why do passwords and basic MFA still fail in real breaches?

A: Because attackers do not need to defeat the system if they can reuse, relay, or socially engineer the factor.

Q: What do security teams get wrong about passwordless authentication?

A: They often assume passwordless automatically means phishing-resistant, when some products only hide the password from the user.

Practitioner guidance

  • Classify authenticators by phishing resistance: Inventory every login method and separate truly phishing-resistant options from weak MFA patterns such as SMS, OTP, and push approval.
  • Remove reusable secrets from high-value access paths: Eliminate passwords where certificate-based authentication or FIDO-backed login can replace them, especially for administrators and support staff.
  • Harden support and recovery workflows: Treat support portals, reset flows, and identity recovery as privileged pathways with strict step-up controls, logging, and approval separation.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • Vendor-by-vendor breakdown of passwordless and phishing-resistant authentication methods
  • Detailed explanation of which MFA methods do not qualify as phishing resistant
  • Product-oriented guidance on certificate-based authentication and PKI service options
  • Implementation context for organisations moving from shared secrets to stronger authenticators

👉 Read Axiad's analysis of 2023 data breaches and phishing-resistant authentication →
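What makes FIDO-backed login phishing-resistant, where SMS, OTP and push approval are not, is that the relying party verifies which site the assertion was produced for rather than trusting a secret the user typed. The following is an added illustration, not code from the Axiad post or from this thread: the minimal WebAuthn assertion checks a relying party performs, with constructed origin, rpId and challenge values, and with signature verification left out.

```python
import hashlib
import json

# Constructed relying-party settings; a real deployment reads these from config.
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"  # base64url of constructed random bytes


def browser_client_data(page_origin: str, challenge: str) -> bytes:
    """What the browser (not the user) serialises as clientDataJSON. The origin
    is the page that called navigator.credentials.get(), so a phishing page
    cannot claim the real site's origin."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": page_origin}).encode()


def authenticator_data(effective_rp_id: str, user_present: bool = True) -> bytes:
    """Minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4).
    The browser only allows an rpId within the page's own registrable domain,
    so an assertion produced on a lookalike domain carries that domain's hash."""
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(effective_rp_id.encode()).digest() + bytes([flags]) + bytes(4)


def verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: str):
    """Relying-party checks that make a FIDO login phishing-resistant. Returns
    None on success or the rejection reason. Signature verification over
    authData || SHA256(clientData) is omitted here (assumption: it runs with
    the stored public key once these checks pass)."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return "challenge mismatch (replay or stale ceremony)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "origin mismatch: %r" % cd.get("origin")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch (assertion bound to another domain)"
    if not auth_data[32] & 0x01:
        return "user presence flag not set"
    return None


if __name__ == "__main__":
    ok = verify_assertion(browser_client_data("https://login.example.com", CHALLENGE), authenticator_data(RP_ID), CHALLENGE)
    bad = verify_assertion(browser_client_data("https://login-example.com", CHALLENGE), authenticator_data("login-example.com"), CHALLENGE)
    print("legitimate:", ok, "| lookalike site:", bad)
```

A product that merely hides the password from the user has no equivalent of the origin and rpIdHash checks, which is why "passwordless" alone does not imply "phishing-resistant".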

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Passwords are a failed trust primitive, not a weak convenience feature. This article is really about the collapse of shared-secret authentication as a dependable control boundary. Credential stuffing succeeds because authentication still accepts a reusable secret as proof of identity, even after that secret has already been exposed elsewhere. The implication is that identity programmes need to stop treating password strength as the core defence and start treating the absence of reusable secrets as the baseline.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.

A question worth separating out:

Q: Who is accountable when stolen credentials lead to session-token theft?

A: Accountability sits with the team that owns the affected identity workflow, including support, recovery, and token lifecycle controls. If a support system can expose session material, then identity governance has to cover that pathway as part of access design, logging, and revocation. NIST CSF and Zero Trust both point toward stronger control over trust boundaries.

👉 Read our full editorial: Why passwordless, phishing-resistant MFA is now the baseline
