TL;DR: Passwordless MFA is becoming the default hygiene baseline, but its security value depends on phishing-resistant methods such as passkeys, CBA, and PKI, plus secure credential enrolment and account recovery, according to Axiad’s summary of Gartner summit takeaways. The real governance problem is not whether to adopt MFA, but whether identity programmes can remove password dependence without creating recovery and enrolment failure points.
NHIMG editorial — based on content published by Axiad: Fresh Take: Our Five Key Takeaways from the 2023 Gartner Identity & Access Management Summit in Texas
By the numbers:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface.
Questions worth separating out
Q: How should security teams implement phishing-resistant MFA without breaking user access?
A: Start by protecting the highest-risk journeys, such as workstation login, cloud app access, and privileged access.
Q: When does passwordless MFA create more risk than it reduces?
A: It creates more risk when organisations treat the login factor as the only control and leave enrolment or account recovery weak.
Q: What do organisations get wrong about MFA recovery?
A: Many teams assume recovery is a support workflow, not a security boundary.
Practitioner guidance
- Prioritise phishing-resistant MFA on critical access paths: start with workstation login, cloud application access, and privileged user journeys.
- Redesign credential enrolment and recovery as security controls: map every enrolment and reset path to its proofing strength, fallback method, and approval chain.
- Adopt a hybrid authenticator strategy by use case: allow different authenticators for different environments, such as hardware keys, phone-based factors, or embedded platform authenticators, but keep one policy model for assurance and recovery.
What's in the full article
Axiad's full blog post covers the implementation detail this post intentionally leaves for the source:
- The summit-specific framing behind Gartner VP Ant Allan’s passwordless guidance and how it maps to real authentication decisions.
- The article’s discussion of passkeys, certificate-based authentication, PKI, and authenticator choice across different use cases.
- The credential enrolment and account recovery examples that show where MFA programmes fail in practice.
- The pragmatic prioritisation logic for broadest-impact MFA rollout across workstations, cloud apps, and shared environments.
👉 Read Axiad's take on passwordless MFA, phishing-resistant controls, and recovery →
Passwordless MFA and phishing-resistant identity: are controls keeping up?
Explore further
Phishing-resistant MFA is now the baseline, but recovery is where assurance usually fails. The article is right to shift attention away from whether MFA exists and toward how it is implemented. Once phishing-resistant methods become the target state, the weakest point is often credential enrolment and account recovery, because that is where attackers look for lower-friction bypasses. The practitioner conclusion is simple: the recovery path must be governed as tightly as primary authentication.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means authentication and lifecycle controls are often being built on incomplete inventory data.
A question worth separating out:
Q: How do phishing-resistant MFA, passkeys, and PKI fit together?
A: They are complementary rather than interchangeable. Passkeys and PKI both provide phishing-resistant authentication, but different environments may need different authenticators and recovery methods. Organisations should compare them by assurance strength, device compatibility, and recovery model, then standardise the policy layer while allowing multiple approved authenticators.
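The practitioner guidance above (map every enrolment and reset path to its proofing strength, fallback method and approval chain, and keep one policy model for assurance and recovery) and this answer (compare authenticators by assurance strength and recovery model) can be turned into a check that runs over an inventory of paths and reports any route that is weaker than the primary login factor. The Python below is an added example, not code from Axiad's post or from this editorial; the ordinal assurance scale, the method names and the sample paths are constructed for illustration and do not correspond to any published standard.

```python
"""Weakest-link assurance check for MFA enrolment and recovery paths.

Added example, not code from Axiad or NHIMG. The assurance scale, the
method names and the sample paths are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed ordinal scale: higher means harder to bypass by phishing or
# social engineering. Phishing-resistant authenticators sit at the top.
ASSURANCE = {
    "password": 0,
    "sms_otp": 1,
    "totp_app": 1,
    "push_approve": 1,
    "helpdesk_verbal": 1,     # caller answers knowledge questions by phone
    "video_id_proofing": 2,   # live identity proofing against a document
    "manager_approval": 2,    # out-of-band approval by a named approver
    "passkey": 3,             # FIDO2/WebAuthn, origin-bound
    "cba": 3,                 # certificate-based authentication
    "hardware_key": 3,
}
PHISHING_RESISTANT = 3


@dataclass
class Path:
    """One way to obtain or regain a credential: enrolment, reset or recovery."""
    name: str
    proofing: list[str]                                  # required steps
    fallback: list[str] = field(default_factory=list)    # alternative route
    approvals: list[str] = field(default_factory=list)   # approval chain


def level_of(step):
    """Look up a step's assurance; an unmapped step is a modelling gap, not 0."""
    try:
        return ASSURANCE[step]
    except KeyError:
        raise ValueError(f"unmapped step {step!r}: map every step first") from None


def route_strength(steps):
    """Strength of a route whose steps are all required (AND).

    An attacker must defeat every step, so the route is bounded by its
    strongest step. An empty route has no proofing at all and scores 0.
    """
    return max((level_of(s) for s in steps), default=0)


def path_assurance(path):
    """Effective assurance of a path: the weakest route an attacker may pick.

    The proofing chain plus its approvals is one route; a fallback is an
    alternative route (OR) through the same approvals, so the path is capped
    by whichever route is weaker.
    """
    routes = [path.proofing + path.approvals]
    if path.fallback:
        routes.append(path.fallback + path.approvals)
    return min(route_strength(r) for r in routes)


def find_bypasses(paths, primary_authenticator):
    """Paths scoring below the primary login factor.

    Each one is a lower-friction route to the same account and needs to be
    raised to the primary factor's bar or removed.
    """
    bar = level_of(primary_authenticator)
    return {p.name: path_assurance(p) for p in paths if path_assurance(p) < bar}


# Constructed inventory of paths for a tenant whose primary factor is a passkey.
SAMPLE_PATHS = [
    Path("backup hardware key", proofing=["hardware_key"]),
    Path("lost-device recovery", proofing=["video_id_proofing"],
         approvals=["manager_approval"]),
    Path("self-service reset", proofing=["password", "sms_otp"]),
    Path("passkey enrolment", proofing=["cba"], fallback=["helpdesk_verbal"]),
]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p.name:<24} assurance {path_assurance(p)}")
    weak = find_bypasses(SAMPLE_PATHS, "passkey")
    print("below primary factor:", weak)
```

Two of the four sample paths fail for different reasons: the self-service reset is built entirely from phishable steps, while passkey enrolment starts from a strong certificate bootstrap but is undone by its helpdesk fallback, which is exactly the pattern the editorial warns about. The lost-device path is also reported because it cannot reach the primary factor's level; whether that is accepted or closed with a backup authenticator is the policy decision the single assurance model is meant to force.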
👉 Read our full editorial: Passwordless MFA and phishing-resistant identity: what matters now