Passwordless MFA vs MFA: where teams still get it wrong


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6131
Topic starter  

TL;DR: Passwordless authentication removes the password, MFA requires two or more factors, and only the overlap is phishing-resistant passwordless MFA, according to Scramble ID. Treating the terms as interchangeable leaves gaps in assurance, channel coverage, and policy design that IAM teams still need to close.

NHIMG editorial — based on content published by Scramble ID: Passwordless Authentication vs MFA

Questions worth separating out

Q: How should security teams choose between passwordless and MFA for workforce login?

A: They should not choose between them as if they were the same thing.

Q: Why do some passwordless methods still leave organisations exposed?

A: Because passwordless only means the password is gone.

Q: How can organisations tell whether their MFA is actually phishing-resistant?

A: Look for cryptographic binding to the legitimate origin, device-bound credentials, and no shared secret crossing the network.

Practitioner guidance

  • Define authentication objectives separately: write policy so factor count, password removal, and phishing resistance are distinct requirements.
  • Prioritise phishing-resistant methods for primary login: use FIDO2 or WebAuthn passkeys with user verification as the preferred pattern for employees and privileged users.
  • Review all channels, not just the browser: map where the same identity is still using SMS, email links, push approvals, or other weaker methods in desktop, voice, and service workflows.

What's in the full article

Scramble ID's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step explanation of how WebAuthn origin binding prevents relay attacks in browser authentication.
  • Comparison of common login ceremonies across password, OTP, push, magic link, and passkey methods.
  • Standards references to NIST SP 800-63B and CISA guidance for phishing-resistant MFA.
  • Practical examples of where passwordless controls still leave browser-only or channel-specific gaps.

👉 Read Scramble ID's analysis of passwordless authentication vs MFA →

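The "cryptographic binding to the legitimate origin" the post tells teams to look for is, on the relying-party side, a set of checks on the data the authenticator signs. The following is an added example (not Scramble ID's or NHIMG's code) of those checks: it assumes a relying-party ID of example.com, a login origin of https://login.example.com, a constructed challenge, and a placeholder relay origin; the browser-side clientDataJSON and the 37-byte authenticator-data prefix are constructed in the script to stand in for real ceremony output. It returns the exact bytes that were signed, and leaves verifying the signature over them to the RP's crypto library.

```python
import base64
import hashlib
import json
import struct

# Flag bits in WebAuthn authenticator data (rpIdHash || flags || signCount || ...)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed stand-in for the clientDataJSON a browser assembles for a
    navigator.credentials.get() call. The browser fills in 'origin' itself,
    so page script on another origin cannot claim the legitimate one."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed 37-byte authenticator data prefix: rpIdHash || flags || signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def parse_authenticator_data(auth_data: bytes) -> dict:
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(client_data_json: bytes, auth_data: bytes, *, rp_id: str,
                    expected_origin: str, expected_challenge: bytes,
                    require_uv: bool = True) -> dict:
    """Relying-party checks that bind an assertion to the session and origin.
    Stops at the first failed check; on success returns the bytes the
    authenticator signed (authData || SHA-256(clientDataJSON)), which the RP
    then verifies against the stored public key (outside this example)."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return {"ok": False, "reason": "clientDataJSON is not valid JSON"}
    if client_data.get("type") != "webauthn.get":
        return {"ok": False, "reason": "unexpected ceremony type"}
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return {"ok": False, "reason": "challenge mismatch (replay or wrong session)"}
    origin = client_data.get("origin")
    if origin != expected_origin:
        # Relay case: the assertion was produced for some other origin.
        return {"ok": False, "reason": f"origin mismatch: {origin!r}"}
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return {"ok": False, "reason": "rpIdHash does not match the expected RP ID"}
    if not ad["user_present"]:
        return {"ok": False, "reason": "user presence flag not set"}
    if require_uv and not ad["user_verified"]:
        return {"ok": False, "reason": "user verification required but not performed"}
    signed_payload = auth_data + hashlib.sha256(client_data_json).digest()
    return {"ok": True, "reason": "", "signed_payload": signed_payload,
            "sign_count": ad["sign_count"]}


# Constructed demo values (assumptions, not from the post)
RP_ID = "example.com"
LOGIN_ORIGIN = "https://login.example.com"
CHALLENGE = b"constructed-challenge-0001"
RELAY_ORIGIN = "https://login.example.com.attacker-placeholder.test"  # placeholder


def demo() -> dict:
    auth = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 42)
    common = dict(rp_id=RP_ID, expected_origin=LOGIN_ORIGIN, expected_challenge=CHALLENGE)
    legit = check_assertion(build_client_data(LOGIN_ORIGIN, CHALLENGE), auth, **common)
    # Same challenge relayed through another origin: challenge matches, origin does not.
    relayed = check_assertion(build_client_data(RELAY_ORIGIN, CHALLENGE), auth, **common)
    # Origin-bound but without user verification: passwordless, not the preferred pattern.
    no_uv = check_assertion(build_client_data(LOGIN_ORIGIN, CHALLENGE),
                            build_authenticator_data(RP_ID, FLAG_UP, 43), **common)
    return {"legit": legit, "relayed": relayed, "no_uv": no_uv}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "accepted" if result["ok"] else f"rejected: {result['reason']}")
```

The order of the checks is deliberate: the challenge test rejects replays and cross-session reuse, and the origin test then rejects an assertion the browser produced for a different site even when the challenge was relayed intact. Because the origin sits inside the data the authenticator signs, it cannot be rewritten after the fact without invalidating the signature the RP verifies next.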
(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5624
 

Passwordless authentication is a control change, not an assurance upgrade by default. Removing the password changes the shape of the attack surface, but it does not automatically add second-factor assurance or phishing resistance. The enterprise mistake is to treat a single design choice as if it solved several different problems at once. Practitioners should separate user friction reduction from authentication strength when setting policy.

A few things that frame the scale:

  • Only 5.7% of organisations have full visibility into their service accounts, according to Ultimate Guide to NHIs.
  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: What should IAM teams do when a programme has mixed authentication methods?

A: They should classify methods by assurance, not by marketing label, then retire the weakest exceptions first. A programme with passkeys, OTP, and email links is not one control family. It is a portfolio of different risks that should be governed, measured, and phased down by channel.

👉 Read our full editorial: Passwordless MFA is not the same as password removal
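One way to do the classification this reply describes, as an added example that is not part of the original post or of Scramble ID's article: each method is scored on the three properties the thread keeps apart (password removed, factor count, phishing resistance), the inventory of identity, channel and method rows is constructed for the demo, and the property table is an assumption to be replaced by the reader's own policy. The example goes slightly beyond the reply by also flagging identities that already have the target method on one channel but keep a weaker method on another.

```python
from collections import defaultdict

# Assumed assurance properties per method; adjust to your own policy.
METHOD_PROPERTIES = {
    "password":         {"password_removed": False, "factors": 1, "phishing_resistant": False},
    "password+sms_otp": {"password_removed": False, "factors": 2, "phishing_resistant": False},
    "password+totp":    {"password_removed": False, "factors": 2, "phishing_resistant": False},
    "password+push":    {"password_removed": False, "factors": 2, "phishing_resistant": False},
    "magic_link":       {"password_removed": True,  "factors": 1, "phishing_resistant": False},
    "sms_otp_only":     {"password_removed": True,  "factors": 1, "phishing_resistant": False},
    # Device-bound, origin-bound key with no user verification: possession only.
    "passkey_no_uv":    {"password_removed": True,  "factors": 1, "phishing_resistant": True},
    # Device-bound key plus PIN/biometric user verification.
    "passkey_uv":       {"password_removed": True,  "factors": 2, "phishing_resistant": True},
}

TARGET_STATE = {"passwordless", "mfa", "phishing-resistant"}


def classify(method: str) -> set:
    """Labels a method earns on its properties, not on its marketing name."""
    p = METHOD_PROPERTIES[method]
    labels = set()
    if p["password_removed"]:
        labels.add("passwordless")
    if p["factors"] >= 2:
        labels.add("mfa")
    if p["phishing_resistant"]:
        labels.add("phishing-resistant")
    return labels


def is_target_state(method: str) -> bool:
    """Only the overlap of all three labels is phishing-resistant passwordless MFA."""
    return classify(method) == TARGET_STATE


def assurance_rank(method: str) -> tuple:
    """Sortable rank: phishing resistance first, then factor count, then password removal."""
    p = METHOD_PROPERTIES[method]
    return (int(p["phishing_resistant"]), min(p["factors"], 2), int(p["password_removed"]))


def weakest_by_channel(inventory) -> dict:
    """The weakest method still accepted on each channel (first seen wins ties)."""
    weakest = {}
    for _identity, channel, method in inventory:
        rank = assurance_rank(method)
        if channel not in weakest or rank < weakest[channel][1]:
            weakest[channel] = (method, rank)
    return {channel: method for channel, (method, _) in weakest.items()}


def identity_gaps(inventory) -> dict:
    """Identities already at target state on one channel but weaker elsewhere:
    the same person is still reachable through the weaker method."""
    by_identity = defaultdict(list)
    for identity, channel, method in inventory:
        by_identity[identity].append((channel, method))
    gaps = {}
    for identity, entries in by_identity.items():
        if any(is_target_state(m) for _, m in entries):
            weaker = [(c, m) for c, m in entries if not is_target_state(m)]
            if weaker:
                gaps[identity] = weaker
    return gaps


def retirement_order(inventory) -> list:
    """Rows not yet at target state, weakest assurance first, grouped by channel."""
    pending = [row for row in inventory if not is_target_state(row[2])]
    return sorted(pending, key=lambda row: (assurance_rank(row[2]), row[1], row[0]))


# Constructed inventory: (identity, channel, method). Names are placeholders.
INVENTORY = [
    ("alice", "browser", "passkey_uv"),
    ("alice", "desktop_vpn", "password+push"),
    ("alice", "helpdesk_voice", "sms_otp_only"),
    ("bob", "browser", "magic_link"),
    ("bob", "desktop_vpn", "password+totp"),
    ("carol", "browser", "password"),
]

if __name__ == "__main__":
    for method in METHOD_PROPERTIES:
        print(f"{method:18} {sorted(classify(method))}")
    print("weakest per channel:", weakest_by_channel(INVENTORY))
    print("identities with residual weaker channels:", identity_gaps(INVENTORY))
    print("retire first:", retirement_order(INVENTORY))
```

Run as written, the magic link classifies as passwordless only and password-plus-TOTP as MFA only; neither reaches the overlap, which is the reply's point that a programme holding both is a portfolio of different risks rather than one control family. The gap report shows an identity whose browser login is already a passkey with user verification but who is still reachable over push and SMS on other channels, which is the case the first post's "review all channels" item is about.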
