
People-centric attack risk: are your authentication controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Phishing, business email compromise, and ransomware remain enduring people-centric attack patterns, while password sharing and reuse remain common across organisations, according to Axiad. The security boundary has shifted from perimeter controls to authentication resilience and human behaviour management.

NHIMG editorial — based on content published by Axiad: Top Attack Frontier is People – Need for Phishing-Resistant Authentication

By the numbers:

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA for human users?

A: Start with the accounts that would cause the most damage if compromised, especially administrators and finance users.

Q: Why do people-centric attacks still succeed even when MFA is in place?

A: Because many MFA schemes still depend on secrets that can be phished, intercepted, or socially engineered out of the user.

Q: What is the difference between human MFA and machine authentication?

A: Human MFA is designed for people who can respond to prompts, remember context, and use authenticators interactively.

Practitioner guidance

  • Prioritise phishing-resistant MFA for privileged users first: move administrators, finance staff, and other high-value users to phishing-resistant methods before expanding coverage.
  • Separate human, machine, and interaction authentication policies: use different trust models for people, workloads, and email or document authentication.
  • Reduce password reuse pressure through friction-aware design: review sign-in paths, reset flows, and access exceptions that push users toward workarounds.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • Authentication method comparisons across people, machines, and interactions
  • The product framing behind passwordless orchestration for different identity subjects
  • Why certificate-based authentication is positioned as phishing-resistant in practice
  • How the vendor describes use cases for email and attached document authentication

👉 Read Axiad's analysis of people-centric attacks and phishing-resistant authentication →

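Why a second factor built on a shared secret can be relayed while an origin-bound credential cannot, shown as an added example in Go; this is not Axiad's or NHIMG's code. It models the two cases the Q&A above contrasts: a TOTP code that an adversary-in-the-middle proxy simply forwards to the real site, and a WebAuthn-style assertion whose signature covers the origin the user actually visited. Everything in it is constructed for illustration: the host names bank.example and bank-example.evil.example, the TOTP seed, key=value client data standing in for real clientDataJSON, Ed25519 in place of the usual ES256, and an RP ID hash standing in for authenticatorData. The names TOTPRelay, OriginBoundRelay, Assert and Verify are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strings"
)

// totp implements RFC 6238 (HMAC-SHA1, 30 s step, 6 digits).
func totp(secret []byte, unixTime int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(unixTime/30))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTPRelay models an adversary-in-the-middle proxy: the victim types the code into
// the lookalike page, the proxy forwards it seconds later, and the real site cannot
// tell the two apart. Returns true when the relayed code is accepted.
func TOTPRelay() bool {
	secret := []byte("constructed-shared-secret") // constructed seed, not a real one
	now := int64(1700000000)
	codeTypedIntoPhishingPage := totp(secret, now)
	return codeTypedIntoPhishingPage == totp(secret, now+5) // still the same 30 s window
}

// signedBytes approximates authenticatorData || SHA-256(clientDataJSON), with the
// RP ID hash standing in for the authenticator data.
func signedBytes(rpID string, clientData []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	return append(rpHash[:], cdHash[:]...)
}

// Authenticator holds a credential scoped to one RP ID, as a FIDO device does.
type Authenticator struct {
	RPID string
	priv ed25519.PrivateKey
}

// Assert signs a challenge for the page at origin. Like the browser, it refuses
// when the RP ID is neither the origin's host nor a registrable suffix of it.
func (a *Authenticator) Assert(challenge []byte, origin string) (clientData, sig []byte, ok bool) {
	host := strings.TrimPrefix(origin, "https://")
	if host != a.RPID && !strings.HasSuffix(host, "."+a.RPID) {
		return nil, nil, false
	}
	clientData = []byte("type=webauthn.get;challenge=" + hex.EncodeToString(challenge) + ";origin=" + origin)
	return clientData, ed25519.Sign(a.priv, signedBytes(a.RPID, clientData)), true
}

// RelyingParty checks what a WebAuthn RP must: the signed client data names its
// own origin and the challenge it issued, and the signature verifies.
type RelyingParty struct {
	Origin, RPID string
	pub          ed25519.PublicKey
}

func (rp *RelyingParty) Verify(challenge, clientData, sig []byte) bool {
	fields := map[string]string{}
	for _, kv := range strings.Split(string(clientData), ";") {
		if k, v, found := strings.Cut(kv, "="); found {
			fields[k] = v
		}
	}
	if fields["type"] != "webauthn.get" || fields["origin"] != rp.Origin ||
		fields["challenge"] != hex.EncodeToString(challenge) {
		return false
	}
	return ed25519.Verify(rp.pub, signedBytes(rp.RPID, clientData), sig)
}

// OriginBoundRelay runs the same proxy attack against the origin-bound credential.
// Returns: legitimate login accepted; browser refused on the lookalike; RP accepted
// an assertion that a broken client signed for the lookalike origin anyway.
func OriginBoundRelay() (legit, browserRefused, rpAccepted bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	auth := &Authenticator{RPID: "bank.example", priv: priv}
	rp := &RelyingParty{Origin: "https://bank.example", RPID: "bank.example", pub: pub}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	lookalike := "https://bank-example.evil.example" // constructed phishing origin
	cd, sig, ok := auth.Assert(challenge, "https://bank.example")
	legit = ok && rp.Verify(challenge, cd, sig)
	_, _, ok = auth.Assert(challenge, lookalike) // real challenge, proxied to the lookalike page
	browserRefused = !ok
	forged := []byte("type=webauthn.get;challenge=" + hex.EncodeToString(challenge) + ";origin=" + lookalike)
	rpAccepted = rp.Verify(challenge, forged, ed25519.Sign(priv, signedBytes("bank.example", forged)))
	return legit, browserRefused, rpAccepted
}
```

The relayed TOTP is accepted because the real site sees only a correct code; the origin-bound credential fails the attack twice, first at the browser's scope check and then at the relying party, which rejects any assertion whose signed client data names a different origin. The check to carry into a real deployment is the second one: a relying party that verifies the signature but not the origin field has given up the property that makes the method phishing-resistant.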



(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

People risk is now an identity problem, not just a training problem. The article is right to treat phishing as a frontline attack pattern, but the deeper point is that human identity remains over-dependent on secrets that can be tricked, reused, or intercepted. When authentication still trusts passwords and second factors that behave like shared secrets, the control plane is already weakened. The implication is that human IAM cannot be separated from credential resilience.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: Who is accountable when phishing-resistant authentication is not broadly adopted?

A: Accountability sits with identity, security, and business leaders together because the gap is both technical and behavioural. IAM owns the control design, security owns risk reduction, and the business owns the workflows that force users into insecure shortcuts. Frameworks such as the NIST Cybersecurity Framework help assign those responsibilities clearly.

👉 Read our full editorial: Phishing-resistant authentication is the new frontline for people risk


