
Phishing-resistant MFA adoption is rising, but passwords still rule


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: 93% of organisations still use passwords for business, even as 45% plan to adopt passwordless technology and 27% plan phishing-resistant MFA within the next year, signalling a slow shift away from credential-based risk, according to Axiad’s 2023 State of Authentication Survey. Passwords remain the weak link because AI-assisted phishing still outpaces governance and adoption friction, according to Axiad.

NHIMG editorial — based on content published by Axiad: The Path to Passwordless, Phishing-Resistant MFA: Emerging but Still a Long Road Ahead

By the numbers:

Questions worth separating out

Q: How should security teams phase in phishing-resistant MFA without disrupting users?

A: Start with the accounts that create the highest blast radius, such as administrators, remote access users, and employees handling sensitive data.

Q: Why do passwords still persist even when organisations know they are risky?

A: Passwords persist because migration is operationally hard, not because the risk is unclear.

Q: How do you know if phishing-resistant MFA is actually improving security?

A: Look for reduced reliance on reusable passwords, fewer successful phishing-based account takeovers, and fewer exception paths that fall back to weaker factors.

Practitioner guidance

  • Inventory password-dependent login paths: Map every human authentication flow that still accepts reusable passwords, including legacy IdPs, service portals, remote access, and exception accounts.
  • Migrate high-risk users to phishing-resistant factors first: Start with administrators, remote workers, and users handling sensitive data.
  • Use Zero Trust as the migration frame: Tie authentication changes to routine verification, conditional access, and session-level policy checks so the programme improves control rather than simply replacing one login method with another.

What's in the full article

Axiad's full research covers the survey detail this post intentionally leaves for the source:

  • The full breakdown of survey responses by IT role and authentication maturity stage
  • The article's commentary on why fear of change and rip-and-replace concerns slow adoption
  • Additional context on how CISA, NIST, and White House guidance influenced the findings
  • Axiad's product-oriented explanation of how passwordless orchestration fits existing identity providers

👉 Read Axiad's State of Authentication Survey findings on passwordless MFA →
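One way to turn the "how do you know it is improving" answer above into a measurable check, as an added example that is not part of the post or of Axiad's survey: it assumes a constructed tab-separated sign-in log (timestamp, user, role, factor, outcome) and assumed factor names, classifies each factor as reusable password, phishable MFA or phishing-resistant, and reports per-role shares plus the users who hold a phishing-resistant factor yet still fell back to a password.

```python
"""Classify sign-in factors and measure password fallback (added example).

Assumptions: a tab-separated log of timestamp, user, role, factor, outcome;
factor names below are assumed, not taken from any particular IdP.
"""
from collections import defaultdict

PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}
PHISHABLE_MFA = {"push", "totp", "sms"}   # can be relayed in a phishing flow
REUSABLE_SECRET = {"password"}

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2024-03-01T08:00:00Z\talice\tadmin\tfido2\tsuccess
2024-03-01T08:05:00Z\tbob\tstaff\tpassword\tsuccess
2024-03-01T08:06:00Z\tbob\tstaff\ttotp\tsuccess
2024-03-01T09:00:00Z\talice\tadmin\tpassword\tsuccess
2024-03-01T09:30:00Z\tcarol\tadmin\tpasskey\tsuccess
2024-03-01T10:00:00Z\tdave\tstaff\tpassword\tfailure
2024-03-01T10:01:00Z\tdave\tstaff\tpassword\tsuccess
"""


def parse(log_text):
    """Split each non-empty line into a dict of the five fields."""
    keys = ("ts", "user", "role", "factor", "outcome")
    return [dict(zip(keys, line.split("\t")))
            for line in log_text.splitlines() if line.strip()]


def classify(factor):
    if factor in PHISHING_RESISTANT:
        return "phishing_resistant"
    if factor in PHISHABLE_MFA:
        return "phishable_mfa"
    if factor in REUSABLE_SECRET:
        return "password"
    return "unknown"


def fallback_report(events):
    """Per-role share of successful logins by factor class, plus users who
    have a phishing-resistant factor but also signed in with a password."""
    by_role = defaultdict(lambda: defaultdict(int))
    strong_users, password_users = set(), set()
    for e in events:
        if e["outcome"] != "success":
            continue  # failed attempts do not count as an exercised path
        cls = classify(e["factor"])
        by_role[e["role"]][cls] += 1
        (strong_users if cls == "phishing_resistant" else
         password_users if cls == "password" else set()).add(e["user"])
    shares = {role: {c: round(n / sum(cnt.values()), 2) for c, n in cnt.items()}
              for role, cnt in by_role.items()}
    return {"shares": shares,
            "fallback_users": sorted(strong_users & password_users)}
```

Run on the constructed log, the admin role shows two thirds of sign-ins on phishing-resistant factors and `alice` as the exception path that still falls back to a password.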

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Password dependence is still the most durable human identity risk because it preserves a reusable secret at the point of access. The survey shows that 93% of respondents still use passwords for business, even while phishing-resistant approaches are gaining attention. That means the core exposure is not theoretical. It is the continued acceptance of a control that attackers already know how to target at scale. Practitioners should treat password persistence as a governance failure, not just a technical debt issue.

A few things that frame the scale:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means many identity teams are still operating with incomplete machine-identity inventories.

A question worth separating out:

Q: What is the difference between passwordless authentication and phishing-resistant MFA?

A: Passwordless authentication removes passwords from the login flow, while phishing-resistant MFA specifically ensures the authenticator cannot be easily intercepted or replayed. Some passwordless methods are also phishing-resistant, but the two terms are not identical. Security teams should assess whether the control prevents credential reuse in real phishing scenarios, not only whether it removes the password field.

👉 Read our full editorial: Phishing-resistant MFA is gaining ground, but passwords still dominate
