TL;DR: Phishing remains the dominant identity attack path, with IDSA reporting that 84% of organisations experienced an identity-related breach in the past year and 59% of those were phishing attacks, while CISA found 80% of organisations had at least one person fall for a phishing attempt. Legacy MFA and siloed IAM do not close that gap reliably.
NHIMG editorial — based on content published by Axiad: Why phishing-resistant MFA is critical in 2023, and how CBA can help
By the numbers:
- 84% said their organization had experienced an identity-related breach in the past year.
- 80% of organizations had at least one individual who fell victim to a phishing attempt conducted by CISA assessment teams.
- 70% of organizations use 3 or more IAM systems across their organization, and more than half use 4 or more.
Questions worth separating out
Q: How should security teams implement phishing-resistant MFA across multiple IAM systems?
A: Start by identifying every authentication path that still accepts weaker factors, then apply a consistent phishing-resistant method to the highest-risk use cases first.
Q: Why do legacy MFA methods still leave organisations exposed to phishing?
A: Legacy MFA often depends on transferable factors such as SMS codes or push approvals, which attackers can intercept through SIM swapping or man-in-the-middle techniques.
Q: How can IAM teams know whether phishing resistance is actually working?
A: Look for consistency across systems, low dependence on fallback methods, and reduced use of transferable factors in sensitive access paths.
Practitioner guidance
- Inventory weak authentication paths across all IAM systems: Map every place where SMS, push, or other transferable factors are still accepted, then rank those flows by business criticality and exposure to phishing.
- Standardise phishing-resistant controls for high-risk access: Use certificate-based authentication or equivalent strong possession factors for privileged users, remote access, and sensitive applications where replay and interception are realistic threats.
- Remove authentication inconsistencies between platforms: Compare login policy across Windows, Apple, Linux, and federated applications to find where users get different assurance levels for the same access outcome.
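The three guidance steps above, and the "is it actually working" signals from the Q&A, as one added worked example (this is editorial example code, not Axiad's or NHIMG's). It models an inventory of authentication paths across several IAM systems, rates each path by the weakest factor it still accepts, ranks the weak ones by criticality and exposure, flags resources that get different assurance levels on different platforms, and reports the two metrics named earlier (transferable factors in sensitive paths, dependence on weak fallbacks). The IAM system names, resource names and the factor classification are constructed placeholders; the rule that a path is only as strong as its weakest accepted factor is the example's own modelling assumption.

```python
"""Inventory and rate authentication paths by phishing resistance.

Added example with constructed data; not code from Axiad or NHIMG.
"""
from collections import defaultdict
from dataclasses import dataclass

# Factor classes (assumed classification for this example). Certificate, smart card
# and FIDO2 bind the login to the origin; the "transferable" set covers codes and
# approvals that a victim can relay or approve for an attacker-in-the-middle.
PHISHING_RESISTANT = {"certificate", "smartcard", "fido2"}
TRANSFERABLE = {"sms_otp", "email_otp", "totp", "push_approval"}
PASSWORD_ONLY = {"password"}

LEVEL_RANK = {"password_only": 0, "transferable": 1, "phishing_resistant": 2}


@dataclass
class AuthPath:
    iam_system: str        # the IdP / directory enforcing the login
    platform: str          # Windows, Apple, Linux, federated
    resource: str          # the access outcome the user ends up with
    factors: list          # every second factor (or "password") the path still accepts
    criticality: int       # 1 (low) .. 5 (privileged / sensitive)
    internet_exposed: bool


def assurance(path: AuthPath) -> str:
    """Assurance level is set by the weakest factor the path accepts (modelling assumption):
    a certificate login that still falls back to SMS is a phishable path."""
    levels = set()
    for f in path.factors:
        if f in PHISHING_RESISTANT:
            levels.add("phishing_resistant")
        elif f in TRANSFERABLE:
            levels.add("transferable")
        elif f in PASSWORD_ONLY:
            levels.add("password_only")
        else:
            raise ValueError(f"unknown factor {f!r} on {path.resource}")
    return min(levels, key=LEVEL_RANK.__getitem__)


def risk_score(path: AuthPath) -> int:
    """Higher is worse: weak assurance on critical, internet-exposed access. 0 means phishing-resistant."""
    weakness = 2 - LEVEL_RANK[assurance(path)]
    return weakness * path.criticality * (2 if path.internet_exposed else 1)


def rank_weak_paths(paths):
    """Step 1: the paths that still accept weaker factors, worst first."""
    weak = [p for p in paths if assurance(p) != "phishing_resistant"]
    return sorted(weak, key=risk_score, reverse=True)


def inconsistencies(paths):
    """Step 3: the same resource reachable at different assurance levels across systems/platforms."""
    by_resource = defaultdict(list)
    for p in paths:
        by_resource[p.resource].append(p)
    return {
        res: sorted({f"{p.iam_system}/{p.platform}={assurance(p)}" for p in group})
        for res, group in by_resource.items()
        if len({assurance(p) for p in group}) > 1
    }


def programme_metrics(paths, sensitive_threshold=4):
    """The 'is it working' signals: transferable factors in sensitive paths, and strong
    methods that are undermined by a weak fallback still being accepted."""
    sensitive = [p for p in paths if p.criticality >= sensitive_threshold]
    return {
        "sensitive_paths": len(sensitive),
        "sensitive_paths_accepting_transferable": sum(
            assurance(p) != "phishing_resistant" for p in sensitive),
        "strong_paths_with_weak_fallback": sum(
            1 for p in paths
            if any(f in PHISHING_RESISTANT for f in p.factors)
            and assurance(p) != "phishing_resistant"),
    }


# Constructed sample inventory: three IAM systems, four platforms, one resource
# ("admin-portal") reachable through two of them with different policy.
SAMPLE_PATHS = [
    AuthPath("corp-idp", "Windows", "admin-portal", ["certificate"], 5, True),
    AuthPath("legacy-idp", "federated", "admin-portal", ["sms_otp"], 5, True),
    AuthPath("legacy-ad", "Windows", "workstation-login", ["smartcard"], 3, False),
    AuthPath("mac-sso", "Apple", "workstation-login", ["password"], 3, False),
    AuthPath("corp-idp", "Linux", "prod-ssh-bastion", ["totp", "fido2"], 5, True),
    AuthPath("corp-idp", "federated", "hr-app", ["fido2"], 4, True),
]

if __name__ == "__main__":
    for p in rank_weak_paths(SAMPLE_PATHS):
        print(f"{risk_score(p):3d}  {p.resource:18s} {p.iam_system}/{p.platform}  {assurance(p)}")
    print("inconsistent:", inconsistencies(SAMPLE_PATHS))
    print("metrics:", programme_metrics(SAMPLE_PATHS))
```

Two design choices carry the page's argument: a path is scored by its weakest accepted factor, so enabling certificates while leaving SMS as a fallback does not move the path out of the weak list, and the consistency check groups by access outcome rather than by IAM system, which is where the cross-platform gaps show up.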
What's in the full article
Axiad's full blog covers the operational detail this post intentionally leaves for the source:
- Specific certificate-based authentication rollout considerations for mixed Windows, Apple, and Linux estates
- The practical differences between legacy MFA bypass paths and phishing-resistant assurance models
- Implementation context for overlaying strong authentication across multiple IAM systems without a full rip-and-replace
- Background links on CBA adoption, Microsoft support, and related authentication resources
👉 Read Axiad's analysis of phishing-resistant MFA and certificate-based authentication →
Phishing-resistant MFA and CBA: what IAM teams need to fix?
Explore further
Phishing-resistant MFA is a control boundary problem, not a product feature problem. The real failure in many identity programmes is the assumption that any second factor meaningfully reduces phishing risk. SMS codes, push prompts, and other transferable factors can still be intercepted or socially engineered, so the control boundary remains porous. Practitioners should evaluate assurance strength by attack path, not by the presence of an MFA label.
Phishing resistance is now a programme design issue, not a point-control purchase. The organizations that will reduce identity exposure fastest are the ones that standardize assurance across every IAM system, not the ones that merely deploy another factor in one part of the estate. That is where consistency beats feature count.
A question worth separating out:
Q: What should organisations do when phishing-resistant controls are hard to roll out?
A: Treat rollout friction as a governance signal, not a reason to keep weak factors in place. Simplify enrollment, reset, and renewal so the strong method is practical for users and support teams. If the process is cumbersome, exceptions will accumulate and the control will erode under operational pressure.
👉 Read our full editorial: Phishing-resistant MFA exposes the gaps in legacy IAM design