TL;DR: Phishing resistance is becoming a board-level priority because identity-related breaches are common, phishing remains the dominant breach type, and fragmented IAM estates leave inconsistent MFA coverage, according to Axiad and cited industry research. The real issue is not whether MFA exists, but whether it is resistant to interception, replay, and bypass across every authentication path.
NHIMG editorial — based on content published by Axiad: Why phishing-resistant MFA is critical in 2023, and how CBA can help
By the numbers:
- 70% of organizations use 3 or more IAM systems across their organization, and more than half use 4 or more.
- 84% said their organization had experienced an identity-related breach in the past year.
- 80% of organizations had at least one individual who fell victim to a phishing attempt run by CISA Assessment teams.
Questions worth separating out
Q: How should security teams implement phishing-resistant MFA across multiple IAM systems?
A: Start by mapping every authentication path, not just the primary login portal.
Q: Why do multiple IAM systems make phishing resistance harder to govern?
A: Multiple IAM systems often support different authentication methods, policies, and exceptions.
Q: What do security teams get wrong about MFA and phishing risk?
A: They often assume that any MFA meaningfully blocks phishing.
Practitioner guidance
- Map authentication methods by application and IAM system: create an inventory of every login path, then identify where SMS, push approvals, or other replayable factors remain in use.
- Replace interceptable factors with phishing-resistant options: where risk justifies it, move high-value access to certificate-based authentication or other cryptographically bound methods that do not rely on transmitted codes.
- Test for bypass paths in legacy and siloed IAM estates: review whether older platforms, federated apps, or administrative portals still accept weaker MFA than the rest of the estate.
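The three steps above amount to one check: rate every login path by the weakest factor it will accept, then compare coverage across IAM systems. The script below is an added example (not Axiad's or NHIMG's code); the IAM system names, applications and inventory rows are constructed, and the factor classes follow the usual CISA/NIST split between cryptographically bound authenticators and codes or approvals that travel over a channel an attacker can relay.

```python
from collections import defaultdict

# Only cryptographically bound authenticators count as phishing-resistant;
# anything delivered as a code or approval over a relayable channel is
# interceptable or replayable. Factor names here are assumed labels.
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey", "certificate", "smartcard"}
INTERCEPTABLE = {"sms", "voice", "email_otp", "totp", "push"}

# Constructed inventory: one row per login path an application exposes.
# "accepts" lists every factor the path will take, including fallbacks.
INVENTORY = [
    {"app": "hr-portal", "iam": "Okta", "path": "sso", "accepts": ["fido2", "push"]},
    {"app": "hr-portal", "iam": "Okta", "path": "recovery", "accepts": ["sms"]},
    {"app": "vpn", "iam": "ADFS", "path": "primary", "accepts": ["certificate"]},
    {"app": "admin-console", "iam": "legacy-ldap", "path": "primary", "accepts": ["totp"]},
    {"app": "payroll", "iam": "Azure AD", "path": "sso", "accepts": ["passkey"]},
]

def weakest_factor(accepts):
    """An attacker only needs one accepted route, so a path is as weak as
    the weakest factor it still accepts. Returns (factor, is_resistant)."""
    weak = [f for f in accepts if f in INTERCEPTABLE]
    if weak:
        return weak[0], False
    strong = [f for f in accepts if f in PHISHING_RESISTANT]
    if strong:
        return strong[0], True
    return "unknown", False  # unclassified factor: do not assume resistance

def assess(inventory):
    """Return (findings, coverage): the paths that still accept a weak
    factor, and the share of phishing-resistant paths per IAM system."""
    findings = []
    per_iam = defaultdict(lambda: {"paths": 0, "resistant": 0})
    for row in inventory:
        factor, resistant = weakest_factor(row["accepts"])
        per_iam[row["iam"]]["paths"] += 1
        if resistant:
            per_iam[row["iam"]]["resistant"] += 1
        else:
            findings.append((row["app"], row["iam"], row["path"], factor))
    coverage = {iam: c["resistant"] / c["paths"] for iam, c in per_iam.items()}
    return findings, coverage

if __name__ == "__main__":
    gaps, cov = assess(INVENTORY)
    for app, iam, path, factor in gaps:
        print(f"GAP {app} via {iam} [{path}] still accepts {factor}")
    print({iam: f"{pct:.0%}" for iam, pct in cov.items()})
```

Note that the hr-portal SSO path is flagged even though it supports FIDO2: as long as push approval remains an accepted fallback, the path is not phishing-resistant.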
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Survey references and cited evidence on phishing resistance priorities across security leaders
- Detailed explanations of SIM swapping and man-in-the-middle bypass techniques
- A more specific walkthrough of certificate-based authentication use cases across Windows, Apple OS, and Linux
- Product-oriented information on Axiad's CBA for IAM offering and deployment model
👉 Read Axiad's analysis of phishing-resistant MFA and certificate-based authentication →
Phishing-resistant MFA and IAM sprawl: are your controls aligned?
Explore further
Phishing resistance is now a control consistency problem, not a point solution problem. The central weakness the article identifies is not that MFA exists, but that MFA is deployed unevenly across multiple IAM systems. Once authentication protections vary by stack, the attacker only needs one route that still accepts replayable or interceptable factors. The governance takeaway is that phishing resistance must be measured across the full authentication estate, not assumed from a single modern login path.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most teams still cannot see the identity estate they are trying to govern.
A question worth separating out:
Q: Who should own phishing-resistant authentication governance in an enterprise?
A: Ownership should sit with identity and security leadership jointly, because the control spans IAM architecture, user experience, device posture, lifecycle management, and privileged access. If ownership is scattered, gaps appear in exceptions, recovery flows, and legacy integrations. Accountability must cover the whole authentication estate, not a single project team.
👉 Read our full editorial: Phishing-resistant MFA remains a gap in fragmented IAM estates