
Phishing-resistant MFA and identity attack surface: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Repeated breaches tied to MFA fatigue, phishing, and social engineering show why mobile push is an easy-to-bypass lock and why phishing-resistant MFA based on asymmetric cryptography better fits cloud identity, according to Axiad. The decisive shift is from user-persuasion controls to authentication methods that remove approval abuse from the attack path.

NHIMG editorial — based on content published by Axiad: Identity is the Key to SaaS Security, and You Need a Better Lock

Questions worth separating out

Q: How should security teams reduce account takeover risk from MFA fatigue and phishing?

A: Prioritise phishing-resistant MFA for privileged users, remote access, and any workflow that would be expensive to compromise.

Q: Why do push-based MFA methods fail in real-world attacks?

A: Push methods fail because the attacker targets the person, not the system.

Q: How do organisations know whether their MFA is actually phishing resistant?

A: Look for methods that use cryptographic proof bound to the legitimate site and device, rather than codes or simple approve or deny prompts.

Practitioner guidance

  • Replace push approvals for privileged access: move privileged administrators and sensitive SaaS users to phishing-resistant authenticators that cannot be satisfied through notification fatigue or social engineering.
  • Classify MFA methods by attack resistance: map every authentication method to the failure mode it can withstand, including relay, prompt bombing, and help desk impersonation.
  • Unify identity controls across devices and apps: review whether the same authentication assurance applies across email, ERP, collaboration, and remote access.

What's in the full article

Axiad's full blog covers the implementation detail this post intentionally leaves at the strategy level:

  • The article walks through why mobile push is easy to install but easy to bypass in real user environments.
  • It explains how asymmetric cryptography changes the authentication ceremony for phishing-resistant MFA.
  • It outlines how the vendor connects authentication, identity proofing, and lifecycle management in its updated platform.
  • It describes the FedRAMP Moderate ATO context for federal deployment planning.

👉 Read Axiad's analysis of phishing-resistant MFA and identity attack surface →





(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Phishing-resistant MFA is a control model, not a product category. The post is really about whether authentication can survive an attacker who targets the human rather than the cryptographic mechanism. Mobile push fails because it relies on user response under stress, while phishing-resistant MFA changes the trust boundary by binding the ceremony to device-held key material. Practitioners should read this as a shift from prompt-driven access to cryptographically anchored access.

A few things that frame the scale:

  • The average organisation believes more than 1 in 5 of their non-human identities are insufficiently secured, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks.

A question worth separating out:

Q: Who is accountable when weak MFA leads to account compromise?

A: Accountability sits with the identity governance team, application owners, and security leadership together, because authentication design is an enterprise control decision. Frameworks such as NIST CSF and zero trust emphasise continuous verification and access risk reduction, not just user convenience.

👉 Read our full editorial: Phishing-resistant MFA is the lock identity security now needs


