TL;DR: Phishing remains the most likely attack for 49% of respondents, while 64% cite fear of change as the main reason they keep passwords and non-phishing-resistant MFA, according to Axiad’s 2023 State of Authentication Survey. Removing the human step is only part of the answer; authentication strategy still has to align with real IAM, rollout, and lifecycle constraints.
NHIMG editorial — based on content published by Axiad: How to Adopt Phishing-Resistant MFA
By the numbers:
- 49% of respondents said phishing is the most likely attack to happen.
- 64% of respondents said fear of change is the top reason for holding onto passwords and non-phishing-resistant MFA.
- Only 5.7% of organisations have full visibility into their service accounts.
Questions worth separating out
Q: How should security teams roll out phishing-resistant MFA without disrupting users?
A: Start with high-risk user groups, define assurance levels by role, and support the rollout with clear onboarding and recovery processes.
Q: Why do passwords and conventional MFA still create phishing risk?
A: Passwords can be stolen, and many MFA methods still rely on users approving prompts or entering codes that can be captured in real time.
Q: What do organisations get wrong when they treat phishing resistance as a technology project?
A: They focus on the authentication method and ignore the rollout model, support process, and fallback paths.
Practitioner guidance
- Prioritise high-risk user groups first: start with administrators, finance users, executives, and anyone who can approve money movement or sensitive access.
- Map assurance levels to user categories: define which employee groups need certificate-based authentication, which can use passkeys, and where exceptions are allowed.
- Plan for existing IAM interoperability: document where the new authentication layer will overlay current directories, SSO flows, and legacy applications.
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Practical comparison of certificate-based authentication and FIDO passkeys for real-world rollout decisions
- Guidance on mapping authentication levels to user categories without forcing a rip-and-replace IAM project
- Implementation considerations for organisations that already have PKI and want to extend it for stronger authentication
- Employee preparation and onboarding steps that reduce support friction during phishing-resistant MFA adoption
👉 Read Axiad's guide to adopting phishing-resistant MFA →
Phishing-resistant MFA and the governance gap teams still face?
Explore further
Phishing-resistant MFA is a human identity control, but its governance value extends beyond login hardening. The article is correct to frame phishing resistance as a way to remove the weak link created by human approval and password reuse. For identity teams, that means the issue is not only authentication assurance but whether the IAM programme can sustain a consistent assurance model across departments, devices, and exception paths. Practitioners should treat phishing resistance as an authentication governance decision, not a one-off deployment.
A few things that frame the scale:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time.
A question worth separating out:
Q: How can IAM teams tell whether phishing-resistant MFA is actually improving security?
A: Look for reduced reliance on reusable secrets, fewer successful credential phishing incidents, and consistent enforcement across all major sign-in paths. If the strongest control is limited to a small group or a single application, the programme is still partial, not mature.
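The two points above (mapping assurance levels to user categories in the practitioner guidance, and checking that enforcement is consistent across every major sign-in path) can be turned into a measurable report. The script below is an added example, not code from Axiad or NHIMG: it assumes a hypothetical assurance ladder (password below OTP/push below passkey below certificate), a hypothetical role-to-minimum-method policy, and a handful of constructed sign-in events. It reports which events fall below the policy for that role, the share of phishing-resistant sign-ins per path, and the paths where the control is entirely absent, which is the "partial, not mature" signal the answer describes.

```python
"""Assurance-coverage report over sign-in events (added example)."""
from collections import defaultdict

# Assumed assurance ladder. Ranks are illustrative, not a vendor standard.
ASSURANCE_RANK = {"password": 0, "sms_otp": 1, "push": 1, "passkey": 2, "certificate": 3}
PHISHING_RESISTANT = {"passkey", "certificate"}

# Assumed role-to-minimum-method policy, in the spirit of the guidance above.
ROLE_POLICY = {"admin": "certificate", "finance": "passkey", "executive": "passkey", "staff": "push"}

# Constructed sample sign-in events: (user, role, sign-in path, method used).
SAMPLE_EVENTS = [
    ("alice", "admin", "sso", "certificate"),
    ("alice", "admin", "vpn", "push"),           # admin falling back to push on VPN
    ("bob", "finance", "sso", "passkey"),
    ("bob", "finance", "legacy-erp", "password"),  # legacy app not behind the new layer
    ("carol", "executive", "sso", "passkey"),
    ("dave", "staff", "sso", "push"),
    ("dave", "staff", "vpn", "sms_otp"),
]


def below_policy(events):
    """Return events where the method used ranks below the role's minimum."""
    flagged = []
    for user, role, path, method in events:
        if ASSURANCE_RANK[method] < ASSURANCE_RANK[ROLE_POLICY[role]]:
            flagged.append((user, role, path, method))
    return flagged


def coverage_by_path(events):
    """Fraction of sign-ins per path that used a phishing-resistant method."""
    totals, resistant = defaultdict(int), defaultdict(int)
    for _, _, path, method in events:
        totals[path] += 1
        if method in PHISHING_RESISTANT:
            resistant[path] += 1
    return {path: resistant[path] / totals[path] for path in totals}


def weakest_paths(events):
    """Paths where no sign-in used a phishing-resistant method: the control is absent there."""
    return sorted(path for path, frac in coverage_by_path(events).items() if frac == 0.0)


def maturity(events):
    """'mature' only when every path is fully covered and nothing is below policy."""
    if below_policy(events) or any(f < 1.0 for f in coverage_by_path(events).values()):
        return "partial"
    return "mature"


if __name__ == "__main__":
    for event in below_policy(SAMPLE_EVENTS):
        print("below policy:", event)
    for path, frac in sorted(coverage_by_path(SAMPLE_EVENTS).items()):
        print(f"{path}: {frac:.0%} phishing-resistant")
    print("paths with no phishing-resistant sign-ins:", weakest_paths(SAMPLE_EVENTS))
    print("programme state:", maturity(SAMPLE_EVENTS))
```

Run against the constructed events, the report flags the admin's VPN fallback and the finance user's password sign-in to the legacy ERP, shows SSO at 75% coverage with VPN and legacy-erp at 0%, and rates the programme "partial". Feeding it real sign-in logs (user, role, path, method) is the point: the per-path view exposes exactly the exception paths the editorial warns about.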
👉 Read our full editorial: Phishing-resistant MFA adoption still hinges on identity design