TL;DR: Phishing remains a dominant entry path, with 83% of organisations reporting attacks in 2021 and traditional MFA still bypassed through SIM swapping and man-in-the-middle techniques, according to Axiad. Phishing-resistant MFA shifts authentication away from reusable secrets and OTP interception, but it also exposes how much of modern IAM still depends on phishable trust steps.
NHIMG editorial — based on content published by Axiad: The Importance of Phishing-resistant MFA
By the numbers:
- 83% of organisations reported phishing attacks in 2021.
Questions worth separating out
Q: What breaks when organisations rely on SMS or email MFA for sensitive access?
A: The control breaks when the second factor can be intercepted, relayed, or socially engineered.
Q: Why do phishing-resistant methods matter more for privileged users?
A: Privileged users create the highest blast radius if their accounts are taken over, so a phishable factor is a bigger governance problem there.
Q: What do security teams get wrong about saying MFA is already in place?
A: They often treat MFA as a binary control when the real question is which MFA method is deployed and whether the channel can be phished.
Practitioner guidance
- Replace OTP-based MFA on high-risk accounts: move privileged users, remote administrators, and sensitive business roles to phishing-resistant methods first.
- Review authentication channels for interception risk: map every place where the organisation still relies on SMS, email, or push approvals that can be relayed through a phishing page.
- Reduce password reuse pressure: pair MFA upgrades with passwordless rollout and stronger credential hygiene so users are not forced to remember and recycle passwords across systems.
What's in the full article
Axiad's full blog covers the operational detail this post intentionally leaves for the source:
- Specific explanation of how FIDO2 WebAuthn and PIV smart cards authenticate users without SMS or email codes
- Practical discussion of the White House and OMB phishing-resistant MFA direction for federal and partner environments
- Axiad Cloud credential coverage details across FIDO, PKI, Windows Hello for Business, YubiKeys, smart cards, TPM, and biometrics
👉 Read Axiad’s analysis of phishing-resistant MFA and passwordless identity →
Explore further
Phishing-resistant MFA is now the point where human IAM either closes the loop or keeps reintroducing the same attack path. Traditional MFA reduces risk, but it still accepts phishable channels as part of the authentication model. That means the control can be bypassed without breaking the account itself, which is why the problem remains structural rather than purely operational. The practitioner conclusion is simple: if the second factor can be replayed or intercepted, it is not the end state for identity assurance.
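The distinction drawn above, that a relayed second factor is accepted "without breaking the account itself" while an origin-bound factor is not, can be shown in a few lines. The Python below is an added example, not code from the NHIMG editorial or from Axiad. It simplifies the WebAuthn flow: HMAC stands in for the authenticator's per-credential public-key signature, and the relying-party id, the two origins and the OTP value are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed relying-party values for the demonstration (not from the page).
RP_ID = "login.example.com"                 # hypothetical relying-party id
RP_ORIGIN = "https://login.example.com"     # the only origin the RP accepts
PHISH_ORIGIN = "https://login-example.com"  # constructed look-alike phishing origin


def verify_otp(expected_code, submitted_code):
    """Server-side OTP check.

    Nothing in this check knows which web page collected the code, so a code
    typed into a phishing page and relayed to the real site verifies exactly
    like one typed into the genuine login form.
    """
    return hmac.compare_digest(expected_code, submitted_code)


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(key, rp_id_seen, client_data):
    """Toy authenticator: builds authenticatorData (rpIdHash || flags || counter)
    and signs authenticatorData || SHA-256(clientDataJSON).
    A real authenticator signs with a per-RP key pair; HMAC stands in here."""
    auth_data = rp_id_hash(rp_id_seen) + b"\x01" + (1).to_bytes(4, "big")
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(key, to_sign, hashlib.sha256).digest()


def browser_get_assertion(key, page_origin, challenge):
    """What the browser does for navigator.credentials.get(): it writes the
    origin of the calling page into clientDataJSON and only allows an rpId
    that matches that page's own domain. The page cannot alter either value."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": challenge,
                              "origin": page_origin}).encode()
    rp_id_seen = page_origin.removeprefix("https://")
    auth_data, sig = authenticator_sign(key, rp_id_seen, client_data)
    return client_data, auth_data, sig


def verify_assertion(key, expected_challenge, client_data, auth_data, sig):
    """Relying-party verification; returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin %r not allowed" % cd.get("origin")
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch"
    expected_sig = hmac.new(key, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Runs the OTP relay case and three WebAuthn cases; returns the outcomes."""
    key = secrets.token_bytes(32)          # toy credential key (shared, see authenticator_sign)
    challenge = secrets.token_urlsafe(32)  # fresh per-login challenge issued by the RP

    # 1. OTP typed into a phishing page and relayed unchanged: still accepted.
    otp_relayed = verify_otp("492081", "492081")   # constructed code

    # 2. Genuine page: assertion verifies.
    legit_ok, _ = verify_assertion(key, challenge,
                                   *browser_get_assertion(key, RP_ORIGIN, challenge))

    # 3. Same user and authenticator on the look-alike page: rejected on origin.
    cd, ad, sig = browser_get_assertion(key, PHISH_ORIGIN, challenge)
    phish_ok, phish_reason = verify_assertion(key, challenge, cd, ad, sig)

    # 4. Relay that rewrites origin and rpIdHash to the real values: both are
    #    covered by the signature, so the assertion no longer verifies.
    patched_cd = json.dumps({**json.loads(cd), "origin": RP_ORIGIN}).encode()
    patched_ad = rp_id_hash(RP_ID) + ad[32:]
    patched_ok, patched_reason = verify_assertion(key, challenge, patched_cd, patched_ad, sig)

    return {"otp_relayed_accepted": otp_relayed,
            "webauthn_genuine": legit_ok,
            "webauthn_from_phishing_page": (phish_ok, phish_reason),
            "webauthn_patched_relay": (patched_ok, patched_reason)}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The OTP path has no field that records where the code was collected, which is why a proxy between the user and the real site passes it through cleanly. The WebAuthn path fails in case 3 before any cryptography runs, on the origin the browser recorded, and fails in case 4 on the signature once the relay tries to rewrite that origin. That is the sense in which the control is bound to the channel rather than to a secret the user can be talked into handing over.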
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: Who should own the move to phishing-resistant authentication?
A: Identity, security architecture, and access governance teams should own it together because the decision affects assurance, user experience, and privileged access policy. The strongest methods should be mandated where compromise would be costly, and access reviews should confirm that the required method is actually enforced. That makes authentication a governance control, not just a deployment choice.
👉 Read our full editorial: Phishing-resistant MFA is the baseline for modern identity defence