
Phishing-resistant MFA: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Phishing remains a dominant attack path, with 83% of organisations reporting attacks in 2021 and many traditional MFA schemes still vulnerable to SIM swapping and man-in-the-middle interception, according to Axiad. Phishing-resistant MFA changes the control assumption by removing easily phished one-time codes and pushing authentication toward cryptographic proof instead of reusable secrets.

NHIMG editorial — based on content published by Axiad: The Importance of Phishing-resistant MFA

By the numbers:

Questions worth separating out

Q: How should security teams roll out phishing-resistant MFA without disrupting access?

A: Start with the highest-risk identities first, especially administrators, support staff, and remote users with access to sensitive systems.

Q: Why do SMS and email one-time passwords remain risky for enterprise access?

A: They are vulnerable because attackers can intercept or redirect the delivery channel through SIM swapping, mailbox compromise, or live proxy phishing.

Q: What breaks when organisations treat all MFA methods as equivalent?

A: They lose the ability to distinguish between basic two-factor convenience and true phishing resistance.

Practitioner guidance

  • Replace OTP-based MFA on critical access paths: move privileged users, administrators, and sensitive business functions off SMS and email one-time passwords.
  • Prioritise phishing resistance for privileged workflows: apply the strongest authenticators first to admin consoles, remote access, and approval paths that can lead to account takeover or lateral movement.

What's in the full article

Axiad's full blog post covers the implementation detail this post intentionally leaves for the source:

  • The article's step-by-step explanation of how SMS interception and man-in-the-middle phishing bypass traditional MFA.
  • The description of FIDO2 WebAuthn and PIV smart cards as phishing-resistant approaches for enterprise deployment.
  • The discussion of passwordless adoption trade-offs, including user experience and operational rollout considerations.
  • The vendor's specific guidance on where its platform fits across people, machines, and digital interactions.

👉 Read Axiad's analysis of phishing-resistant MFA and passwordless access →
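As an added example, not taken from this post or from Axiad's article, the Python simulation below shows the distinction the editorial draws between a relayable one-time code and an origin-bound FIDO2/WebAuthn-style assertion: a live proxy phishing site can forward an OTP to the real site unchanged, whereas a WebAuthn-style assertion carries the origin the browser actually saw inside the signed client data, so the real relying party rejects it, and a captured assertion cannot be replayed because the challenge is consumed. The origins `bank.example` and `bank-example.com`, the user `alice`, and the `RelyingParty` and `Browser` classes are constructed for this illustration, and an HMAC keyed with a per-credential secret stands in for the authenticator's asymmetric signature.

```python
"""Constructed simulation: why an OTP relays through a phishing proxy but a
WebAuthn-style assertion does not.  Names, origins and keys are invented for
this example; an HMAC keyed with a per-credential secret stands in for the
authenticator's asymmetric signature (real FIDO2 uses a key pair), because the
property shown is the binding of challenge and origin inside the signed data."""
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://bank.example"       # hypothetical relying party
PHISH_ORIGIN = "https://bank-example.com"  # hypothetical proxy phishing site
USER = "alice"                             # constructed user


class RelyingParty:
    """The real site, accepting either a one-time code or an assertion."""

    def __init__(self):
        self.otps = {}         # user -> currently valid code
        self.credentials = {}  # user -> credential secret (stands in for public key)
        self.pending = {}      # user -> outstanding challenge

    def send_otp(self, user):
        code = f"{secrets.randbelow(10**6):06d}"
        self.otps[user] = code
        return code            # would travel over SMS or email

    def verify_otp(self, user, code):
        # The code carries no information about where the user typed it, so a
        # proxy that forwards it promptly is indistinguishable from the user.
        ok = hmac.compare_digest(self.otps.get(user, ""), code)
        if ok:
            del self.otps[user]  # single use, but that does not stop one relay
        return ok

    def register(self, user, credential_secret):
        self.credentials[user] = credential_secret

    def begin_login(self, user):
        challenge = secrets.token_urlsafe(32)
        self.pending[user] = challenge
        return {"challenge": challenge}

    def verify_assertion(self, user, assertion):
        """Accept only if the signed client data names our origin and our challenge."""
        client_data = json.loads(assertion["clientDataJSON"])
        expected = self.pending.pop(user, None)   # each challenge is consumed once
        if client_data.get("origin") != REAL_ORIGIN:
            return False, "origin mismatch"
        if expected is None or client_data.get("challenge") != expected:
            return False, "challenge mismatch"
        digest = hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
        mac = hmac.new(self.credentials[user], digest, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, assertion["signature"]):
            return False, "bad signature"
        return True, "ok"


class Browser:
    """The user agent: it, not the page, writes the page's real origin into clientData."""

    def __init__(self, credential_secret):
        self.credential_secret = credential_secret  # held by the authenticator

    def get_assertion(self, options, page_origin):
        client_data_json = json.dumps(
            {"type": "webauthn.get", "challenge": options["challenge"], "origin": page_origin},
            sort_keys=True)
        digest = hashlib.sha256(client_data_json.encode()).digest()
        sig = hmac.new(self.credential_secret, digest, hashlib.sha256).hexdigest()
        return {"clientDataJSON": client_data_json, "signature": sig}


def otp_relayed_through_proxy():
    """The user enters the real code on the proxy page; the proxy forwards it."""
    rp = RelyingParty()
    code = rp.send_otp(USER)              # delivered to the user's phone
    captured = code                       # typed into the phishing page
    return rp.verify_otp(USER, captured)  # forwarded by the proxy: accepted


def assertion_from_page(page_origin, replay=False):
    """Log in from a page at page_origin; the proxy forwards the RP's real challenge."""
    rp = RelyingParty()
    secret = secrets.token_bytes(32)
    rp.register(USER, secret)
    browser = Browser(secret)
    options = rp.begin_login(USER)
    assertion = browser.get_assertion(options, page_origin)
    result = rp.verify_assertion(USER, assertion)
    if replay:                            # a captured assertion presented again
        result = rp.verify_assertion(USER, assertion)
    return result


if __name__ == "__main__":
    print("OTP via proxy accepted:", otp_relayed_through_proxy())
    print("assertion from real origin:", assertion_from_page(REAL_ORIGIN))
    print("assertion via proxy:", assertion_from_page(PHISH_ORIGIN))
    print("replayed assertion:", assertion_from_page(REAL_ORIGIN, replay=True))
```

The simulation deliberately models only the relying-party side of the check; a conforming browser additionally refuses to use a credential whose RP ID is not a registrable suffix of the page's origin, so in practice the proxy page never obtains an assertion at all. Either layer alone is enough to defeat the relay that the OTP path lets through, which is the assurance difference the guidance above is asking teams to act on.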

(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Phishing-resistant MFA is a trust-channel problem, not just a login upgrade. The article shows that the vulnerability is not the absence of MFA but the presence of interception-friendly factors such as SMS, email, and replayable codes. When authentication can be proxied or socially engineered in real time, the control no longer proves identity with enough confidence for modern access decisions. Practitioners should treat factor choice as an assurance boundary, not a user-preference exercise.

A few things that frame the scale:

A question worth separating out:

Q: Who should own phishing-resistant MFA governance across the identity programme?

A: IAM, PAM, and security architecture should own it together, because the control affects authentication policy, device trust, recovery, and privileged access. Governance should also include lifecycle events such as enrollment, reassignment, revocation, and lost-device handling. If those steps are fragmented, the programme will be secure on paper but inconsistent in practice.

👉 Read our full editorial: Phishing-resistant MFA is the real control against credential theft
