
Phishing-resistant MFA: is your identity stack still phishable?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 3218
Topic starter  

TL;DR: Phishing remains one of the most common and dangerous attack paths, and Axiad argues that phishing-resistant MFA is needed because passwords, device compromise, and credential reuse continue to give attackers a workable path into accounts and data. The control matters because authentication that can still be socially engineered is not yet resilient enough for modern identity risk.

NHIMG editorial — based on content published by Axiad: 7 Reasons Why Phishing-Resistant MFA Should Be Your Goal

By the numbers:

  • In 2018, there were over 1.3 billion phishing attempts, and that number is expected to grow to over 10 billion by 2022.

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA for employee access?

A: Start by requiring it for privileged accounts, remote access, and applications that expose sensitive data or administrative functions.

Q: Why do passwords still create identity risk even when MFA is in place?

A: Passwords remain risky because attackers can steal, guess, spray, or socially engineer them, and weaker MFA methods can still be replayed or intercepted.

Q: What breaks when authentication is not phishing-resistant?

A: The trust boundary between the user and the system becomes easy to impersonate.

Practitioner guidance

  • Prioritise phishing-resistant MFA for high-risk access: Start with privileged users, administrators, finance systems, remote access, and SaaS accounts that expose sensitive data or control paths.
  • Reduce password dependence in critical workflows: Replace password-only or password-plus-SMS flows with stronger factors that cannot be easily replayed from a fake login page.
  • Pair MFA with session oversight: Treat login success as the start of governance, not the end.

What's in the full article

Axiad's full blog post covers the operational detail this post intentionally leaves for the source:

  • The article's full explanation of password-spraying, credential theft, and why simple MFA is still vulnerable to phishing.
  • Examples of how phishing-resistant MFA improves user experience without relying on repeated password prompts.
  • The vendor's discussion of how MFA protects devices, IoT endpoints, and personal accounts that intersect with work access.
  • The broader security strategy context, including related controls such as DLP and user activity monitoring.

👉 Read Axiad's analysis of why phishing-resistant MFA should be the goal →

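The guidance above says to replace factors that can be "replayed from a fake login page" with ones that cannot. The mechanism that makes FIDO2/WebAuthn factors phishing-resistant is that the browser, not the user, binds each assertion to the real origin and relying-party ID, so the verifier can reject a response produced on a lookalike domain even when the attacker relays a fresh challenge in real time. The following added example (illustrative code written for this thread, not Axiad's or NHIMG's, and not a full WebAuthn implementation) models those relying-party checks with constructed payloads; the RP ID `login.example.com`, the lookalike `login-example.com`, and the helper names are assumptions, and the signature check over the credential's public key is noted but omitted because the example carries no keys.

```python
"""Added example: why an origin-bound factor survives a fake login page.

Models the relying-party checks a WebAuthn/FIDO2 verifier performs on the
clientDataJSON and authenticator data returned after a login ceremony:
  1. the challenge must match the one this server issued (no replay),
  2. the origin recorded by the browser must be the real site,
  3. the RP ID hash in the authenticator data must match our RP ID.
All payloads are constructed; no real credentials or signatures are used.
"""
import base64
import hashlib
import json
import secrets
from dataclasses import dataclass

RP_ID = "login.example.com"                 # assumed relying-party id
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_challenge() -> bytes:
    """Server-side: one fresh random challenge per login attempt."""
    return secrets.token_bytes(32)


def build_client_response(origin: str, challenge: bytes, rp_id: str) -> dict:
    """Constructed stand-in for what a browser plus authenticator returns.
    The browser fills in `origin` and the authenticator hashes the RP ID it
    was given; the user never types either, so a phishing page cannot ask
    the user to 'fix' them."""
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
    }).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x05"                  # user present + user verified (constructed)
    counter = (1).to_bytes(4, "big")
    return {"clientDataJSON": client_data,
            "authenticatorData": rp_id_hash + flags + counter}


@dataclass
class VerifyResult:
    ok: bool
    reason: str


def verify_assertion(resp: dict, expected_challenge: bytes) -> VerifyResult:
    """Relying-party verification of one assertion (signature step omitted)."""
    try:
        cd = json.loads(resp["clientDataJSON"])
    except (KeyError, ValueError):
        return VerifyResult(False, "malformed clientDataJSON")
    if cd.get("type") != "webauthn.get":
        return VerifyResult(False, "wrong ceremony type")
    if not secrets.compare_digest(cd.get("challenge", ""), b64url(expected_challenge)):
        return VerifyResult(False, "challenge mismatch (replay or stale)")
    if cd.get("origin") != EXPECTED_ORIGIN:
        return VerifyResult(False, f"origin mismatch: {cd.get('origin')!r}")
    auth = resp.get("authenticatorData", b"")
    if len(auth) < 37:
        return VerifyResult(False, "authenticatorData too short")
    if not secrets.compare_digest(auth[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return VerifyResult(False, "rpIdHash mismatch")
    if auth[32] & 0x01 == 0:
        return VerifyResult(False, "user-presence flag not set")
    # A real verifier would now check the signature over
    # authenticatorData || sha256(clientDataJSON) with the registered public
    # key; omitted here because this constructed example carries no keys.
    return VerifyResult(True, "ok")


def demo() -> dict:
    """Legitimate login, a relayed login from a lookalike page, and a replay."""
    challenge = issue_challenge()
    legit = build_client_response(EXPECTED_ORIGIN, challenge, RP_ID)
    # Lookalike site relays the real challenge in real time; origin still differs.
    phish = build_client_response("https://login-example.com", challenge, "login-example.com")
    # Old response presented again against a new challenge.
    replay = build_client_response(EXPECTED_ORIGIN, issue_challenge(), RP_ID)
    return {
        "legit": verify_assertion(legit, challenge),
        "phish": verify_assertion(phish, challenge),
        "replay": verify_assertion(replay, challenge),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:6s} ok={result.ok} reason={result.reason}")
```

The point for practitioners: with an SMS or TOTP code, the same relay from the lookalike page succeeds because nothing in the code says which site the user was on; here the origin and RP ID hash are part of what is verified, so the relayed response fails before any signature check is reached. Logging the reason string on rejection also gives a useful detection signal for lookalike-domain activity.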



   
(@mr-nhi)
Member Moderator
Joined: 4 weeks ago
Posts: 1804
 

Phishing-resistant MFA should be treated as a human identity baseline, not an optional hardening layer. The article is right to frame password weakness as a persistent attack path because phishing, spraying, and credential theft remain reliable entry points. In human IAM, authentication is only trustworthy when the factor is difficult to duplicate in real time. Practitioners should treat weak MFA as a control gap that changes the account takeover risk profile immediately.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to Ultimate Guide to NHIs.

A question worth separating out:

Q: Should organisations prioritise phishing-resistant MFA over other identity projects?

A: For most enterprises, yes, when the goal is to reduce the most common account takeover path. It should be prioritised ahead of lower-value convenience changes because authentication weakness often becomes the first step in broader identity compromise and later governance failures.

👉 Read our full editorial: Phishing-resistant MFA is now a baseline identity control



   