
Phishing-resistant MFA: what it means for IAM programmes now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Legacy MFA is increasingly vulnerable to phishing and MFA fatigue, and Axiad argues that government mandates and modern use cases now justify a pragmatic phishing-resistant approach built around certificate-based authentication and FIDO support. The real issue is not whether stronger MFA exists, but whether identity programmes can support mixed authenticator paths without creating new operational silos.

NHIMG editorial — based on content published by Axiad: Phishing-Resistant Authentication for Everyone

Questions worth separating out

Q: How should organisations roll out phishing-resistant MFA without disrupting users?

A: Start by grouping users by role risk and application context, then phase in the strongest practical method for each cohort.

Q: When does phishing-resistant MFA matter most for identity programmes?

A: It matters most when legacy MFA is still exposed to phishing, MFA fatigue, or token theft, and when the workforce includes high-risk roles with access to sensitive systems or regulated data.

Q: What do security teams get wrong about passwordless authentication?

A: The most common mistake is treating passwordless as a single technology choice instead of a lifecycle programme.

Practitioner guidance

  • Map authentication strength by role risk: Group users by exposure level, then assign phishing-resistant authentication requirements according to business function, system access, and regulatory burden rather than applying a single standard everywhere.
  • Support both certificate-based authentication and FIDO: Maintain a control model that can support desktop login, cloud access, and application access without forcing one authenticator to fit every environment.
  • Track rollout and expiry as operational controls: Monitor enrolment progress, credential renewal status, and graceful expiry handling so passwordless migration does not create unmanaged authentication exceptions.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • Detailed step-by-step rollout guidance for certificate-based authentication across user groups
  • Specific examples of how Axiad maps authenticator choices to MacOS and Microsoft 365 use cases
  • Operational guidance for credential dashboard enrolment, renewal, and expiry handling
  • The vendor's full explanation of how CBA and FIDO coexist in a single SaaS platform

👉 Read Axiad's blog on phishing-resistant MFA and practical rollout guidance →
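The practitioner guidance above (risk-tiered authenticator requirements, CBA and FIDO side by side, and rollout/expiry tracked as controls) can be expressed as a small policy check. The following is an added example written for this thread; it is not code from Axiad or from the original post. The tier names, grace periods, renewal window and the sample user records are all constructed assumptions, chosen only to show how an IAM team might flag expiring certificates and unmanaged exceptions on a rollout dashboard.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Authenticator classes. The post names certificate-based authentication
# and FIDO as phishing-resistant; OTP/push/SMS are the legacy methods it
# describes as exposed to phishing and MFA fatigue.
PHISHING_RESISTANT = {"certificate", "fido2"}
LEGACY = {"totp", "push", "sms"}

# Assumed per-tier policy (not Axiad's): which authenticator kinds a tier
# accepts, and how many days an expired certificate may still be honoured
# (graceful expiry) before the user is treated as non-compliant.
TIER_POLICY = {
    "high":   {"accepted": PHISHING_RESISTANT,          "grace_days": 0},
    "medium": {"accepted": PHISHING_RESISTANT,          "grace_days": 30},
    "low":    {"accepted": PHISHING_RESISTANT | LEGACY, "grace_days": 90},
}

# Certificates due to expire within this window are surfaced for renewal.
RENEWAL_WINDOW = timedelta(days=30)


@dataclass
class Credential:
    kind: str                 # "certificate", "fido2", "totp", "push", "sms"
    expires: Optional[date]   # certificates expire; FIDO/OTP enrolments here do not


@dataclass
class User:
    name: str
    tier: str                 # key into TIER_POLICY
    credentials: List[Credential] = field(default_factory=list)


def evaluate(user: User, today: date, policy=TIER_POLICY) -> str:
    """Classify one user's authentication posture.

    Returns one of:
      "compliant"   - holds a valid authenticator the tier accepts
      "renewal-due" - compliant, but a certificate expires within RENEWAL_WINDOW
      "in-grace"    - only expired certificates remain, still inside the tier's grace period
      "expired"     - expired certificates past the grace period; access should be blocked
      "exception"   - no accepted authenticator at all (an unmanaged exception)
    """
    tier = policy[user.tier]
    accepted = [c for c in user.credentials if c.kind in tier["accepted"]]
    valid = [c for c in accepted if c.expires is None or c.expires >= today]
    expired = [c for c in accepted if c.expires is not None and c.expires < today]

    if valid:
        due = [c for c in valid if c.expires is not None and c.expires - today <= RENEWAL_WINDOW]
        return "renewal-due" if due else "compliant"
    if expired:
        newest = max(c.expires for c in expired)
        return "in-grace" if (today - newest).days <= tier["grace_days"] else "expired"
    return "exception"


def rollout_report(users: List[User], today: date):
    """Aggregate statuses for a dashboard and list users needing intervention."""
    counts = {}
    needs_action = []
    for u in users:
        status = evaluate(u, today)
        counts[status] = counts.get(status, 0) + 1
        if status in ("expired", "exception"):
            needs_action.append(u.name)
    return counts, sorted(needs_action)


# Constructed sample population for the demonstration.
TODAY = date(2025, 1, 15)
SAMPLE_USERS = [
    User("alice", "high",   [Credential("certificate", TODAY + timedelta(days=200))]),
    User("bob",   "high",   [Credential("certificate", TODAY + timedelta(days=10))]),
    User("carol", "medium", [Credential("certificate", TODAY - timedelta(days=5))]),
    User("dave",  "high",   [Credential("totp", None)]),
    User("erin",  "low",    [Credential("totp", None)]),
    User("frank", "high",   [Credential("certificate", TODAY - timedelta(days=60)),
                             Credential("push", None)]),
]

if __name__ == "__main__":
    counts, action = rollout_report(SAMPLE_USERS, TODAY)
    for status, n in sorted(counts.items()):
        print(f"{status:12s} {n}")
    print("needs action:", ", ".join(action))
```

The point of the separate "in-grace" and "renewal-due" states is the one the post makes about graceful expiry: a certificate that lapses should show up on the dashboard before it becomes an outage or, worse, a quietly re-enabled legacy fallback. "exception" is the state to watch most closely, since a high-risk user with only push or OTP is exactly the population fatigue attacks target.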

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Phishing-resistant MFA is now an identity governance requirement, not an enhancement. The article reflects a point the market has already reached: legacy MFA is no longer resilient enough against fatigue attacks and modern credential theft patterns. Once authentication can be bypassed through user interaction rather than cryptographic compromise, the programme question changes from convenience to control integrity. Practitioners should treat phishing-resistant MFA as a baseline control decision for high-risk identity populations.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why authentication governance and lifecycle oversight so often fail together.

A question worth separating out:

Q: Who should own phishing-resistant MFA governance in an enterprise?

A: Ownership should sit with IAM and security leadership together, because authentication policy, rollout sequencing, device support, and user communications all cross operational boundaries. If those responsibilities are fragmented, the programme usually stalls or creates inconsistent exceptions across business groups.

👉 Read our full editorial: Phishing-resistant MFA is becoming the baseline for identity


