TL;DR: Phishing-resistant MFA is presented as a practical response to rising phishing volume, password weakness, and credential reuse, with Axiad arguing that stronger authentication reduces breach likelihood, protects revenue, and improves user experience. The deeper point is that identity programmes can no longer treat passwords as a tolerable control plane for access.
NHIMG editorial — based on content published by Axiad: 7 Reasons Why Phishing-Resistant MFA Should Be Your Goal
By the numbers:
- In 2018, there were over 1.3 billion phishing attempts.
- The same analysis projected that figure to exceed 10 billion by 2022.
Questions worth separating out
Q: How should security teams implement phishing-resistant MFA for high-risk access?
A: Start with the accounts that can cause the most damage if compromised, especially administrators, finance users, and remote workers.
Q: Why does phishing-resistant MFA matter more than password strength alone?
A: Password strength helps, but it does not stop real-time phishing, credential sharing, or session replay.
Q: What do organisations get wrong when they think standard MFA is enough?
A: They assume any second factor stops phishing, when many factors can still be relayed or stolen during the login flow. A one-time code or push approval is something the user hands over, so an adversary-in-the-middle proxy can capture it and forward it to the real service in real time; a phishing-resistant authenticator instead signs a server challenge bound to the origin the browser actually connected to, so a relayed login fails verification rather than succeeding.
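To make the relay point concrete, here is an added simulation (not code from Axiad or NHIMG) of an adversary-in-the-middle phishing proxy sitting between a victim and a legitimate login server. It relays two kinds of second factor: a TOTP code the victim types in, and an origin-bound signed challenge of the kind a FIDO2/WebAuthn authenticator produces. All origins, seeds and keys are constructed demo values, and HMAC stands in for the authenticator's asymmetric signature; real WebAuthn verifies with a stored public key, but the origin check and single-use challenge shown are the same logic.

```python
"""Why factor count is not the same as replay resistance.

Constructed example: an AiTM proxy relays an OTP and an origin-bound
assertion to the legitimate server.  Only the latter is rejected.
"""
import hashlib
import hmac
import json
import secrets
import struct

LEGIT_ORIGIN = "https://login.example.com"        # constructed
PHISH_ORIGIN = "https://login.example-com.test"   # constructed look-alike
OTP_SEED = b"constructed-demo-totp-seed"          # shared by user app and server
CRED_KEY = b"constructed-demo-credential-key"     # stand-in for a WebAuthn key pair


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class LegitServer:
    """Relying party that accepts both OTP logins and origin-bound assertions."""

    def __init__(self) -> None:
        self.pending: set[str] = set()   # challenges issued but not yet used

    def verify_otp(self, code: str, unix_time: int) -> bool:
        # The server cannot tell whether the code came from the victim or a proxy.
        return hmac.compare_digest(code, totp(OTP_SEED, unix_time))

    def issue_challenge(self) -> str:
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify_assertion(self, client_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        if cd.get("origin") != LEGIT_ORIGIN:        # origin binding defeats relay
            return False
        if cd.get("challenge") not in self.pending:  # freshness defeats replay
            return False
        self.pending.discard(cd["challenge"])        # each challenge is single use
        expected = hmac.new(CRED_KEY, client_data, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def authenticator_sign(challenge: str, origin: str) -> tuple[bytes, bytes]:
    """The browser fills in the origin it is really on; the user cannot override it."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    return client_data, hmac.new(CRED_KEY, client_data, hashlib.sha256).digest()


def aitm_relay_otp(server: LegitServer, unix_time: int) -> bool:
    """Victim types password + OTP into the phishing page; the proxy forwards both."""
    code_typed_by_victim = totp(OTP_SEED, unix_time)   # read off the victim's app
    return server.verify_otp(code_typed_by_victim, unix_time)


def aitm_relay_assertion(server: LegitServer) -> bool:
    """Proxy forwards the real challenge, but the browser signs it for the phishing origin."""
    challenge = server.issue_challenge()
    client_data, sig = authenticator_sign(challenge, PHISH_ORIGIN)
    return server.verify_assertion(client_data, sig)


def legit_assertion(server: LegitServer) -> bool:
    """Control case: the victim is really on the legitimate origin."""
    challenge = server.issue_challenge()
    client_data, sig = authenticator_sign(challenge, LEGIT_ORIGIN)
    return server.verify_assertion(client_data, sig)


def replay_assertion(server: LegitServer) -> bool:
    """Capture one valid assertion and submit it twice; True if only the first passes."""
    challenge = server.issue_challenge()
    client_data, sig = authenticator_sign(challenge, LEGIT_ORIGIN)
    first = server.verify_assertion(client_data, sig)
    second = server.verify_assertion(client_data, sig)
    return first and not second


if __name__ == "__main__":
    s = LegitServer()
    print("relayed OTP accepted:      ", aitm_relay_otp(s, 1_700_000_000))
    print("relayed assertion accepted:", aitm_relay_assertion(s))
    print("replayed assertion blocked:", replay_assertion(s))
```

The OTP path passes because nothing in the code ties it to where the victim typed it; the assertion path fails because the origin is set by the browser, not the user, and the server compares it against its own origin before checking the signature. That is the property "replay resistance, not factor count" refers to.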
Practitioner guidance
- Replace replayable login methods on high-risk paths: move privileged users, remote access, and sensitive application access to phishing-resistant authenticators that cannot be copied from a prompt or message.
- Map every remaining password dependency: inventory applications, VPNs, portals, and service desks that still accept passwords or OTP flows as the primary trust check.
- Reduce credential sharing pressure: remove workflow friction that causes employees to hand out passwords or reuse accounts.
What's in the full article
Axiad's full blog post covers the operational detail this post intentionally leaves for the source:
- Detailed discussion of the user experience trade-offs between different MFA options
- Expanded explanation of how phishing-resistant MFA can support device and account protection
- Axiad's full reasoning on why passwordless approaches reduce user friction while improving control
- Additional context on combining MFA with DLP and user activity monitoring
👉 Read Axiad's analysis of why phishing-resistant MFA should be the goal →
Phishing-resistant MFA: what it means for IAM teams now
Explore further
Phishing-resistant MFA is a control integrity issue, not just an authentication upgrade. The article is right to frame password theft as the starting point, but the governance problem is deeper: if an access method can be replayed, it is not a stable trust boundary. Identity teams should read this as a warning that authentication controls still built around user-entered secrets remain structurally exposed. The practitioner conclusion is that replay resistance, not just factor count, is what determines whether MFA actually reduces risk.
A few things that frame the scale:
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means most identity programmes still cannot see the full attack surface they are trying to govern.
A question worth separating out:
Q: Who should own phishing-resistant MFA decisions in an identity programme?
A: IAM, security architecture, and risk leaders should own the policy, while application and endpoint teams handle rollout details. The right owner is the group that can set authentication standards across systems, define fallback rules, and measure whether high-risk access paths still depend on replayable credentials. That keeps the decision tied to risk, not convenience.
👉 Read our full editorial: Phishing-resistant MFA is now the baseline for identity security