Phishing-resistant MFA: where traditional authentication breaks down

(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter

TL;DR: Traditional MFA remains vulnerable to phishing, credential stuffing, push bombing, and man-in-the-middle attacks, even as CISA, NIST, and the White House push organisations toward phishing-resistant authentication, according to Axiad. The real issue is not whether MFA exists, but whether it resists modern identity attack paths.

NHIMG editorial — based on content published by Axiad: Is Your MFA Broken?

By the numbers:

  • PKI-based authentication typically accounts for 40% of use cases and can be leveraged for non-browser uses across workstations, mobile, Microsoft AD, and server authentication.
  • FIDO accounts for approximately 60% of use cases, covering browser-based authentication use cases such as single sign-on applications and Windows workstations.
  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.

Questions worth separating out

Q: How should security teams decide which MFA methods to keep?

A: Keep the MFA methods that can withstand modern phishing and relay attacks, not just the ones that are easiest to deploy.

Q: Why do traditional MFA methods still fail in real attacks?

A: Traditional MFA often fails because attackers do not need to break the factor itself.

Q: How do organisations know if their MFA is strong enough?

A: A useful test is whether the method resists phishing, replay, and man-in-the-middle attacks without relying on user judgment at the last moment.

Practitioner guidance

  • Inventory every authentication method in use: Classify which applications still rely on SMS, email, OTP, or push-only MFA, then map them to user populations and business criticality.
  • Prioritise phishing-resistant MFA for privileged and remote access: Use FIDO or certificate-based authentication for admin access, sensitive applications, and remote workflows where real-time relay attacks are most likely to succeed.
  • Match PKI and FIDO to the right authentication flows: Use PKI where you need workstation, server, or non-browser support, and use FIDO where browser-based login and user presence are the dominant requirements.

What's in the full article

Axiad's full blog covers the operational detail this post intentionally leaves for the source:

  • The authentication-method walkthrough for SMS, OTP, push, PKI, and FIDO use cases
  • The product-specific explanation of how Axiad Cloud combines credential management, enterprise PKI, and web authentication services
  • The integration list covering SAML, OAuth, SCIM, RADIUS, and hardware partners such as Yubico and Thales
  • The deployment discussion for non-browser authentication across workstations, servers, and federation paths

👉 Read Axiad's analysis of why traditional MFA fails against phishing →


(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343

Traditional MFA is now an insufficient assurance model, not just a weaker implementation. The article shows that phishing, push bombing, credential stuffing, and man-in-the-middle attacks can all bypass legacy MFA patterns. That means the security problem is no longer whether a second factor exists, but whether the factor resists adversary-in-the-middle techniques and user coercion. Practitioners should treat MFA strength as an assurance property, not a feature checklist.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means most identity teams cannot reliably see the credentials already in circulation.

A question worth separating out:

Q: What is the difference between PKI and FIDO for authentication?

A: PKI is better suited to certificate-backed, device-centric, and non-browser use cases such as workstations and servers. FIDO is better suited to browser-based logins and user-presence workflows. Most organisations need both, because each covers different parts of the identity and application landscape.

👉 Read our full editorial: Why traditional MFA still fails against phishing attacks

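Both posts above turn on one mechanism: a relayed OTP or push approval is accepted because nothing in it says which site the user was actually on, whereas a FIDO/WebAuthn assertion is signed over the origin the browser observed, the hash of the relying party (RP) ID, and a signature counter, so the server rejects a relayed or replayed assertion without any user judgement. The Go program below is an added example, not code from Axiad, NHIMG, or any WebAuthn library. It simulates a security key with an in-memory P-256 key and plays out a genuine login, an adversary-in-the-middle relay, and a replay against a minimal RP-side check. The hostnames bank.example and bank-login.example, the challenge strings, and all function and type names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

var ErrOriginMismatch = errors.New("client origin does not match the relying party origin")
var ErrReplay = errors.New("signature counter did not increase")

// ClientData holds the WebAuthn collectedClientData fields checked here; the browser
// fills Origin with the top-level origin it actually loaded, page script cannot alter it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the RP receives back from the browser.
type Assertion struct {
	AuthData       []byte // rpIdHash (32) || flags (1) || signCount (4)
	ClientDataJSON []byte
	Signature      []byte // ECDSA P-256 over SHA-256(AuthData || SHA-256(ClientDataJSON))
}

// Credential is the RP's stored record for one registered authenticator.
type Credential struct {
	PubKey    *ecdsa.PublicKey
	SignCount uint32
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign models the browser plus authenticator side of navigator.credentials.get(). priv and
// count stand in for a FIDO key and its counter (constructed, not a real device); rpID comes
// from the RP's request, origin is whatever site the browser is really on.
func Sign(priv *ecdsa.PrivateKey, count uint32, rpID, origin, challenge string) (Assertion, error) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x01) // 0x01 = user-presence flag
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], count)
	authData = append(authData, cnt[:]...)
	cd, _ := json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: origin}) // plain strings: cannot fail
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, cd))
	return Assertion{AuthData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// VerifyAssertion is the RP-side check; every rejection is made by the server, not the user.
func VerifyAssertion(cred *Credential, rpID, rpOrigin, challenge string, as Assertion) error {
	var cd ClientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return errors.New("wrong ceremony type or challenge")
	}
	if cd.Origin != rpOrigin { // a relayed OTP has no equivalent of this check
		return fmt.Errorf("%w: got %q", ErrOriginMismatch, cd.Origin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return errors.New("authenticator data does not match RP ID or lacks user presence")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= cred.SignCount {
		return ErrReplay
	}
	if !ecdsa.VerifyASN1(cred.PubKey, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("signature verification failed")
	}
	cred.SignCount = count
	return nil
}

// RunScenarios plays out a genuine login, an AiTM relay and a replay; hostnames are constructed.
func RunScenarios() (legit, relayed, replayed error) {
	const rpID, rpOrigin = "bank.example", "https://bank.example"
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen with rand.Reader does not fail in practice
	cred := &Credential{PubKey: &priv.PublicKey}
	// 1. Genuine login: challenge c1 issued by the RP, answered on the real origin.
	as1, _ := Sign(priv, 1, rpID, rpOrigin, "c1")
	legit = VerifyAssertion(cred, rpID, rpOrigin, "c1", as1)
	// 2. AiTM relay: a proxy on a look-alike host forwards the RP's real challenge and rpID, but the
	//    browser records the origin it is on. (A real browser refuses even earlier: rpID is not a suffix of that host.)
	as2, _ := Sign(priv, 2, rpID, "https://bank-login.example", "c2")
	relayed = VerifyAssertion(cred, rpID, rpOrigin, "c2", as2)
	// 3. Replay of the assertion accepted in step 1: the stored counter rejects it.
	replayed = VerifyAssertion(cred, rpID, rpOrigin, "c1", as1)
	return legit, relayed, replayed
}

func main() { fmt.Println(RunScenarios()) }
```

Run with `go run` and it prints the three verdicts: nil for the genuine login, an origin-mismatch error for the relayed assertion, and a counter error for the replay. A proxy cannot simply rewrite the origin field in transit, because clientDataJSON is covered by the signature, so that tampering fails at the signature check instead. Production RPs additionally keep challenges single-use and must tolerate authenticators that always report a counter of zero; both are left out here to keep the mechanism visible.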