The most underestimated protection mechanism isn't a product.

A meeting room. A management team. Someone says "we have MFA". Another nods. It feels reassuring. A bit like when a binder gets a smart cover and suddenly looks like governance. But the question isn't whether you have MFA. The question is which MFA. Where. For whom. With what exceptions. And whether it actually withstands the attacks used today.
That's where it starts to bother me.
Robert Willborg

Co-founder and Chief Security Officer at OneMore Secure.

Many organisations believe they've addressed identity risk with SMS codes, push notifications or one-time codes. It's better than nothing, absolutely. But it's not the same as phishing-resistant identity protection. CISA clearly states that some forms of multifactor authentication can be bypassed through phishing, push bombing and SIM swapping, and therefore recommends phishing-resistant MFA as a stronger defence (CISA, 2023).

This matters. Not as technical nitpicking, but as a business issue.

NIST defines phishing resistance as the authentication protocol itself preventing secrets or valid authentication responses from being given to a fake verifier, without relying on user vigilance (NIST, 2025). In plain English: people shouldn't have to spot the scam alone. The system should make the scam technically useless. That's where FIDO2, WebAuthn and passkeys become relevant. Not because they sound modern, but because they change the game. Properly implemented, the login is tied to the right service and domain. A fake login page can't simply steal a password or code and reuse it.
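To make the origin binding concrete, here is an added example (not code from the original post or from OneMore Secure) of the relying-party checks a WebAuthn verifier performs on an assertion. It uses HMAC with a constructed demo secret in place of the authenticator's real asymmetric key pair, purely so that it runs with the Python standard library; the names `authenticator_assert`, `verify_assertion` and `demo` are assumptions for this illustration. The point it shows is the one made above: the browser, not the page, writes the origin into the signed client data, so an assertion produced on a look-alike site fails the origin check, an old assertion fails the challenge check, and editing the client data after the fact breaks the signature.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret standing in for the authenticator's private key.
# Real WebAuthn uses an asymmetric key pair (e.g. ECDSA P-256); HMAC is used
# here only so the example runs offline. The binding logic is identical.
AUTHENTICATOR_KEY = b"demo-authenticator-secret-not-a-real-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def authenticator_assert(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Model what browser + authenticator produce for navigator.credentials.get().
    The browser fills in the origin it is actually running on; the page cannot
    choose it. (A real browser would refuse an rp_id that does not match the
    origin before the authenticator is even asked; we model the output anyway
    so the server-side checks are visible.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32 bytes) | flags (UP set) | signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": signature}


def verify_assertion(assertion: dict, expected_origin: str, expected_rp_id: str,
                     issued_challenge: bytes) -> tuple:
    """Relying-party verification. Returns (ok, reason)."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if client.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if client.get("origin") != expected_origin:
        return False, "origin mismatch: %r" % client.get("origin")
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not (auth_data[32] & 0x01):
        return False, "user presence flag not set"
    # The signature covers authenticatorData and the hash of clientDataJSON,
    # so neither the origin nor the challenge can be rewritten after signing.
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def demo() -> dict:
    rp_id = "bank.example"                      # constructed relying party
    origin = "https://bank.example"
    challenge = secrets.token_bytes(32)

    good = authenticator_assert(origin, rp_id, challenge)
    legit = verify_assertion(good, origin, rp_id, challenge)

    # Assertion produced while the user sits on a look-alike page: the browser
    # stamps the real origin, so relaying it to the bank fails.
    phished = authenticator_assert("https://bank-example.login-help.test", rp_id, challenge)
    relayed = verify_assertion(phished, origin, rp_id, challenge)

    # Old assertion presented against a freshly issued challenge.
    replay = verify_assertion(good, origin, rp_id, secrets.token_bytes(32))

    # Client data edited to claim the right origin: the signature no longer matches.
    edited = dict(phished)
    edited["clientDataJSON"] = json.loads(phished["clientDataJSON"])
    edited["clientDataJSON"]["origin"] = origin
    edited["clientDataJSON"] = json.dumps(edited["clientDataJSON"], separators=(",", ":")).encode()
    tampered = verify_assertion(edited, origin, rp_id, challenge)

    return {"legit": legit, "relayed": relayed, "replay": replay, "tampered": tampered}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Compare this with a password or a six-digit code: both are bearer secrets that work wherever they are typed, so a fake page that collects them can reuse them. Nothing in the assertion above is reusable outside the origin and the single challenge it was minted for.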

This doesn't mean all risk disappears. It never does. Recovery flows, device management, support, lifecycle and access control still need to work. But the baseline is raised. And that baseline is often the difference between an incident and a crisis.

The Verizon Data Breach Investigations Report 2025 shows stolen or misused credentials remain a key entry point for intrusions, while exploitation of vulnerabilities has risen sharply (Verizon, 2025). ENISA describes a European threat landscape where public sector, digital services, transport, finance and industry face more complex attack pressure (ENISA, 2025).

In Sweden we see the same trend. The Security Service describes a deteriorating security situation involving cyber attacks, data breaches and influence attempts as part of a broader threat environment (Security Service, 2025). MSB also reports that many incidents still have unknown causes, followed by human error or system faults (MSB, 2026). The last point is almost the most uncomfortable. Many know something has happened, but not why, how or how far it went. This is not just a technical problem. It's a management problem.

So my point isn't that phishing-resistant identity is a silver bullet. Silver bullets belong in fairy tales and poor sales pitches. My point is that phishing-resistant identity and access control is one of the most underestimated core capabilities we have. But it must be combined with three things: exposure control, privilege management and tested recovery. Identity often determines how an attacker gets in. Exposure determines where they can go. Privileges determine how much damage they can do. Recovery determines whether the organisation survives.

This is where we need to stop talking about cybersecurity as if it only lives in the server room.

An accounts department doesn't think about WebAuthn. It thinks about invoices, salaries, suppliers and liquidity. A municipality thinks about schools, care, water and public services. An industrial company thinks about production, delivery precision and customer requirements. So ask the real questions. What happens if you can't log in? What happens if the wrong person gets admin rights? What happens if payroll, case management or production IT stops? What happens if a supplier with remote access is attacked? NIS2 and the Swedish cybersecurity law are basically about this: risk management, incident handling, continuity and control over dependencies. Not binder management. Not another checklist to survive audit but fail in practice. Security must be part of contracts, procurement, cloud services, system integration and external access.

NIST Cybersecurity Framework 2.0 describes cybersecurity as a cycle of governance, identification, protection, detection, response and recovery (NIST, 2024). It's sensible, as it makes the issue understandable for management. What's important? How do we protect it? How do we spot anomalies? How do we respond? How do we recover?

You can start simply.

· Start with accounts where takeover would cause the most damage: administrators, leadership, finance, HR, IT, remote access, external consultants and systems with sensitive data. Implement phishing-resistant authentication there first.

· Then close the exceptions. Old protocols, shared accounts, external accounts without owners, service accounts with excessive rights and cloud apps outside central identity aren't "special cases". They're side doors.

· Link access to context. Who logs in? From which device? From where? To which application? With what role? At what risk level? Conditional access isn't magic. It's common sense with governance.

· Make privileges temporary. Admin rights shouldn't be a permanent convenience. They should be time-limited, need-based and logged.

· And test recovery. Backup isn't a file. Backup is a capability. It only exists when protected, isolated, restorable and rehearsed.
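The third and fourth steps above (context-linked access and temporary privileges) are easier to reason about with a small working model. The following is an added example, not code from the original post or from any product; the policy rules, the `LoginContext` fields, the `PrivilegeBroker` class and the one-hour cap are all constructed assumptions for illustration. It shows a conditional-access decision that returns allow, step-up or deny from the login context, and a just-in-time privilege broker that grants admin scope only with a justification, only for a bounded time, and only with an audit record.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoginContext:
    """Constructed set of signals: who, from what device, from where, to what, at what risk."""
    user: str
    role: str                     # e.g. "admin", "finance", "staff"
    device_managed: bool          # enrolled and compliant device
    phishing_resistant_mfa: bool  # FIDO2/WebAuthn/passkey used for this session
    network: str                  # "corp", "home", "unknown"
    app_sensitivity: str          # "low" or "high"
    risk_score: int               # 0-100 from whatever risk signal the organisation has


def decide_access(ctx: LoginContext) -> tuple:
    """Conditional access: returns (decision, reason), decision in allow/step_up/deny.
    Rules are evaluated strictest first; the thresholds are illustrative."""
    if ctx.risk_score >= 80:
        return "deny", "risk score above hard limit"
    if ctx.role == "admin" and not ctx.device_managed:
        return "deny", "admin access only from managed devices"
    if ctx.app_sensitivity == "high" and not ctx.phishing_resistant_mfa:
        return "step_up", "sensitive application requires phishing-resistant authentication"
    if ctx.network == "unknown" and not ctx.device_managed:
        return "step_up", "unmanaged device on unknown network"
    return "allow", "policy satisfied"


class PrivilegeBroker:
    """Time-limited, need-based elevation with an audit trail (no standing admin)."""

    def __init__(self, max_minutes: int = 60):
        self.max_ttl = timedelta(minutes=max_minutes)
        self.grants = {}   # (user, scope) -> expiry
        self.audit = []    # append-only log of grant events

    def grant(self, user: str, scope: str, justification: str,
              now: datetime, minutes: int) -> datetime:
        if not justification.strip():
            raise ValueError("justification required for elevation")
        ttl = min(timedelta(minutes=minutes), self.max_ttl)  # cap, never extend
        expiry = now + ttl
        self.grants[(user, scope)] = expiry
        self.audit.append({"user": user, "scope": scope, "granted_at": now.isoformat(),
                           "expires_at": expiry.isoformat(), "justification": justification})
        return expiry

    def is_elevated(self, user: str, scope: str, now: datetime) -> bool:
        expiry = self.grants.get((user, scope))
        return expiry is not None and now < expiry


def demo() -> dict:
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed clock
    finance_from_home = LoginContext("anna", "finance", True, True, "home", "high", 10)
    finance_sms_only = LoginContext("anna", "finance", True, False, "home", "high", 10)
    admin_byod = LoginContext("erik", "admin", False, True, "corp", "high", 5)

    broker = PrivilegeBroker(max_minutes=60)
    expiry = broker.grant("erik", "domain-admin", "change INC-1234 (constructed)", t0, minutes=240)
    return {
        "finance_passkey": decide_access(finance_from_home),
        "finance_sms": decide_access(finance_sms_only),
        "admin_unmanaged": decide_access(admin_byod),
        "capped_minutes": int((expiry - t0).total_seconds() // 60),
        "elevated_at_30m": broker.is_elevated("erik", "domain-admin", t0 + timedelta(minutes=30)),
        "elevated_at_90m": broker.is_elevated("erik", "domain-admin", t0 + timedelta(minutes=90)),
        "audit_entries": len(broker.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The useful property is that every decision carries a reason and every elevation carries an expiry and a log entry, which is exactly what an incident review or an audit will ask for afterwards.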

This isn't just about costs. Done right, it's an investment in delivery capability, trust, brand and competitiveness. Organisations that can demonstrate real security capability in procurement, audits and supplier dialogues become more selectable. Period.

We also need to stop blaming people. A stressed employee facing a convincing email or fake login page isn't stupid. They're human. Modern security should be designed so it's easy to do the right thing and hard to make mistakes. Awareness is needed. But awareness must never be the organisation's excuse for weak technology and poor governance. The better question isn't why the user clicked. The better question is why a human error could be so damaging.

My conclusion is simple. The most underestimated protection mechanism isn't a firewall, EDR or awareness. It's phishing-resistant identity and access control by default, combined with exposure control, strict privilege management and tested recovery capabilities. Phishing-resistant identity is the toothbrush of cyber hygiene. Exposure control is the floss. Recovery testing is the dentist visit no one looks forward to, but everyone regrets postponing.

And just like real hygiene, the point isn't to impress anyone. The point is to avoid problems that hurt, cost money and take a long time to fix.

References

CISA (2023). Implementing Phishing-Resistant MFA. Cybersecurity and Infrastructure Security Agency.

ENISA (2025). ENISA Threat Landscape 2025. European Union Agency for Cybersecurity.

MSB (2026). Cyber Attack Trends 2023–2025: Annual Report. Swedish Civil Contingencies Agency.

NIST (2024). Cybersecurity Framework 2.0. National Institute of Standards and Technology.

NIST (2025). Special Publication 800-63B: Digital Identity Guidelines, Authentication and Authenticator Management. National Institute of Standards and Technology.

Security Service (2025). Situation Report 2024–2025. Security Service.

Verizon (2025). 2025 Data Breach Investigations Report. Verizon Business.
