Authentication

Phishing-Resistant MFA

Phishing-Resistant MFA is authentication that is resistant to phishing attacks by design — typically cryptographic methods like FIDO2 that are scoped to the legitimate domain and cannot be tricked into using credentials on a fake site. It moves away from knowledge and SMS factors that users can be socially engineered to share.
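
The domain scoping described above, shown as the binding checks a relying party runs on a WebAuthn (FIDO2) assertion before it accepts a login. This is an added example, not code from this page or its vendor; the RP ID, origin and sample assertions are constructed, and signature verification is assumed to be done as a separate step.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "login.example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed origin of the real site

def b64url(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def binding_failures(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> list:
    """Names of failed domain-binding checks; an empty list means all passed.
    Signature verification over auth_data || SHA-256(client_data_json) is a
    separate step that must also succeed and is not shown here."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON"]
    if not isinstance(cd, dict):
        return ["clientDataJSON"]
    failures = []
    if cd.get("type") != "webauthn.get":
        failures.append("type")
    # The browser writes the origin it actually loaded; page script cannot set it.
    if cd.get("origin") != EXPECTED_ORIGIN:
        failures.append("origin")
    if not hmac.compare_digest(str(cd.get("challenge", "")).encode(), b64url(challenge)):
        failures.append("challenge")
    # Bytes 0..31 are SHA-256 of the RP ID the authenticator signed for; byte 32 holds flags.
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if len(auth_data) < 37 or not hmac.compare_digest(auth_data[:32], expected_hash):
        failures.append("rpIdHash")
    elif not auth_data[32] & 0x01:  # UP (user present) flag
        failures.append("userPresent")
    return failures

def sample_assertion(origin: str, rp_id: str, challenge: bytes, flags: int = 0x05):
    """Constructed sample data shaped like what a browser and authenticator return."""
    cd = {"type": "webauthn.get", "challenge": b64url(challenge).decode(), "origin": origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (7).to_bytes(4, "big")
    return json.dumps(cd).encode(), auth_data

if __name__ == "__main__":
    ch = b"\x01" * 32  # constructed challenge; a real server uses fresh random bytes per login
    print(binding_failures(*sample_assertion(EXPECTED_ORIGIN, RP_ID, ch), ch))
    # Look-alike site relaying the real challenge: origin and RP ID hash both differ.
    print(binding_failures(*sample_assertion("https://login-example.test", "login-example.test", ch), ch))
```

A fallback path that skips these checks, such as an emergency bypass, is outside what this function can protect.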

# WHAT TEAMS RUN INTO

  • Phishing-resistant authentication still fails if the legitimate site is compromised. An attacker who breaches the real website and modifies its code can trick users into delegating legitimate authentication to an attacker.

  • User adoption of phishing-resistant MFA is slow. FIDO2 and other cryptographic methods require compatible devices or hardware keys that not all users have immediately available.

  • Emergency access bypass mechanisms can weaken phishing resistance. If admins implement a way to bypass FIDO2 requirements for emergencies, attackers find and exploit those bypass paths.

# WHY IT MATTERS

Phishing is the #1 attack vector for account takeover. Phishing-resistant MFA removes the human from the equation — instead of asking 'is this the real site,' the authenticator cryptographically verifies it. Organizations that deploy phishing-resistant MFA dramatically reduce account takeover risk. But phishing resistance is not a property of the technology alone — it is a property of the entire authentication flow, and any manual override or fallback can reintroduce phishing risk.
