MFA

Phishing-Resistant MFA

Phishing-resistant MFA is multi-factor authentication that cannot be intercepted, replayed, or socially engineered around — in practice today this means FIDO2/WebAuthn (security keys and passkeys) or PIV / CAC smart cards. SMS, TOTP, and push-approve MFA are *not* phishing-resistant.

Last reviewed 5/30/2026

Key points

  • CISA, NIST SP 800-63B, and Microsoft all recommend phishing-resistant MFA as the gold standard.
  • Phishing-resistant = origin-bound cryptographic proof: a fake site can't get a signature for the real site's domain.
  • SMS, TOTP, voice, and push notifications are bypassable via AiTM proxies (Evilginx), push bombing, SIM swap, and social engineering.
  • Implement at minimum for: admins, finance, executives, IT/security staff, and anyone with access to source code or production.
  • US Executive Order 14028 and OMB M-22-09 require phishing-resistant MFA for all federal employees and contractors.

What is phishing-resistant MFA?

Phishing-resistant MFA is the subset of multi-factor authentication that cannot be defeated by a convincing fake login page, an adversary-in-the-middle proxy, push fatigue, or social engineering. In practice today, this is:

  • FIDO2 / WebAuthn security keys (YubiKey, Titan, Feitian, SoloKey)
  • Passkeys (FIDO2 credentials, synced or device-bound)
  • PIV / CAC smart cards (mostly government)
  • Windows Hello for Business (certificate-backed)

What makes them phishing-resistant: the credential is cryptographically bound to the real site's origin. When a user lands on a look-alike phishing site at acrne.com, the browser will not use the credential registered for acme.com, because the RP ID (acme.com) does not match the page's origin; anything the authenticator does sign is bound to acrne.com and is rejected by the real server. There is no human-decision step that can be fooled.

What is not phishing-resistant

  • SMS / voice OTP — interceptable, SIM-swap-vulnerable.
  • TOTP authenticator apps — phishable through AiTM proxies (Evilginx, Modlishka) that relay the OTP in real time.
  • Push notifications — push-bombing (spam approvals until the user taps), social engineering ("IT needs you to approve"), and AiTM defeat these.
  • Email magic links — phishable; the link can be stolen at the inbox.
  • Knowledge-based questions — defeated by data breaches.

The reality is grim: every major MFA-bypass breach of the last three years (Uber, Twilio, Cisco, Cloudflare, Microsoft / Midnight Blizzard) defeated push or TOTP-based MFA.

Who needs it first

CISA and most ITDR guidance recommend a tiered rollout:

  1. Privileged users — IT, security, domain admins, cloud admins, source code owners, finance executives.
  2. High-target roles — anyone in support / sales who handles customer data and gets phished daily.
  3. All employees, eventually.

Implementation reality

  • Most major IdPs (Entra ID, Okta, Google, Auth0, Duo, Ping) support FIDO2.
  • Hardware keys cost $25–70/user; passkeys cost nothing extra.
  • The harder problems are enrollment (getting keys to remote employees), recovery (lost keys), and coverage (legacy apps that don't support FIDO2).

Editorial note

If your security budget can fund only one initiative this year, replacing push/TOTP MFA with FIDO2 for privileged users is almost certainly the highest-ROI option.

Standards & references