What is phishing-resistant MFA?

By Identra · Updated

Phishing-resistant MFA is multi-factor authentication that cannot be defeated by tricking the user, because the authenticator cryptographically verifies the site it is signing in to. FIDO2/WebAuthn passkeys and PKI smart cards qualify; SMS codes, OTP apps, and push approvals do not, since attackers can relay them through fake login pages in real time.

Key numbers

How phishing-resistant MFA works

The defining property is origin binding. A FIDO2/WebAuthn authenticator (a passkey on a phone or laptop, or a hardware security key) holds a private key that is never disclosed to the site being signed in to, or to a phishing page; synced passkeys replicate it only between the user's own devices. At login, the browser passes the site's origin into the signing ceremony, and the authenticator signs a challenge that is valid only for the domain the credential was registered on. A fake login page at a lookalike domain receives a signature that fails, or no signature at all, because the credential simply does not exist for that origin.

The user cannot be talked out of this protection. There is no code to read over the phone, nothing to type into the wrong page, and no approval prompt to fat-finger. CISA's 2022 guidance names FIDO/WebAuthn authentication the gold standard of MFA, alongside PKI-based methods such as smart cards, which achieve the same property through certificate-based mutual authentication.

Why OTP and push approvals are phishable

Any factor a user can read, type, or approve can be relayed. Modern phishing kits run as reverse proxies: the victim lands on a pixel-perfect clone that forwards every keystroke to the real site, so the real site sends a real OTP challenge, the victim enters the real code, and the proxy passes it through. Push approval fares no better; the attacker's relayed login triggers a genuine push, and the victim, who believes they are signing in, taps approve. Microsoft's telemetry recorded 146% year-over-year growth in these adversary-in-the-middle attacks in its 2024 Digital Defense Report, with phishing-as-a-service platforms selling the capability by subscription.

MethodPhishable?Why
SMS or voice OTPYesCode can be relayed in real time; also exposed to SIM swap
Authenticator app OTP (TOTP)YesCode can be relayed through a proxy within its validity window
Push approvalYesAttacker's relayed login triggers a real prompt the victim approves
Number matching pushMostlyRaises friction, but AitM proxies can display the matching number
FIDO2/WebAuthn passkeysNoSignature is bound to the registered origin; wrong domain fails
PKI smart cardsNoCertificate-based authentication with no user-relayable secret

What AitM defeats, and what it cannot

An AitM proxy defeats every factor that travels through the user: passwords, OTP codes, push approvals, and number matching. Its real prize is not the login but the session cookie the real site sets after authentication succeeds; the proxy captures that cookie and replays it, giving the attacker a fully authenticated session with MFA already satisfied.

What AitM cannot do is forge a WebAuthn signature. The proxy sits on the wrong domain, so the origin check fails before any secret changes hands. This is why phishing-resistant MFA is not an incremental improvement over OTP but a categorical one: it removes the human from the verification path rather than asking the human to be more careful.

The residual gap: sessions outlive the login

Phishing-resistant MFA protects one moment, the authentication ceremony. Everything after that moment rides on a bearer artifact, typically a session cookie or access token, that any holder can replay. Infostealer malware lifts these tokens from browser storage on compromised endpoints, skipping the login page entirely, and no MFA method of any strength is consulted when a stolen token is presented. Microsoft reported 147,000 detected token replay attacks in 2023, up 111% year over year.

Token binding and device-bound session credentials aim to close this gap, but deployment remains partial across browsers and identity providers. Until sessions are verified continuously rather than only at issuance, a phished session token buys the same access as a phished password once did.

The second residual gap: non-human identities have no MFA

MFA of any kind assumes there is a person available to present a second factor. Service accounts, CI/CD pipelines, workloads, and AI agents authenticate with static keys, tokens, or certificates, and none of them can tap a push prompt or touch a security key. CyberArk's 2025 Identity Security Landscape puts machine identities at 82 times the human population in the average enterprise, which means the strongest MFA program on earth covers a shrinking minority of the identities that actually hold access.

For these actors, the equivalents of phishing resistance are workload-issued short-lived credentials, mutual TLS, and continuous verification of what each identity does after it authenticates. The pattern behind the human control still applies: remove replayable secrets from the path. The essay The Non-Human Majority covers why this population, not the human one, now defines the identity attack surface.

How do you deploy phishing-resistant MFA?

CISA recommends a phased rollout rather than waiting for universal coverage:

  • Start with high-value targets: admins, executives, help desk, and identity infrastructure operators
  • Move hosted email and SSO first, since most major providers already support FIDO2
  • Disable weaker fallback methods for enrolled users, or attackers will simply request the downgrade
  • Prefer passkeys for workforce scale and hardware keys for the highest-privilege roles
  • Pair login-time strength with session monitoring, because token theft bypasses the login entirely

How Identra thinks about it

Phishing-resistant MFA is necessary and worth deploying everywhere it fits. Our caveat: it hardens exactly one moment for exactly one population: the human login. Attackers have already moved to the two places it does not reach, the session that lives on after authentication and the non-human majority that never sees a login prompt at all. AI agents sharpen both gaps at once, since an agent holds tokens, acts continuously, and has no second factor to present. The durable control is runtime identity verification: treating every live session, human or not, as something to be observed and constrained while it runs, not something proven once at the front door.

Go deeper: The Non-Human Majority

Frequently asked questions

What makes MFA phishing resistant?

Origin binding. A FIDO2/WebAuthn authenticator signs a challenge that is valid only for the domain the credential was registered on, so a lookalike phishing site gets a failed signature or none at all. There is no code to read or approval to tap, which removes the human from the verification path entirely. PKI smart cards achieve the same property.

Which MFA methods count as phishing resistant?

FIDO2/WebAuthn passkeys, hardware security keys, and PKI-based methods such as smart cards qualify; CISA calls FIDO authentication the gold standard. SMS and voice codes, authenticator app OTPs, and push approvals do not, because a reverse-proxy phishing kit can relay each of them to the real site in real time while the victim believes they are logging in.

Are passkeys the same as phishing-resistant MFA?

Passkeys are the most common implementation of it. A passkey is a FIDO2/WebAuthn credential whose private key is never disclosed to the relying party or a phisher (synced passkeys replicate it only across the user's own devices) and whose signature is bound to the registered origin, so it cannot be relayed through a fake page. Phishing-resistant MFA is the broader category, which also includes hardware security keys and PKI smart cards.

What attacks does phishing-resistant MFA not stop?

It hardens one moment, the login ceremony, for one population, humans. It does not protect the session token minted after authentication, which infostealers steal from browser storage and replay without any MFA check. And it cannot cover machine identities, which outnumber humans 82 to 1 and authenticate with static keys rather than second factors.

Related terms