
Phishing-Resistant MFA - Unphishable Authentication


Phishing-Resistant MFA refers to a multi-factor authentication method that cannot be defeated even if credentials are stolen through a phishing attack. Specifically, this includes authentication based on FIDO2/WebAuthn and PKI (public key infrastructure). The U.S. Cybersecurity and Infrastructure Security Agency (CISA) positions phishing-resistant MFA as the "gold standard for MFA" and recommends that every organization adopt it.

CISA Recommendation and the U.S. Government Mandate

In January 2022, the Biden administration issued Office of Management and Budget (OMB) memorandum M-22-09, mandating that federal agencies adopt phishing-resistant MFA. This memorandum is part of the migration to a zero-trust architecture and states plainly that "SMS OTP and TOTP are not phishing-resistant." The backdrop is the rise of sophisticated attacks that traditional MFA could not prevent, such as the 2020 SolarWinds incident and the 2021 Colonial Pipeline attack.

Phishing-Resistant Methods vs. Non-Resistant Methods

Authentication method | Phishing resistance | AiTM resistance | MFA fatigue resistance
FIDO2 (passkey / security key)
PKI / smart card
TOTP (authenticator app)
SMS OTP
Push notification (no number matching)

Resistance to AiTM (Adversary-in-the-Middle) Attacks

An AiTM (Adversary-in-the-Middle) attack is a sophisticated technique in which the attacker places a reverse proxy between the user and the legitimate site, relaying and stealing credentials and session cookies in real time. When the user enters their password and OTP on the fake site, the attacker forwards them directly to the legitimate site to complete the login and seizes the issued session cookie. TOTP and SMS OTP are powerless against this attack.

Diagram: User -> Attacker proxy (relay) -> Legitimate site

FIDO2-based authentication cryptographically embeds the origin (domain) information in the signature, so a signature valid for the legitimate site is never generated while the user is on the attacker's proxy domain. This makes AiTM attacks structurally impossible. The article on the basics of two-factor authentication explains the differences between each method in detail.

Resistance to MFA Fatigue Attacks

An MFA fatigue attack (also called MFA bombing) is a technique in which the attacker repeatedly attempts to log in with a stolen password and floods the user with push notifications, hoping the user will mistakenly tap "Approve." In the 2022 Uber breach, the attacker used this technique to gain access to internal systems. FIDO2 authentication does not use push notifications and requires an active user action (a touch or biometric authentication), so fatigue attacks do not work. The article on MFA fatigue attacks explains real-world attack cases and countermeasures in detail.

Practical Considerations for Deployment

Deploying phishing-resistant MFA can technically be achieved by rolling out passkeys and security keys, but organization-wide deployment requires a phased approach. A realistic path is to start with privileged accounts (administrators and executives) and then expand to general employees. When migrating from an existing multi-factor authentication environment, rather than retiring TOTP immediately, set FIDO2 as the preferred method and keep TOTP as a fallback during a parallel-operation period. MFA security books on Amazon are also a useful reference for your deployment plan.

Real-World Use Cases

"Following CISA guidance, we switched all administrator accounts to require a YubiKey. Phishing-related incidents, which used to number two or three per month before the migration, have stayed at zero for the 18 months since. We are currently rolling out passkeys to general employees."

See also the security key deployment guide.
