What is Phishing-Resistant MFA?

Last updated on February 19, 2025

Phishing-Resistant Multi-Factor Authentication (MFA) is a type of authentication that is immune to every kind of social engineering, including but not limited to phishing attacks, Man-in-the-Middle (MiTM) attacks, and credential stuffing attacks. Phishing-Resistant Multi-Factor Authentication achieves phishing resistance by preventing the disclosure of shared secrets.

Why Companies Need Phishing-Resistant MFA

Phishing is one of the most common cybersecurity threats. Phishing attacks involve various malicious scams that steal user data, credit card numbers, and passwords. While you can employ tips to prevent phishing attacks, the best recommendation is to enable phishing-resistant MFA for your user logins.

Phishing attacks are no trifling matter. The FBI Internet Crime Report 2021 shows that out of all internet crime types, phishing and its subtypes, such as vishing, smishing, and pharming, claimed more victims than the following eight top-scoring crime types combined. The victim count of phishing attacks in 2021 was 323,972. To put this number into perspective, the second-highest non-payment/non-delivery crime scored 82,478 victims. That’s almost four times less!

Thankfully, the Internet Crime Reports for the last three years show increased phishing awareness and the emerging popularity of phishing countermeasures manifested through a slight decrease in the losses that phishing attacks cause, from $57,836,379 in 2019 to $54,241,075 in 2020 to $44,213,707 in 2021.

Government and Private Companies Take Steps to Prevent Phishing

Many private companies and government bodies recognize the need for phishing-resistant technologies in the contemporary world. As a leading example, the U.S. Government has mandated federal agencies to enforce Phishing-Resistant MFA by the end of Fiscal Year 2024. Also, NIST SP 800-63 Digital Identity Guidelines describes Phishing-Resistant MFA as verifier impersonation resistance. Verifier impersonation resistance is one of the requirements for achieving the highest Authenticator Assurance Level (AAL3) that some regulatory requirements might require.

The government is not the only place where Phishing-Resistant MFA finds use and stops cybercrimes. Security Key MFA is a type of phishing-resistant Multi-Factor Authentication that saved Cloudflare from getting hacked. Although the attack on Cloudflare was a sophisticated targeted phishing attack, security keys successfully thwarted it, saving the company from getting hacked.

Phishing-Resistant MFA is a powerful defense mechanism against even the most malicious phishing attacks. But what makes traditional MFA methods phishable?

How Can the Most Common Traditional MFA Methods Be Phished

Traditional Multi-Factor Authentication (MFA) can be phished through social engineering, vishing, smishing, pharming, and Man-in-the-Middle (MiTM) attacks. Let’s look at the most common traditional authentication methods and how hackers can compromise them through phishing.

Authentication methods that are not phishing-resistant include:

• SMS OTP
• Authenticator App OTP
• Push Notification
• Magic Link
• Password

SMS OTP

One-Time Passwords (OTPs) sent to the user’s SIM card are susceptible to many SIM attacks, including SIM swapping. OTPs can also be intercepted using interception bots and out-of-the-box attack software. This makes SMS 2FA phishable.

Authenticator App OTP

It does not matter if OTPs are sent via text message or generated by an authenticator app. Hackers can use social engineering to get to know the value of the current OTP from the user. They can use a fake website that asks the user to enter the code or even call the user and ask them for the code.

Push Notification

Push notifications are convenient, fast, and user-friendly. On the flip side, push notifications are susceptible to phishing. One popular phishing scam is forcing the victim to tap approve on their authenticator app by pestering the victim with continuous push requests. The victim might finally accept the request out of annoyance.

Magic Link

A Magic Link is a link that allows you to log in to your account. There is no way to check who opens the link. So, whoever opens the Magic Link gets access to the account. As a result, a hacker can trick you into sending them your link and then use the link to log in to your account.

Password

Last but not least, passwords are also a phishable MFA method. Many MFA solutions use the password as the first step of authentication. Unfortunately, hackers can intercept a password similarly to OTP codes. The most common trick is to send a link to a fake website that asks the user to enter their password. The user enters the password on the fake site, and the fake site transfers the password to the hacker. Then, the hacker can use the password on a legitimate site to access the user’s account.

How Does Phishing-Resistant MFA Improve on Traditional MFA

Phishing-Resistant MFA trumps traditional MFA by preventing even the most sophisticated social engineering scams and targeted phishing attacks. Airtight phishing resistance is possible thanks to multiple aspects of Phishing-Resistant Multi-Factor Authentication.

Phishing-Resistant MFA prevents phishing by:

1. Establishing strong binding
2. Using Asymmetric Cryptography
3. Responding only to trusted parties
4. Requiring authentication intent

Phishing-Resistant MFA Establishes Strong Binding

Unphishable MFA establishes a strong binding between the parties. The binding is achievable using cryptographic registration that may include identity proofing. In the case of phishing-resistant security keys (e.g., Yubico), each user receives a key explicitly issued for that user. Then, during the registration process, the private key residing inside the security key is inextricably connected to the relying party and never leaves the hardware key.

Phishing-Resistant MFA Uses Asymmetric Cryptography

Strong binding established between two parties, also known as a trust relationship, allows for using asymmetric cryptography. Asymmetric cryptography (also known as public-key cryptography) uses a keypair consisting of a public and private key. Each authentication requires both keys. So, nobody can perform authentication without the private key that is safely stored inside a tamper-proof hardware security key. Long story short, without taking physical possession of the security key, the hacker cannot perform authentication.

Phishing-Resistant MFA Only Responds to Trusted Parties

Phishing scams often involve attackers creating a fake website that looks exactly like a legitimate site or spamming the victim with push notifications to elicit a response. Through such kinds of attacks, hackers try to impersonate legitimate users. Phishing-Resistant MFA must prevent all verifier impersonation attacks and respond only to valid authentication requests from trusted parties. Unphishable MFA does that by verifying the validity of both parties.

Phishing-Resistant MFA Requires Authentication Intent

Phishing-Resistant MFA must demonstrate authentication intent from at least one authenticator as defined in NIST SP 800-63. It must establish authentication intent by prompting the user to take action that confirms the user’s active involvement in the authentication process. For example, FIDO2-compliant security keys establish intent by asking the user to touch the key during authentication.

Types of Phishing-Resistant MFA

The OMB M-22-09 Zero Trust Cybersecurity Principles Strategy describes two phishing-resistant technologies: the World Wide Web Consortium (W3C)’s open “Web Authentication” (WebAuthn) standard and the Federal Government’s Personal Identity Verification (PIV) standard.

WebAuthn Security Keys

The WebAuthn Security Keys are FIDO2-compliant phishing-resistant hardware keys you can use during authentication to online services. FIDO2-compliant security keys use the WebAuthn standard to enable FIDO Authentication using a standard web API.

PIV Smart Cards

Personal Identity Verification (PIV) is a standard described in NIST FIPS 201-3. PIV allows secure phishing-resistant authentication using smart cards.

Does Rublon Support Phishing-Resistant MFA?

Yes. Rublon supports WebAuthn/U2F security keys, such as the Yubico YubiKey series, including YubiKey Bio and other biometric security keys. Rublon also supports hardware and software FIDO2 passkeys.

Phishing-resistant security keys provide maximum protection and top security posture while being easy to use, which makes them the perfect choice for strong phishing-resistant MFA.

Get Rublon MFA and test our robust Multi-Factor Authentication: