Phishing-Resistant MFA

What is phishing-resistant MFA? 

Phishing-resistant Multi-Factor Authentication (MFA) is an authentication method that prevents malicious activity typically brought about through phishing scams. It doesn’t use shared codes or secrets at any point in the authentication process. Phishing-resistant MFA relies on public key cryptography, eliminating more vulnerable mechanisms such as passwords, security questions, OTPs, SMS, links, or push notifications.

There are four critical components of phishing-resistant MFA: 

  • Good connections between the authenticator and user identity;
  • Elimination of shared secrets;
  • Only responding to trusted parties; and,
  • Understanding user intent.

Types of phishing-resistant MFA

There are two types of phishing-resistant MFA you should be aware of. 


Major browsers, operating systems, and smartphones support the most widely available phishing-resistant MFA, FIDO, or WebAuthn authentication. Unlike traditional MFA, FIDO authentication does not use shared secrets, instead leveraging one of the following authenticators:

  • Separate physical tokens (roaming authenticators) connected to a device via USB or Near-Field Communication (NFC).
  • Platform authenticators embedded into laptops or mobile devices.

PKI-based MFA 

While less widely available than FIDO authentication, Public Key Infrastructure (PKI) MFA provides strong security, especially for large or complex organizations. A well-known example of PKI-based MFA is the smart cards US government staff use to access their computers. 

Only organizations with highly mature identity management practices should use PKI-based authentication. Many standard services and infrastructures don’t support this method, especially when Single Sign-On (SSO) technology isn’t available. Most PKI-based authentication methods use a security chip, usually embedded in a Personal Identity Verification (PIV) or Certificate-Based Authentication (CBA) card, in conjunction with a password or pin. 

Implementing phishing-resistant MFA 

Organizations looking to implement phishing-resistant MFA should ask themselves the following questions to ensure a smooth and logical migration: 

  • What resources do we need to protect? Attackers typically target remote access, email systems, and file servers to infiltrate an organization’s data, so decision-makers should prioritize those systems. Similarly, organizations should protect Active Directory (AD) servers, key servers, and domain controllers, since, if compromised, attackers could create or take control of accounts.
  • Who are our high-value targets? User accounts with elevated access privileges should be prioritized for phishing-resistant MFA implementation. For example, organizations should protect system administrator accounts, as a compromise could grant attackers access to any system or data. 

The future of phishing-resistant MFA 

While it is still a relatively new concept, phishing-resistant MFA is becoming increasingly common. Considering the Cybersecurity and Infrastructure Security Agency (CISA) “strongly urges all organizations implement phishing-resistant MFA to protect against phishing and other known cyber threats,” it’s exceedingly likely that most organizations will implement phishing-resistant MFA in coming years.

For more essential cybersecurity definitions, check out our other blogs below:  

21 Essential Cybersecurity Terms You Should Know

40+ Cybersecurity Acronyms & Definitions


Return to Cybersecurity Glossary

Phishing-Resistant MFA
Scroll to top