MFA Guide: Phishing-Resistant Authentication
Multi-factor authentication (MFA) is the single most effective control against credential-based attacks. CISA recommends MFA as a baseline security measure, and Microsoft reports that MFA blocks 99.9% of automated credential attacks. But not all MFA is equal — SMS codes and authenticator app TOTP codes can be phished through real-time proxy attacks, while FIDO2 security keys and passkeys are cryptographically resistant to phishing.
Understanding the MFA spectrum is critical as AI-generated phishing campaigns increasingly target MFA workflows.
The MFA Phishing Resistance Spectrum
| MFA Method | Phishing Resistant? | How It Can Be Compromised |
|---|---|---|
| SMS codes | No | SIM swapping, real-time phishing proxies, smishing |
| Email codes | No | Email compromise, real-time phishing proxies |
| TOTP apps (Google Authenticator) | No | Real-time phishing proxies (Evilginx, Modlishka) |
| Push notifications | Partially | MFA fatigue (repeated push bombing) |
| Number matching push | Partially | Social engineering during active phishing session |
| FIDO2 security keys | Yes | Physical theft only (requires proximity) |
| Passkeys (device-bound) | Yes | Device compromise only |
| Passkeys (synced) | Mostly | Platform account compromise |
CISA and NIST explicitly recommend phishing-resistant MFA (FIDO2/WebAuthn) for privileged users and high-value systems.
How Phishing Defeats Traditional MFA
Real-Time Proxy Attacks
Tools like Evilginx2 and Modlishka set up a transparent proxy between the victim and the legitimate login page. The victim enters their username, password, and MFA code on what appears to be the real site. The proxy captures everything in real time and uses it to authenticate as the victim before the code expires.
This attack defeats SMS codes, email codes, and TOTP codes because each of them produces a value that the proxy can capture and forward to the real site within its validity window (typically 30-60 seconds). Nothing about the code ties it to the site the user is actually looking at, so the real service cannot tell a relayed code from one typed directly.
MFA Fatigue / Push Bombing
Attackers who have stolen a password trigger repeated push notification prompts on the victim’s phone. Eventually, the victim approves a prompt to stop the notifications — or accidentally taps “approve” while trying to dismiss them. Number-matching push (requiring the user to enter a displayed number) partially mitigates this but remains vulnerable during active social engineering.
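Push bombing leaves a distinctive trace in identity-provider logs: a burst of push prompts that the user denies or lets time out, sometimes followed by a single approval. The following detector is an added example written for this guide, not code from any vendor or from the original article. The key=value log format and the sample lines are constructed for the example; real products export their own schemas, so the parser is the part you would adapt.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// SampleLog is a constructed IdP export for this example (not a real product's format).
const SampleLog = `
2024-05-01T10:00:01Z user=alice method=push result=denied
2024-05-01T10:00:25Z user=alice method=push result=denied
2024-05-01T10:00:52Z user=alice method=push result=denied
2024-05-01T10:01:20Z user=alice method=push result=timeout
2024-05-01T10:01:48Z user=alice method=push result=denied
2024-05-01T10:02:15Z user=alice method=push result=approved
2024-05-01T10:03:00Z user=bob method=push result=denied
2024-05-01T10:03:40Z user=bob method=push result=approved
2024-05-01T10:04:10Z user=carol method=totp result=success
`

// PushEvent is one push prompt outcome. Anything other than "approved" (denied,
// timed out) is treated as an unanswered prompt, which is what a bombing burst looks like.
type PushEvent struct {
	When   time.Time
	User   string
	Result string
}

// Alert records a user who received at least threshold unapproved prompts inside window.
// ApprovedAfterBurst is the case to escalate first: the user may have given in.
type Alert struct {
	User               string
	Unapproved         int
	ApprovedAfterBurst bool
}

// ParsePushLog keeps only method=push lines and parses them into events.
func ParsePushLog(raw string) ([]PushEvent, error) {
	var out []PushEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		fields := strings.Fields(line)
		if len(fields) < 2 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		when, err := time.Parse(time.RFC3339, fields[0])
		if err != nil {
			return nil, fmt.Errorf("bad timestamp in %q: %w", line, err)
		}
		kv := map[string]string{}
		for _, f := range fields[1:] {
			if k, v, ok := strings.Cut(f, "="); ok {
				kv[k] = v
			}
		}
		if kv["method"] == "push" {
			out = append(out, PushEvent{When: when, User: kv["user"], Result: kv["result"]})
		}
	}
	return out, nil
}

// DetectPushBombing slides a time window over each user's prompts and raises one alert
// per user the first time the unapproved count inside the window reaches threshold.
func DetectPushBombing(events []PushEvent, window time.Duration, threshold int) []Alert {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var alerts []Alert
	for u, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
		start := 0
		for i := range evs {
			for evs[i].When.Sub(evs[start].When) > window {
				start++ // drop prompts that fell out of the window
			}
			unapproved := 0
			for _, e := range evs[start : i+1] {
				if e.Result != "approved" {
					unapproved++
				}
			}
			if unapproved < threshold {
				continue
			}
			a := Alert{User: u, Unapproved: unapproved}
			if i+1 < len(evs) && evs[i+1].Result == "approved" {
				a.ApprovedAfterBurst = true // the prompt right after the burst was accepted
			}
			alerts = append(alerts, a)
			break
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].User < alerts[j].User })
	return alerts
}

// Run applies the detector to SampleLog with a 10-minute window and a threshold of 5.
func Run() ([]Alert, error) {
	events, err := ParsePushLog(SampleLog)
	if err != nil {
		return nil, err
	}
	return DetectPushBombing(events, 10*time.Minute, 5), nil
}

func main() {
	alerts, _ := Run()
	fmt.Printf("%+v\n", alerts)
}
```

On the sample data only alice is flagged: five unapproved prompts in under two minutes, followed by an approval, which is exactly the sequence a fatigue attack aims for. Bob's single denial followed by an approval is ordinary behaviour and stays below the threshold. Tune the window and threshold to your tenant's normal prompt rate, and treat an alert with ApprovedAfterBurst set as a probable compromise rather than a nuisance.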
SIM Swapping
Attackers convince a mobile carrier to port the victim’s phone number to a new SIM, intercepting all SMS codes. This has been used in high-profile account takeovers including cryptocurrency thefts.
Why FIDO2 and Passkeys Are Phishing-Resistant
FIDO2 (Fast Identity Online 2) uses public key cryptography bound to the specific website origin. When you register a security key with bank.com, the key creates a unique key pair scoped to that exact domain, and at every login the browser tells the key which origin the page was loaded from. If an attacker sends you to bank-login.evil.com, the browser reports that origin, the key has no credential for it, and it refuses to authenticate.
This is a fundamental architectural defense, not a user behavior defense. The user does not need to notice the fake domain — the key handles it cryptographically.
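To make the origin binding concrete, here is a stripped-down model of the two halves of a WebAuthn login, written as an added example for this guide (it is not code from the FIDO Alliance, a browser, or the original article). The authenticator holds one key pair per relying-party ID; the relying party checks the origin recorded in clientDataJSON and the hash of its own ID before it even looks at the signature. Domain names, the challenge string and the simplified authenticator-data layout are constructed for the example; a real relying party also checks the ceremony type, the signature counter and user-verification flags.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Relying party (RP) settings; bank.com is the article's constructed example domain.
const (
	rpID           = "bank.com"
	expectedOrigin = "https://bank.com"
)

// clientData holds the clientDataJSON fields used here. The browser, not the web
// page, fills in Origin, so a phishing page cannot lie about where the user is.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what navigator.credentials.get() hands back to the RP.
type Assertion struct {
	AuthenticatorData []byte // SHA-256(rpId) (32 bytes) || flags (1) || signCount (4)
	ClientDataJSON    []byte
	Signature         []byte // ES256 (ECDSA P-256, DER) over AuthenticatorData || SHA-256(ClientDataJSON)
}

// signedMessage is the byte string the authenticator signs and the RP verifies.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Authenticator models a FIDO2 key: one key pair per RP ID, created at registration.
type Authenticator struct{ creds map[string]*ecdsa.PrivateKey }

// GetAssertion is the authenticator side of a login. The browser derives id and origin
// from the page the user is really on; with no credential for that RP ID the key refuses.
func (a *Authenticator) GetAssertion(id, origin, challenge string) (Assertion, error) {
	priv, ok := a.creds[id]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential for rpId %q: authenticator refuses", id)
	}
	cd, err := json.Marshal(clientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	h := sha256.Sum256([]byte(id))
	authData := append(append([]byte{}, h[:]...), 0x05, 0, 0, 0, 1) // flags UP|UV, signCount 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, nil
}

// VerifyAssertion is the RP side. The origin and rpIdHash checks make a login relayed
// through another domain fail before the signature is even examined.
func VerifyAssertion(pub *ecdsa.PublicKey, expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rpID))
	switch {
	case cd.Challenge != expectedChallenge:
		return errors.New("challenge mismatch: stale or replayed assertion")
	case cd.Origin != expectedOrigin:
		return fmt.Errorf("origin %q does not match %q", cd.Origin, expectedOrigin)
	case len(as.AuthenticatorData) < 37 || !bytes.Equal(as.AuthenticatorData[:32], want[:]):
		return errors.New("rpIdHash does not belong to this relying party")
	case !ecdsa.VerifyASN1(pub, signedMessage(as.AuthenticatorData, as.ClientDataJSON), as.Signature):
		return errors.New("signature invalid")
	}
	return nil
}

// Demo registers one key for bank.com and returns the RP outcome of three logins:
// genuine (nil), via a phishing page at bank-login.evil.com (the key refuses), and an
// assertion whose clientDataJSON carries the phishing origin (the RP rejects it).
func Demo() (genuineErr, refusedErr, originErr error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	key := Authenticator{creds: map[string]*ecdsa.PrivateKey{rpID: priv}}
	challenge := "constructed-random-challenge" // real RPs issue fresh random bytes per login
	good, _ := key.GetAssertion(rpID, expectedOrigin, challenge)
	genuineErr = VerifyAssertion(&priv.PublicKey, challenge, good)
	_, refusedErr = key.GetAssertion("bank-login.evil.com", "https://bank-login.evil.com", challenge)
	bad, _ := key.GetAssertion(rpID, "https://bank-login.evil.com", challenge)
	originErr = VerifyAssertion(&priv.PublicKey, challenge, bad)
	return genuineErr, refusedErr, originErr
}
```

Calling Demo() gives nil for the genuine login and an error for both phishing paths. The second path is the one a real proxy attack would hit: the browser on the phishing site asks the key for a credential scoped to the phishing domain, and none exists. The third path shows that even if something produced an assertion for bank.com from the wrong page, the origin the browser wrote into clientDataJSON would fail the relying party's check, and the signature would not cover the origin the server expected. Contrast this with a TOTP code, which carries no information about where it was typed.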
Security Keys (Hardware FIDO2)
Physical USB or NFC devices (YubiKey, Google Titan, Feitian) that generate and store the private keys on the device itself, so they cannot be exported or copied. These give the strongest protection: authentication requires both possession of the physical key and a user gesture (touch or tap) for every login.
Passkeys (Software FIDO2)
Passkeys use the same cryptographic protocol as hardware security keys but store the credential on your device (phone, laptop) and authenticate via biometrics (fingerprint, face) or device PIN. Synced passkeys can be backed up to platform accounts (Apple iCloud Keychain, Google Password Manager).
Implementation Guide
For Individuals
- Enable the strongest MFA available on every account — FIDO2 > passkeys > authenticator app > SMS (in order of preference)
- Register at least two security keys (one primary, one backup stored securely)
- Migrate away from SMS-based MFA wherever possible
- Set up passkeys for services that support them (Google, Apple, Microsoft, many banks)
- Store backup codes in a secure location (password manager or physical safe)
For Organizations
Priority 1 — Critical accounts:
- Mandate FIDO2 security keys for IT administrators, executives, and finance staff
- Disable SMS/TOTP as fallback methods for privileged accounts
- Require phishing-resistant MFA for VPN, email, and cloud admin access
Priority 2 — All employees:
- Deploy passkeys or authenticator apps as minimum MFA for all accounts
- Enable number-matching push notifications (stops blind push bombing, since the user must type the number shown on the login screen; it does not stop approval coaxed during live social engineering)
- Distribute security keys to all employees in high-risk roles (healthcare, financial)
Priority 3 — Customer-facing:
- Offer FIDO2/passkey options to customers
- Implement risk-based authentication that increases verification for unusual activity
- Phase out SMS-based 2FA for customer accounts
Integration with Other Defenses
MFA works best as part of a layered defense:
- DMARC/SPF/DKIM prevents domain spoofing that leads to credential harvesting
- Email filtering blocks phishing before it reaches users
- Zero trust architecture treats MFA as one signal among several (device posture, location, session risk) rather than the sole gate, so a phished factor alone does not grant access
- Security awareness training teaches users to recognize phishing before entering credentials
MFA Recovery Planning
Strong MFA creates a recovery challenge. Plan for:
- Lost security keys: Require registration of at least two keys, with one stored off-site
- Lost devices: Maintain backup authentication methods for passkey recovery
- Account lockout: Establish verified identity recovery procedures that do not rely on phishable methods
- Employee offboarding: Revoke MFA registrations when employees leave
Key Takeaways
- MFA blocks 99.9% of automated credential attacks, but not all MFA methods resist phishing
- SMS codes, email codes, and TOTP can all be captured by real-time phishing proxies
- FIDO2 security keys and passkeys are cryptographically phishing-resistant — the key refuses to authenticate on fake domains
- Mandate FIDO2 for privileged accounts; deploy passkeys or authenticator apps for all users
- Register at least two security keys per account to avoid lockout
- MFA is most effective when combined with email authentication, filtering, and training
For the complete phishing defense framework, see our phishing recognition and reporting guide.
Sources
- CISA Phishing Guidance: Stopping the Attack Cycle at Phase One
- NIST SP 800-63B: Digital Identity Guidelines — Authentication and Lifecycle Management
- FBI IC3 2024 Internet Crime Report
Security education disclaimer: This article discusses authentication vulnerabilities for educational purposes only. Understanding how MFA can be bypassed helps organizations choose phishing-resistant methods. Do not use this information for unauthorized access.