
Why Phishing-Resistant MFA Is the Future of Identity Security

Cybersecurity has entered a new era where identity is the primary attack surface. While organizations have made major strides adopting multi-factor authentication (MFA), attackers have adapted just as quickly—finding ways to bypass traditional methods with alarming success.

The reality?
Not all MFA is created equal.

To truly protect modern environments, businesses must move beyond legacy MFA and adopt phishing-resistant authentication.

The Problem with Traditional MFA

Standard MFA methods such as the following share one weakness: each relies on a code or an approval that the user supplies, and anything a user can supply can be captured and reused.

  • SMS-based codes
  • Authenticator app OTPs
  • Push notifications

Today’s attackers exploit this weakness through:

  • Phishing sites that capture login credentials and MFA codes in real time
  • MFA fatigue attacks (push bombing) that trick users into approving access
  • Man-in-the-middle attacks that replay valid authentication sessions

Because the credentials being used are technically legitimate, traditional MFA cannot distinguish between a real user and a compromised session.

What Is Phishing-Resistant MFA?

Phishing-resistant MFA is designed to eliminate the human factor and shared secrets entirely. Instead of relying on codes or approvals, it uses:

  • Public/private key cryptography
  • Device-bound credentials
  • Domain (origin) validation

This means authentication is cryptographically tied to the legitimate website or application. If a user is tricked into visiting a fake login page, the authentication simply fails—nothing is transmitted, and nothing can be stolen.

Key Technologies Behind Phishing-Resistant MFA

1. FIDO2 Security Keys

Hardware-based keys (e.g., YubiKey) that:

  • Store private keys securely on the device
  • Require physical interaction (touch or PIN)
  • Prevent credential theft entirely

2. Passkeys (FIDO2)

Modern, user-friendly authentication that:

  • Uses cryptographic key pairs
  • Eliminates passwords entirely
  • Works across devices and platforms

Passkeys are inherently phishing-resistant because they only respond to legitimate domains and never transmit reusable credentials.

3. Windows Hello for Business

A built-in Microsoft solution that:

  • Uses biometrics or PIN tied to device hardware (TPM)
  • Stores credentials locally (not in the cloud)
  • Enables passwordless, phishing-resistant sign-in

4. Certificate-Based Authentication (Smart Cards / PKI)

Common in regulated industries:

  • Uses digital certificates and cryptographic validation
  • Provides strong identity assurance
  • Meets compliance requirements like CJIS and federal standards

Why This Matters: The Data

  • Credential abuse is involved in a significant portion of breaches, often starting with phishing attacks
  • Traditional MFA can still be bypassed using social engineering or token interception
  • Phishing-resistant MFA eliminates entire categories of attacks, not just reduces risk

Keep in mind:

  • If credentials can be reused, they can be stolen.
  • If credentials are cryptographic and bound to a device, they cannot.

The Shift Away from Passwords

The move to phishing-resistant MFA aligns with a broader industry trend:

  • Microsoft now recommends eliminating password expiration policies because they often lead to weaker user behavior
  • Legacy MFA methods (SMS, voice, basic push) are being deprecated in favor of modern authentication approaches
  • Identity security is shifting toward:
    • Passwordless authentication
    • Risk-based access
    • Conditional Access policies

Aligning with Zero Trust

Phishing-resistant MFA is a cornerstone of Zero Trust security models, which assume:

  • No user or device is inherently trusted
  • Every authentication must be verified continuously
  • Identity must be cryptographically proven—not assumed

By implementing phishing-resistant methods, organizations:

  • Reduce reliance on human decision-making
  • Eliminate credential replay attacks
  • Strengthen compliance and cyber insurance posture

What BVA is Recommending

For your clients, the roadmap is clear:

Minimum Baseline

  • Enforce MFA across all users
  • Eliminate SMS-based authentication

Next Phase

  • Deploy Microsoft Authenticator with number matching
  • Implement Conditional Access policies

Modern Security Stack

  • Roll out Windows Hello for Business
  • Deploy FIDO2 security keys for admins and high-risk users
  • Enable passkeys across Microsoft 365 and business applications

Phishing attacks are no longer just opportunistic—they are automated, AI-driven, and highly targeted.

Traditional defenses are no longer enough.

Phishing-resistant MFA represents a fundamental shift in identity security, moving from:

  • Reactive → Preventative
  • User-dependent → Cryptographically enforced
  • Password-based → Passwordless

For organizations serious about reducing risk, this isn’t just an upgrade—it’s a necessity.
