back arrowBack to Identipedia

Phishing-Resistant MFA Explained

Phishing resistant MFA thumbnail


Traditional login methods that use just a username and password are largely a thing of the past. By now, most end users are familiar with multi-factor authentication (MFA), which uses at least one second factor (if not more) to verify user identity. According to recent studies, 87% of employees use MFA, partly because 95% of companies now require it.

However, MFA is not a one-size-fits-all solution to privacy and security in authentication. Phishing attacks, with their ever-evolving sophistication, continue to prey on unsuspecting individuals, leaving a trail of compromised accounts and stolen information in their wake. 

Phishing-resistant MFA is an innovative approach that promises to reshape the security landscape. In this blog, we’ll cover phishing-resistant MFA and highlight why it should be an integral part of your security strategy. 

What is phishing?

Phishing is a form of social engineering. In a phishing attack, cybercriminals send fraudulent messages to their unsuspecting victims to solicit sensitive information, such as credit card information or account credentials. Users can put themselves at risk by directly responding to these messages, clicking on malicious links, or unintentionally downloading malware.

Phishing continues to be one of the most prevalent cyberattacks out there today. According to the FBI’s 2022 Internet Crime Report, 38% of all complaints received by the FBI IC3 were phishing-related. Phishing is one of the most common routes to broken authentication, in which attackers bypass the auth method for a given app or program and gain unauthorized access to a user’s account. From that position, they can steal or otherwise compromise sensitive data.

While MFA reduces the likelihood and impact of broken authentication, it can also be vulnerable to phishing. MFA fatigue can make users (and apps) susceptible to man-in-the-middle and other attacks, leading to MFA bypass. This is why phishing-resistant MFA is crucial.

What is phishing-resistant MFA?

Phishing-resistant MFA is an approach to MFA that accounts for its vulnerabilities, incorporating proactive safeguards to prevent attacks. Through strong authentication, risk-based analysis, and other mechanisms, phishing-resistant MFA is designed to prevent MFA bypass attempts.

Its main features include but are not limited to:

  • Strong authentication factors. The best MFA focuses on authentication factors that are hard for attackers to compromise and avoids factors prone to MFA bypass such as SMS authentication and push notifications.

  • Risk-based authentication. Secure MFA involves analyzing inputs like user activity and device details, stepping up authentication to align with perceived risk.

  • Behavioral analysis. MFA systems can also monitor user behaviors for typing or mouse activity anomalies, which could trigger additional authentication requirements.

  • Encryption and secure communication. Encrypting communication protocols between devices and the authentication server ensures information integrity across all logins.

  • Continuous monitoring and incident response. The safest MFA systems constantly scan system logs for signs of an attack, feeding intelligence into downstream security tools for incident response.

Developers can also add anti-phishing safeguards like URL validation and link filtering to MFA solutions, as well as build in mandatory training for MFA users.

How to implement phishing-resistant MFA

The first step in implementing phishing-resistant MFA should be identifying the resources you need to protect. 

  • For developers, this means thinking critically about the kinds of data and systems your app, website, or program will come into contact with. 

  • For organizations, this often means checking your MFA protocols against applicable compliance requirements.

Then, you’ll need to identify the likely avenues of phishing attacks and strategize ways to reduce their susceptibility. Once you have intelligence on what and whom to protect, you’ll need to develop protections and build them into or around your MFA system. Or, you could use a pre-configured phishing-resistant protocol.

FIDO / WebAuthn

The Fast IDentity Online (FIDO) Alliance oversees two widely used auth standards allowing for phishing-resistant MFA without using passwords. This is important because passwords and passphrases, no matter how strong, are among the weakest factors any auth system can use.

The FIDO2 standard allows users to log in to an app or program through hardware known as a FIDO authenticator. This authenticator can either be an external security key or a compatible device such as a smartphone or laptop. A registered device creates a keypair between a server and the hardware in question, which enables authentication.

Fig: How FIDO login works
Fig: How FIDO2 authentication works

FIDO2 has two critical parts: the Web Authentication API (WebAuthn) and the Client to Authenticator Protocol (CTAP). They enable authentication through possession/inherence factors and roaming authenticators, respectively.

FIDO2 and WebAuthn are ubiquitous, with supporting 95% of user devices. They’re effective at preventing phishing attacks by taking knowledge-based credentials out of the equation altogether.

PKI-based MFA

Although niche and targeted, one option for developers is MFA based on public key infrastructure (PKI). PKI mobilizes various software, hardware, and policies to create, manage, and use public keys to authenticate users’ identities.

PKI is complex and multifaceted, but the most critical components are:

  • Certificates, which grant access when a public-private keypair is validated

  • Certificate authorities (CA), which publish public keys used to authenticate users

  • Registration authorities (RA), who verify user identities (and may be the same as the CA)

You can apply variations of this method to all stages of your authentication process. Common examples include PKI-encrypted smart cards containing a user’s credentials that are held up to a physical scanner (typically in conjunction with one or more other factors, such as a PIN) to provide access.

Phishing-prone authentication methods to avoid

When selecting an auth method for your app, website, or program, it’s important to know that some are inherently more vulnerable to phishing. Here are some of the approaches you should avoid for that reason:

  • (Just) passwords: Password-based authentication is the most conventional and insecure auth method, especially when used on its own. It relies on a user memorizing and safeguarding a unique string of characters. Without additional factors required, a successful phishing attempt will immediately break authentication.

  • One-time password (OTP): OTP systems generate a password that a user can only use once, which prevents later unauthorized logins when a username-password pair is compromised. However, they remain vulnerable to phishing and interception through SIM swapping and MITM attacks.

  • Push notifications: This approach sends users a message to a second device or account, typically prompting an input to approve the access request. However, attackers can replicate these scripts, redirecting users and obtaining access to their accounts. Push notifications can also be a vector for MFA fatigue attacks, with adversaries sending repeated notifications to victims’ devices in an effort to bypass MFA.

Benefits of phishing-resistant MFA

Phishing-resistant MFA is a more intentional, proactive approach than traditional MFA. It takes phishing threats seriously by building measures that make attacks less likely to reach your users—and even less likely to compromise their accounts if they do. 

Phishing-resistant MFA: 

  • Reduces the attack surface of your auth system, removing easy targets like weak authentication factors.

  • Monitors for and adjusts according to patterns in your users’ behavior, removing attack vectors that cybercriminals could take advantage of.

  • Creates resilience with encryption by rendering stolen or leaked credentials unreadable.

In 2022, there were over 255 million phishing attacks, representing an 87% increase in attack volume (and a shocking 356% spike in advanced phishing) from 2021. Simply put, phishing isn’t going anywhere—and the most dangerous threats are growing fastest.

Luckily, there’s a way to keep phishing in check with simple, secure auth.

Implement secure MFA with Descope

MFA is significantly safer than individual authentication methods, but it’s not without its flaws. It can leave users open to phishing and social engineering attacks, allowing attackers to bypass MFA and break authentication. To stay safe, you should consider a phishing-resistant MFA solution.

Descope helps developers easily add MFA to their applications with a few lines of code. With support for strong authentication factors like passkeys and biometrics, risk-based authentication that identifies risky user signals, and secure session management, Descope enables secure MFA without increasing friction for legitimate users.

Sign up for a Free Forever account on Descope and start your MFA journey today.