Phishing-Resistant MFA.

MFA methods that cryptographically bind authentication to the legitimate web origin — FIDO2/WebAuthn passkeys, smart cards, and Windows Hello — rendering AiTM proxy phishing, MFA fatigue, and OTP interception ineffective. It belongs to the Identity & Access category of cybersecurity.

MFA methods that cryptographically bind authentication to the legitimate web origin — FIDO2/WebAuthn passkeys, smart cards, and Windows Hello — rendering AiTM proxy phishing, MFA fatigue, and OTP interception ineffective.

Phishing-resistant MFA is the category of authentication methods that cannot be intercepted, replayed, or tricked into authorizing the wrong relying party. The canonical examples are FIDO2 / WebAuthn (security keys, platform passkeys on Apple, Android, and Windows), PIV smart cards, and Windows Hello for Business. All of them share the same security property: the authenticator only generates a signature for the specific RP-ID (origin) it is presented with, so a credential registered with `login.example.com` cannot be coerced into signing a challenge from `login-evil.example.com`, even via a transparent AiTM proxy. They also defeat the lesser-but-common attacks that still work against TOTP and push-based MFA — MFA fatigue, push bombing, OTP-relay phishing kits (EvilProxy, Tycoon, Evilginx) — because there is no human-typed or human-tapped artifact for an attacker to relay. Major U.S. and European regulators (CISA, OMB M-22-09, ENISA, U.K. NCSC) have moved from 'use MFA' to 'use phishing-resistant MFA' guidance, and many enterprises now require it for privileged accounts and for any user accessing federated cloud services.

Defences for Phishing-Resistant MFA typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: FIDO2 MFA, Origin-bound MFA.