Phishing-Resistant MFA.

MFA methods that cryptographically bind authentication to the legitimate web origin — FIDO2/WebAuthn passkeys, smart cards, and Windows Hello — rendering AiTM proxy phishing, MFA fatigue, and OTP interception ineffective. Cette notion relève de la catégorie Identité et accès en cybersécurité.

MFA methods that cryptographically bind authentication to the legitimate web origin — FIDO2/WebAuthn passkeys, smart cards, and Windows Hello — rendering AiTM proxy phishing, MFA fatigue, and OTP interception ineffective.

Phishing-resistant MFA is the category of authentication methods that cannot be intercepted, replayed, or tricked into authorizing the wrong relying party. The canonical examples are FIDO2 / WebAuthn (security keys, platform passkeys on Apple, Android, and Windows), PIV smart cards, and Windows Hello for Business. All of them share the same security property: the authenticator only generates a signature for the specific RP-ID (origin) it is presented with, so a credential registered with `login.example.com` cannot be coerced into signing a challenge from `login-evil.example.com`, even via a transparent AiTM proxy. They also defeat the lesser-but-common attacks that still work against TOTP and push-based MFA — MFA fatigue, push bombing, OTP-relay phishing kits (EvilProxy, Tycoon, Evilginx) — because there is no human-typed or human-tapped artifact for an attacker to relay. Major U.S. and European regulators (CISA, OMB M-22-09, ENISA, U.K. NCSC) have moved from 'use MFA' to 'use phishing-resistant MFA' guidance, and many enterprises now require it for privileged accounts and for any user accessing federated cloud services.

Les défenses contre Phishing-Resistant MFA combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.

Noms alternatifs courants : FIDO2 MFA, Origin-bound MFA.