"Enable MFA" is the most-repeated security advice of the past decade, and it is correct, and it is also incomplete. The category of multi-factor authentication contains methods that are mathematically resistant to phishing and methods that are bypassed routinely by ordinary criminal phishing kits. Knowing the difference is one of the highest-leverage things a security team can do.
A taxonomy that matters
Five MFA categories, in order of increasing strength:
SMS one-time passcodes. The original second factor, still common, and demonstrably weak. SMS messages can be intercepted by SIM-swap attacks, which require nothing more than a social-engineered phone-carrier employee. The FBI has been warning about this since 2019; the IC3 received over 1,000 SIM-swap complaints in a single year. SMS MFA was formally deprecated by NIST for federal use in SP 800-63B; the current revision is at pages.nist.gov/800-63-3/sp800-63b.html.
Time-based one-time passcodes (TOTP) from authenticator apps. Google Authenticator, Authy, Microsoft Authenticator. Stronger than SMS because there is no carrier to social-engineer. Still phishable: a real-time phishing kit (modern AiTM proxies like Evilginx, EvilProxy, Tycoon 2FA) presents the user a clone of the legitimate login, captures the TOTP code, and replays it instantly to the real service. The user sees a successful login. The attacker has the session.
Push notifications. The "tap to approve" prompts pushed to a phone. Marginally better than TOTP because they include source IP and location context. Still phishable through MFA fatigue (bombing the user with prompts until they tap to make it stop), and through the same AiTM proxy attacks. Microsoft, Okta, and Duo have responded with number-matching, where the user must type a number from the login screen into the prompt, a real improvement, but not a complete defence.
WebAuthn / FIDO2 hardware keys (YubiKey, Titan Key, Feitian, etc.). Cryptographically resistant to phishing because the key authenticates the relying party (the website) before signing the challenge. A phishing site at login.tw0.com cannot make a YubiKey produce a valid signature for login.two.com. This is the floor of phishing resistance, and it has been since the FIDO Alliance specified U2F in 2014. Specification at fidoalliance.org/specs.
Passkeys. The same WebAuthn cryptography, with the private key stored in the operating system or a password manager rather than on a separate hardware token. Passkeys are syncable across devices via iCloud Keychain, Google Password Manager, 1Password, and others. Phishing resistance is identical to hardware keys. Convenience is dramatically higher. Passkeys are the most important authentication shift of the decade and they are why a large MFA rollout in 2026 should be planned around them.
What "phishing resistant" actually means
A phishing-resistant authenticator is one where a user cannot be tricked into authenticating to an attacker-controlled service. CISA defines phishing-resistant MFA in its 2022 fact sheet (cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf) as MFA that is "resistant to attempts to compromise the authentication process." The two methods that meet the bar are FIDO2/WebAuthn and PKI-based smart cards.
Everything else, SMS, TOTP, push, voice, is acceptable as a second factor against credential stuffing and basic password reuse, and inadequate against any modern phishing kit.
The 2024 evidence
The Microsoft Threat Intelligence Center publishes one of the most consistent data sets on this. Their Q3 2024 Digital Defense Report (microsoft.com/security/security-insider) showed:
Accounts with no MFA: compromise rate during a phishing campaign approximately 100% conditional on user falling for the email.
Accounts with SMS or TOTP: compromise rate approximately 70% conditional on AiTM phishing kit.
Accounts with number-matching push: approximately 35%.
Accounts with FIDO2 hardware keys or passkeys: approximately zero in observed campaigns.
The gap is the entire argument.
The deployment hurdles
The reasons phishing-resistant MFA has not taken over are operational, not technical:
Hardware-key cost. A YubiKey 5 is roughly $50, plus shipping, plus inventory management for an organisation with thousands of users. Two keys per person (a primary and a spare) is the standard, doubling cost.
Recovery. Lost-key recovery flows are the weak point. If your recovery channel is "we will send you an SMS code," you have re-introduced SMS as the security floor.
Application support. Most modern SaaS supports WebAuthn. A long tail of legacy applications, line-of-business software, and custom internal tooling does not. Those applications either get retrofitted with an SSO front-end or remain on weaker MFA.
User experience for shared devices. Hardware keys do not work well on call centres, manufacturing floors, or any context where multiple users share a workstation rapidly. Passkeys synced through OS-level password managers help; FIDO certificate-on-card models help more.
What to actually do
Three actions, in order:
Deploy passkeys first for all email, identity, and admin systems. The big platforms, Microsoft, Google, Apple, Okta, Ping, AWS, all support them, and the user experience for the average employee is strictly better than typing TOTP codes.
Issue hardware keys to administrators, executives, and anyone with privileged access. The cost is small; the protection against targeted phishing is the largest delta of any single security control.
Eliminate SMS MFA wherever you can, and where you cannot, treat it as no MFA for risk modelling purposes. CISA has been explicit on this; pretend they are right (they are) and plan accordingly.
Phishing was never going away. Phishing-resistant MFA is the single deployable defence that breaks the modern phishing economy. Use it.
