Close Menu
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) Instagram Threads
Ransomnews
  • Home
  • News
  • Security
  • Privacy
  • Cybercrime
    • Threat Groups
    • Ransomware
    • Explainers
    • Stealer Logs
  • AI
  • OSINT
  • Tools
    • Ransomtracker
    • Stealercheck
    • FortiBleed Checker
  • About Us
Facebook X (Twitter) LinkedIn
Ransomnews
Security

Phishing-Resistant MFA: Which Authentication Methods Actually Work in 2026

Jesse William McGrawBy Jesse William McGrawApril 26, 2026No Comments5 Mins Read19 Views
Share Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Hardware security key deflecting a phishing hook representing phishing-resistant MFA
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

"Enable MFA" is the most-repeated security advice of the past decade, and it is correct, and it is also incomplete. The category of multi-factor authentication contains methods that are mathematically resistant to phishing and methods that are bypassed routinely by ordinary criminal phishing kits. Knowing the difference is one of the highest-leverage things a security team can do.

A taxonomy that matters

Five MFA categories, in order of increasing strength:

SMS one-time passcodes. The original second factor, still common, and demonstrably weak. SMS messages can be intercepted by SIM-swap attacks, which require nothing more than a social-engineered phone-carrier employee. The FBI has been warning about this since 2019; the IC3 received over 1,000 SIM-swap complaints in a single year. SMS MFA was formally deprecated by NIST for federal use in SP 800-63B; the current revision is at pages.nist.gov/800-63-3/sp800-63b.html.

Time-based one-time passcodes (TOTP) from authenticator apps. Google Authenticator, Authy, Microsoft Authenticator. Stronger than SMS because there is no carrier to social-engineer. Still phishable: a real-time phishing kit (modern AiTM proxies like Evilginx, EvilProxy, Tycoon 2FA) presents the user a clone of the legitimate login, captures the TOTP code, and replays it instantly to the real service. The user sees a successful login. The attacker has the session.

Push notifications. The "tap to approve" prompts pushed to a phone. Marginally better than TOTP because they include source IP and location context. Still phishable through MFA fatigue (bombing the user with prompts until they tap to make it stop), and through the same AiTM proxy attacks. Microsoft, Okta, and Duo have responded with number-matching, where the user must type a number from the login screen into the prompt, a real improvement, but not a complete defence.

WebAuthn / FIDO2 hardware keys (YubiKey, Titan Key, Feitian, etc.). Cryptographically resistant to phishing because the key authenticates the relying party (the website) before signing the challenge. A phishing site at login.tw0.com cannot make a YubiKey produce a valid signature for login.two.com. This is the floor of phishing resistance, and it has been since the FIDO Alliance specified U2F in 2014. Specification at fidoalliance.org/specs.

Passkeys. The same WebAuthn cryptography, with the private key stored in the operating system or a password manager rather than on a separate hardware token. Passkeys are syncable across devices via iCloud Keychain, Google Password Manager, 1Password, and others. Phishing resistance is identical to hardware keys. Convenience is dramatically higher. Passkeys are the most important authentication shift of the decade and they are why a large MFA rollout in 2026 should be planned around them.

What "phishing resistant" actually means

A phishing-resistant authenticator is one where a user cannot be tricked into authenticating to an attacker-controlled service. CISA defines phishing-resistant MFA in its 2022 fact sheet (cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf) as MFA that is "resistant to attempts to compromise the authentication process." The two methods that meet the bar are FIDO2/WebAuthn and PKI-based smart cards.

Everything else, SMS, TOTP, push, voice, is acceptable as a second factor against credential stuffing and basic password reuse, and inadequate against any modern phishing kit.

The 2024 evidence

The Microsoft Threat Intelligence Center publishes one of the most consistent data sets on this. Their Q3 2024 Digital Defense Report (microsoft.com/security/security-insider) showed:

Accounts with no MFA: compromise rate during a phishing campaign approximately 100% conditional on user falling for the email.

Accounts with SMS or TOTP: compromise rate approximately 70% conditional on AiTM phishing kit.

Accounts with number-matching push: approximately 35%.

Accounts with FIDO2 hardware keys or passkeys: approximately zero in observed campaigns.

The gap is the entire argument.

The deployment hurdles

The reasons phishing-resistant MFA has not taken over are operational, not technical:

Hardware-key cost. A YubiKey 5 is roughly $50, plus shipping, plus inventory management for an organisation with thousands of users. Two keys per person (a primary and a spare) is the standard, doubling cost.

Recovery. Lost-key recovery flows are the weak point. If your recovery channel is "we will send you an SMS code," you have re-introduced SMS as the security floor.

Application support. Most modern SaaS supports WebAuthn. A long tail of legacy applications, line-of-business software, and custom internal tooling does not. Those applications either get retrofitted with an SSO front-end or remain on weaker MFA.

User experience for shared devices. Hardware keys do not work well on call centres, manufacturing floors, or any context where multiple users share a workstation rapidly. Passkeys synced through OS-level password managers help; FIDO certificate-on-card models help more.

What to actually do

Three actions, in order:

Deploy passkeys first for all email, identity, and admin systems. The big platforms, Microsoft, Google, Apple, Okta, Ping, AWS, all support them, and the user experience for the average employee is strictly better than typing TOTP codes.

Issue hardware keys to administrators, executives, and anyone with privileged access. The cost is small; the protection against targeted phishing is the largest delta of any single security control.

Eliminate SMS MFA wherever you can, and where you cannot, treat it as no MFA for risk modelling purposes. CISA has been explicit on this; pretend they are right (they are) and plan accordingly.

Phishing was never going away. Phishing-resistant MFA is the single deployable defence that breaks the modern phishing economy. Use it.

Share. Facebook Twitter Pinterest LinkedIn Tumblr Telegram Email Copy Link
Previous ArticleZero Trust Architecture: Beyond the Buzzword
Next Article Anatomy of a Modern Phishing Campaign
Jesse William McGraw

Jesse William McGraw, also known as GhostExodus, is a former insider threat and threat actor. He became the first person in recent U.S. history to be convicted of corrupting industrial control systems. Today he focuses on threat intelligence, OSINT, and public speaking, using his knowledge to bring awareness to the security risks that organisations and individuals face.

Related Posts

FortiBleed: 75,000 cracked Fortinet firewalls, no zero-day needed

June 18, 2026

Top infostealer families in 2026: Lumma, RedLine, Vidar, StealC, and the new entrants

June 8, 2026

Stealer logs explained: what they hold, how they leak, and how to check yours

June 8, 2026

Comments are closed.

Facebook X (Twitter) LinkedIn
© 2026 Ransomnews.com

Type above and press Enter to search. Press Esc to cancel.

Cookies on Ransomnews

We use strictly-necessary cookies to run the site and may use first-party analytics to understand which articles are read. Some pages contain affiliate links — when you click one, the affiliate network sets cookies on the merchant's domain to attribute the referral. See the Cookie Policy and Affiliate Disclosure for detail.

RANSOMNEWS.COM

Tracking the criminal infrastructure of the internet.

Independent coverage of ransomware, breach economics, threat actors, privacy, AI security, and the open-source investigation toolkit.

// Topics

  • News
  • Security
  • Privacy
  • Cybercrime
  • AI
  • OSINT
  • Threat Groups
  • Stealer Logs
  • Ransomtracker
  • Stealercheck
  • FortiBleed Checker

// Site

  • About Us
  • Editorial Team
  • Contact
  • Tip Line
  • Editorial

// Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Funding & Independence
  • RSS Feed
© 2026 Ransomnews.com · Tracking the criminal infrastructure of the internet.