Ambimat Group · Ahmedabad, India · Est. 1981

Phishing-resistant MFA — what that actually means.

"Phishing-resistant" is a regulatory phrase (CISA, NIST AAL3, M-22-09). It has a precise technical meaning. This page is the engineering version: what makes WebAuthn phishing-resistant, what doesn't, and what compromises break the property.

The structural property

WebAuthn binds every credential to an origin, and the browser, not the relying party, enforces that binding. When a user visits a phishing site, the browser derives the RP ID from the page's own origin and passes its SHA-256 hash (the rpIdHash in the authenticator data) to the authenticator; the authenticator looks for a credential scoped to that RP ID, finds none (the user only ever registered with the legitimate origin), and refuses to assert. A phishing page cannot simply name the legitimate RP ID instead, because the browser rejects any RP ID that is not a registrable suffix of the origin it is actually running on.

This is structurally different from TOTP, push, SMS, and even legacy U2F-via-cross-origin: the user cannot accidentally hand their second factor to an attacker, because the second factor refuses to act outside its registered origin. The protection is at the protocol layer, not at the user layer.

What "MFA" doesn't get you

Method                              | Phishing-resistant? | Why / why not
------------------------------------+---------------------+-------------------------------------------------------------
SMS code                            | No                  | User reads the code and types it into the phishing page; the attacker forwards it. SIM-swap and SS7 attacks for free.
TOTP (authenticator app)            | No                  | User types the 6-digit code into the phishing page. The attacker has 30 seconds.
Push notification                   | No                  | User taps "approve" on the phone while the attacker is logging in elsewhere. Push fatigue is industrial-scale.
Magic link                          | No                  | Email is phishable. The magic link itself is a bearer token.
WebAuthn / passkey (BE=0)           | YES                 | Origin binding enforced by the browser; the private key never leaves the authenticator.
WebAuthn / synced passkey (BE=1)    | YES (with caveats)  | Same origin binding, but a cloud-account compromise affects the credential.

What can still go wrong

Phishing-resistance is a property of the cryptographic ceremony, not of the entire system. Things that can still go wrong:

  • Account-recovery phishing — if losing your key drops you back to a password, the password is now the weak link. Fix: enrol two authenticators, IT-mediated recovery only.
  • Session-token theft — once the user is signed in, the session cookie is a bearer token. Fix: a token-binding equivalent (DPoP, signed JWTs); short session lifetimes; device posture re-checks.
  • Consent-phishing inside an OAuth flow — the user authenticates legitimately, then approves an attacker-controlled scope. Fix: scope review, app-allow-listing.
  • Backed-up passkeys + cloud account compromise — if the platform vendor's cloud is compromised, syncable passkeys can leak. Fix: enforce BE=0 for high-assurance use.
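The relying-party side of the origin binding described above, plus the BE=0 policy check from the last item, as an added example that is not Ambimat's code or any library's API. It assumes a constructed challenge and a hypothetical RP (`example.com`, origin `https://login.example.com`) and stops at the point where the signature over the returned payload would be verified with the stored public key.

```python
import hashlib
import json
import struct

# Flag bits of the authenticatorData flags byte (WebAuthn Level 3, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: set on synced passkeys (BE=1)

# Constructed sample values for a hypothetical RP; not from any real deployment
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"
ALLOWED_ORIGINS = {"https://login.example.com"}
RP_ID = "example.com"


def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed 37-byte authenticatorData prefix: rpIdHash | flags | signCount."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def client_data(origin: str) -> bytes:
    """Constructed clientDataJSON as the browser (not the page) would write it."""
    return json.dumps({"type": "webauthn.get", "challenge": CHALLENGE, "origin": origin}).encode()


def check_assertion_binding(client_data_json: bytes, auth_data: bytes, expected_rp_id: str,
                            allowed_origins: set, expected_challenge: str, require_be0: bool = False):
    """RP checks that make the ceremony phishing-resistant. Returns (ok, reason, signed_payload);
    signed_payload is what the authenticator's signature must be verified over (not done here)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type", None
    if client.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay or stale ceremony)", None
    if client.get("origin") not in allowed_origins:  # browser-written origin, attacker cannot forge it
        return False, f"origin {client.get('origin')!r} is not registered for this RP", None
    if len(auth_data) < 37:
        return False, "authenticatorData too short", None
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match the expected RP ID", None
    if not flags & FLAG_UP:
        return False, "user presence not asserted", None
    if require_be0 and flags & FLAG_BE:
        return False, "credential is backup-eligible (BE=1); policy requires hardware-bound BE=0", None
    signed_payload = auth_data + hashlib.sha256(client_data_json).digest()
    return True, "binding checks passed", signed_payload
```

A relayed assertion from a look-alike origin fails on the origin check even when the attacker forwards it in real time, and a synced passkey is refused only when the high-assurance policy asks for BE=0.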

Regulatory mapping

Framework       | Level / scope        | Requirement and how WebAuthn maps
----------------+----------------------+-------------------------------------------------------------------
NIST 800-63-3   | AAL3                 | Phishing-resistant authenticator (hardware-bound multifactor crypto). FIDO2 with attestation-pinned hardware satisfies.
CISA            | Zero Trust Maturity  | Phishing-resistant MFA is the "Advanced" tier. WebAuthn / FIDO2 explicitly cited.
OMB M-22-09     | US federal           | "Agencies must require phishing-resistant MFA." WebAuthn is the canonical implementation.
PSD2 / SCA      | EU payments          | Strong Customer Authentication. WebAuthn satisfies inherence + possession when bound to certified hardware.