---
url: 'https://www.corbado.com/glossary/phishing-resistant-mfa'
title: 'Phishing-Resistant MFA'
description: 'Phishing-resistant MFA blocks credential phishing by using authentication factors that cannot be phished or relayed to another site, strengthening the security posture of a system.'
lang: 'en'
keywords: 'phishing-resistant mfa'
---

# Phishing-Resistant MFA

## What is Phishing-Resistant MFA?

**Phishing-resistant multi-factor authentication (MFA)** is an authentication
strategy designed to protect against [phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed)
by ensuring that nothing a user can be tricked into revealing or approving is of any use
to an attacker on another site. Conventional MFA factors such as passwords, SMS codes or
OTPs are secrets the user can type into a fake page; [phishing](https://www.corbado.com/glossary/phishing)-resistant
MFA instead relies on mechanisms like FIDO
[authenticators](https://www.corbado.com/glossary/authenticator), whose credentials are bound to the
legitimate website, so they resist [phishing](https://www.corbado.com/glossary/phishing), adversary-in-the-middle
proxies and credential replay.

With around 80% of data breaches involving compromised credentials,
[phishing](https://www.corbado.com/glossary/phishing)-resistant MFA is increasingly recognized as essential for
improving cybersecurity defenses.

> - **Phishing-resistant MFA** prevents phishing by requiring authentication factors that
>   cannot be phished: there is no reusable secret for a user to hand over.
> - Techniques like FIDO [authenticators](https://www.corbado.com/glossary/authenticator) offer robust protection
>   against a range of phishing and cyber attacks, as they bind credentials to a
>   [relying party](https://www.corbado.com/glossary/relying-party) ID.
> - It's essential for securing access to sensitive data and critical systems, significantly
>   reducing the risk of data breaches.

---

### Key Characteristics

- **Strong Authenticator and User Identity Binding:** a secure, cryptographically proven
  relationship between the user and the [authenticator](https://www.corbado.com/glossary/authenticator) - be it a
  hardware [security key](https://www.corbado.com/glossary/security-key) (e.g. [YubiKey](https://www.corbado.com/glossary/yubikey)) or a
  device with a hardware-backed key store (e.g. a TPM or the
  [Secure Enclave](https://www.corbado.com/glossary/secure-enclave)).
- **No Shared Secrets:** each credential is a unique public/private key pair
  (asymmetric cryptography). The private key never leaves the authenticator and every login
  signs a fresh server challenge, so captured traffic cannot be replayed and a
  man-in-the-middle has nothing useful to forward.
- **Trusted Parties Only:** credentials are scoped to a known party (the
  [relying party](https://www.corbado.com/glossary/relying-party) ID in WebAuthn / passkey authentication) and the
  signed response includes the origin the browser was actually on, so a look-alike domain
  cannot use them.
- **User Intent:** active user participation (a touch, PIN or biometric) is required,
  ensuring users are aware of and consent to each login attempt.

### Comparison of Authentication Methods

| **Authentication method**        | **Phishing-Resistant** | **Explanation**                                                                                                        |
| -------------------------------- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| Password                         | ❌                     | Can be easily phished through fake websites and social engineering.                                                    |
| SMS OTP                          | ❌                     | Can be phished through fake websites, relayed in real time by a proxy, or captured via SIM swapping.                   |
| Email OTP                        | ❌                     | Can be phished by tricking users into entering codes on malicious sites.                                               |
| TOTP (e.g. Google Authenticator) | ❌                     | A code is only valid for a short window, but a real-time phishing proxy relays it to the real site within that window. |
| Push Notification (e.g. Duo)     | ❌                     | Can be phished through fake prompts, prompt bombing or social engineering: the user approves a login the attacker started. |
| Passkey                          | ✅                     | Uses public-key cryptography and is bound to the origin, preventing phishing.                                          |
| FIDO2 Security Key               | ✅                     | Uses origin-bound keys and challenge-response, making them phishing-resistant.                                         |
| Smart Card                       | ✅                     | The private key stays in the card's secure element and signs a challenge (typically in a TLS client-certificate handshake), so the credential cannot be replayed elsewhere. |

For a comprehensive comparison of passkeys,
[passwordless authentication](https://www.corbado.com/glossary/passwordless-authentication) and
phishing-resistant MFA, see our detailed blog post on Passkeys vs. Passwordless vs.
Phishing-Resistant MFA. To understand how passkeys relate to traditional two-factor
authentication, see
[Are Passkeys Two-Factor Authentication?](https://www.corbado.com/blog/passkeys-vs-2fa-security).

---

## Phishing-Resistant MFA FAQs

### How does phishing-resistant MFA differ from traditional MFA?

Phishing-resistant MFA uses protocols like [FIDO2](https://www.corbado.com/glossary/fido2) /
WebAuthn that are specifically designed to defeat
[phishing attacks](https://www.corbado.com/blog/3ds-authentication-failed). The credential is bound to the
legitimate website: the authenticator signs a server challenge together with the origin the
browser is on, using a private key that never leaves the device, so an attacker on a
look-alike domain cannot obtain a response the real site will accept. Traditional MFA codes,
by contrast, are secrets the user can be tricked into typing into the wrong site.

### What are examples of phishing-resistant MFA technologies?

Examples include [FIDO2](https://www.corbado.com/glossary/fido2) /
[WebAuthn security keys](https://www.corbado.com/blog/best-fido2-hardware-security-keys), passkeys and PIV smart
cards, all of which rely on public-key cryptography and scope each credential to the relying
party it was created for, so it cannot be used from another site.

### What do regulators say about phishing-resistant MFA?

[CISA](https://www.corbado.com/blog/cisa-passkeys-authentication) strongly recommends phishing-resistant MFA and
specifically endorses [FIDO2](https://www.corbado.com/glossary/fido2)-based passkeys. The Essential Eight
framework in Australia requires it for critical systems. The EU's
[PSD2](https://www.corbado.com/blog/psd2-passkeys) mandates strong customer authentication (SCA), whose
requirements are aligned with phishing-resistant MFA principles.
