What makes an MFA method phishing-resistant?

An MFA method is phishing-resistant when the authentication credential cannot be captured by an adversary-in-the-middle (AiTM) attack. For FIDO2/WebAuthn, the credential is cryptographically bound to the origin (domain name) — the browser will not authenticate on any domain other than the one where registration occurred, making it physically impossible for a phishing site to obtain a valid credential even if the user completes the login flow.

Why can TOTP codes be phished?

TOTP (time-based one-time passwords, as used by Google Authenticator, Authy, etc.) are 6-digit codes valid for 30 seconds. A real-time phishing attack uses a proxy site that forwards the user's credentials and TOTP code to the real site immediately — within the 30-second validity window. The real site receives a valid code and grants access. The attacker now has a session. TOTP provides no cryptographic binding to the domain — the code is the same regardless of which site requests it.

What is FIDO2/WebAuthn and how does it prevent phishing?

FIDO2 (Fast IDentity Online) uses public-key cryptography. During login, the server sends a challenge including the origin (website domain). Your hardware key signs this challenge with a private key that never leaves the device. The signature is valid only for the specific domain it includes. If a phishing site requests authentication, the signed challenge will include the phishing domain — the real server's verification will fail because the origin doesn't match. The user cannot complete authentication on a fake site even if they try.

Are passkeys phishing-resistant?

Yes. Passkeys (the FIDO2 credential stored by your device rather than a hardware key) share the same origin-binding property. The cryptographic challenge includes the domain, and passkeys will only sign for the domain where they were registered. Google, Apple, and Microsoft passkey implementations are all phishing-resistant. Passkeys are more user-friendly than hardware keys for most consumers.

What should I do if my organisation still uses TOTP?

Use TOTP rather than SMS — it is more resistant to SIM swap and remote interception. But also use unique, strong passwords (generated by a CSPRNG, stored in a password manager), be vigilant about URL verification before entering credentials, and advocate internally for FIDO2/WebAuthn adoption. CISA's Phishing-Resistant MFA guidance explicitly recommends FIDO2 as the standard for high-value accounts and critical systems.

Which MFA Methods Actually Resist Phishing?

Multi-factor authentication is widely recommended as the primary defence against account takeover. This is correct — but it comes with an important caveat: most commonly deployed MFA methods do not resist phishing. Understanding which methods are genuinely phishing-resistant, and why, is critical for anyone making security decisions about their accounts or organisation.

MFA Phishing Resistance: The Full Ranking

MFA Method	Phishing-resistant	Why / Why not	NIST AAL
FIDO2/WebAuthn hardware key	✓ Yes	Cryptographic origin binding — cannot authenticate on wrong domain	AAL3
Passkeys (device-bound)	✓ Yes	Same origin binding as hardware keys — platform-managed	AAL2–3
TOTP authenticator app	✗ No	Codes can be forwarded in real-time AiTM attacks	AAL2
Push notification (Duo, Microsoft)	✗ No	MFA fatigue attacks — attackers spam push until user approves	AAL2
SMS OTP	✗ No	Forwardable + SIM swap + SS7 interception	AAL1
Email OTP	✗ No	Forwardable + email account compromise	AAL1

The Real-Time Phishing Attack (AiTM)

An adversary-in-the-middle (AiTM) phishing attack works as follows: the attacker sets up a proxy site that presents a legitimate-looking login page. When you enter your credentials and TOTP code, the proxy immediately forwards them to the real site. The real site responds with a valid session — the proxy captures this and delivers it to the attacker. The entire process completes in seconds, within the 30-second validity window of a TOTP code.

This attack defeats: TOTP, push notifications, SMS OTP, and email OTP — all four common MFA methods. It does not defeat FIDO2/WebAuthn because the cryptographic challenge is origin-bound and the phishing proxy cannot forge the real domain in the signed challenge.

Why FIDO2 Is Categorically Different

CISA's Implementing Phishing-Resistant MFA guidance is explicit: "phishing-resistant MFA" means specifically FIDO2/WebAuthn and Smart Cards (PIV). All other MFA methods, while better than no MFA, are categorised as not phishing-resistant.

Practical recommendation: For any account with significant value — email, banking, work systems — use a FIDO2 hardware key (YubiKey, Google Titan) or passkeys where available. For accounts that only support TOTP, use TOTP with a unique generated password — the combination significantly raises the bar even without phishing resistance.

MFA FIDO2 WebAuthn phishing-resistant TOTP hardware key

For informational purposes only. Phishing threats evolve constantly — always consult current NCSC, CISA, and your organisation's security team guidance for your specific environment.

← How to Detect a Fake Login Page How to Inspect a URL Before Entering Your Passwo →