What is Phishing-Resistant MFA?
Multi-factor authentication methods that cannot be intercepted or replayed by phishing attacks, specifically FIDO2/WebAuthn hardware keys and passkeys.
Most MFA can be phished. Phishing-resistant MFA is the only authentication that can't.
What CAN Be Phished
- SMS codes: Man-in-the-middle proxies relay the code to the real site in real time
- TOTP codes: Same man-in-the-middle technique
- Push notifications: User may approve the wrong request (MFA fatigue)
- Email codes: Intercepted alongside phished passwords
What CANNOT Be Phished
- FIDO2/WebAuthn (hardware keys, passkeys): Credentials are cryptographically bound to the legitimate website's origin. A phishing site can't request them.
Why It's Phishing-Proof
- The browser checks the website's origin before using the credential
- Even a perfect visual clone of a login page has a different domain
- The cryptographic response is invalid for any domain other than the legitimate one
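The origin binding described above, as an added example in Go that is not part of this glossary: the browser records the origin it observed in clientDataJSON, the authenticator signs over that together with the RP ID hash, and the relying party rejects any response whose origin or RP ID does not match. The function names, the example.com domains and the challenge value are this example's own; clientDataJSON field names and the signature counter are simplified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

type Assertion struct{ AuthData, ClientDataJSON, Signature []byte } // what the relying party receives
type clientData struct{ Type, Challenge, Origin string }           // clientDataJSON fields used here (names simplified)
func registerCredential() (*ecdsa.PrivateKey, error) { // stands in for registration: a P-256 key pair for this RP
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signedMessage is what the authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// makeAssertion emulates browser plus authenticator: the browser, not the page, records the origin it observed.
func makeAssertion(priv *ecdsa.PrivateKey, rpID, observedOrigin, challenge string) (Assertion, error) {
	cdJSON, _ := json.Marshal(clientData{"webauthn.get", challenge, observedOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // rpIdHash || flags (user present); counter omitted
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	return Assertion{authData, cdJSON, sig}, err
}

// verifyAssertion is the relying party check: challenge, origin and rpIdHash first, then the signature over both.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, a Assertion) bool {
	var cd clientData
	want := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge ||
		cd.Origin != origin || len(a.AuthData) < 32 || string(a.AuthData[:32]) != string(want[:]) {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature)
}
func main() {
	priv, _ := registerCredential()
	for _, origin := range []string{"https://example.com", "https://example-login.com"} { // real site, then lookalike
		a, _ := makeAssertion(priv, "example.com", origin, "challenge-1") // same relayed challenge both times
		fmt.Println(origin, "accepted:", verifyAssertion(&priv.PublicKey, "example.com", "https://example.com", "challenge-1", a))
	}
}
```

The lookalike case models a relay proxy that forwards the genuine challenge: the signature is valid, but it covers the phishing origin, so the relying party rejects it, and rewriting the origin field afterwards breaks the signature instead.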
Recommendation
If you protect only one account with a hardware security key, make it your primary email account. All password resets flow through email — it's the master key to everything.
Related Terms
FIDO2
An open authentication standard that combines WebAuthn and CTAP protocols to enable passwordless and phishing-resistant login.
Multi-Factor Authentication
A security method that requires two or more different types of verification: something you know, something you have, or something you are.
Passkey
A passwordless authentication method using public-key cryptography, typically stored on your device and protected by biometrics or device PIN. Passkeys are phishing-resistant and designed to replace passwords entirely.
WebAuthn
A web standard that enables passwordless authentication using hardware security keys, biometrics, or platform authenticators.