Phishing-Resistant MFA
A category of multi-factor authentication that cannot be stolen or relayed by a fake website, because verification is cryptographically bound to the real domain.
Also known as: FIDO MFA, hardware-key MFA
Last reviewed: 10 June 2026
Standard MFA methods — such as SMS codes or time-based one-time passwords — can be bypassed by an attacker who tricks a victim into entering the code on a fake site, then immediately replays it on the real site. Phishing-resistant MFA closes this gap by using public-key cryptography that ties authentication to the legitimate origin (website address). If the user lands on a spoofed domain, the authentication simply fails because the cryptographic binding does not match.
The two main standards are FIDO2/WebAuthn (used by passkeys and hardware security keys) and certificate-based authentication. Government cybersecurity agencies now recommend phishing-resistant MFA for all high-sensitivity accounts, and financial regulators are beginning to require it for certain transactions.
For consumers, the practical takeaway is that switching from SMS codes to a FIDO2-based method — such as a passkey saved to a password manager or a physical security key — removes the most common MFA bypass technique used in targeted phishing attacks.
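The origin binding described above can be seen in the checks a WebAuthn relying party runs on each login response. The following Python sketch is an added example, not code from any particular product; the function names, domains and challenge value are constructed for illustration. It covers only the binding checks: verifying the signature over the authenticator data and the hash of the client data with the registered public key is a separate, required step that is not shown.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def check_origin_binding(client_data_json: bytes, authenticator_data: bytes,
                         expected_origin: str, rp_id: str,
                         expected_challenge: bytes) -> list[str]:
    """Return the names of failed checks; an empty list means the binding holds."""
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return ["clientDataJSON"]
    if not isinstance(client_data, dict):
        return ["clientDataJSON"]
    failures = []
    if client_data.get("type") != "webauthn.get":
        failures.append("type")
    # The challenge is single-use, so a captured response cannot be replayed later.
    if client_data.get("challenge") != b64url(expected_challenge):
        failures.append("challenge")
    # The browser, not the page, fills in the origin, so a look-alike site
    # cannot claim to be the real one.
    if client_data.get("origin") != expected_origin:
        failures.append("origin")
    # Authenticator data: 32-byte SHA-256 of the RP ID, 1 flags byte, 4-byte counter.
    if len(authenticator_data) < 37:
        return failures + ["authenticatorData"]
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash")
    if not authenticator_data[32] & 0x01:  # bit 0 = User Present
        failures.append("userPresent")
    return failures

def sample_response(origin: str, rp_id: str, challenge: bytes):
    """Build a constructed (not captured) response for the given origin and RP ID."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                      "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return cdj, auth

# Constructed values for the demonstration.
RP_ID, ORIGIN, CHALLENGE = "example.com", "https://example.com", b"constructed-challenge-0001"

if __name__ == "__main__":
    genuine = sample_response(ORIGIN, RP_ID, CHALLENGE)
    spoofed = sample_response("https://example.com.login.test", "example.com.login.test", CHALLENGE)
    print("genuine:", check_origin_binding(*genuine, ORIGIN, RP_ID, CHALLENGE))
    print("spoofed:", check_origin_binding(*spoofed, ORIGIN, RP_ID, CHALLENGE))
```

A one-time code has no equivalent of the `origin` and `rpIdHash` fields, which is why it verifies equally well no matter which site collected it.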