Phishing-resistant MFA - Corsica Technologies

Phishing-Resistant MFA: The Key to Blocking Account Takeover Attacks

Believe it or not, traditional MFA is no longer enough to block phishing attacks. Criminals are defeating this cybersecurity control in real time.  

This is why companies turn to phishing-resistant MFA.  

In fact, this MFA method is so effective, Corsica Technologies clients typically see fewer than 5 business email compromise incidents per year after they implement the control. 

Here’s everything you need to know about this powerful MFA method. 

Key takeaways:  

  • Traditional MFA is vulnerable to phishing attacks because it’s based on possession of a key, not on verified identity.  
  • Phishing-resistant MFA solves this problem by enforcing origin-bound authentication. 
  • Phishing-resistant MFA is much easier and cheaper to implement than you may expect.  
  • Phishing-resistant MFA is the first cybersecurity control that a company should implement if they don’t have it in place already. 

What is phishing-resistant MFA? 

Phishing‑resistant MFA (multi‑factor authentication) is a class of authentication methods that are designed to provide immunity to phishing attacks, even when a user is tricked into interacting with a fake login page or malicious prompt. Proper phishing-resistant MFA is based on the FIDO2/WebAuthn standard. The credential cannot be replayed, forwarded, or reused by an attacker, which is exactly what modern phishing kits rely on. 

What does NOT count as phishing-resistant MFA 

This is one of the most common points of confusion. These methods do not count as phishing-resistant MFA.  

  • Number matching. This approach reduces MFA fatigue/push-spam attacks, but it doesn’t verify the requester’s origin. It can be defeated by an adversary-in-the-middle (AiTM) proxy. 
  • Authenticator app push approvals. This approach has the same core vulnerability as number matching, regardless of the vendor. 
  • TOTP / time-based one-time passwords. These can be defeated by relay attacks. 
  • SMS OTP. This approach is phishable and vulnerable to SIM-swapping. 
  • Rolling 6-digit authenticator codes. This approach is not phishing-resistant. 

If an MFA method doesn’t enforce origin-bound authentication based on the FIDO2/WebAuthn standard, it’s not phishing-resistant.  

How does phishing-resistant MFA work? 

Phishing-resistant MFA is built on an open standard called FIDO2 (Fast Identity Online 2). It solves the core flaw of traditional MFA by enforcing origin-bound authentication. While traditional MFA is like a physical key that anyone can copy and use, phishing-resistant MFA is more like a biometric key. It only works in the hand it belongs to. 

Phishing‑resistant MFA prevents attacks by enforcing three core properties. 

  1. Cryptographic binding to the real service. The authentication secret is cryptographically bound to the legitimate domain and the specific user account. If the user is tricked into logging into a fake site, the authentication simply won’t work. 
  2. No shared secrets. In phishing-resistant MFA, there are no one-time codes to steal and no approval prompts to trick a user into clicking. The private key never leaves the user’s device or hardware key.  
  3. Origin verification. The authenticator verifies that the browser or app is communicating with the real site, not a phishing proxy or lookalike domain.  

Why is traditional MFA vulnerable to phishing attacks? 

Traditional MFA (multi‑factor authentication) is vulnerable to phishing because most legacy MFA methods still rely on shared, reusable secrets that attackers can trick users into giving away or approving in real time. 

Traditional MFA (SMS codes, app codes, push approvals) can still be defeated by: 

  • Real‑time phishing proxies (Adversary‑in‑the‑Middle attacks) 
  • MFA fatigue / push bombing 
  • Stolen session cookies or tokens 

What is the core flaw of traditional MFA methods? 

Traditional MFA methods don’t verify who is asking for the authentication. They only verify that someone has the right code. Any intermediary who can relay that code in real time can steal the session. 

Today’s attackers are also far stealthier than they were even two years ago. They used to set up forwarding rules, change passwords, add new authentication methods—noisy moves that detection tools flagged quickly. Now they simply operate on the stolen session token, stay quiet, and wait for the right moment to strike. With short-lived token configurations, they often move fast—which is exactly why the financial impact from a BEC happens so quickly once an account is compromised. 

How does an adversary-in-the-middle attack work? 

An adversary-in-the-middle (AitM) attack, also known as a reverse proxy attack, is one of the most common phishing strategies that can bypass traditional MFA. Here’s how it works. 

  1. The attacker sends a convincing phishing email. This message may come from a compromised business partner’s account. It may also contain an embedded link to a legitimate file-sharing platform like OneDrive or Dropbox. The email passes most filters because the link itself isn’t malicious.  
  2. The user clicks through, ending up on a fake login page that looks exactly like their real Microsoft login. Attackers will even scrape custom background images to make the page convincing.  
  3. The user enters their credentials. Meanwhile, the attacker is proxying everything the user types directly to the real Microsoft authentication system. When Microsoft sends the MFA prompt, the attacker relays it to the user, and the user completes it.  
  4. Microsoft sees a valid authentication and issues a session token. The attacker captures that token. Now they’re in. 

What happens after a phishing attacker defeats MFA? 

Once an attacker has bypassed traditional MFA and gained access to a mailbox, they typically don’t do anything immediately visible. They watch. 

They look for financial transactions such as invoices, wire instructions, and payment confirmations. When they see one in flight, they strike.  

The pattern is fairly common. A legitimate invoice is sent to a customer or vendor, and moments later a spoofed follow-up goes out with ‘corrected’ payment details. By the time anyone realizes the money went to the wrong place, it’s gone. Wired funds are extraordinarily difficult to recover. 

What types of accounts are targeted in phishing attacks? 

Any account is vulnerable to phishing attacks. However, criminals typically target the highest-value accounts, such as executives, finance personnel, accounts payable and receivable staff, and IT administrators. These accounts can cause the most damage when compromised. But threat actors are opportunistic—anyone whose account can serve as a launching pad for impersonation is a target. 

Can the impact of a phishing attack reach beyond our organization? 

Yes. The blast radius of a successful account takeover can easily extend beyond your internal systems and operations. A successful attack can damage relationships with customers, suppliers, and partners. For regulated businesses, an attack can be especially devastating, as the company may owe regulatory fines in addition to the direct financial and reputational damage of the attack.  

For community banks, healthcare organizations, manufacturers, and professional services firms serving their local communities, a breach requiring client disclosure can threaten the organization’s continuing existence. A large enterprise can weather the storm. A smaller organization built on trust may not survive. 

What are the methods for establishing phishing-resistant MFA? 

There are three primary methods for establishing phishing-resistant MFA.  

  • Passkeys – The most common and easiest to implement for most environments. A passkey stores a cryptographic credential on the user’s device and uses biometrics (fingerprint, face ID) or a PIN to authenticate. It works across platforms, and it’s typically recommended for the majority of users. 
  • Windows Hello for Business – Microsoft’s native phishing-resistant method for Windows devices. Uses a PIN or biometrics tied to the device’s TPM chip. The most convenient option for Windows laptops and desktops in Microsoft 365 environments. 
  • Certificate-Based Authentication (CBA) – The organization controls its own PKI and issues certificates to devices. This method is the most complex to implement; it’s typically reserved for organizations with specific compliance architecture requirements. Applies to roughly 2% of mid-market customers. 

In most deployments, the right answer is Windows Hello for Business on Windows devices + passkeys everywhere else. 

How do we deploy phishing-resistant MFA? 

Phishing-resistant MFA is easier to deploy than you might think. Here’s what it takes to do it properly.  

Licensing: You Probably Already Have It 

Good news for Microsoft 365 customers: you almost certainly already have everything you need. 

Phishing-resistant MFA enforcement requires Microsoft Entra ID Plan 1 (formerly Azure AD P1), which is included with Microsoft 365 Business Premium and M365 E3. If you’re on either of those plans, the cost to deploy is primarily labor, not new licensing. 

One important note: the operating level of an Entra tenant is determined by the highest license tier enabled in the tenant. Microsoft requires that every user who benefits from a Plan 2 feature must be separately licensed for it. Don’t use Plan 2 features on unlicensed users—it’s an EULA violation even when it works technically. 

Technical Components 

  • Conditional Access policies – Enforce FIDO2-compliant authentication methods as the only accepted methods.  
  • Registration campaigns – Guide users to enroll in the new method before enforcement goes live. Rushing enforcement without first completing registration creates a flood of support tickets.  
  • Exception scoping – Identify every place where legacy authentication must remain. For example, service accounts, legacy application integrations, VPN configurations, printers, scanners, and third-party apps integrated via SAML may not support FIDO2. This scoping work is critical to ensuring a smooth rollout. 

Technically, the core policy configuration takes an experienced engineer under an hour. The actual time investment is in the scoping: mapping authentication dependencies, designing exceptions, and staging a rollout that doesn’t break production systems the moment enforcement goes live. 

User Enrollment and Rollout Planning 

  • Start with high-value users – executives, finance, IT admins – before expanding to the full organization. 
  • Plan for 10–20% of users to need hands-on enrollment assistance. Common issues include missing Bluetooth modules on older laptops, users who prefer not to install an authenticator app on a personal device, or hardware compatibility problems. 
  • For users who can’t use mobile devices, FIDO2 hardware tokens (like YubiKeys) are a solid alternative. They’re straightforward to support long-term, though each user must initialize their own device – they can’t be pre-configured in bulk. 

The most important variable in a rollout isn’t technical. It’s executive alignment. When a CEO or CIO establishes a clear deadline and communicates that this is happening, it’s easier to align every department around a rollout. When leadership is ambivalent, the project can stall. This is a people-and-process project as much as a technology one. 

What are some common objections to phishing-resistant MFA? 

Phishing-resistant MFA is a powerful method for blocking account compromise attacks, but not everyone is ready to use it. Here are some common objections as well as explanations of why phishing-resistant MFA is the answer.  

“We do number matching. Isn’t that phishing-resistant MFA?” 

No. Number matching reduces MFA push-spam attacks, which is valuable. But it does not enforce origin-bound authentication. A reverse proxy attack defeats number matching just as easily as a simple push approval. 

“We have Duo. Doesn’t that cover us from account compromise attacks?” 

Duo may support phishing-resistant methods in certain configurations, but the majority of Duo deployments we see are using traditional MFA methods. More importantly, your Microsoft 365 environment can deliver equivalent or better capability natively, without additional licensing cost. Unless a specific Duo configuration is explicitly FIDO2-compliant, it doesn’t protect you from AiTM attacks. 

“It hasn’t happened to us.” 

The absence of a known incident isn’t evidence of protection—it’s evidence of current luck. With reverse proxy attack kits now commoditized and available in criminal marketplaces, the question isn’t whether your users will be targeted. It’s whether your controls will hold when they are. 

“Our users will complain.” 

Some will, temporarily. A phased rollout, clear communication from leadership, and a plan for the users who need enrollment help will smooth most of the friction. Compared to the disruption of a BEC incident—financial loss, legal exposure, client notification, reputational damage—the onboarding inconvenience is minor. 

“We’re too small to matter.” 

Threat actors aren’t selective. Automated phishing kits cast wide nets. Organizations in regulated industries—banking, healthcare, manufacturing, professional services—are increasingly attractive targets precisely because they handle sensitive data and financial transactions, often with less mature security controls than enterprise peers. 

“We’re already working on other security initiatives.” 

Unless phishing-resistant MFA is already in place, those other initiatives are less important than this one. The cybersecurity ROI comparison isn’t even close. Phishing-resistant MFA addresses the most active, high-frequency attack vector in today’s threat landscape with a relatively modest investment. If your team has bandwidth for one cybersecurity initiative right now, this is it. 

What we see across the Corsica Technologies customer base 

The pattern we observe here at Corsica mirrors what’s happening industry-wide. Customers who have completed phishing-resistant MFA deployments, even partial ones covering their highest-risk users, see a dramatic reduction in account compromise events. Those without it are managing BEC incidents at a frequency that has quietly become normalized, creating ongoing, compounding risk. 

The normalization is the problem. “Yeah, someone clicked on something” shouldn’t be a shrug moment. It’s a signal that your controls have a gap attackers are actively exploiting. 

We’re also seeing this topic surface in compliance audits and cybersecurity insurance renewals across regulated industries. Phishing-resistant MFA hasn’t broadly appeared on insurance application forms yet—but based on how quickly audit requirements are evolving, that’s a matter of time. Auditors are already testing social engineering tactics on service desk teams; MFA modernization is a natural companion requirement. Getting ahead of it now means a smoother path when the mandate becomes explicit. 

The takeaway: Implement phishing-resistant MFA 

Phishing-resistant MFA isn’t a nice-to-have. The threat it addresses—adversary-in-the-middle account takeover—is active, widespread, and growing. The investment required to deploy it is significantly smaller than most organizations expect. And the alternative is continuing to operate with controls that sophisticated attackers already know how to beat. 

If you’re not sure where your organization stands—what your current MFA configuration actually protects against, where your gaps are, and what a phishing-resistant rollout would look like for your specific environment—that’s exactly the kind of assessment we help with. 

As Vice President of Security Operations, Clayton Mach brings 15+ years of experience, a strong leadership perspective, and deep technical expertise to the everyday security operations of Corsica’s clients. His wide range of expertise—from ERP systems to network support, infrastructure deployment, and process auditing—equips him to apply a practical perspective to the rapidly evolving threat landscape faced by Corsica clients. He holds the professional development and success of his team members as his most satisfying accomplishments.
