Users are becoming more aware of phishing and better able to spot these attacks. However, the Verizon report notes that just 20 percent of users reported phishing in simulated attacks. Once users are hooked, it takes less than 60 seconds for them to click on a malicious link and give the attacker sensitive data, often their username and password.

Multifactor authentication (MFA) has long been used to thwart attacks that compromise credentials. However, security experts warn that legacy MFA solutions aren’t always effective against the latest attacks. Phishing-resistant MFA is needed.

Why Phishing Attacks Are Harder to Thwart

Generative AI has changed the game in phishing attacks. Traditionally, phishing emails were written manually by foreign attackers with limited command of English. They’d write phishing emails in their native language and use an online tool to translate the text. The result was often riddled with grammar and syntax errors that made phishing relatively easy to spot.

With gen AI, attackers can generate well-written, personalized emails that accurately simulate the style of the alleged sender. Users have a much harder time detecting these phishing attacks, making the “human firewall” less effective. MFA serves as a second line of defense when users take the bait.

Now attackers are using various techniques to defeat legacy MFA solutions. With push-bombing, attackers start with stolen credentials and then bombard the user with MFA push notifications. The goal is to wear down the user until they finally relent and approve the MFA request. In SIM swap attacks, cybercriminals trick the carrier into sending push notifications to a device they control.

What Is Phishing-Resistant MFA?

Phishing-resistant MFA provides an effective defense against these attacks. The best solutions use FIDO2, a passwordless authentication standard that combines multiple authentication methods, including passkeys, WebAuthn and biometric data. FIDO2 is an extension of the FIDO (Fast IDentity Online) open standard, which supports fingerprint scanners, voice and facial recognition, and other biometric technologies. It combines the best features of FIDO’s Universal Second-Factor Authentication (U2F) and Universal Authentication Framework (UAF).

U2F works with USB and near-field communication (NFC) tokens, while UAF works with a user’s mobile device to create a passwordless experience. Upon registration with a service that uses FIDO2, the user’s device generates a cryptographic key pair, retains the private key and registers the public key with the service. Public key cryptography ensures that only the user’s device can be used for authentication.

To authenticate using the private key, the user unlocks it on the local device by entering a PIN, using a fingerprint reader or through some other simple method. Once the private key is unlocked, authentication proceeds automatically.

Overcoming Implementation Challenges

In an advisory issued on Aug. 29, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies encouraged organizations to require phishing-resistant MFA wherever possible. Version 4.01 of the Payment Card Industry Data Security Standard recommends phishing-resistant authentication factors. Phishing-resistant MFA also plays a key role in the zero-trust model.

However, organizations face several hurdles when implementing phishing-resistant MFA. It can be difficult to integrate legacy systems and applications with phishing-resistant MFA systems. Users will require additional training and may be resistant to change or reluctant to submit biometric factors.

If you’re looking to use phishing-resistant MFA to protect against ransomware, account takeover attacks and other cyber threats, Technologent can help. Our security experts will help you define your requirements, evaluate various solutions, and roll out the technology with minimal impact to systems and users.

Media Contacts

Lee Yates
Technologent
Sr. Digital Marketing Manager
lee.yates@technologent.com