What Is a Phishing-Resistant Identity?
A phishing-resistant identity uses authentication that cannot be forwarded to a fake site. Here is what that means and why it matters.
The phrase “phishing-resistant identity” entered mainstream security guidance in 2022 when the US government issued executive orders requiring agencies to deploy phishing-resistant MFA on critical systems. CISA’s guidance, NIST’s updated standards, and major cloud providers’ product roadmaps converged on the same framework over the following two years. By 2026, phishing-resistant identity is the recommended standard for any account where compromise has serious consequences.
This post is the long answer to “what is a phishing-resistant identity?”, how it differs from regular MFA, and why it matters for email security specifically.
The Definition
A phishing-resistant identity is one that uses authentication mechanisms that cannot be successfully relayed by a phishing proxy to the real service. The defining property is that the authentication is bound to the real login URL in a way the attacker cannot replicate.
Two implementation paths qualify in 2026:
Hardware security keys with FIDO2 / WebAuthn. Physical devices (YubiKey, Google Titan, Feitian, and others) that store private keys and sign cryptographic challenges. The keys are bound to the domain in the cryptographic protocol; a key registered for bigbank.com cannot be tricked into producing a signature that works for phishing-site.com.
Passkeys. Software-based FIDO2 implementations stored on the user’s devices and often synced through Apple iCloud Keychain, Google Password Manager, or Microsoft account services. Same underlying cryptography as hardware keys, with a different storage and sync model.
Both are phishing-resistant in the cryptographic sense. Both defeat adversary-in-the-middle phishing kits that successfully bypass app-based and SMS-based MFA.
Why Regular MFA Is Not Phishing-Resistant
Most MFA mechanisms in widespread use have a structural vulnerability: the second factor is something the user types, taps, or speaks, which can be forwarded by a phishing proxy in real time.
SMS codes. The user receives a six-digit code via text and types it into the login page. A phishing kit displays a fake login page, captures the user’s password and code as they are entered, and forwards both to the real site within seconds. The real site authenticates correctly. The attacker has the resulting session.
App-based codes (TOTP). Same vulnerability. The user opens Google Authenticator or Microsoft Authenticator, reads the rotating six-digit code, and types it into the login page. The phishing proxy captures and forwards it.
Push notifications. The user receives a push on their phone and taps “Approve” or “Deny.” The phishing kit triggers the real site’s push notification (because the kit is logging in as the user using the captured password). The user, expecting their own login attempt, taps Approve. The real site authenticates the kit’s session.
Number matching. A more recent push variant where the user must enter a number from the login screen into the push notification. Resistant to MFA fatigue but still vulnerable to AiTM if the user is careless about which number they are confirming.
The shared structural property: the second factor passes through the user’s keyboard, screen, or tap, which means the attacker’s proxy can capture it. The proxy completes the real authentication in real time using the captured input.
Industry data shows AiTM phishing kits are widely used and effective against app-based MFA. Microsoft, CISA, and the major cloud providers have all issued guidance pointing to FIDO2 / passkeys as the resilient alternative.
How FIDO2 / WebAuthn Defeats AiTM
The cryptographic mechanism is the key innovation. Simplified:
- The user navigates to the real site (or, in a phishing scenario, to the phishing site that proxies to the real site).
- The site sends a cryptographic challenge to the browser, including the site’s domain in the challenge data.
- The browser passes the challenge to the FIDO2 device (hardware key or passkey provider).
- The device produces a signature using the private key stored for the specific domain. The signature includes the domain as part of the signed data.
- The browser sends the signature back to the site.
- The site verifies the signature against the public key registered for the user.
The critical step is the domain binding. The signature produced for bigbank.com is cryptographically tied to bigbank.com. A phishing site at phishing-site.com cannot trick the device into producing a signature that the real bigbank.com would accept, because the browser tells the device which domain the page is actually on, the device only signs for that domain, and the real site checks the domain in the signed data.
The phishing proxy can forward credentials and codes. It cannot forward FIDO2 signatures, because the signatures are bound to the wrong domain.
This is the property that makes FIDO2 phishing-resistant in a way SMS, TOTP, and push are not.
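The six steps above, and the two ways a relayed assertion fails, as an added worked example that is not part of the original post. It is a toy model of the WebAuthn assertion flow in the Python standard library: the authenticator keeps one credential per RP ID, the browser fills in the origin it is really on, and the relying party checks challenge, origin, and RP ID hash before checking the signature. The signature is an HMAC standing in for the ECDSA signature a real key produces (so the "verification key" below is a shared secret rather than a public key); that substitution, and the `bigbank.com` / `phishing-site.com` names, are assumptions of this example only.

```python
"""Toy WebAuthn assertion flow showing why an AiTM proxy cannot relay a FIDO2 login.
Added illustration, not the page's or any vendor's code. HMAC stands in for ECDSA."""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Hardware key or passkey provider: one credential (key) per RP ID."""

    def __init__(self):
        self._creds = {}      # rp_id -> (credential_id, key)
        self._counter = 0

    def make_credential(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key   # real WebAuthn hands the RP a public key here (assumption: shared HMAC key)

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        # The device only has (and only uses) a credential for the RP ID the browser names.
        if rp_id not in self._creds:
            raise LookupError(f"no credential for {rp_id}")
        cred_id, key = self._creds[rp_id]
        self._counter += 1
        # authenticatorData = SHA-256(rpId) || flags (UP set) || signCount
        auth_data = sha256(rp_id.encode()) + b"\x01" + self._counter.to_bytes(4, "big")
        # Signed message = authenticatorData || SHA-256(clientDataJSON)
        sig = hmac.new(key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return cred_id, auth_data, sig


class Browser:
    """The user agent writes clientDataJSON.origin from the page it is really on, not from page content."""

    def __init__(self, origin: str):
        self.origin = origin
        self.rp_id = urlparse(origin).hostname

    def get(self, authenticator: Authenticator, challenge: bytes):
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": b64url(challenge), "origin": self.origin},
            sort_keys=True,
        ).encode()
        return client_data, authenticator.get_assertion(self.rp_id, client_data)


class RelyingParty:
    def __init__(self, origin: str):
        self.origin, self.rp_id = origin, urlparse(origin).hostname
        self._keys, self._pending = {}, set()

    def register(self, cred_id: bytes, key: bytes):
        self._keys[cred_id] = key

    def challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self._pending.add(b64url(c))
        return c

    def verify(self, client_data_json: bytes, cred_id: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data_json)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self._pending:
            return False                                   # unknown or replayed challenge
        self._pending.discard(cd["challenge"])             # single use
        if cd.get("origin") != self.origin:
            return False                                   # origin binding: signed for another site
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False                                   # rpIdHash binding
        key = self._keys.get(cred_id)
        if key is None:
            return False                                   # credential never registered here
        expected = hmac.new(key, auth_data + sha256(client_data_json), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def _setup():
    authn, bank = Authenticator(), RelyingParty("https://bigbank.com")
    bank.register(*authn.make_credential(bank.rp_id))
    return authn, bank


def legitimate_login() -> bool:
    authn, bank = _setup()
    client_data, (cred_id, auth_data, sig) = Browser("https://bigbank.com").get(authn, bank.challenge())
    return bank.verify(client_data, cred_id, auth_data, sig)


def aitm_relay() -> str:
    """Proxy at phishing-site.com fetches the real challenge and hands it to the victim's browser."""
    authn, bank = _setup()
    try:
        Browser("https://phishing-site.com").get(authn, bank.challenge())
    except LookupError as e:
        return str(e)   # the key holds nothing for phishing-site.com, so nothing is signed
    return "signed"


def aitm_relay_with_lookalike_credential() -> bool:
    """Even if the victim also holds a credential for phishing-site.com, the relayed assertion fails."""
    authn, bank = _setup()
    authn.make_credential("phishing-site.com")
    client_data, (cred_id, auth_data, sig) = Browser("https://phishing-site.com").get(authn, bank.challenge())
    return bank.verify(client_data, cred_id, auth_data, sig)   # origin and rpIdHash are wrong


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed:", aitm_relay())
    print("relayed with lookalike credential:", aitm_relay_with_lookalike_credential())
```

The order of checks in `verify` mirrors what a server-side WebAuthn library does: the relayed challenge itself is genuine, so the challenge check passes, and it is the origin and RP ID hash comparisons that reject the assertion. That is the whole difference from TOTP: a six-digit code carries no information about where it was typed, whereas the signed data here names the site.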
Where Phishing-Resistant Identity Matters Most
Three categories of account where phishing-resistant identity matters most.
Primary email account. Almost every other account uses email as the recovery method. Compromising an email account often unlocks the rest. A phishing-resistant identity on the email account is the highest-impact single security move available to most individuals. For Gmail and Microsoft accounts, hardware key enrollment takes about ten minutes.
Financial accounts. Bank, brokerage, payroll, payment platforms. The direct money-loss exposure justifies the friction of hardware-key MFA on these accounts. For high-value accounts (large brokerage balances, business banking), the hardware key is mandatory in any reasonable security posture.
Administrator accounts on critical systems. Cloud admin consoles, identity provider admin accounts, source code repositories with deployment access. These accounts typically have outsize blast radius if compromised. CISA, Microsoft, and Google all recommend hardware keys on admin accounts as a baseline.
For other accounts (social media, retail logins, low-value services), app-based MFA is acceptable. The hardware key requirement scales with the cost of compromise.
The Cost and Setup
Hardware keys cost $25 to $80 per device depending on form factor. Most users want at least two keys: one primary, one backup stored separately in case the primary is lost. Total cost for a fully provisioned individual is roughly $80 to $160.
Setup is straightforward on the major platforms:
Google account. Settings, Security, 2-Step Verification, Add Security Key. Plug the key in, follow the prompts, register. Repeat for the backup key. Set a recovery code as well.
Microsoft account. Security settings, Advanced security options, Add a new way to sign in, Use a security key. Same flow.
Apple ID. Settings, Apple ID, Sign-In and Security, Two-Factor Authentication, Add Security Keys. Apple supports FIDO2 keys as the second factor.
Most major SaaS platforms (GitHub, AWS, Salesforce, Slack, and others) support hardware keys through their MFA settings. Configuration is roughly the same flow at each provider.
Passkeys, as the software alternative, do not require hardware purchase but do require the user’s devices to be on Apple, Google, or Microsoft platforms with passkey sync enabled. The setup is shorter (often automatic during account creation on supported sites) but the user is dependent on the platform’s sync infrastructure.
How This Connects to Email Defense
The phishing defense stack discussed in how to defend your inbox from phishing in 2026 has phishing-resistant identity as one of its layers, specifically for the credential-theft attack vector.
The other layers handle other attack vectors:
- Native spam filters: catch mass mechanical attacks at the inbox level.
- Phishing awareness training: raise the floor on human recognition.
- Verification protocols: catch financial-action attacks at the moment of execution.
- Structural inbox filters: collapse the cost-structure of mass-volume reach.
- Phishing-resistant identity: eliminate the credential-theft path even when the user falls for a phishing email.
The combination addresses different attack categories. Skipping phishing-resistant identity leaves the credential-theft path open, which is the path that produces account compromises and BEC attacks involving real account takeovers.
The Bottom Line
A phishing-resistant identity uses authentication that cannot be relayed by a phishing proxy to the real service. The most common implementation in 2026 is FIDO2 / WebAuthn with hardware security keys, with passkeys as the software alternative on supported platforms.
The cryptographic mechanism (domain-bound signatures) defeats adversary-in-the-middle attacks that bypass SMS, TOTP, and push-based MFA. For accounts where compromise has serious consequences (email, financial, administrator), phishing-resistant identity is the recommended baseline.
The cost is modest, the setup is straightforward, and the security gain is substantial. Combined with structural inbox filtering at the email layer, the result is a defense posture that handles both the credential-theft path and the volume path of email-based attacks. Rythm handles the structural-filtering layer for $1.65 per month per inbox; hardware keys handle the identity layer for $25 to $80 per device. Both are part of the modern defensive stack.