All articles
TIP · 4 min read

Phishing-Resistant MFA in 10 Minutes

Adversary-in-the-middle kits like Evilginx and Tycoon eat TOTP and push MFA for breakfast. FIDO2 / WebAuthn is the only widely-deployed factor that breaks them. Here's the fast rollout.

Pick the right factor

Hardware security keys (YubiKey, Feitian) for admins; platform authenticators (Windows Hello, Touch ID, Android) for everyone else.

Block weak factors

Disable SMS and voice for privileged accounts. Conditional access: if factor != phishing-resistant, block.

  • Mark FIDO2 as preferred in Entra/Okta
  • Block legacy auth protocols
  • Require key re-registration on suspicious sign-in

Plan the recovery flow

Lost-key recovery is where most rollouts leak. Pre-enroll two keys per admin and ship a verified helpdesk script.

Tools mentioned

YubiKeyEntra IDOktaDuo1Password
⟩ takeaway

If your MFA can be relayed by a proxy, it isn't MFA. Phishing-resistant means cryptographic origin binding — pick factors that ship it.

⟩ keep reading

Related articles