TIP · 4 min read
Phishing-Resistant MFA in 10 Minutes
Adversary-in-the-middle kits like Evilginx and Tycoon eat TOTP and push MFA for breakfast. FIDO2 / WebAuthn is the only widely-deployed factor that breaks them. Here's the fast rollout.
Pick the right factor
Hardware security keys (YubiKey, Feitian) for admins; platform authenticators (Windows Hello, Touch ID, Android) for everyone else.
Block weak factors
Disable SMS and voice for privileged accounts. Conditional access: if factor != phishing-resistant, block.
- Mark FIDO2 as preferred in Entra/Okta
- Block legacy auth protocols
- Require key re-registration on suspicious sign-in
Plan the recovery flow
Lost-key recovery is where most rollouts leak. Pre-enroll two keys per admin and ship a verified helpdesk script.
Tools mentioned
YubiKeyEntra IDOktaDuo1Password
⟩ takeaway
If your MFA can be relayed by a proxy, it isn't MFA. Phishing-resistant means cryptographic origin binding — pick factors that ship it.
⟩ keep reading
Related articles
Hardening Your Cloud in 5 Steps
A practical checklist to lock down AWS, Azure and GCP workloads before attackers find the gaps.
Prompt Injection: The OWASP LLM #1 Risk
How indirect prompt injection turns helpful AI into an attacker tool — and how to defend against it.
Inside a Real SOC: A Day in the Life
From the first SIEM alert to incident closure — what L1/L2/L3 actually looks like in practice.