CISA drew a line...
Where does your MFA land?
Having MFA isn’t the same as being phishing resistant. SMS codes, authenticator-app codes, and push notifications can all be phished. That’s why CISA draws a clear line between the MFA that stops phishing and the MFA that doesn’t. This article walks through the common forms of MFA and how well each one resists phishing, so you know where your own deployment lands and what you should be doing to keep yourself safe!
OTP and Push
A One-Time Password (OTP) is a short code, typically delivered over SMS or email or generated by an authenticator app (a time-based OTP, or TOTP). Each code is valid only for a short window and can be used only once. Push MFA replaces the code with an approve/deny prompt on your phone.
None of that helps against an adversary-in-the-middle (AITM) phishing attack. In an AITM attack, a fake web page acts as a proxy between you and the real service: it takes your password and your MFA response (the OTP code, or your approval of the push prompt the real service sends), passes them straight through to the real service, and keeps the session token the service issues in return. The attacker then uses that token to act as you; the one-time code was used exactly once, just not by you. Microsoft has repeatedly documented this pattern, from AITM campaigns against banking and financial services organizations to AITM campaigns in the energy sector. Phishing kits that automate the technique, such as Tycoon2FA, are sold as a service to hundreds of customers.
U2F, FIDO2, and WebAuthn
Universal 2nd Factor (U2F) was the FIDO Alliance’s first answer to phishing-resistant authentication, published in 2014. A USB hardware key such as a YubiKey acts as a second factor using public-key cryptography: each key pair is bound to the site it was registered with, and the browser, not the web page, reports the actual origin during every login. The key will not sign a challenge for any other domain, so an AITM proxy sitting on a lookalike domain has nothing it can forward.
FIDO2 extends that model in two ways. Where U2F was always a second factor after a password, FIDO2 can replace the password entirely, with a PIN or biometric unlocking the authenticator instead. Where U2F required a separate hardware key, FIDO2 also works with the platform authenticators built into phones and laptops, backed by secure hardware such as a TPM or Secure Enclave.
WebAuthn is the W3C browser API a website calls to register and authenticate a user with a FIDO2 credential. The private key never leaves the authenticator, and every signed response includes the origin the browser actually saw and a hash of the site’s identifier, so a response produced for one domain cannot be turned in at another. U2F keys still work under FIDO2, and CISA treats FIDO/WebAuthn as the baseline for phishing-resistant authentication.
Passkeys
A passkey is a FIDO2 credential packaged for end users, and it comes in two practical forms. Hardware security keys like a YubiKey are a dedicated device that holds the passkey; the user plugs it in or taps it over NFC to authenticate. Platform passkeys live inside a phone or laptop’s secure hardware and are usually unlocked with Face ID, Touch ID, or Windows Hello. Platform passkeys can usually also be synced across a user’s devices through a cloud account or a password manager.
Hardware keys offer the highest assurance, while platform passkeys are more convenient for day-to-day use. Either one puts you on the right side of CISA’s line. One caveat: a synced passkey is still phishing resistant, but a credential that can be copied to a new device through a cloud account is only as well protected as that account’s own login and recovery process, which is why device-bound keys remain the choice for the highest assurance tier.
Where the frameworks point
The FFIEC Cybersecurity Assessment Tool was sunset in 2025. Banks moving to NIST CSF 2.0 or the CRI Profile will find that both frameworks point toward phishing-resistant authentication, and NIST’s own identity guidance (SP 800-63B-4) names FIDO2/WebAuthn as an example of a phishing-resistant authenticator and requires phishing resistance at its top assurance level, AAL3.
Original article by Breyson Hendren, Data Security Analyst, infotex
