Phishing-resistant MFA refers to authentication methods that cryptographically bind each authentication to the legitimate service's origin, so an attacker cannot intercept or replay it.
The problem with traditional MFA:
1. SMS/Voice - Can be intercepted via SIM swapping
2. Push notifications - Vulnerable to MFA fatigue attacks
3. TOTP codes - Can be phished via adversary-in-the-middle
4. Email codes - Account compromise exposes codes
How phishing-resistant MFA works:
The authenticator (FIDO2 key or Windows Hello) performs cryptographic verification:
1. Creates public/private key pair during registration
2. Private key never leaves the device
3. Authentication proves possession of private key
4. Origin checking ensures you're on the real site
5. Cannot be replayed or intercepted
Phishing-resistant methods in Entra ID:
1. FIDO2 security keys (YubiKey, Google Titan, etc.)
2. Windows Hello for Business
3. Passkeys (platform authenticators)
4. Certificate-based authentication (smart cards)
Why it matters:
- 99.9% of account compromises are prevented by any MFA
- But sophisticated attacks (AiTM) can bypass traditional MFA
- Phishing-resistant MFA blocks even these advanced attacks
- Required for high-security scenarios and compliance
Microsoft's recommendations:
- Phishing-resistant MFA for admin accounts (mandatory)
- Phishing-resistant MFA for all users (best practice)
- At minimum, enable number matching for the Authenticator app
TrueConfig control ID-04 monitors your phishing-resistant MFA deployment.