Why Phish-Resistant Authentication Needs to Be a Priority for Every Organization

Username- and password-based login credentials have always been a weak point in cybersecurity, and they’re more vulnerable to phishing attacks than ever. Phish-resistant authentication methods take these credentials out of the equation so threat actors can’t steal them or trick users into giving them up.

Roughly one third of data breaches involve stolen credentials, and phishing remains one of the most effective ways for threat actors to gain initial access. Verizon's 2025 Data Breach Investigations Report found phishing present in 16% of breaches and credential abuse (often the result of phishing) in 22%. Phish-resistant multi-factor authentication (MFA) removes the shared secret from the login: instead of a password that can be typed into the wrong site, the proof of identity is a private key held by something the user has (a registered device or hardware security key) and unlocked locally with something they are (a biometric) or something they know (a PIN that never leaves the device).

We’re about to dive into what makes phish-resistant authentication better than password-based MFA and why organizations should prioritize making the shift to phishing-resistant methods. We’ll also introduce Microsoft’s phish-resistant authentication tools and how an IT professional services provider (like IX Solutions) can help you get started. 

Phishing and Authentication

What is Phish-Resistant Authentication? 

Phish-resistant authentication is a form of multi-factor authentication (MFA) that does not rely on any secret a user could be tricked into handing over: no password, no one-time passcode (OTP) delivered by SMS or generated by an app, and no push approval with number matching. Instead it uses asymmetric cryptography. At registration, the user's authenticator generates a unique public/private key pair for that specific service; the service stores the public key, and the private key stays in the authenticator. At login, the service sends a random challenge, the authenticator signs it with the private key, and the service verifies the signature with the public key it has on file. The authenticator can be the user's laptop or phone (with the key protected by a TPM or secure enclave), an authenticator app, or a FIDO2 hardware security key: typically a USB device, a smart card, or a fob that connects over Bluetooth or near-field communication (NFC). The second factor is the biometric or PIN the user provides to unlock the authenticator; it is checked locally and never sent to the service.

The authenticator holding the private key must be connected to, or within range of, the device the user is logging in from, and the service checks the signed challenge against the registered public key. Because users hold no password or code they could share or type into a malicious website, there is nothing for a phishing page to collect. An attacker would need physical possession of the authenticator and the ability to supply the biometric or PIN. That defeats phishing, brute-force attacks, credential stuffing, and replay attacks (each challenge is fresh and single-use), as well as man-in-the-middle (MITM) attacks, now usually called adversary-in-the-middle (AITM) attacks.

Phishing-Resistant Authentication in Action

Let's take a look at one phishing technique, the MITM (or AITM) attack. The threat actor inserts themselves between a user and the system the user wants to authenticate to, or between two people (such as an employee and a help desk agent), so that all communication flows through the attacker, who can capture credentials and session tokens or inject their own requests.

There are several variants, but the common tactic today is to lure users to a look-alike site that mimics the login page they know. Modern phishing kits run that site as a reverse proxy: everything the user types, including the username, password, and MFA code, is relayed to the real login page in real time, and the session cookie the legitimate site issues comes back through the proxy. With that cookie the attacker is logged in without ever being prompted for MFA again. The attacker can then register an additional authentication method of their own on the account, so they can sign in whenever they want as if they were the authorized user.

Phish-resistant MFA is key (pun intended) to preventing man-in-the-middle attacks. A FIDO2 credential is bound at registration to the legitimate site's domain (the relying party ID), and the browser only lets a page use credentials that belong to its own domain. When a user lands on a look-alike site, even one proxying the real login page, the authenticator has no credential for that domain, so the challenge cannot be signed and there is nothing for the proxy to relay. The signed response also records the origin the browser was actually on, so a response produced for the wrong site fails verification. The private key itself never leaves the authenticator, so threat actors cannot copy it.
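To make the domain binding concrete, here is a small Go model of the FIDO2/WebAuthn challenge-response described in the two sections above. It is an added example, not code from the original article and not Microsoft's or the FIDO Alliance's implementation; the RP ID login.example.com, its origin, and the look-alike domain login.example-support.com are made-up values. It shows three of the defences just described: the browser refusing a credential request for a domain the page does not own (the AITM proxy case), the authenticator finding no credential for the attacker's own domain, and the relying party rejecting a replayed assertion because each challenge is single-use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed model of a FIDO2/WebAuthn login, not Microsoft's or any vendor's
// code; the RP ID and origin are assumed values standing in for the real site.
const rpID, rpOrigin = "login.example.com", "https://login.example.com"

// Authenticator holds private keys indexed by RP ID; they never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a credential scoped to one RP ID and returns only the public key.
func (a *Authenticator) Register(rp string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	a.keys[rp] = k
	return &k.PublicKey
}

// Assertion: AuthData = rpIdHash||flags||counter, ClientData = JSON {type,
// challenge, origin}, Signature = ES256 over AuthData || SHA-256(ClientData).
type Assertion struct{ AuthData, ClientData, Signature []byte }
type clientData struct{ Type, Challenge, Origin string }

func signedMessage(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// GetAssertion signs a challenge with the key for rp; a phishing domain matches
// no stored credential, so there is nothing to sign with.
func (a *Authenticator) GetAssertion(rp, origin string, challenge []byte) (*Assertion, error) {
	key, ok := a.keys[rp]
	if !ok { return nil, fmt.Errorf("no credential for RP ID %q", rp) }
	rpHash := sha256.Sum256([]byte(rp))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags=UP, signature counter=1
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(authData, cd))
	if err != nil { return nil, err }
	return &Assertion{authData, cd, sig}, nil
}

// BrowserGet models navigator.credentials.get(): the user agent refuses an RP ID that
// is not the page's host (or a registrable suffix of it) and records its own origin.
func BrowserGet(auth *Authenticator, pageOrigin, requestedRP string, challenge []byte) (*Assertion, error) {
	host := strings.TrimPrefix(pageOrigin, "https://")
	if host != requestedRP && !strings.HasSuffix(host, "."+requestedRP) {
		return nil, fmt.Errorf("SecurityError: RP ID %q is not valid for origin %q", requestedRP, pageOrigin)
	}
	return auth.GetAssertion(requestedRP, pageOrigin, challenge)
}

// RelyingParty stores only the public key and the challenge it last issued.
type RelyingParty struct {
	pub       *ecdsa.PublicKey
	challenge []byte
}

func (r *RelyingParty) NewChallenge() []byte {
	r.challenge = make([]byte, 32)
	rand.Read(r.challenge)
	return r.challenge
}

// Verify runs the server-side checks that must pass before a login is accepted.
func (r *RelyingParty) Verify(resp *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(resp.ClientData, &cd); err != nil { return err }
	if r.challenge == nil || cd.Challenge != base64.RawURLEncoding.EncodeToString(r.challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Type != "webauthn.get" || cd.Origin != rpOrigin {
		return fmt.Errorf("client data came from origin %q, not %q", cd.Origin, rpOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(resp.AuthData) < 32 || string(resp.AuthData[:32]) != string(want[:]) {
		return errors.New("rpIdHash does not match the registered RP ID")
	}
	if !ecdsa.VerifyASN1(r.pub, signedMessage(resp.AuthData, resp.ClientData), resp.Signature) {
		return errors.New("bad signature")
	}
	r.challenge = nil // each challenge is single use, which is what defeats replay
	return nil
}

// LoginFrom plays one login from a page at pageOrigin that asks for requestedRP.
func LoginFrom(auth *Authenticator, rp *RelyingParty, pageOrigin, requestedRP string) error {
	resp, err := BrowserGet(auth, pageOrigin, requestedRP, rp.NewChallenge())
	if err != nil { return err }
	return rp.Verify(resp)
}

func main() {
	auth := NewAuthenticator()
	rp := &RelyingParty{pub: auth.Register(rpID)}
	fmt.Println("legitimate page   :", LoginFrom(auth, rp, rpOrigin, rpID))
	fmt.Println("AITM proxy page   :", LoginFrom(auth, rp, "https://login.example-support.com", rpID))
	fmt.Println("attacker's own RP :", LoginFrom(auth, rp, "https://login.example-support.com", "login.example-support.com"))
}
```

Run it with go run: the first line prints <nil> for the legitimate login, the second shows the browser's SecurityError when the proxied page asks for the real RP ID, and the third shows the authenticator refusing because no credential exists for the attacker's domain. A captured assertion presented a second time fails the challenge check in Verify. Real WebAuthn differs in details this model omits (CBOR encoding, attestation, the signature counter check, resident versus non-resident credentials), but the origin, RP ID and challenge checks are exactly the ones a relying party must perform.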

Why Organizations Need to Prioritize Phish-Resistant Authentication Today

The Cybersecurity and Infrastructure Security Agency (CISA) urges every organization to implement phishing-resistant MFA and identifies FIDO/WebAuthn authentication and PKI-based (certificate) authentication as the methods that qualify. NIST's Digital Identity Guidelines (SP 800-63B) require phishing resistance at their highest authenticator assurance level, AAL3, as the strongest mitigation against credential theft and unauthorized access.

Phishing has always been an issue, so why should organizations prioritize phish-resistant authentication right now? We can thank generative AI (GenAI) for that. SlashNext (now part of Varonis) found that the volume of malicious emails surged by 4,151% since ChatGPT's launch in 2022, and AI keeps getting better at producing convincing, personalized lures at scale.

In 2023, security awareness training provider Hoxhunt launched an ongoing experiment pitting AI agents against expert human red teams at building simulated phishing campaigns. At the outset the AI was 31% less effective than the humans: 2.9% of recipients fell for the AI-generated campaign versus 4.2% for the human-made one. By 2025 the AI agents were 24% more effective than the human teams, with the humans' efficacy relative to the AI having dropped by 142% over the course of testing.

Real-world data shows that businesses are feeling the impact of AI-enabled email phishing. Security awareness training provider KnowBe4 saw a 17.3% increase in phishing emails sent in the latter half of 2024. Notably, over half of those emails were sent from compromised accounts, and 81% of the victims' email addresses had been exposed in a previous data breach. The World Economic Forum found that 42% of organizations experienced phishing and social engineering attacks in the past year, and nearly half of leaders are worried about how threat actors will use GenAI to increase the volume and sophistication of social engineering.

And it's not just email. Threat actors are using AI to support voice phishing (vishing) as well. CrowdStrike reported a 442% increase in vishing attacks between the first and second half of 2024. In these calls the attacker typically poses as IT staff and persuades the victim to start a remote support session, download a malicious file, or enter credentials into an AITM phishing site. The reverse also happens: attackers call the help desk posing as an employee and ask for a password or MFA reset.

AI enables cybercriminals to iterate on their campaigns faster and deliver outcomes beyond what they’d normally be able to achieve with their skillset alone. At the very least, AI helps threat actors launch phishing attacks on more individuals, putting probability on their side. Phishing-resistant MFA is essential for organizations that need to stay one step ahead of threat actors with AI at their fingertips. 

Microsoft Authentication Solutions for Phish-Resistant MFA

Phishing-resistant authentication is central to the Microsoft Secure Future Initiative (SFI), the company’s ongoing effort to improve cybersecurity both internally and for its customers. Microsoft Entra ID, the software provider’s cloud identity and access management (IAM) solution, offers several options for phishing-resistant MFA:

  • Windows Hello for Business: Users register their device with the identity provider (IdP) through an MFA-protected enrollment, during which the device generates a public/private key pair. The private key is stored in the device's trusted platform module (TPM) and the public key is registered with the IdP and mapped to the user in Microsoft Entra ID. To sign in, the user provides a biometric or PIN, which unlocks the key locally; the device then signs a challenge from Entra ID with the private key, and Entra ID verifies the signature with the registered public key. The PIN is specific to that device and is never sent over the network.

  • FIDO2 security keys or passkeys in Microsoft Authenticator: Hardware FIDO2 security keys, such as those from Yubico, are issued to users, who authenticate by plugging in or tapping the key (USB or NFC) and unlocking it with its PIN or fingerprint sensor. Alternatively, device-bound passkeys can be enabled in Microsoft Authenticator, with the private key stored in the phone's secure enclave or TPM. This turns the mobile device into a security key.

  • Microsoft Entra certificate-based authentication (CBA): Users authenticate directly against Microsoft Entra ID with X.509 certificates, typically issued by the organization's own PKI and held on a smart card or in a device's key store. Microsoft built this so organizations no longer have to deploy federated CBA through Active Directory Federation Services (AD FS). Each certificate is mapped to a user account through a certificate field such as the subject alternative name (for example, the user's UPN). At sign-in the user enters their username and then selects the option to use a certificate. Note that Entra CBA only satisfies the phishing-resistant MFA authentication strength when the authentication binding policy rates the certificate as multifactor; a certificate rated single-factor still needs a second factor.

Phish-resistant authentication is strongest when combined with device checks. Microsoft Entra Conditional Access, Microsoft's zero-trust policy engine, brings identity-driven signals from multiple sources together so you can make access control decisions on them. For example, you might restrict access to a database based on whether the user is connecting from a trusted IP range, whether they are on a managed, compliant device, and whether they belong to a privileged group, and then require that those users sign in with a phishing-resistant method. Entra ships a built-in authentication strength named Phishing-resistant MFA (satisfied by Windows Hello for Business, FIDO2 security keys and passkeys, and multifactor certificate-based authentication) that a Conditional Access policy can demand as a grant control. Conditional Access provides granular controls so you can add as much protection as you need, where you need it most.
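As an added illustration (not from the original article, and not Microsoft's own sample), here is a Microsoft Graph conditionalAccessPolicy body for the database scenario above: it targets members of one group reaching one application from outside trusted locations, and grants access only on a compliant device and with the built-in Phishing-resistant MFA authentication strength. The group, application and break-glass account IDs are placeholders; the authentication strength ID is the built-in one, which you should confirm under Entra's Authentication strengths blade before use.

```json
{
  "displayName": "Require phishing-resistant MFA and a compliant device for database admins",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "users": {
      "includeGroups": ["<database-admins-group-object-id>"],
      "excludeUsers": ["<break-glass-account-object-id>"]
    },
    "applications": {
      "includeApplications": ["<database-app-id>"]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "AND",
    "builtInControls": ["compliantDevice"],
    "authenticationStrength": { "id": "00000000-0000-0000-0000-000000000004" }
  }
}
```

Create it with a POST to https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies or with New-MgIdentityConditionalAccessPolicy -BodyParameter from the Microsoft Graph PowerShell SDK. The policy starts in report-only mode so you can check the sign-in logs for users who would be blocked before switching state to "enabled". Keep at least one emergency-access account excluded, and do not list "mfa" in builtInControls next to an authentication strength; the strength replaces it. If you want phishing-resistant MFA on the corporate network as well, drop the AllTrusted exclusion.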

Implement Phish-Resistant MFA with Expert Guidance from IX Solutions

As threat actors increase the scale of their phishing campaigns, it’s high time organizations make phishing-resistant authentication the new status quo. That said, 83% of organizations still rely on password-based authentication for some of their IT resources. 

Implementing phishing-resistant authentication hardens the login process and helps defend against social engineering and MITM attacks. Our team of experts can assess your current MFA methods and give you insight into your risk level. We can guide you through the process of deploying and onboarding your team onto Windows Hello for Business or FIDO2 security keys, so you can roll out phish-resistant MFA faster across your organization. To fortify your security throughout your environment, we can also work with you to design conditional access policies that require phishing-resistant MFA verification where you need the most protection. 

Upgrade your MFA strategy to phish-resistant authentication and harden your identity layer against attacks. Get in touch with our team for an assessment and learn how you can implement and roll out phish-resistant MFA to all your users. 
