TL;DR: Phishing-resistant MFA uses origin-bound cryptography, device-bound authenticators, and verified user intent to stop proxy-based phishing and session replay attacks, according to 1Kosmos. Traditional MFA can be relayed in real time, which makes recovery paths, fallback methods, and enrollment policy the real governance problem.
NHIMG editorial — based on content published by 1Kosmos: phishing-resistant MFA and passwordless security guidance
By the numbers:
- 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
Questions worth separating out
Q: How should security teams implement phishing-resistant MFA for privileged users?
A: Start with administrators, developers, finance teams, and remote access paths where a compromised session has the highest blast radius.
Q: Why do traditional MFA methods still fail against phishing attacks?
A: Because many common factors, such as SMS codes, OTP app codes, email links, and push approvals, can be relayed in real time through a proxy-based phishing site, so the attacker ends up with a valid session even though the user "used MFA".
Q: What do security teams get wrong about recovery after phishing-resistant MFA rollout?
A: They often treat recovery as an administrative afterthought, then leave email resets, help desk shortcuts, or temporary exceptions in place.
Practitioner guidance
- Eliminate downgrade methods in policy: remove SMS, OTP app, email link, and push approval fallback from high-risk sign-in flows so the primary phishing-resistant method cannot be bypassed through a weaker option.
- Harden enrollment and proofing: bind each authenticator to a verified individual and device at enrollment, then require auditable proofing steps for replacements, resets, and new device registration.
- Redesign recovery as a controlled privileged workflow: treat account recovery like privileged access, with verified identity, logged approvals, and step-up checks before any credential reset is issued.
What's in the full article
1Kosmos's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance on phishing-resistant MFA methods such as FIDO2, WebAuthn, smart cards, and identity-backed biometrics
- Enrollment and recovery workflow considerations for managed devices, backups, and identity proofing
- Policy enforcement patterns that prevent fallback to weaker methods in real sign-in flows
- Deployment challenges in legacy applications and bring-your-own-device environments
👉 Read 1Kosmos's analysis of phishing-resistant MFA for passwordless access →
Phishing-resistant MFA and passwordless access: are your controls ready?