Use This, Not That: A Practical Reference for Modern Authentication

When it comes to authentication, what once passed for good enough (a strong password, or a password plus an SMS code) is now a soft target for attackers who have leveled up. If you are still relying on passwords alone, or bolting on MFA without thinking about phishing resistance, it is time to reconsider.

This is my reference for authentication that works. Not theoretically, not "should work under perfect conditions", but actually works: under pressure, in the wild, when someone is actively trying to break in.

Passwords Are Weak, No Matter How You "Secure" Them

Let’s start with the obvious. Passwords — even complex ones — are shared secrets. They’re stored on servers, passed into login forms, and can be stolen, guessed, phished, or reused. If you still use passwords alone to secure something valuable, you’ve already accepted a risk you probably shouldn’t.

I don’t trust passwords alone for anything critical.

MFA: Better Than Nothing, but Not Much

Multi-factor authentication was a good stopgap. A second step — a code sent to my phone, an app notification, or maybe a push — makes an attacker’s job harder.

But most MFA is not phishing-resistant. I can be tricked into entering a one-time code on a fake site, and if the attacker is relaying my input to the real site in real time, they complete the login and walk away with the session cookie. The same goes for push approvals: a user who is tired of prompts will eventually tap "Approve". MFA makes things harder, not impossible.

Bear this in mind if MFA is the only control you can roll out to protect your users: it does not protect them from tooling built to intercept the MFA step, and SMS codes, which are widely considered insecure, are still enabled in many environments. Below is a list of tooling and techniques that have been used to intercept or bypass these apparently secure MFA methods:

  1. Evilginx/Evilginx2 – reverse-proxy phishing kits that relay the real login page, including the MFA prompt, and capture the resulting session cookie
  2. Modlishka and Muraena – two separate reverse-proxy phishing tools in the same class as Evilginx (Muraena is not an alias of Modlishka)
  3. Transparent Tribe / Crimson RAT – a remote access trojan; once an attacker runs code on the endpoint, the MFA step is moot because they ride the already-authenticated session
  4. Teardrop / Sunburst – the SolarWinds backdoors; intrusion implants rather than MFA interceptors, listed as a reminder that MFA means nothing once the endpoint or the identity infrastructure behind it is compromised
  5. Android malware (e.g., Cerberus, MaliBot, BRATA) – reads SMS and notification OTPs and, in some cases, abuses accessibility services to approve prompts on the victim's behalf
  6. AiTM (Adversary-in-the-Middle) phishing kits in general, including phishing-as-a-service offerings that bundle the proxy, templates and cookie capture
  7. Infostealers (e.g., RedLine, Raccoon, Vidar) – steal browser session cookies, so the attacker skips the login and its MFA entirely
  8. SIM swapping – takes over the phone number that receives SMS codes

That’s where hardware-backed authentication like FIDO2 comes in.

Why FIDO2 Actually Changes the Game

FIDO2 is a standard, not a product. It’s built around the idea that the private key never leaves the device. The website or service stores a public key, and when I log in, my device signs a challenge issued by the site. No secrets are transmitted, and the response is only valid for that domain.

It is phishing-resistant because even if I am tricked into visiting a fake site, the browser will not offer the credential and the key will not sign: the credential is scoped to the real domain, and the fake site's domain does not match. That is not something a one-time code can do.

Why It’s Called Phishing-Resistant

Because the browser, not the user, decides which domain is asking. It derives the relying party ID from the page's actual origin and only lets the authenticator use credentials registered for that ID. The hash of that ID and the origin are both covered by the signature the authenticator returns, and the server checks them against its own values. No match, no login.

And the authenticator must confirm I am physically there, via a touch, a biometric, or a PIN. A roaming authenticator (a hardware key) talks to the client over:

  • USB (inserted key)
  • NFC (tap on mobile)
  • Bluetooth (BLE, including the hybrid flow where a phone acts as the authenticator for a nearby laptop)

A platform authenticator (Touch ID, Windows Hello) is built into the device itself and needs no external transport.

That presence check is what stops a purely remote, unattended takeover cold: nobody can mint a new assertion without the physical device in hand.

FIDO2 Login Flow Diagram


Passkeys: Nearly There, Not Quite a Hardware Key

Passkeys are FIDO2/WebAuthn credentials too; they use exactly the same cryptography and the same origin binding. What sets the common kind apart is that the private key is backed up and synced across my devices through a cloud provider like Apple, Google, or Microsoft, instead of living in one piece of hardware.

They’re convenient. I can use Face ID to log into a site on my laptop without ever touching a hardware key. Behind the scenes, my phone approves the challenge using a stored credential synced via iCloud Keychain or Google Password Manager.

They’re secure. But not bulletproof.

The origin check still holds: a passkey registered for example.com will never sign a challenge for somesketchylogin.biz, so the classic proxy phish fails exactly as it does against a hardware key. Where synced passkeys are weaker is in what surrounds the credential. The private key now lives in my cloud account's sync fabric, so the credential is only as strong as that account and its recovery path; a successful account-recovery attack against the provider can restore my passkeys onto an attacker's device. And because synced passkeys generally come without attestation, the site I log into cannot tell a synced credential from a device-bound one. That is not the protocol's fault; it is the trust model around it.

Passkeys are excellent for general users, and I use them daily. But for admin portals, root accounts, or anything exposed to the internet, I fall back to physical FIDO2 keys.
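One thing a relying party can do about the distinction above is read the flags byte of the WebAuthn authenticator data, where an authenticator reports whether a credential is backup-eligible (BE) and currently backed up (BS). The block below is an added example, not code from the original post: it parses that byte and applies the kind of per-tier policy this post argues for, accepting synced passkeys for everyday use but requiring a device-bound, user-verified credential for admin surfaces. The tier names and the sample flag values are assumptions made for this example.

```javascript
// Added example (not from the original post): parse the WebAuthn authenticator-data
// flags byte and apply a per-tier policy. Tier names and sample flags are assumptions.
const FLAGS = { UP: 0x01, UV: 0x04, BE: 0x08, BS: 0x10, AT: 0x40, ED: 0x80 };

function parseFlags(flagByte) {
  return {
    userPresent: (flagByte & FLAGS.UP) !== 0,    // someone touched or looked at the device
    userVerified: (flagByte & FLAGS.UV) !== 0,   // PIN or biometric was checked
    backupEligible: (flagByte & FLAGS.BE) !== 0, // credential may be synced to other devices
    backedUp: (flagByte & FLAGS.BS) !== 0,       // credential is currently synced
  };
}

// Hypothetical risk tiers (not a standard): everyday apps accept synced passkeys,
// admin surfaces require user verification and a credential that cannot be synced.
const TIERS = {
  everyday: { requireUV: false, allowSynced: true },
  admin: { requireUV: true, allowSynced: false },
};

function authorize(tier, flagByte) {
  const policy = TIERS[tier];
  if (!policy) return { allowed: false, reason: `unknown tier ${tier}` };
  const f = parseFlags(flagByte);
  if (!f.userPresent) return { allowed: false, reason: 'no user presence' };
  if (policy.requireUV && !f.userVerified) return { allowed: false, reason: 'user verification required' };
  if (!policy.allowSynced && f.backupEligible) return { allowed: false, reason: 'synced passkey not accepted for this tier' };
  return { allowed: true, reason: 'ok' };
}

// Constructed sample flag bytes: a hardware key unlocked with its PIN (UP|UV), and a
// synced passkey approved with a biometric (UP|UV|BE|BS).
const HARDWARE_KEY_FLAGS = FLAGS.UP | FLAGS.UV;                         // 0x05
const SYNCED_PASSKEY_FLAGS = FLAGS.UP | FLAGS.UV | FLAGS.BE | FLAGS.BS; // 0x1d

console.log('everyday, synced passkey:', authorize('everyday', SYNCED_PASSKEY_FLAGS));
console.log('admin, synced passkey:   ', authorize('admin', SYNCED_PASSKEY_FLAGS));
console.log('admin, hardware key:     ', authorize('admin', HARDWARE_KEY_FLAGS));
```

The caveat a practitioner should keep in mind: the BE and BS bits are set by the authenticator, so the server can only trust them as far as it trusts the authenticator, and synced passkeys typically arrive without attestation. Treat the flags as a policy signal, and for the admin tier pair them with attestation from known hardware keys or with a managed-device check.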

Passkey Login Flow Diagram

If I Had to Rank Them

From weakest to strongest:

  1. Password only – avoid at all costs
  2. Password + SMS/OTP MFA – weak but tolerable in low-risk apps (SMS is the weakest of these; TOTP or push is better, but all of them can be relayed through a phishing proxy)
  3. Synced passkey – phishing-resistant, user-friendly, ideal for everyday use
  4. Device-bound FIDO2 key – the gold standard for anything critical

Conclusions

Passkeys are an excellent advance toward eliminating passwords but are not a full replacement for hardware-backed authentication in threat-critical environments. They should be viewed as a major usability gain for most users and a solid security upgrade — but not a substitute for FIDO2 keys where phishing resistance must be absolute.

Security teams should ensure authentication policy aligns with risk tiering, device management, and origin validation, rather than solely convenience or user preference.
