Authentication: MFA, FIDO2, passwordless
Beyond the password
The password has been the dominant authentication mechanism for sixty years. It has also been the source of the majority of authentication-related breaches. Passwords are reused, shared, stolen through phishing, harvested by infostealers, brute-forced when weak, and exposed in data breaches affecting third-party services. The security industry's long-standing response, requiring longer and more complex passwords changed more frequently, has largely made the problem worse by pushing users toward predictable patterns and password reuse; NIST SP 800-63B has since dropped mandatory periodic rotation and composition rules in favour of screening new passwords against lists of known-breached passwords.
Modern authentication approaches reduce or eliminate dependence on shared secrets that can be stolen, intercepted, or guessed.
Multi-Factor Authentication (MFA)
MFA combines two or more factors: something you know (password), something you have (phone, physical key), something you are (biometrics).
MFA methods, ranked roughly from weakest to strongest:
| Method | Phishing resistance | Ease of use |
|---|---|---|
| SMS OTP | Low (SIM swap, interception, code relayed by a real-time phishing proxy) | High |
| TOTP app (Google Authenticator) | Low (code relayed by a real-time phishing proxy) | High |
| Push notification | Low to medium (MFA fatigue; number matching helps, but a proxy can still relay the prompt) | High |
| FIDO2/WebAuthn platform authenticator (passkey, Windows Hello) | Strong (credential bound to the site's origin) | Medium to high |
| FIDO2 hardware security key (YubiKey, Titan) | Strong (origin-bound, and the private key cannot be extracted even by malware on the host) | Medium |
Any MFA is better than no MFA, but not all MFA provides equal protection. SMS-based OTP is vulnerable to SIM swapping, and SMS codes, TOTP codes, and push approvals are all relayed by real-time phishing proxies. Push notifications are additionally susceptible to fatigue attacks, where attackers spam approval requests.
SIM swapping occurs when an attacker convinces a mobile carrier to transfer a victim’s phone number to an attacker-controlled SIM card. The attacker then receives all SMS messages, including OTP codes, enabling account takeover. High-profile individuals and executives are particularly targeted because mobile carriers can sometimes be socially engineered.
Real-time phishing proxies, also called adversary-in-the-middle (AiTM) kits, sit between the victim and the legitimate site: the victim enters their credentials and OTP on a convincing phishing site; the proxy forwards them to the legitimate site in real time, captures the resulting session cookie or token, and gives the attacker authenticated access, all while the victim believes they logged in normally. Any MFA method whose proof can be relayed, whether an SMS code, a TOTP code, or an approved push prompt, is defeated this way, because the attacker walks away with a valid session rather than the credentials. Only authenticators that cryptographically bind the proof to the site's origin resist it.
MFA fatigue attacks exploit push notification convenience. If an attacker has a valid password, they can trigger repeated MFA push requests to the victim's phone. Many users will eventually approve a request out of confusion, frustration, or the assumption that the notification is legitimate. Microsoft and other providers have responded with number matching (the user must enter a number displayed on the login screen, not just tap approve or deny) to mitigate this attack. Number matching stops blind approvals; it does not stop a real-time phishing proxy, which can show the victim the number from the legitimate site's prompt.
FIDO2/WebAuthn
FIDO2 is the phishing-resistant standard. The credential is bound to the relying party's domain (its RP ID): a phishing site on a different domain cannot use it, and the private key never leaves the user's device, making credential theft fundamentally ineffective.
FIDO2 works through public-key cryptography. During registration, the authenticator generates a key pair for that specific relying party. The public key is stored by the service; the private key never leaves the hardware or device. During authentication, the server sends a random challenge, and the authenticator signs it together with data the browser assembles: the origin the user is actually on (in clientDataJSON) and a hash of the relying-party ID (in authenticatorData). The server verifies the signature with the stored public key and rejects the assertion unless the challenge, origin, and RP ID all match its own. Two things stop phishing: the browser will not offer a credential registered for the legitimate site to a page on a different domain at all, and even if a signature were somehow produced there, it would cover the attacker's origin and be rejected by the legitimate server.
Hardware security keys (YubiKey, Titan Key) store the private key in tamper-resistant hardware. Even malware on the computer cannot extract the key. These devices are the strongest available authenticator and should be mandated for all privileged accounts and high-value users.
Passwordless
The future of authentication is eliminating the password entirely. Passkeys (supported by Apple, Google, Microsoft) combine FIDO2 cryptography with device biometrics for a seamless, phishing-resistant experience.
A passkey is a FIDO2 credential created by a platform authenticator. Synced passkeys are backed up and replicated across the user's devices through the platform's credential store (iCloud Keychain, Google Password Manager); device-bound passkeys, such as those created by Windows Hello or held on a hardware security key, exist only where they were made. The user unlocks the credential with local user verification (Face ID, fingerprint, or a device PIN), and the cryptographic operation handles the rest. There is no password to phish, steal, or forget. One caveat for synced passkeys: their security is bounded by the cloud account that syncs them and by that account's recovery process, which is why device-bound credentials remain the choice for privileged access.
Passkey adoption has accelerated rapidly. Major services including Google, Apple, Microsoft, GitHub, and Shopify support passkey login. Enterprise rollout requires an identity provider that supports FIDO2 authentication and a change management process to migrate existing users.
Implementation roadmap
Organizations should target a phased passwordless roadmap:
- Immediate: deploy MFA universally, starting with administrators and high-risk users. Any MFA is better than none.
- Short-term: migrate administrators and privileged accounts to FIDO2 hardware keys. This eliminates the highest-risk accounts from the credential theft attack surface.
- Medium-term: deploy number matching for push MFA to eliminate fatigue attacks. Audit and eliminate SMS OTP for any account with access to sensitive systems.
- Long-term: roll out passkeys for the broader user base. Target eliminating passwords from all external-facing authentication.
Measuring progress requires tracking MFA adoption rates by user segment, monitoring authentication anomalies, and reviewing authentication logs for patterns that indicate credential stuffing or AiTM (adversary-in-the-middle) phishing.
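As an added example of the log review just mentioned (not code from the page), the block below runs two heuristic detections over a constructed set of authentication log records: a credential-stuffing check (one source address failing logins for many distinct usernames inside a short window) and an AiTM indicator (a session established with password and MFA from one address is used from a different address within minutes). The record format, thresholds, and sample data are assumptions for the demonstration.

```javascript
// Added example (not from the page): two log-review heuristics over constructed
// authentication records. Fields, thresholds and addresses are assumed.

// Constructed sample log: ts is seconds from an arbitrary epoch.
const SAMPLE_LOGS = [
  // Normal user: logs in with TOTP and keeps using the session from the same address.
  { ts: 0,   event: 'login',   user: 'bob',   ip: '198.51.100.7', result: 'success', mfa: 'totp', session: 'S-bob-1' },
  { ts: 120, event: 'session', user: 'bob',   ip: '198.51.100.7', session: 'S-bob-1' },
  // AiTM victim: carol completes password + TOTP on the proxy; the proxy then
  // replays her session cookie from its own infrastructure 30 seconds later.
  { ts: 900, event: 'login',   user: 'carol', ip: '198.51.100.23', result: 'success', mfa: 'totp', session: 'S-carol-1' },
  { ts: 930, event: 'session', user: 'carol', ip: '192.0.2.44',    session: 'S-carol-1' },
];
// Credential stuffing: one source walking a leaked username list, 15 s apart.
['alice', 'carol', 'dave', 'erin', 'frank', 'grace'].forEach((user, i) => {
  SAMPLE_LOGS.push({ ts: 300 + i * 15, event: 'login', user, ip: '203.0.113.9', result: 'fail' });
});

// Flags any source IP that fails logins for >= minUsers distinct usernames
// within a sliding window of windowSec seconds.
function detectCredentialStuffing(logs, windowSec = 300, minUsers = 5) {
  const byIp = new Map();
  for (const e of logs) {
    if (e.event !== 'login' || e.result !== 'fail') continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const hits = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.ts - b.ts);
    const counts = new Map(); // username -> failures inside the window
    let lo = 0;
    for (let hi = 0; hi < events.length; hi++) {
      counts.set(events[hi].user, (counts.get(events[hi].user) || 0) + 1);
      while (events[hi].ts - events[lo].ts > windowSec) { // slide the window forward
        const u = events[lo].user;
        counts.set(u, counts.get(u) - 1);
        if (counts.get(u) === 0) counts.delete(u);
        lo++;
      }
      if (counts.size >= minUsers) {
        hits.push({ ip, distinctUsers: counts.size, from: events[lo].ts, to: events[hi].ts });
        break; // one alert per source is enough
      }
    }
  }
  return hits;
}

// Flags a session used from a different IP than the one that authenticated,
// within maxSec of login. Mobile roaming and VPNs cause false positives; in
// practice compare ASN or device fingerprint as well, or use token binding.
function detectSessionHijack(logs, maxSec = 600) {
  const origin = new Map(); // session id -> login record
  const hits = [];
  for (const e of [...logs].sort((a, b) => a.ts - b.ts)) {
    if (e.event === 'login' && e.result === 'success') {
      origin.set(e.session, e);
    } else if (e.event === 'session') {
      const o = origin.get(e.session);
      if (o && o.ip !== e.ip && e.ts - o.ts <= maxSec) {
        hits.push({ user: e.user, session: e.session, loginIp: o.ip, usedFrom: e.ip, secondsAfter: e.ts - o.ts, mfa: o.mfa });
      }
    }
  }
  return hits;
}

function runDetections(logs) {
  return { stuffing: detectCredentialStuffing(logs), hijack: detectSessionHijack(logs) };
}
```

Running `runDetections(SAMPLE_LOGS)` reports one stuffing source (203.0.113.9) and one hijacked session (carol's, used from 192.0.2.44 thirty seconds after a TOTP-protected login). The second pattern is the signature of AiTM: the login itself looks healthy, MFA included, and only the session's subsequent behaviour reveals the relay.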