Attackers no longer need to break your multi-factor authentication (MFA). They bypass it. Understanding which methods are vulnerable, and how to enforce the ones that aren’t, is what separates effective Zero Trust access from a strategy that looks strong on paper.
The shift from password-only to multi-factor authentication (MFA) was significant. The shift that matters now is from any MFA to the right MFA, and the urgency is increasing as passkeys and other phishing resistant MFA become easier to deploy through platforms like Microsoft Entra ID.
Choosing the right method, or combination of methods, should sit at the heart of modern secure access management strategies and be a principal component of your identity-driven Zero Trust architecture.
Measuring MFA resilience
Most organisations track MFA adoption as a percentage and stop there. A better question is whether your chosen methods hold up when a real attacker targets your people and your sign-in processes.
The gap between adoption and resilience is where modern phishing and social engineering succeed, even in organisations that look “mature” on paper.
The challenge is that “MFA enabled” covers an enormous range of security postures. SMS codes, push notifications, and time-based one-time passwords all provide a layer of protection, but they share a common vulnerability.
They depend on the user completing an authentication step that can be intercepted, relayed, or exploited through social pressure.
Nowhere is this clearer than in two attack patterns that are now routine.
Adversary-in-the-middle (AiTM)
AiTM attacks use reverse-proxy tooling to sit between the user and the legitimate service. The user sees what appears to be a normal sign-in page, enters their password, satisfies the MFA prompt, and the attacker captures the authenticated session token. From the user’s perspective, nothing was unusual. From the attacker’s perspective, they now hold a valid session with no need to persist in the environment.
AiTM has surged in recent years, with attackers commercialising the technique through phishing-as-a-service toolkits such as EvilProxy and Tycoon 2FA that come with ready-made reverse proxies for the major identity providers.
Microsoft reported more than 10,000 AiTM attacks in 2024, while 2025 saw attacks increase by a further 46%.
MFA fatigue attacks
These exploit the low friction of push-based methods: a sign-in can be approved with a single tap and nothing ties that tap to a specific sign-in. An attacker who already has the password can trigger repeated authentication prompts until the user approves one, particularly under time pressure or when combined with a social engineering phone call. Microsoft research has shown that even a simple push request can succeed around 1% of the time on the first attempt.
The MFA method, in this case, becomes the attack surface rather than the control.
If an MFA method can be relayed, coerced, or satisfied from a lookalike origin, it will be abused.
Why phishing resistant MFA is structurally different
FIDO2 and WebAuthn-based authentication removes what attackers need to relay: a reusable credential or an approval step that can be socially engineered. The credential is a public/private key pair, and the private key never leaves the user’s authenticator. At sign-in, the browser (not the web page) records the origin the user is actually on and the relying party identifier it resolved for that origin, and the authenticator signs those together with a single-use challenge issued by the service. An assertion produced on a lookalike domain therefore carries the wrong origin and is rejected by the real service, and a captured assertion cannot be replayed later because its challenge has already been consumed.
This is a significant step-up. Organisations that have moved high-value user populations to FIDO2-based authentication report dramatically lower rates of phishing-driven account takeover compared with code and push-based methods. The attack still runs; it simply fails at the authentication step rather than succeeding.
The practical effect is that attackers are forced to find a weaker link: unmanaged devices, unprotected recovery paths, or workloads that have not yet migrated.
That is a much more constrained attack surface than the open window that push and code-based MFA leaves, and a much stronger foundation for a Zero Trust access model.
Microsoft Entra e-Guide
Secure access with Microsoft Entra
Learn how Microsoft Entra enables Zero Trust access using passwordless authentication, Conditional Access, and identity‑driven network controls.
Discover how you can:
- Replace passwords with phishing‑resistant authentication
- Apply Conditional Access to enforce Zero Trust access decisions
- Secure private app access without VPN‑based trust
- Evaluate session risk in real time
- Reduce identity attack surface
Phishing resistant MFA in Microsoft Entra ID
Microsoft Entra ID is one of the most complete platforms for operationalising phishing resistant authentication because it combines modern credential types with policy, risk signals, and session control.
Used well, it lets you express a Zero Trust assurance intent (who, what, from where, and under what risk) and enforce it consistently, without relying on user judgement as the control.
Most Entra deployments raise the security floor by standardising a small set of phishing resistant MFA methods, aligning them to access tiers (privileged, high-value business apps, general workforce), and using Conditional Access to require the right strength only where it meaningfully reduces risk.
Windows Hello for Business
Windows Hello for Business is often the most scalable phishing resistant path for Windows-heavy organisations because it’s device-bound and backed by hardware protection. In Entra ID, it can meet strong MFA requirements while improving user experience, provided you invest in clean enrolment, device hygiene, and a clear stance on shared or unmanaged endpoints.
FIDO2 security keys
FIDO2 keys are a strong option where you need high assurance and clear proof of possession (for example, privileged roles and sensitive admin actions). They are origin-bound, so relay-style phishing (AiTM) is far less effective than against codes or push. In Entra ID, they integrate via WebAuthn and can be controlled through policy (including where and when they’re required), which makes them viable to deploy broadly without forcing them on every user.
Microsoft Authenticator with passkeys
Passkeys in Microsoft Authenticator give Entra ID users a phishing resistant sign-in that is easier to roll out than physical keys, because the authenticator is the phone they already carry. Industry tracking from the FIDO Alliance (Passkey Index 2025) shows passkeys moving into mainstream use, which is helping make this a realistic default for everyday access. Dedicated hardware security keys can then be reserved for the highest assurance scenarios.
Certificate-based authentication
Certificate-based authentication can be phishing resistant where you already have mature PKI and device lifecycle controls. In Entra ID it can be effective for regulated or operationally constrained environments, but it typically comes with higher complexity (certificate issuance, renewal, and revocation) that needs to be owned as an ongoing programme.
Interim controls and their limits
Not every environment can move to phishing resistant MFA immediately. The key is to treat interim controls as risk reduction measures with explicit acceptance of what they do not stop, and to be clear about the operational blockers (device coverage, user journeys, legacy apps, and support processes).
- Number matching on push notifications significantly reduces accidental approvals and blunts MFA fatigue, but it remains vulnerable to AiTM proxies: the user is knowingly completing what they believe is their own sign-in, and the proxy relays the result. Treat it as a waypoint toward phishing resistant methods, not a destination.
- Magic links remove the password from the sign-in flow and can support lower-risk scenarios or consumer-grade access. They do not meet the criteria for phishing-resistant MFA.
- SMS one-time codes are the weakest option in widespread use. They are vulnerable to SIM swapping, telecom-level protocol weaknesses, and interception. Restrict them to low-sensitivity access and set a clear timeline for deprecation.
Conditional Access and adaptive authentication
Phishing resistant MFA is most effective when it’s enforced selectively and consistently. Conditional Access lets you apply the right authentication strength based on application tiering, data sensitivity, device posture, network context, and identity risk, without turning every sign-in into a high-friction event.
Risk-based signals (for example, anomalous sign-ins, unfamiliar locations, and suspicious session patterns) are most valuable when they drive automatic control changes: step-up to phishing resistant methods, block, or require reauthentication for sensitive actions.
Continuous Access Evaluation (CAE) supports faster session containment. For CAE-capable clients and services, access tokens are revoked in near real time when a critical event occurs (the account is disabled or deleted, the password is reset, refresh tokens are revoked, Entra ID Protection raises user risk to high, or the client moves to a network location the policy does not allow) rather than remaining valid until their normal expiry. It shortens the window in which a stolen token remains useful.
Where it is available, Token Protection adds another layer by cryptographically binding the sign-in session token to the device it was issued to, so a token lifted from that device cannot be replayed from another. Today it is limited to specific Windows clients signing in to Microsoft services, but it fits naturally alongside CAE as part of a wider approach to reducing the value of a captured sign-in.
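The adoption-versus-resilience gap shows up at the policy layer too: a Conditional Access policy can say "require MFA" and be satisfied by SMS, or say "phishing-resistant" and sit in report-only mode. As an added illustration (not code from the article, from Kocho or from Microsoft), here is a Node.js audit over policies exported from Microsoft Graph that classifies each by the assurance it actually enforces. The Graph field names and the built-in authentication strength IDs are real; the three sample policies, the group and application IDs and the break-glass account IDs are constructed for the example.

```javascript
// Added example (not from the original article or from Microsoft): an offline
// audit of Conditional Access policies exported from Microsoft Graph, flagging
// policies that accept "any MFA" where a phishing-resistant authentication
// strength should be required. Field names follow the Graph
// conditionalAccessPolicy schema; the sample policies and account IDs are
// constructed for illustration.

// Built-in authentication strength IDs in Entra ID.
const STRENGTH = {
  MFA: '00000000-0000-0000-0000-000000000002',
  PASSWORDLESS_MFA: '00000000-0000-0000-0000-000000000003',
  PHISHING_RESISTANT_MFA: '00000000-0000-0000-0000-000000000004',
};

// Classify what one policy actually guarantees against relay and fatigue.
function auditPolicy(policy) {
  const grant = policy.grantControls || {};
  const controls = grant.builtInControls || [];
  const strengthId = grant.authenticationStrength ? grant.authenticationStrength.id : null;
  const findings = [];
  let assurance;

  if (strengthId === STRENGTH.PHISHING_RESISTANT_MFA) {
    assurance = 'phishing-resistant';
  } else if (strengthId === STRENGTH.PASSWORDLESS_MFA) {
    assurance = 'passwordless';
    findings.push('Passwordless strength still admits Authenticator phone sign-in (push).');
  } else if (strengthId === STRENGTH.MFA || controls.includes('mfa')) {
    assurance = 'any-mfa';
    findings.push('Generic MFA accepts SMS, TOTP and push, all of which AiTM proxies can relay.');
  } else {
    assurance = 'none';
    findings.push('Policy does not require MFA.');
  }

  // With operator OR, any other grant control satisfies the policy on its
  // own, so the authentication strength is optional in practice.
  if (strengthId && grant.operator === 'OR' && controls.length > 0) {
    findings.push(`Operator OR lets ${controls.join(', ')} satisfy the policy without the strength.`);
  }

  const enforced = policy.state === 'enabled';
  if (!enforced) findings.push(`State '${policy.state}' means nothing is enforced yet.`);

  const users = (policy.conditions && policy.conditions.users) || {};
  if (!(users.excludeUsers || []).length) {
    findings.push('No break-glass accounts excluded; an authenticator outage could lock admins out.');
  }
  return { displayName: policy.displayName, assurance, enforced, findings };
}

// Returns a copy of a policy rewritten to require phishing-resistant MFA only.
function hardenPolicy(policy) {
  return {
    ...policy,
    grantControls: {
      operator: 'OR',
      builtInControls: [],
      authenticationStrength: { id: STRENGTH.PHISHING_RESISTANT_MFA },
    },
  };
}

// Constructed sample export, shaped like the items returned by
// GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
const SAMPLE_POLICIES = [
  {
    displayName: 'CA001 Require MFA for all users',
    state: 'enabled',
    conditions: { users: { includeUsers: ['All'], excludeUsers: ['break-glass-1'] },
                  applications: { includeApplications: ['All'] } },
    grantControls: { operator: 'OR', builtInControls: ['mfa'] },
  },
  {
    displayName: 'CA010 Admins require phishing-resistant MFA',
    state: 'enabledForReportingButNotEnforced',
    conditions: { users: { includeRoles: ['62e90394-69f5-4237-9190-012177145e10'], // Global Administrator template
                           excludeUsers: ['break-glass-1'] },
                  applications: { includeApplications: ['All'] } },
    grantControls: { operator: 'OR', builtInControls: [],
                     authenticationStrength: { id: STRENGTH.PHISHING_RESISTANT_MFA } },
  },
  {
    displayName: 'CA011 Finance apps: phishing-resistant MFA or compliant device',
    state: 'enabled',
    conditions: { users: { includeGroups: ['finance-group-id'], excludeUsers: [] },
                  applications: { includeApplications: ['finance-app-id'] } },
    grantControls: { operator: 'OR', builtInControls: ['compliantDevice'],
                     authenticationStrength: { id: STRENGTH.PHISHING_RESISTANT_MFA } },
  },
];

// Audit every policy and key the results by display name.
function auditSamplePolicies() {
  return Object.fromEntries(SAMPLE_POLICIES.map((p) => [p.displayName, auditPolicy(p)]));
}
```

To run it against a real tenant, export the policies with `GET /identity/conditionalAccess/policies` (Policy.Read.All) and pass each item in `value` to `auditPolicy`. The two traps it is designed to catch are the ones that look fine in the portal: a policy left in report-only mode after a pilot, and a "require one of the selected controls" policy where a compliant device quietly substitutes for the authentication strength.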
One common blind spot: even excellent sign-in controls can be bypassed if recovery and support workflows are weaker. Threat actors routinely use impersonation to reset MFA, change factors, or redirect recovery, turning the service desk into an identity backdoor. Treat recovery assurance (verification, logging, and segregation of duties) as part of your identity perimeter, and modernise it with stronger identity verification where appropriate.
What this means for your organisation
If your estate still relies primarily on push approvals or one-time codes, assume an attacker who already has a password can often progress, particularly against high-value apps and privileged roles. Focus on which identities and workflows remain defensible under token relay, coercion, and recovery abuse.
You don’t need a single “big bang” migration. A pragmatic path is to start with privileged accounts, administrators, finance and other high-impact roles; then expand by application tier. Standardise on a small number of phishing‑resistant methods (for example, Windows Hello for Business, FIDO2 keys, and passkeys) and design the supporting mechanics early: device eligibility, enrolment and loss processes, break-glass access, and how legacy or non-interactive workloads will be handled.
The organisations that move fastest are treating authentication as an assurance programme, not a configuration state, because attackers are already optimised for the weakest acceptable method.
Conclusion
MFA strategy has shifted from enrolment to assurance. The strongest programmes reduce the attacker’s options by combining phishing-resistant methods with policy that enforces them where it matters most, plus session containment and recovery workflows that are held to the same standard as sign-in.
That is what Zero Trust access looks like in practice.
If you want to sense-check your current Entra approach or pressure-test your recovery and session controls against these attack paths, get in touch and arrange a call with our identity specialists.