If your business has implemented multi-factor authentication (MFA), you have already taken an important step towards securing your accounts. However, not all MFA is created equal. The SMS codes and authenticator app tokens that most businesses rely on today can be intercepted, phished, and relayed by attackers using increasingly accessible toolkits. The next generation of authentication, phishing-resistant MFA, removes the phishable step from the login altogether, and it is rapidly becoming the standard that regulators, insurers, and security frameworks expect.
TL;DR — Key Takeaways
- ✓ SMS codes, TOTP codes and push approvals can all be relayed to an attacker in real time, so none of them stops a convincing phishing page
- ✓ FIDO2/WebAuthn authenticators (hardware security keys and passkeys) are phishing-resistant because the credential is cryptographically bound to the legitimate site's domain
- ✓ Small businesses can move over in phases: audit current MFA, enable passkeys at the identity provider, issue hardware keys to administrators, then enforce phishing-resistant MFA and retire legacy methods
Visual Overview
```mermaid
flowchart LR
A["Login Attempt"] --> B["Server Sends Random Challenge"]
B --> C["Browser Checks Page Domain Matches RP ID"]
C --> D["Authenticator Signs Challenge + Origin"]
D --> E["Server Verifies Signature and Origin"]
E --> F["Secure Access"]
```
This article explains why traditional MFA methods are vulnerable, what makes certain forms of authentication truly phishing-resistant, and how small businesses can begin the transition without disrupting their operations.
Why SMS and TOTP Codes Can Be Phished
To understand the need for phishing-resistant MFA, it helps to understand precisely how attackers defeat the codes most businesses currently rely on. There are several well-established attack methods.
Real-Time Proxy Attacks (Adversary-in-the-Middle)
This is the most common and dangerous technique. The attacker creates a convincing replica of a legitimate login page — your email provider, your accounting software, or your CRM. When an employee visits this fake page (typically via a phishing link) and enters their username and password, the attacker's server instantly relays those credentials to the real login page. When the real service requests an MFA code, the attacker's fake page prompts the victim for their code. The victim enters it, the attacker relays it to the real service in real time, and gains full access — including a valid session token that persists even after the code expires.
Readily available phishing toolkits have made these attacks trivially easy to execute. An attacker with minimal technical skill can deploy a real-time proxy in hours, complete with a valid TLS certificate for the look-alike domain, so the browser shows the padlock and the fake site appears legitimate.
SIM Swapping
For SMS-based MFA specifically, SIM swapping is a persistent threat. Attackers contact the victim's mobile carrier, use social engineering or compromised personal data to convince the carrier to transfer the phone number to a new SIM card, and then receive all SMS messages — including MFA codes — intended for the victim. Despite carrier efforts to prevent this, SIM swapping remains alarmingly common.
MFA Fatigue Attacks
For push-notification-based MFA (where the user taps "Approve" on their phone), attackers who already hold the password repeatedly trigger login attempts, bombarding the user with approval requests until they tap "Approve" out of frustration or confusion. This technique has been used in several high-profile breaches. Number matching (typing a number shown on the login screen into the phone) blunts blind bombardment, but a real-time proxy simply shows the victim the genuine number, so push approval remains phishable.
The fundamental problem with all of these methods is the same: traditional MFA relies on codes or approvals that can be transferred from the legitimate user to an attacker. The code itself has no awareness of whether it is being entered on the real website or a fake one.
What Makes MFA Phishing-Resistant
Phishing-resistant MFA solves this problem through a concept called origin binding. Instead of generating a code that can be typed into any website, the authentication is cryptographically bound to the specific website requesting it. If an attacker creates a fake login page on a look-alike domain, the authentication simply will not work: the browser refuses to use a credential registered for a different domain, and the signed response names the site it was actually produced on, so the genuine service can reject anything relayed from elsewhere.
The key technologies that enable phishing-resistant MFA are:
- FIDO2/WebAuthn — An open standard developed by the FIDO Alliance and the W3C that enables passwordless, phishing-resistant authentication using public-key cryptography.
- Hardware security keys — Physical devices (such as YubiKeys or Google Titan keys) that connect via USB, NFC, or Bluetooth and perform the FIDO2 authentication ceremony.
- Passkeys — A consumer-friendly implementation of FIDO2 that keeps the credential in the secure hardware your phone or laptop already has, eliminating the need for a separate device. A device-bound passkey never leaves that hardware; a synced passkey is additionally backed up across your devices through the platform vendor's end-to-end encrypted sync (iCloud Keychain, Google Password Manager).
All three approaches share the same core principle: the private key is never sent to the website, typed by the user, or shown on screen, and the cryptographic challenge is bound to the legitimate website's domain. There is nothing for an attacker to intercept, replay, or proxy.
How Phishing-Resistant MFA Works Technically
Understanding the technical mechanism helps explain why this approach is so effective. When you register a FIDO2 credential with a website, your authenticator generates a unique public-private key pair scoped to that website's domain (its relying party ID). The private key stays inside the authenticator (or, for a synced passkey, inside the vendor's end-to-end encrypted keychain) and is never disclosed to the website. Only the public key is sent to the website's server.
When you subsequently log in, the following process occurs:
- The website sends a cryptographic challenge — a random string of data — to your browser.
- Your browser checks that the domain the page is asking to authenticate against (the relying party ID) belongs to the page's own origin, records the page's actual origin in the client data, and only then passes the request to your authenticator (hardware key, passkey, or platform authenticator).
- You verify your identity to the authenticator, typically through a biometric (fingerprint or face) or a PIN; when a hardware key is used purely as a second factor, a touch to prove you are present may be enough.
- The authenticator signs the challenge together with the client data (including the origin) using your private key and returns the signed response to the website.
- The website verifies the signature using your stored public key. If the signature is valid, authentication succeeds.
The critical security property is enforced twice. First, in step two, the browser only engages the authenticator if the domain requesting authentication matches the domain the credential was registered for; a phishing page on a different domain never even gets a prompt. Second, in step five, the origin the browser recorded is covered by the signature, so the genuine service can tell that a response was produced on another site and reject it even if an attacker proxies it across in real time. And without the private key, which never leaves your authenticator, the attacker cannot forge a valid signature for any challenge.
This is fundamentally different from typing a six-digit code into a text field, where neither the code nor the browser has any awareness of whether the site is legitimate.
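To make those two checks concrete, here is an added worked example (not code from the original article or from any FIDO vendor) in Go that plays all three parties in miniature. The authenticator signs SHA-256(authenticatorData || SHA-256(clientDataJSON)) with a P-256 key, which is what WebAuthn specifies; the login function enforces the browser's RP ID scoping rule; the relying party checks challenge, origin, rpIdHash and signature in that order. Everything named is constructed for the demo: the domains accounts.example.com and the look-alike accounts-example.com, and the package-level `priv` key standing in for the key sealed inside a user's authenticator. Attestation, signature-counter tracking, the user-verification flag and public-suffix handling are deliberately left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// clientData: the WebAuthn clientDataJSON fields used here. The browser, not the page's script, fills in Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte } // what the relying party gets back

// relyingParty is the server: its registration record plus the one-time challenge issued for the current login.
type relyingParty struct {
	ID, ExpectedOrigin, IssuedChallenge string
	PubKey                              *ecdsa.PublicKey
}

var priv, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed stand-in for the key sealed inside the user's authenticator

// rpIDAllowedFor is the browser's scoping rule: the page's host must equal the RP ID or be a subdomain of it (public-suffix handling omitted).
func rpIDAllowedFor(pageOrigin, rpID string) bool {
	h := strings.TrimPrefix(pageOrigin, "https://")
	return h == rpID || strings.HasSuffix(h, "."+rpID)
}

// signedMessage is what a FIDO2 authenticator signs: SHA-256(authenticatorData || SHA-256(clientDataJSON)).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// authenticatorSign builds authenticatorData for rpID and signs it with client data naming the origin the browser was really on.
func authenticatorSign(rpID, pageOrigin, challenge string) (assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (user present) || signCount
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cd))
	return assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// verify is the relying-party side: challenge, origin and rpIdHash are checked before the signature, so a genuinely signed but relayed assertion still fails.
func (rp *relyingParty) verify(a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != rp.IssuedChallenge {
		return errors.New("malformed client data, wrong ceremony type, or stale/replayed challenge")
	}
	if cd.Origin != rp.ExpectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rp.ExpectedOrigin)
	}
	want := sha256.Sum256([]byte(rp.ID))
	if len(a.AuthenticatorData) < 37 || string(a.AuthenticatorData[:32]) != string(want[:]) {
		return errors.New("rpIdHash mismatch: credential scoped to a different RP ID")
	}
	if !ecdsa.VerifyASN1(rp.PubKey, signedMessage(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify against the registered public key")
	}
	return nil
}

// login runs one ceremony from a page at pageOrigin that asks for rpID: browser scoping check, authenticator signature, server verification.
func (rp *relyingParty) login(pageOrigin, rpID string) error {
	b := make([]byte, 32)
	rand.Read(b) // fresh one-time challenge; crypto/rand.Read does not fail on supported platforms
	rp.IssuedChallenge = base64.RawURLEncoding.EncodeToString(b)
	if !rpIDAllowedFor(pageOrigin, rpID) { // navigator.credentials.get() stops here, before any prompt
		return fmt.Errorf("browser refused: origin %q may not use RP ID %q", pageOrigin, rpID)
	}
	a, err := authenticatorSign(rpID, pageOrigin, rp.IssuedChallenge)
	if err != nil {
		return err
	}
	return rp.verify(a)
}

// runScenarios: a genuine login; an AitM look-alike page asking for the real RP ID; and a look-alike page using its own RP ID whose assertion is forwarded to the real RP.
func runScenarios() (genuine, browserBlocked, proxyRejected error) {
	rp := &relyingParty{ID: "accounts.example.com", ExpectedOrigin: "https://accounts.example.com", PubKey: &priv.PublicKey}
	genuine = rp.login("https://accounts.example.com", rp.ID)
	browserBlocked = rp.login("https://accounts-example.com", rp.ID)
	// In reality the authenticator holds no credential for the attacker's RP ID; we let it sign with the same key to show the server rejects it anyway.
	proxyRejected = rp.login("https://accounts-example.com", "accounts-example.com")
	return
}

func main() { fmt.Println(runScenarios()) }
```

Running it prints `<nil>` for the genuine login and two errors for the phishing cases. Note the order of checks in `verify`: the origin check fires before any signature maths, which is why a proxied assertion is rejected even though its signature is perfectly genuine, and why the attacker cannot fix it by editing the origin field, since that field is under the signature.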
The Passkey Revolution
Hardware security keys have provided phishing-resistant authentication for years, but their adoption has been limited by cost and usability concerns. Passkeys are changing this equation dramatically.
Passkeys use the same FIDO2 cryptographic foundation as hardware keys but live in the secure hardware your phone or laptop already has, the same protected area that safeguards your biometric data. On Apple devices, passkeys synchronise across all your devices via iCloud Keychain. On Android, they synchronise via Google Password Manager. Windows devices support passkeys through Windows Hello. Synchronisation is end-to-end encrypted, but it does make the account that controls the sync (the Apple ID or Google account, and its recovery options) part of your security boundary, so protect those accounts with the same care.
For small businesses, passkeys offer several compelling advantages over hardware keys:
- No additional hardware cost — Employees use the devices they already have.
- Familiar user experience — Logging in with a fingerprint or face scan is easier than typing a password plus a code.
- No codes to phish — The same origin-binding protection as hardware keys.
- Synchronisation — Losing a single device does not mean losing access, as credentials synchronise across the user's device ecosystem.
- Growing platform support — Major services including Microsoft 365, Google Workspace, and many cloud applications now support passkey authentication.
The transition from traditional passwords to passkeys represents the most significant shift in authentication in decades. For businesses that have struggled with credential stuffing attacks and password reuse, passkeys remove those risks for every account where the password is actually retired rather than kept as a fallback login method.
Implementation Strategies for SMBs
Transitioning to phishing-resistant MFA does not need to happen overnight. A phased approach allows your business to build familiarity and confidence whilst maintaining security throughout the process.
Phase 1: Audit Your Current MFA
Start by cataloguing which accounts and services currently use MFA, and what type. Identify your highest-value accounts — email, financial systems, and administrative consoles — as these should be prioritised for phishing-resistant MFA.
Phase 2: Enable Passkeys Where Available
Many services your business already uses support passkeys. Begin enabling passkey authentication for critical services, starting with your identity provider (Microsoft Entra ID, Google Workspace, or Okta). Once the identity provider supports phishing-resistant MFA, all applications that authenticate through it inherit the protection.
Phase 3: Deploy Hardware Keys for High-Value Accounts
For your most sensitive accounts — domain administrators, financial system administrators, and anyone with access to critical infrastructure — consider issuing hardware security keys as a dedicated second factor. Keys cost between twenty and fifty pounds each and provide the highest assurance level available.
Phase 4: Set Policies to Require Phishing-Resistant MFA
Once your team is comfortable with the new authentication methods, configure your identity provider to require phishing-resistant MFA for sensitive operations. Many platforms allow you to enforce this through conditional access policies (Microsoft Entra ID calls the requirement an authentication strength), requiring hardware keys or passkeys for administrative actions whilst allowing less sensitive operations with standard MFA.
Phase 5: Phase Out Legacy MFA
As adoption matures, progressively reduce reliance on SMS codes and TOTP tokens. Rather than removing them entirely at once (which can cause access issues), move them to a fallback role whilst making phishing-resistant methods the default. Bear in mind that an attacker will simply pick the weakest method still enabled on an account, so a phishable fallback leaves the account phishable; restrict fallbacks to a documented recovery process for the accounts you have protected, and remove them once everyone has a backup authenticator enrolled.
Addressing Common Concerns
Small business owners and IT managers often raise legitimate concerns about phishing-resistant MFA. Here are the most common ones addressed directly.
What if an employee loses their hardware key? This is why you should issue two keys per user and register both. Store the backup key in a secure location. With synced passkeys, device loss is less critical because credentials synchronise across the user's devices; device-bound passkeys, like hardware keys, need a registered backup.
What about services that do not support FIDO2? Not all services support phishing-resistant MFA yet. For these, continue using the best available option (authenticator apps over SMS). Prioritise phishing-resistant MFA for your identity provider, as this protects all applications that authenticate through it.
Is this too complex for non-technical employees? Passkeys are actually simpler than traditional MFA. Instead of finding a code in an app and typing it before it expires, users simply touch a fingerprint sensor or glance at their phone. In usability testing, passkeys consistently outperform passwords and traditional MFA.
What does this cost? Passkeys are free — they use hardware your employees already own. Hardware security keys are a one-time cost of twenty to fifty pounds per key. Compared to the cost of a single successful phishing attack, the investment is minimal.
The Path Forward
The trajectory of authentication is clear: phishing-resistant MFA is becoming the baseline expectation. Cyber insurance providers are increasingly asking about MFA quality, not just whether it is enabled. NIST SP 800-63B already requires phishing-resistant authentication at its highest assurance level, and frameworks such as the UK's Cyber Essentials programme are moving in the same direction for sensitive systems.
For small businesses, the window to adopt these technologies proactively — before a breach forces the issue — is now. The tools are mature, the cost is manageable, and the user experience is often better than what your employees deal with today. By making the transition to phishing-resistant MFA, you are not just checking a compliance box; you are eliminating one of the most exploited attack vectors in cybersecurity.