
Phishing-resistant MFA: FIDO2, passkeys and what's coming next

SMS codes and push notifications are no longer enough MFA for serious cyber insurance or customer review programs. The move to FIDO2 security keys and passkeys is underway. Here's how it works and what to deploy.

Atticus Rowan

A question showing up on 2026 cyber insurance renewal questionnaires: “Is the MFA phishing-resistant?” Firms that answer “we have Microsoft Authenticator push notifications for everyone” are landing in the middle of the MFA quality spectrum: solid, but increasingly not what underwriters want to see. The distinction between “MFA” and “phishing-resistant MFA” is one of the fastest-moving parts of the cyber insurance and customer-security-review landscape right now.

Understanding the distinction, and knowing what to deploy today versus what to plan for in the next 12-24 months, is worth a focused hour.

The MFA spectrum

Multi-factor authentication is not a binary property. It exists on a spectrum that reflects how well it actually stops attackers:

Weakest: SMS codes. A one-time code sent to a phone number. Vulnerable to SIM-swap attacks, intercepted SMS messages and straightforward social engineering. NIST has recommended against SMS for high-value authentication since 2017; cyber insurance carriers are catching up.

Better: TOTP apps. Time-based one-time passwords generated by an app like Google Authenticator, Microsoft Authenticator (in code mode), Authy, or 1Password’s built-in TOTP. Not vulnerable to SMS interception. Still vulnerable to real-time phishing (adversary-in-the-middle attacks that harvest the code before it expires).

Better still: push notifications. Microsoft Authenticator push, Duo Push, Okta Verify. More user-friendly than TOTP. Vulnerable to “MFA fatigue” attacks (the attacker triggers many push requests until the user approves one), though number-matching features in current versions reduce this significantly.

Phishing-resistant: FIDO2 / WebAuthn. Hardware security keys (YubiKey, Google Titan, Feitian) and passkeys. Cryptographically bound to the specific domain requesting authentication. A phishing site cannot capture the credential because the cryptographic challenge is scoped to the legitimate domain.

The bottom of the spectrum (SMS) is actively being phased out of serious cybersecurity programs. The top (FIDO2) is what “phishing-resistant MFA” actually means in current cyber insurance and customer-review questionnaires.

How FIDO2 actually works

FIDO2 authentication uses public-key cryptography. When a user registers a security key or passkey with a service, the authenticator generates a key pair. The public key goes to the service; the private key stays on the authenticator. Authentication works like this:

  1. User attempts to log in to a service.
  2. Service sends a cryptographic challenge to the browser.
  3. Browser asks the authenticator to sign the challenge with the private key for this specific service’s domain.
  4. Authenticator signs. User confirms with biometric, PIN or physical touch.
  5. Browser sends the signed challenge back. Service verifies.

The critical property: the authenticator will only sign for the domain that originally registered the credential. If a user clicks a phishing link and lands on microsott.com, the authenticator refuses to sign because the domain does not match the registered credential for microsoft.com. The attacker cannot proxy the authentication challenge through their phishing site either: the cryptographic binding to the domain is enforced by the browser.

This is why FIDO2 is described as phishing-resistant. It is not that users are less likely to fall for phishing; it is that the authentication mechanism itself cannot be phished.
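To make the domain binding concrete, here is an added example, written for this post rather than taken from any FIDO2 library or browser, that simulates the exchange above in Go: a toy authenticator holding one P-256 key per relying-party ID, a relying party that issues a random challenge and checks the signed response, and three login attempts (the real site, a look-alike domain, and a relayed challenge presented from the look-alike origin). The domain names example.com and examp1e.com, the origin https://login.example.com, and every function and type name are constructed for the illustration; authenticatorData is reduced to just its rpIdHash field and attestation is omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Authenticator maps a relying-party ID (rpID) to the private key registered for
// it; that key never leaves. Constructed toy, not a real FIDO2/CTAP implementation.
type Authenticator map[string]*ecdsa.PrivateKey

// signedMessage is what WebAuthn signs: authData || sha256(clientDataJSON), with
// authData reduced here to its first field, the rpIdHash = sha256(rpID).
func signedMessage(rpIDHash, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, rpIDHash...), cdHash[:]...))
	return h[:]
}

// Sign is the authenticator's half of navigator.credentials.get(): it signs only
// with a credential registered for exactly this rpID and refuses otherwise.
func (a Authenticator) Sign(rpID string, clientDataJSON []byte) (rpIDHash, sig []byte, err error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("authenticator: no credential for rpID %q", rpID)
	}
	h := sha256.Sum256([]byte(rpID))
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(h[:], clientDataJSON))
	return h[:], sig, err
}

// RelyingParty is the service: its rpID, the exact origin it serves logins from,
// and the public key the user registered.
type RelyingParty struct {
	RPID, Origin string
	Pub          *ecdsa.PublicKey
}

// Verify is the server side: challenge freshness, origin, rpIdHash, then the
// signature. Any failure denies the login.
func (rp *RelyingParty) Verify(challenge string, rpIDHash, clientDataJSON, sig []byte) error {
	var cd map[string]string
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd["challenge"] != challenge {
		return errors.New("server: challenge mismatch (stale or replayed)")
	}
	if cd["origin"] != rp.Origin {
		return fmt.Errorf("server: origin %q is not %q", cd["origin"], rp.Origin)
	}
	if want := sha256.Sum256([]byte(rp.RPID)); string(rpIDHash) != string(want[:]) {
		return errors.New("server: rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(rp.Pub, signedMessage(rpIDHash, clientDataJSON), sig) {
		return errors.New("server: bad signature")
	}
	return nil
}

// attempt is one login: fresh random challenge from the server, clientDataJSON
// built with the given origin, authenticator asked to sign for rpID, server
// verifies. A real browser derives origin and rpID from the page the user is
// actually on; scenario 3 below deliberately decouples them.
func attempt(rp *RelyingParty, auth Authenticator, origin, rpID string) error {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	ch := fmt.Sprintf("%x", raw)
	cd, _ := json.Marshal(map[string]string{"challenge": ch, "origin": origin}) // cannot fail
	rpIDHash, sig, err := auth.Sign(rpID, cd)
	if err != nil {
		return err
	}
	return rp.Verify(ch, rpIDHash, cd, sig)
}

// Scenarios registers one credential for example.com, then returns the outcome
// of three logins; only the first should succeed (nil error).
func Scenarios() (legit, lookalike, relayed error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration
	if err != nil {
		return err, err, err
	}
	auth := Authenticator{"example.com": priv} // credential bound to this rpID
	rp := &RelyingParty{RPID: "example.com", Origin: "https://login.example.com", Pub: &priv.PublicKey}
	// 1. Real site: the browser derived rpID from the real origin; all checks pass.
	legit = attempt(rp, auth, rp.Origin, rp.RPID)
	// 2. Look-alike domain (constructed): no credential exists for "examp1e.com",
	//    so the authenticator refuses and the phishing page has nothing to harvest.
	lookalike = attempt(rp, auth, "https://login.examp1e.com", "examp1e.com")
	// 3. Real challenge relayed via the look-alike with the rpID check skipped: the
	//    signature is valid, but the signed clientDataJSON names the phishing origin.
	relayed = attempt(rp, auth, "https://login.examp1e.com", rp.RPID)
	return legit, lookalike, relayed
}

func main() {
	l, k, r := Scenarios()
	fmt.Println("real site:", l, "\nlook-alike:", k, "\nrelayed:", r)
}
```

Running it prints three outcomes: nil for the real site, an authenticator refusal for the look-alike, and a server-side origin rejection for the relayed challenge. The third case is why a relying party must check the origin inside the signed clientDataJSON rather than trusting the signature alone: even if some client skipped the browser's rpID derivation, the origin the user was actually on is bound into what was signed, so the server still refuses.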

Hardware keys vs. passkeys

Two physical forms of FIDO2 are in play:

Hardware security keys: YubiKey, Google Titan, Feitian. USB or NFC devices that the user plugs in or taps. Device-bound credentials; the private key never leaves the device. Typical enterprise pricing is $20-60 per key. The traditional high-assurance form factor.

Passkeys: the same FIDO2 protocol, but with credentials synced through a platform keychain (Apple iCloud Keychain, Google Password Manager, Microsoft Accounts) or stored in a password manager (1Password, Bitwarden, Dashlane all support passkey storage). User experience is dramatically better: face or fingerprint unlock rather than reaching for a physical key. Security is slightly different: the private key exists in a cloud-synced vault rather than strictly on one device.

For cybersecurity-sensitive roles (administrators, finance personnel, executives) we recommend hardware security keys as the primary factor. For broad organizational rollout, passkeys have made the user-experience calculation much better over the last 18 months and the security properties are sufficient for the vast majority of users.

What cyber insurance and customer reviews expect

As of 2026, the underwriter and customer-review landscape divides MFA into three rough buckets:

  • Unacceptable: SMS-only MFA, or no MFA on administrative or remote-access accounts.
  • Baseline: TOTP or push MFA with number-matching, applied to all accounts.
  • Preferred / phishing-resistant: FIDO2 security keys or passkeys, at minimum for privileged accounts, increasingly expected across all users.

A firm with baseline MFA on all accounts is acceptable for most cyber insurance applications today. A firm with phishing-resistant MFA on privileged accounts and plans to expand it organization-wide is ahead of the curve and typically earns better pricing. A firm still running SMS-only MFA is getting declined or priced punitively.

Deployment realities for a mid-market firm

A 40-person firm deploying phishing-resistant MFA for the first time typically follows this arc:

Month 1: privileged accounts first. Issue hardware security keys to every user with administrative access, remote access or privileged permissions. This is usually 5-15 keys in a firm this size. Configure the identity provider (Entra ID, Okta, Google Workspace) to require FIDO2 for these accounts and to deny lower-assurance methods. Register the keys and run a documented rollover.

Month 2: passkey rollout for general users. Pilot passkey enrollment with a small group. Iterate on the user-experience friction points. Roll out to the full organization with clear documentation and a support cadence.

Month 3: tighten and harden. Disable SMS MFA organization-wide. Disable legacy authentication methods. Document the authentication policy. Update the offboarding procedure to revoke FIDO2 credentials when employees leave.

Ongoing: backup authenticators for every privileged user (in case a primary key is lost), documented recovery procedures, and an annual review of privileged access and the associated MFA posture.

The time cost is real. The tool cost is modest. The security improvement is substantial: FIDO2 essentially eliminates the credential-phishing attack class that accounts for a large share of ransomware precursors.

What’s coming

Passkey adoption is accelerating. Apple, Google, and Microsoft have all shipped first-party passkey implementations in the last 18 months and the major password managers have matched. For most mid-market firms, the practical question has moved from “should we deploy phishing-resistant MFA” to “how quickly can we phase out push and SMS.” Insurers and customers are moving faster than many IT teams realize.

If your organization is evaluating phishing-resistant MFA for a cyber insurance renewal, a customer security review or as part of a general cybersecurity baseline update, schedule a discovery call. We can scope the deployment and help sequence it against the rest of your compliance calendar.