MFA isn't enough: why you need phishing-resistant MFA
24 June 2026 · 6 min read
You've turned on two-factor login and you feel secure. That's a good move — but it's not the end of the story. Most MFA methods companies use will stop an amateur and only mildly inconvenience a professional. The difference between "we have MFA" and "we have phishing-resistant MFA" is the difference between an attack getting through or not.
Why classic MFA falls to phishing
The problem isn't the idea of a second factor, it's that the code can be relayed. An attacker sets up a fake login page, you enter your password and code, and they forward both to the real service in real time and log in as you. Every method where a human copies or approves something is vulnerable:
- SMS code — the weakest; also exposed to number hijacking (SIM swap).
- App-generated code (TOTP) — better than SMS, but can still be phished out of you.
- Push "approve login" — vulnerable to fatigue, where fake requests pile up until someone taps "approve."
All of these share the same weakness: they don't verify where you're actually logging in.
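The push-fatigue pattern above leaves a trace in the identity provider's logs: a run of denied or expired prompts for one user, followed by an approval. The following is an added example, not code from the article or from any MFA product, that scans constructed log lines (the format and field names are assumptions) with a sliding window and flags the burst, and flags the approval that follows it as the event to investigate.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <user> <push result>". The format and the
# result names push_denied / push_timeout / push_approved are assumptions for this
# example, not the output of any real product.
SAMPLE_LOG = """\
2026-06-24T08:01:10Z alice push_approved
2026-06-24T22:14:02Z bob push_denied
2026-06-24T22:14:40Z bob push_denied
2026-06-24T22:15:15Z bob push_timeout
2026-06-24T22:16:03Z bob push_denied
2026-06-24T22:17:30Z bob push_approved
2026-06-24T09:30:00Z carol push_denied
2026-06-24T15:45:00Z carol push_approved
"""

WINDOW = timedelta(minutes=10)  # how close together prompts must be to count as one burst
THRESHOLD = 3                   # rejected/expired prompts inside WINDOW that make a burst


def parse_line(line: str):
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_push_fatigue(log_text: str):
    """Return alerts as (severity, user, timestamp, reason) tuples.

    A burst of rejected or expired prompts for one user is 'suspicious' (someone is
    sending prompts the user did not start). An approval that follows such a burst
    is 'critical': that is the moment the user gave in and the account should be
    treated as compromised until checked.
    """
    events = sorted(
        (parse_line(l) for l in log_text.splitlines() if l.strip()),
        key=lambda e: e[0],
    )
    recent = defaultdict(deque)   # per user: timestamps of rejected/expired prompts in WINDOW
    burst_flagged = set()         # users already alerted for the current burst
    alerts = []
    window_min = int(WINDOW.total_seconds() // 60)

    for ts, user, result in events:
        q = recent[user]
        while q and ts - q[0] > WINDOW:   # drop prompts that fell out of the window
            q.popleft()
        if result in ("push_denied", "push_timeout"):
            q.append(ts)
            if len(q) >= THRESHOLD and user not in burst_flagged:
                alerts.append(("suspicious", user, ts,
                               f"{len(q)} rejected/expired prompts within {window_min} min"))
                burst_flagged.add(user)
        elif result == "push_approved":
            if len(q) >= THRESHOLD:
                alerts.append(("critical", user, ts,
                               "approval after a burst of rejected prompts"))
            q.clear()                     # an approval ends the current burst either way
            burst_flagged.discard(user)
    return alerts


if __name__ == "__main__":
    for severity, user, ts, reason in detect_push_fatigue(SAMPLE_LOG):
        print(f"{severity:10s} {user:6s} {ts.isoformat()} {reason}")
```

Carol's single denied prompt in the morning and her approval six hours later are normal noise and produce nothing; Bob's four prompts in three minutes produce one `suspicious` alert, and his approval at the end produces the `critical` one.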
What "phishing-resistant" means
Phishing-resistant MFA binds the login to a specific website address and to a device. If the address isn't genuine, the login simply doesn't work — there's no code a user can hand to an attacker by mistake. Two technologies dominate:
- FIDO2 / security keys — a physical USB/NFC key that cryptographically confirms both your identity and the exact site.
- Passkeys — the same principle, built into your phone or computer, with no separate key.
The point is that the secret never leaves the device and is tied to the real address. A fake page has nothing to steal.
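To make the binding concrete, here is an added example (not code from the article or from any FIDO2 library) of the checks a WebAuthn relying party runs before accepting a login: the browser writes the origin it actually loaded into `clientDataJSON`, the authenticator puts a hash of the site's RP ID into `authenticatorData`, and the signature covers both. The RP ID, origins and the look-alike domain are constructed values. One assumption to note: real authenticators sign with an asymmetric key such as ECDSA P-256; here an HMAC stands in so the example runs with the standard library alone. What is signed, and why a fake page cannot reuse it, is the same.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed values: the real service's RP ID and the exact origin of its login page.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Browser side: clientDataJSON records the origin the browser really loaded.
    The page's script cannot override this field."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def authenticator_sign(device_secret: bytes, rp_id_seen: str, client_data: bytes):
    """Authenticator side (model). Signs authenticatorData || SHA-256(clientDataJSON).
    HMAC stands in for the asymmetric signature a real key or passkey produces;
    the layout of authenticatorData (rpIdHash, flags, signCount) follows WebAuthn."""
    flags = b"\x01"                       # UP bit: user presence confirmed
    sign_count = (1).to_bytes(4, "big")
    auth_data = rp_id_hash(rp_id_seen) + flags + sign_count
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(device_secret, signed, hashlib.sha256).digest()


def verify_assertion(device_secret: bytes, expected_challenge: bytes,
                     client_data: bytes, auth_data: bytes, sig: bytes):
    """Relying party side: every check must pass before the login is accepted."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash mismatch: credential scoped to another domain"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(client_data).digest()
    expected_sig = hmac.new(device_secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, sig):
        return False, "signature invalid"
    return True, "accepted"


def run_scenarios():
    device_secret = os.urandom(32)   # stands in for the credential's key pair
    challenge = os.urandom(32)       # issued by the server for this one login
    results = {}

    # 1. Genuine login: real origin in clientDataJSON, real RP ID in authenticatorData.
    cd = build_client_data(EXPECTED_ORIGIN, challenge)
    ad, sig = authenticator_sign(device_secret, RP_ID, cd)
    results["genuine"] = verify_assertion(device_secret, challenge, cd, ad, sig)

    # 2. A look-alike page relays the server's challenge. The browser records the
    #    look-alike origin and the credential is scoped to that domain, so the
    #    relayed assertion is rejected at the server.
    fake_origin = "https://login.examp1e.com"
    cd_fake = build_client_data(fake_origin, challenge)
    ad, sig = authenticator_sign(device_secret, "examp1e.com", cd_fake)
    results["relayed_from_lookalike"] = verify_assertion(device_secret, challenge, cd_fake, ad, sig)

    # 3. Even if the rpIdHash were somehow correct, rewriting clientDataJSON to claim
    #    the real origin breaks the signature, because its hash is part of the signed data.
    ad, sig = authenticator_sign(device_secret, RP_ID, cd_fake)
    tampered = build_client_data(EXPECTED_ORIGIN, challenge)
    results["tampered_client_data"] = verify_assertion(device_secret, challenge, tampered, ad, sig)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:24s} {'OK ' if ok else 'REJECTED'} {reason}")
```

Contrast this with a TOTP code: the six digits carry no information about where they were typed, so a server cannot tell a relayed code from a genuine one. Here the origin and the RP ID are inside the signed data, which is exactly what the article means by the login being bound to the address.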
Where to start without paralyzing the company
You don't have to do everything at once. The order that gives the most protection per effort:
- Admins and privileged accounts first — they're target number one.
- Then leadership and finance — access to money and sensitive data.
- Then the rest of the company, gradually.
For accounts that haven't moved to keys yet, at least remove SMS as a method and switch to an app or push with extra confirmation (a number you must type, not just "approve").
Technology isn't the whole story
Even the strongest MFA doesn't help if the processes are loose:
- Define what happens when an employee loses a key or phone — without a "quick" workaround an attacker can abuse.
- Keep a backup login method (a spare key or code) somewhere safe, so losing a device doesn't lock the account.
- Train people to recognize push fatigue — the rule is simple: if you didn't start the login, never approve it.
What this means for a small business
Security keys and passkeys are no longer reserved for large enterprises. The cost is modest compared with a single successful account takeover, and setup for a small team is a matter of days, not months. The realistic goal isn't "100% right now," but: critical accounts on phishing-resistant MFA, SMS removed everywhere, and a clear plan for a lost device.
The MFA you have is better than nothing. But if your account holds money, client data or access to the whole system, the question isn't "do we have MFA" — it's "would our MFA survive a well-built fake login." For most companies the answer today is "no," and that's exactly what needs fixing.