Phish-Resistant Authentication
Phish-resistant authentication is one of the most effective ways to prevent Adversary-in-the-Middle (AiTM) attacks. This page explains what phish-resistant authentication is, which methods qualify, and how these methods protect accounts even when attackers attempt to intercept login sessions.
What Is Phish-Resistant Authentication?
Phish-resistant authentication refers to sign-in methods that cannot be intercepted or replayed by phishing sites or AiTM infrastructure.
Unlike traditional MFA methods—such as SMS codes, app notifications, or TOTP codes—phish-resistant methods do not rely on the user typing in or approving anything that an attacker can intercept.
These methods use strong cryptographic protections that tie the login process to:
The user
A trusted device
The legitimate, real domain
If the login attempt happens through a fake or malicious site, the authentication request fails automatically.
Why Phish-Resistant MFA Matters for AiTM
AiTM attacks work by placing an attacker’s server between the user and the real login page. This allows the attacker to:
Steal passwords
Intercept MFA prompts
Capture session tokens
Replay sessions to bypass MFA entirely
Phish-resistant authentication stops this because:
It won’t authenticate on a fake website
Authentication requires cryptographic verification that cannot be relayed or proxied
Even if the user is completely fooled and interacts with a phishing page, the attacker cannot complete the authentication on their side.
Phish-Resistant Authentication Methods
Microsoft supports four primary phish-resistant authentication options:
1. FIDO2 Security Keys
Hardware keys (such as YubiKeys) that use strong cryptographic authentication and cannot be phished or intercepted.
Considerations:
Requires purchasing hardware tokens
2. Passkeys
Passkeys are cryptographic credentials stored on devices or cloud accounts that replace passwords. They work seamlessly across devices and platforms, providing strong phishing-resistant authentication without requiring the user to type a password.
Considerations:
3. Certificate-Based Authentication (CBA)
Authentication using certificates installed on trusted devices. Only devices with the proper certificate can authenticate, preventing attackers from using stolen credentials or session tokens.
Considerations:
Requires setting up and maintaining a Certificate Authority
Requires a method for deploying certificates to devices
4. Windows Hello for Business
A device-based authentication method that uses biometrics (like facial recognition or fingerprints) or PINs tied to the device. While not fully phish-resistant in all scenarios, it adds a strong layer of protection against password-based phishing.
Considerations:
Only supports Windows devices
How These Methods Prevent AiTM
Phish-resistant MFA prevents AiTM attacks because:
Authentication must happen on the real domain, not a fake one.
Private keys never leave the device, so they cannot be stolen.
Attackers cannot relay the authentication exchange.
Combined, these controls make it extremely difficult for attackers to hijack login sessions—even if users fall for phishing attempts.