Phishing-Resistant MFA: Why Passkeys Are the Next Step
Multi-factor authentication has been a game-changer, and it remains one of the most effective measures to protect access to corporate systems and data. That hasn’t changed. What has changed is what attackers can do to get around it.
Over the past two years, a technique known as adversary-in-the-middle (AiTM) has become one of the top threats to authentication systems. The mechanism is simpler than it sounds. An employee receives an email that appears to be a legitimate Microsoft 365 notification. They click the link and land on what appears to be the real sign-in page. They enter their username and password. They get the MFA push on their phone and approve it. Everything looks normal. But between their browser and Microsoft, there was a proxy controlled by the attacker, capturing the session cookie in real time. With that cookie, the attacker accesses the account as if they were the legitimate user, without needing to authenticate again.
These are not theoretical or fringe attacks. The Canadian Centre for Cyber Security documented over 100 AiTM campaigns targeting Microsoft Entra ID accounts between 2023 and early 2025. According to data published by Cisco Talos, half of their incident responses in 2024 involved MFA bypass techniques. And what once required advanced technical skill is now available to anyone: platforms like EvilProxy and Tycoon 2FA offer these attacks as a service (Phishing-as-a-Service), with campaigns detected by Proofpoint hitting thousands of organizations in April 2025 alone.
This doesn’t mean MFA has stopped working. It means not all MFA offers the same level of protection.
What Makes Phishing-Resistant MFA Different
The most widely used MFA methods (push notifications, OTP codes, SMS) do their job: they add a verification layer that stops the vast majority of attacks based on stolen credentials. But they share a limitation: they rely on the user entering or approving something on a site that may not be legitimate. If the attacker replicates that step through an AiTM proxy, the verification is completed just the same.
Phishing-resistant MFA removes that dependency. Instead of transmitting a code or approval that can be intercepted, it uses public-key cryptography bound to the real service domain. Authentication happens directly between the user’s device and the legitimate service. If there’s a proxy in between, the cryptographic verification fails, and access is denied.
Passkeys are the most accessible implementation of this model. Built on the FIDO2/WebAuthn standard, they work with device biometrics (Face ID, Touch ID, Windows Hello) or a PIN, and the private key never leaves the user’s device. There’s no password to steal, no code to intercept, and the authentication is cryptographically bound to the real domain.
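To make the domain binding described above concrete, here is an added example (not code from the original post or from WatchGuard) of the checks a relying party performs on a WebAuthn assertion before it even looks at the signature. The browser writes the origin the user is actually on into clientDataJSON, and the authenticator hashes the relying-party ID into authenticatorData, so an assertion collected on a proxy domain cannot be accepted by the legitimate service. The hostnames, challenge and flag values are constructed for the demonstration; in a real deployment the browser would already refuse to produce an assertion for an rpId that does not match the page origin, so the server-side check is a second line of defence.

```python
"""Added example: relying-party-side WebAuthn assertion checks (origin, challenge, rpIdHash).

All hostnames and sample values are constructed; this is not WatchGuard's or any
library's code. Signature verification is deliberately left out because the point
is the domain binding that defeats an adversary-in-the-middle proxy.
"""
import base64
import hashlib
import json
import secrets


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for the challenge field."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_origin: str, expected_rp_id: str,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Check type, challenge, origin and rpIdHash of an assertion.

    In the WebAuthn verification procedure these steps precede verifying the
    signature over authenticatorData || SHA-256(clientDataJSON).
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    challenge = b64url_decode(client_data.get("challenge", ""))
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch (replayed or unrelated assertion)"
    # The browser, not the page, fills in the origin: a proxy cannot spoof it.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: assertion was made on {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    rp_id_hash = authenticator_data[:32]
    if not secrets.compare_digest(rp_id_hash, hashlib.sha256(expected_rp_id.encode()).digest()):
        return False, "rpIdHash mismatch: credential is scoped to a different relying party"
    flags = authenticator_data[32]
    if not flags & 0x01:  # UP (user present) bit
        return False, "user presence flag not set"
    return True, "origin, challenge and rpId are bound to the legitimate service"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Simulate the clientDataJSON a browser builds for the origin the user is really on."""
    payload = {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    return json.dumps(payload).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, sign_count: int = 1) -> bytes:
    """Simulate authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


# Constructed scenario: legitimate service vs. a lookalike proxy domain.
RP_ID = "login.example.com"
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.evil.example"


def demo() -> dict:
    challenge = secrets.token_bytes(32)  # issued by the legitimate service per login
    legit_ok, _ = verify_assertion_binding(
        make_client_data(RP_ORIGIN, challenge), make_authenticator_data(RP_ID),
        RP_ORIGIN, RP_ID, challenge)
    # The proxy relays the genuine challenge, but the browser records the proxy's
    # origin and the authenticator scopes the credential to the proxy's domain.
    proxied_ok, reason = verify_assertion_binding(
        make_client_data(PHISH_ORIGIN, challenge),
        make_authenticator_data("login-example.com.evil.example"),
        RP_ORIGIN, RP_ID, challenge)
    return {"legit": legit_ok, "proxied": proxied_ok, "proxied_reason": reason}


if __name__ == "__main__":
    print(demo())
```

Compare this with a one-time code: nothing in an OTP says which site it was typed into, so a proxy can forward it unchanged. Here the site identity is part of what gets verified, which is the property the post calls "cryptographically bound to the real domain".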
How Passkeys and Traditional MFA Work Together
Let’s be clear: passkeys don’t replace traditional MFA or make it unnecessary. Both have a role in a well-designed security strategy.
Push-based, OTP, or app-based MFA remains effective for the vast majority of scenarios, and it’s far superior to relying on passwords alone. For many organizations, deploying MFA across all their services is already a significant step forward, and it should be the priority if they haven’t done it yet.
Passkeys add an extra layer for higher-risk scenarios: accounts with admin privileges, remote access to critical systems, and cloud applications that handle sensitive data. The goal isn’t to replace everything at once, but to strengthen protection where it matters most and expand from there.
In practice, an MSP can combine both naturally: push-based MFA as the standard method for general user access, and passkeys for admin accounts, Microsoft 365 access with elevated privileges, or applications handling financial or customer data. This reinforces protection where a breach would cause the most damage, without adding unnecessary friction for the rest of the users.
There’s also an advantage that often gets overlooked: the user experience with passkeys is actually better than traditional MFA. No code to copy, no push to wait for, no app to open. The user unlocks with their face or finger and they’re in. For partners managing clients whose resistance to MFA comes precisely from the friction it creates, this is a real argument to close the conversation.
Why Regulators and Insurers Are Pushing Toward Phishing-Resistant MFA
But there’s another reason to act, and this one hits the bottom line.
On the regulatory side, the direction is clear. Frameworks like NIST, CISA, NIS2, and DORA all point to the same conclusion: access controls based on traditional methods are no longer sufficient, and a growing number of regulations explicitly require or recommend phishing-resistant MFA as part of zero trust architectures.
But the pressure that hits closest to home is coming from cyber insurance.
If you manage security for your clients as an MSP or channel partner, you’ve probably already seen this. Cyber insurance renewal conversations are putting MFA on the table in meetings where it never came up before.
Insurers have learned from their claims. They know compromised credentials are behind most of the incidents they pay out on, and they’ve adjusted their requirements accordingly. Roughly 80% now require MFA as a non-negotiable condition for issuing or renewing policies. But the more significant shift is that insurers increasingly distinguish between basic MFA and phishing-resistant MFA when calculating premiums and defining coverage terms. Organizations that can’t demonstrate strong access controls face higher premiums, coverage exclusions, or outright denials.
This isn’t hypothetical. There are documented cases: the City of Hamilton, Canada, had an 18-million-dollar ransomware claim denied because MFA wasn’t fully implemented across the affected systems.
This changes the conversation with your client. It’s no longer “you should protect yourself better.” It’s “you need this to renew your policy and meet the requirements coming your way.” And if you’re not the one offering it, someone else will.
How AuthPoint Brings Passkeys into Your Security Offering
WatchGuard AuthPoint supports FIDO2 passkeys for OIDC (OpenID Connect) resources, allowing users to authenticate to applications like FireCloud, Microsoft Entra ID, and any OIDC-integrated application using their device biometrics without passwords or codes.
The design follows the principles we’ve described: cryptographic authentication bound to the real domain, with the private key always on the user’s device. Phishing-resistant by design.
For administrators, passkey availability is controlled per OIDC resource through Zero Trust policies in WatchGuard Cloud. This enables a gradual rollout: enable passkeys for specific applications, restrict them to high-security resources, or combine them with other authentication methods depending on the scenario.
One point worth noting: passkeys are included with both AuthPoint MFA and AuthPoint Total Identity Security licenses at no additional cost. It’s not an add-on module or a premium feature. Partners already working with AuthPoint can offer this to their clients by simply enabling it, with no license changes or renegotiations needed.
To learn more about why MFA remains essential and how to protect access against credential theft, check out these posts on our blog: