top of page
  • subhashpaudel

Phishing-Resistant Multi-Factor Authentication

Updated: Jan 15


·        Introduction

·        Emerging Threats to MFA

·        Conclusion



The protection of sensitive information from the ever-looming threat of cyber-attacks has become not just important but crucial. Organisations, recognising the need to strengthen their defences, are placing significant emphasis on a pivotal aspect – the implementation of Phishing-Resistant Multi-Factor Authentication (MFA). This article seeks to delve into the evolving landscape of cybersecurity, emphasising robust MFA measures.

Not all MFA is created equal


Understanding Multi-Factor Authentication (MFA)

Multi Factor Authentication (MFA) is more than just a security measure; it's a call for users to present a combination of two or more factors or type of evidence to verify their identity – something they know (like a password), something they have (such as a token), or something they are (like biometric data). The real strength of MFA lies in its ability to thwart cyber threats, particularly when passwords or PINs are compromised through phishing attacks or other means. However, not all MFA is built the same as you’ll soon understand.

Two-factor authentication (2FA), sometimes referred to as 2-step verification, is a security approach requiring users to present two factors for authentication to access an account. This means that all 2FA is an MFA, but not all MFA is a 2FA.

Here are some common MFA methods and how they work

Authenticator Apps: LastPass Authenticator, Google Authenticator, Authy, and Microsoft Authenticator etc. all verify a user’s identity either by generating One-Time Password (OTP) codes or by sending “push” pop-up notifications to the mobile device. Number matching push notifications are more resistant to some forms or MFA attack such as push bombing / fatigue but are prone to phishing attacks (see more in Emerging Threats to MFA).

Backup Codes: Some services provide a set of backup codes to use if your primary MFA method is unavailable.

Biometric Authentication: Fingerprint or facial recognition serves as a form of MFA, adding an extra layer of security.

Email Code: A one-time code is sent to your email address for authentication after entering your password. Again, caution should be exercised with this MFA option.

Hardware Tokens: Physical devices like YubiKey (USB) or RSA SecurID generate or store authentication credentials for enhanced security.

Push Notifications: You receive a push notification on your mobile device to approve or deny a login attempt after entering your password. Unlike the number matching push notification, this type of MFA is vulnerable to push bombing attacks as well as user error.

SMS Code: Like Email, a one-time code is sent via text message to your mobile phone after entering your password for login verification. This form of MFA should only be used as a last resort MFA option.

The Advocacy for MFA Adoption

The Cybersecurity and Infrastructure Security Agency (CISA), part of the US federal government’s Department of Homeland Security, consistently emphasises the adoption of MFA across all user accounts and services, spanning email, file sharing, and financial account access.

Additionally, the Australian Signals Directorate (ASD) and its subsidiary the Australian Cyber Security Centre (ACSC) have long maintained that MFA was an effective mitigating strategy against cyber incidents as part of its Essential Eight Maturity Model first published in 2017.

While MFA proves indispensable in mitigating cyber threats, not all MFA implementations are created equal. Certain forms are susceptible to various attacks, including phishing, "push bombing” or “push fatigue”, SS7 protocol vulnerabilities (controls SMS traffic on networks), and SIM Swap attacks (porting mobile numbers to steal the authenticator).

Emerging Threats to MFA

In the dynamic landscape of cybersecurity, cyber threat actors employ diverse methods to compromise MFA credentials.

Phishing, a prevalent social engineering tactic, involves users being lured, usually via a fraudulent email into visiting and submitting their credentials on malicious websites. This attack tactic is sometimes referred to as adversary-in-the-middle (AiTM).

Another common threat is "push bombing” (also known as “push fatigue”), where users are inundated with notifications until unwittingly accepting them and thereby granting access.

And finally, there are the more traditional exploitations of the SS7 protocol vulnerabilities or SIM Swap attacks, allowing threat actors to gain control over MFA-protected systems that rely on SMS communication to your mobile number.

Recommended Implementations

Recognising the need for a gold standard in MFA security, CISA and more recently the ACSC are placing particular emphasis on Phishing-Resistant MFA. This encompasses Fast IDentity Online (FIDO)/WebAuthn authentication and PKI-based MFA. The former, developed by the FIDO Alliance, introduces a phishing-resistant authenticator, available in physical tokens or embedded in devices. Public Key Infrastructure/PKI-based MFA, though less widespread, offers robust security, particularly suitable for large and complex organisations.

Prioritising Implementation and Overcoming Common Challenges

CISA recommends organizations embrace a phased approach to migrate towards phishing-resistant MFA. Considerations involve identifying high-value targets, allocating resources for protection, and implementing phased transitions for specific user groups. Familiar challenges, such as systems lacking support for phishing-resistant MFA and potential user resistance, are addressed through a strategic focus on supportive services and phased implementation.

Empowering Organisations with Resources

In empowering organisations on their journey to robust MFA implementation, both the ACSC and CISA provide valuable resources. These encompass CISA’s MFA webpage, factsheet, and Capacity Enhancement Guide. The recent changes to the ASD/ACSC Essential Eight Maturity Model also spell out the requirements for strong MFA at all three maturity levels. Additionally, insights into FIDO2 authentication specifications from the FIDO Alliance offer comprehensive guidance, placing the human element at the forefront of digital defences.

A Collective Call to Action

As organisations navigate the ever-evolving digital landscape, the call to action is clear – embrace Phishing-Resistant Multi-Factor Authentication. In the pursuit of cyber resilience, this proactive step, stands as a formidable defence against emerging cyber threats. For further clarification or assistance, organisations are encouraged to reach out and collaborate in the collective effort to secure our digital realms.

Authentication is a delicate balance between security and user experience. Instead of employing a one-size-fits-all MFA approach, organisations should adopt a more granular authentication process based on the sensitivity of the resource being accessed. Lower value resources may require simple MFA from any device and network, while higher-sensitivity applications may demand a compliant, corporate-managed device along with MFA. Extremely sensitive resources should incorporate more elaborate measures, such as a compliant, managed device, MFA with a physical token, and access restricted to a known network or zero trust network access (ZTNA) service. It’s important to remember that passing an MFA challenge only verifies the authenticator but does not guarantee identity, necessitating additional security measures for highly sensitive resources.

How Spartans Security Can Help?

Spartans Security is dedicated to comprehensively understanding the unique needs of your organisation. Our approach involves tailoring recommendations to provide the best-suited solutions for your specific requirements. We not only identify the most fitting security solutions but also offer practical advice on successful implementation. Our commitment lies in ensuring that your organisation not only achieves its security goals but does so with a seamlessly implemented and practical strategy for success.


Safeguarding against cyber threats necessitates the adoption of Phishing-Resistant Multi-Factor Authentication (MFA). The ASD/ACSC and CISA's emphasis on advanced MFA solutions, such as FIDO/WebAuthn and PKI-based MFA, establishes a gold standard for cybersecurity. Organisations are encouraged to adopt a phased approach, leveraging the ACSC/CISA resources, and of course Spartans Security stands ready to provide tailored solutions and practical implementation advice in the ongoing collective effort to secure digital landscapes.

Looking for cyber security advice and guidance? Then feel free to reach out to us at Our dedicated experts are looking forward to assist with robust solutions according to your organisation's needs.

37 views0 comments


bottom of page