Phishing-Resistant MFA in 2025: Passkeys Done Right
August 29, 2025
Stop OTP phishing. Deploy passkeys and security keys with clear guardrails for users, helpdesk, and legacy apps.
Plain words: One-time codes and push prompts are easy to trick. Passkeys and hardware keys tie login to your device and the real site, blocking fake pages. Roll them out in phases and keep sensible backups.
Why change now
- Attackers proxy real logins and steal OTPs and cookies.
- Push fatigue trains users to tap “Approve.”
- Passkeys bind authentication to the browser/device and the site origin.
What “phishing-resistant” means
- Origin binding: credentials only unlock for the real domain.
- Public-key crypto: no shared secrets to steal or replay.
- User presence/verification: touch, PIN, or biometrics required locally.
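To make those three properties concrete, here is an added example (mine, not code from the post) of the relying-party check a WebAuthn login performs, written in Go. It assumes a simplified authenticator-data layout and constructed names (rpID `example.com`, origin `https://login.example.com`, a look-alike origin `https://login.example-com.test`); a real deployment uses a WebAuthn library, but the checks are the same: the challenge is single-use, the origin must be the real site, the rpID hash must match, user presence must be flagged, the counter must move, and the signature must verify under the registered public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors what the browser serialises into clientDataJSON. The browser,
// not the page, fills in Origin, so a look-alike site cannot claim the real one.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is the authenticator's reply. AuthData layout is simplified for this example:
// sha256(rpID) || 1 flag byte || 4-byte big-endian signature counter. The signature is
// ECDSA P-256 over sha256(AuthData || sha256(ClientDataJSON)).
type assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// relyingParty is the server-side state for one registered credential.
type relyingParty struct {
	rpID, expectedOrigin string
	pubKey               *ecdsa.PublicKey
	lastCounter          uint32
	pending              map[string]bool // challenges issued but not yet consumed
}

const flagUserPresent = 0x01

func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := base64.RawURLEncoding.EncodeToString(b)
	rp.pending[c] = true
	return c
}

// sign plays the authenticator: it signs whatever origin the browser reports.
// There is no shared secret; the private key never leaves the device.
func sign(priv *ecdsa.PrivateKey, rpID, origin, challenge string, counter uint32) assertion {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	auth := append(rpHash[:], flagUserPresent, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(auth[33:], counter)
	cdHash := sha256.Sum256(cd)
	msg := sha256.Sum256(append(append([]byte{}, auth...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil { panic(err) }
	return assertion{ClientDataJSON: cd, AuthData: auth, Signature: sig}
}

// verify is the relying-party side: challenge, origin, rpID, presence, counter, signature.
func (rp *relyingParty) verify(a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil { return err }
	if cd.Type != "webauthn.get" || !rp.pending[cd.Challenge] {
		return errors.New("wrong ceremony type, or unknown/replayed challenge")
	}
	// Origin binding: a credential only unlocks for the real domain.
	if cd.Origin != rp.expectedOrigin { return fmt.Errorf("origin %q is not %q", cd.Origin, rp.expectedOrigin) }
	rpHash := sha256.Sum256([]byte(rp.rpID))
	if len(a.AuthData) != 37 || string(a.AuthData[:32]) != string(rpHash[:]) { return errors.New("rpIdHash mismatch") }
	// User presence/verification happened locally on the authenticator.
	if a.AuthData[32]&flagUserPresent == 0 { return errors.New("user presence not asserted") }
	counter := binary.BigEndian.Uint32(a.AuthData[33:])
	// A non-increasing counter is a clone or replay signal (counters start at 1 in this example).
	if counter <= rp.lastCounter { return errors.New("signature counter did not increase") }
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthData...), cdHash[:]...))
	// Public-key crypto: the server holds nothing an attacker could steal and replay.
	if !ecdsa.VerifyASN1(rp.pubKey, msg[:], a.Signature) { return errors.New("bad signature") }
	delete(rp.pending, cd.Challenge) // challenges are single use
	rp.lastCounter = counter
	return nil
}

// demoAssertion returns the outcome of a genuine login, an adversary-in-the-middle attempt
// from a look-alike origin, and a replay of the genuine assertion (all constructed).
func demoAssertion() (genuine, lookAlike, replayed error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rp := &relyingParty{rpID: "example.com", expectedOrigin: "https://login.example.com",
		pubKey: &priv.PublicKey, pending: map[string]bool{}}
	c := rp.newChallenge()
	a := sign(priv, rp.rpID, "https://login.example.com", c, 1)
	genuine = rp.verify(a)
	// The proxy relays the real challenge, but the victim's browser is on the look-alike domain
	// and records that origin. (Browsers already refuse to sign when rpID does not match the
	// page's domain; this server-side check is the second line of defence.)
	c = rp.newChallenge()
	lookAlike = rp.verify(sign(priv, rp.rpID, "https://login.example-com.test", c, 2))
	replayed = rp.verify(a) // challenge already consumed and counter unchanged
	return
}

func main() {
	g, l, r := demoAssertion()
	fmt.Println("genuine:", g, "| look-alike:", l, "| replay:", r)
}
```

The point to notice is that the look-alike assertion is signed with the genuine private key and would have passed a shared-secret scheme; it fails only because the browser-recorded origin is checked, which is the property an OTP has no equivalent of.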
Deployment blueprint
Phase 1: Pilot
- Enable passkeys on the IdP for a test group.
- Issue two FIDO2 hardware keys per pilot user.
- Turn on number-matching or challenge words for residual push flows.
Phase 2: Expand
- Require passkeys for admin and finance roles.
- Gate risky apps behind conditional access.
- Rotate backup codes and revoke OTP where possible.
User setup: simple script
1) Add a passkey on your primary device:
Settings → Passwords → Passkeys → Add
2) Register two hardware keys:
Insert key → Touch → Name it "Primary"
Insert second key → Touch → Name it "Backup"
3) Store backup key off-site:
Locked drawer or home safe, not in the same bag.
Helpdesk guardrails
| Scenario | Allowed | Not allowed |
|---|---|---|
| User lost phone | Use hardware backup key or one-time recovery code. Re-enroll passkey. | Issuing temporary OTP over chat or email. |
| Travel laptop replacement | Short-lived step-up link after ID check on video + manager approval. | Permanent bypass or push-only reactivation. |
| Vendor access | Time-boxed account with passkey or hardware key. No shared logins. | Long-lived generic accounts with OTP. |
Legacy and edge cases
Legacy apps that cannot speak modern auth: use an app proxy or IdP-hosted login. Terminate modern auth at the front door and pass a session to the app. Block direct legacy endpoints on the network.
Shared devices: use roaming hardware keys and short session TTLs. Enforce device posture and network checks at the proxy. Disable passkey sync on shared profiles.
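Here is an added example (not code from the post) of what "terminate modern auth at the front door and pass a session to the app" looks like as a small Go gateway. The names (the `gw_session` cookie, the `X-Authenticated-User` header, the 15-minute TTL, the sessions for alice and bob) are constructed for the example; it assumes the IdP records which method was used so the gateway can refuse sessions that came from OTP, and it strips any identity header the client supplies before forwarding.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
	"time"
)

// session is what the front door mints after the IdP reports how the user authenticated.
type session struct {
	User, Method string // Method is the IdP's auth method, e.g. "passkey", "hardware_key", "otp"
	Expires      time.Time
}

// sessionStore keeps short-lived sessions; now is injectable so expiry can be exercised offline.
type sessionStore struct {
	mu   sync.Mutex
	ttl  time.Duration
	now  func() time.Time
	byID map[string]session
}

func (st *sessionStore) issue(id, user, method string) {
	st.mu.Lock()
	defer st.mu.Unlock()
	st.byID[id] = session{User: user, Method: method, Expires: st.now().Add(st.ttl)}
}

// lookup returns a session only if it exists, is unexpired, and was minted by a
// phishing-resistant method; anything else counts as "no session".
func (st *sessionStore) lookup(id string) (session, bool) {
	st.mu.Lock()
	defer st.mu.Unlock()
	s, ok := st.byID[id]
	if !ok || !st.now().Before(s.Expires) {
		delete(st.byID, id) // short TTL: stale sessions are dropped, not extended
		return session{}, false
	}
	if s.Method != "passkey" && s.Method != "hardware_key" { return session{}, false }
	return s, true
}

// gateway fronts a legacy app: it drops any identity header the client sent, checks the
// session cookie, and only then forwards with the identity the app should trust.
func gateway(st *sessionStore, legacy http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del("X-Authenticated-User") // the app must never see a client-supplied value
		var s session
		ok := false
		if c, err := r.Cookie("gw_session"); err == nil {
			s, ok = st.lookup(c.Value)
		}
		if !ok {
			http.Redirect(w, r, "/login", http.StatusFound)
			return
		}
		r.Header.Set("X-Authenticated-User", s.User)
		legacy.ServeHTTP(w, r)
	})
}

type probeResult struct{ Status int; Body string }

// probe sends one request through the gateway, optionally with a session cookie and a forged header.
func probe(h http.Handler, cookie, forgedUser string) probeResult {
	req := httptest.NewRequest("GET", "/legacy/report", nil)
	if cookie != "" { req.AddCookie(&http.Cookie{Name: "gw_session", Value: cookie}) }
	if forgedUser != "" { req.Header.Set("X-Authenticated-User", forgedUser) }
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return probeResult{rec.Code, rec.Body.String()}
}

// demoGateway runs constructed sessions against a fixed clock and returns what each request got.
func demoGateway() map[string]probeResult {
	clock := time.Date(2025, 8, 29, 9, 0, 0, 0, time.UTC)
	st := &sessionStore{ttl: 15 * time.Minute, now: func() time.Time { return clock }, byID: map[string]session{}}
	st.issue("sess-a", "alice", "passkey")
	st.issue("sess-b", "bob", "otp") // a non-resistant login must not reach the app
	legacy := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello "+r.Header.Get("X-Authenticated-User"))
	})
	h := gateway(st, legacy)
	out := map[string]probeResult{
		"passkey session":                probe(h, "sess-a", ""),
		"forged header, no session":      probe(h, "", "admin"),
		"forged header, passkey session": probe(h, "sess-a", "admin"),
		"otp session":                    probe(h, "sess-b", ""),
	}
	clock = clock.Add(16 * time.Minute) // past the 15-minute TTL
	out["expired passkey session"] = probe(h, "sess-a", "")
	return out
}

func main() {
	for name, res := range demoGateway() {
		fmt.Printf("%-32s %d %q\n", name, res.Status, res.Body)
	}
}
```

Two details carry the security value: the gateway deletes the client's `X-Authenticated-User` before it does anything else, so the legacy app only ever sees the value the gateway set, and a session whose method is not passkey or hardware key is treated as absent rather than as a weaker login.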
Risk-based policies that users understand
Example rules
```text
ALLOW if:
  identity.assurance ≥ 2
  AND device.posture = compliant
  AND auth.method in {passkey, hardware_key}

REQUIRE step-up if:
  geo.new_country = true OR risk.score ≥ 60

DENY if:
  impossible_travel = true OR session_token_reuse = true
```
Metrics to watch
Security
- Percent of logins using passkeys/keys
- Phished-session detections per week
- Admin logins on legacy methods (should trend to zero)
Experience
- Median login time
- Helpdesk tickets per 1,000 users
- Recovery events using backup keys
Takeaway: replace OTP and push with passkeys and hardware keys, front legacy apps with a modern gateway, and script recovery so users never need unsafe bypasses.