MFA Isn’t Enough—Make It Phishing‑Proof
Attackers evolved. Your MFA must, too.
The Playbook: Make MFA Phishing-Resistant
Turn Push into Proof
- Enable number matching for Microsoft Authenticator push (Entra admin center › Protection › Authentication methods › Policies › Microsoft Authenticator). Microsoft has enforced number matching for Authenticator push tenant-wide since 2023, so treat this as a check rather than a change, and confirm nobody has left SMS or voice enabled as a fallback.
- Show the application name and sign-in location in the notification, so a user can spot a prompt for an app they never opened, from a city they are not in.
Combine with Conditional Access
- Require multifactor authentication for all interactive sign-ins as the baseline, then raise the grant control to the built-in "Phishing-resistant MFA" authentication strength once FIDO2, Windows Hello for Business or CBA coverage exists (number matching is a method setting, not something a Conditional Access grant can demand). Create every policy in report-only mode first and exclude a break-glass account.
- Block legacy authentication (client app types "Exchange ActiveSync clients" and "Other clients", which covers IMAP, POP and SMTP AUTH basic auth). These protocols cannot perform MFA at all, so any policy that leaves them open leaves a password-only door.
- Restrict by device compliance (or hybrid join), trusted locations, and user risk / sign-in risk from Identity Protection, so a stolen password used from an unmanaged device at a new location is blocked or forced to step up.
Go Passwordless (FIDO2 / Authenticator)
- Register FIDO2 security keys or passkeys (including Windows Hello for Business and device-bound passkeys in Microsoft Authenticator). Enable the FIDO2 method in the authentication methods policy first and, where supported, enforce attestation so only vetted key models can enrol.
- The credential is bound to the device (the private key never leaves the key or TPM) and to the sign-in origin (login.microsoftonline.com): the browser will not use it on a look-alike domain, which is what makes it phishing-resistant rather than merely strong.
- Optionally add certificate-based authentication (CBA) with user certificates deployed through Intune, for users and workstations that already carry smart-card infrastructure.
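The three steps above, scripted against Microsoft Graph with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post or from Microsoft: it assumes the SDK is installed, that the caller holds the roles needed to edit authentication method and Conditional Access policies, that the break-glass group id passed in is your own (the default below is a placeholder), and that `00000000-0000-0000-0000-000000000004` is the id of the built-in "Phishing-resistant MFA" authentication strength (verify with `GET /identity/conditionalAccess/authenticationStrength/policies` before trusting it). Both Conditional Access policies are created in report-only mode on purpose.

```powershell
# Added example (not from the original post). Applies the playbook through
# Microsoft Graph: number matching + context on Authenticator push, FIDO2 with
# attestation, a block on legacy authentication, and a report-only policy that
# demands the built-in phishing-resistant authentication strength.
# Run with -DryRun first: it prints every request body and changes nothing.
param(
    [switch]$DryRun,
    # Placeholder: replace with the object id of your break-glass group.
    [string]$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'
)

$graph = 'https://graph.microsoft.com/v1.0'
$allUsers = @{ targetType = 'group'; id = 'all_users' }

function Send-Graph {
    param([string]$Method, [string]$Path, [hashtable]$Body)
    $json = $Body | ConvertTo-Json -Depth 10
    if ($DryRun) { Write-Host "$Method $Path`n$json`n"; return $null }
    Invoke-MgGraphRequest -Method $Method -Uri "$graph$Path" -Body $json -ContentType 'application/json'
}

if (-not $DryRun) {
    Connect-MgGraph -Scopes 'Policy.ReadWrite.AuthenticationMethod',
                            'Policy.ReadWrite.ConditionalAccess',
                            'Policy.Read.All', 'Application.Read.All' | Out-Null
}

# Step 1: turn push into proof. Number matching is enforced by Microsoft already;
# setting it explicitly, plus app name and location, documents the intent.
$authenticator = @{
    '@odata.type'   = '#microsoft.graph.microsoftAuthenticatorAuthenticationMethodConfiguration'
    state           = 'enabled'
    featureSettings = @{
        numberMatchingRequiredState             = @{ state = 'enabled'; includeTarget = $allUsers }
        displayAppInformationRequiredState      = @{ state = 'enabled'; includeTarget = $allUsers }
        displayLocationInformationRequiredState = @{ state = 'enabled'; includeTarget = $allUsers }
    }
}
Send-Graph PATCH '/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/microsoftAuthenticator' $authenticator

# Step 3 (method side): allow FIDO2 / passkeys for everyone; require attestation
# so only keys with valid attestation metadata can be registered.
$fido2 = @{
    '@odata.type'                    = '#microsoft.graph.fido2AuthenticationMethodConfiguration'
    state                            = 'enabled'
    isSelfServiceRegistrationEnabled = $true
    isAttestationEnforced            = $true
    includeTargets = @(@{ targetType = 'group'; id = 'all_users'; isRegistrationRequired = $false })
}
Send-Graph PATCH '/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/fido2' $fido2

# Step 2a: block legacy authentication. "exchangeActiveSync" and "other" are the
# client app types that cannot do MFA (IMAP, POP, SMTP AUTH, older Office clients).
$blockLegacy = @{
    displayName   = 'Block legacy authentication'
    state         = 'enabledForReportingButNotEnforced'   # flip to 'enabled' after reviewing sign-in logs
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
Send-Graph POST '/identity/conditionalAccess/policies' $blockLegacy

# Step 2b: require the phishing-resistant authentication strength for all modern
# interactive sign-ins. Report-only until FIDO2/WHfB/CBA coverage is complete.
$requireStrong = @{
    displayName   = 'Require phishing-resistant MFA for all cloud apps'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroupId) }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{
        operator               = 'OR'
        # Assumed id of the built-in "Phishing-resistant MFA" strength; verify in tenant.
        authenticationStrength = @{ id = '00000000-0000-0000-0000-000000000004' }
    }
}
Send-Graph POST '/identity/conditionalAccess/policies' $requireStrong
```

Run it as `.\playbook.ps1 -DryRun` and read the JSON before running it for real; then watch the report-only results in the sign-in logs for a week before switching either policy to `enabled`. The break-glass exclusion is what keeps the legacy-auth block from locking out the one account you will need if the FIDO2 rollout goes wrong.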
Harden the Gaps
- Token theft: phishing-resistant MFA protects the sign-in, not the tokens it issues. Infostealers and AiTM kits take the session cookie or refresh token after a legitimate login. Mitigate with EDR on endpoints, Conditional Access token protection (binds sign-in session tokens to the device on supported Windows clients), and Continuous Access Evaluation (CAE) so that a revoke or risk event cuts a stolen token off in near real time rather than at token expiry.
- OAuth consent: a consented application never sees an MFA prompt. Disable user consent (or limit it to verified publishers and low-risk permissions), route everything else through the admin consent workflow, and review existing service principals for broad scopes such as Mail.Read or offline_access.
- Enrollment: a phishing-resistant key is only as good as whoever registered it. Gate security-info registration behind Conditional Access (compliant device, trusted location, or a Temporary Access Pass issued after identity verification) and alert on new method registrations, especially on privileged accounts.
- Helpdesk: MFA resets are the social-engineering route around all of the above. Require out-of-band verification (callback to a number of record, manager approval, or live video ID) before any reset, and issue a time-limited Temporary Access Pass instead of re-enabling weaker methods.

MFA Method Strengths
| Method | Phishing Resistance | Notes |
|---|---|---|
| SMS / Email OTP | Very Low | SIM swap; any code typed into a page can be relayed by an AiTM proxy in real time |
| Voice Call OTP | Very Low | Caller-ID spoofing and number hijack; relayed the same way |
| TOTP (Apps) | Low | No carrier dependency, but still a typed code the proxy relays |
| Push (Approve/Deny) | Low | Susceptible to fatigue (push bombing) and to relay |
| Push + Number Matching | Low–Moderate | Stops blind approvals; does not stop AiTM, because the victim reads the number off the attacker's proxied page and types it in. Not in Microsoft's phishing-resistant authentication strength |
| App Context + Geo | Low–Moderate | Visibility only: a relayed sign-in shows the real app name and the proxy's location, which helps only if the user notices |
| FIDO2 Hardware Keys | Very High | Credential bound to the sign-in origin; the browser will not sign a challenge for a look-alike domain |
| Platform Biometrics | Very High | Only when the biometric unlocks a FIDO credential (Windows Hello for Business, device-bound passkeys); a fingerprint that unlocks a TOTP app is still TOTP |
| Smart Cards / CBA | Very High | Private key on hardware, presented at the TLS layer; a proxy cannot replay it |
| Passwordless | Very High for FIDO2 / passkeys; Moderate for Authenticator phone sign-in | Removing the password removes reuse and spraying, but phone sign-in is still number matching and relayable; passkeys in Authenticator are phishing-resistant |
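A rollout is only as far along as the weakest method each user can still fall back to, so it helps to rank users by their strongest registered method using the tiers in the table above. The script below is an added example, not code from the original post or from Microsoft. It assumes the Microsoft Graph PowerShell SDK, the documented `methodsRegistered` value names from `GET /reports/authenticationMethods/userRegistrationDetails` (unknown values are reported rather than silently ignored), and the listed permission scopes; the three sample records it runs on by default are constructed, not real tenant data.

```powershell
# Added example (not from the original post). Ranks each user's strongest
# registered method against the tiers in the table above. With -FromTenant it
# reads live registration details from Microsoft Graph; without it, it runs on
# constructed sample records so the logic can be exercised offline.
param([switch]$FromTenant)

# methodsRegistered value -> tier (higher is stronger). Names are the documented
# Graph values; anything not in the map is surfaced as a warning.
$tier = @{
    'fido2SecurityKey'                   = 4   # phishing-resistant
    'passKeyDeviceBound'                 = 4
    'passKeyDeviceBoundAuthenticator'    = 4
    'passKeyDeviceBoundWindowsHello'     = 4
    'windowsHelloForBusiness'            = 4
    'microsoftAuthenticatorPasswordless' = 3   # passwordless, but number matching is relayable
    'microsoftAuthenticatorPush'         = 2   # push + number matching; AiTM still relays it
    'softwareOneTimePasscode'            = 1   # TOTP
    'hardwareOneTimePasscode'            = 1
    'mobilePhone'                        = 0   # SMS / voice
    'alternateMobilePhone'               = 0
    'officePhone'                        = 0
    'email'                              = 0   # SSPR only
    'securityQuestion'                   = 0
}
$tierName = @(
    'Very Low (SMS/voice/email)',
    'Low (OTP)',
    'Low-Moderate (push + number match)',
    'Moderate (passwordless app)',
    'Very High (phishing-resistant)'
)

function Get-StrongestTier {
    # Returns the highest tier among the user's methods, or -1 if nothing is registered.
    param([string[]]$Methods)
    $best = -1
    foreach ($m in $Methods) {
        if ($tier.ContainsKey($m)) {
            if ($tier[$m] -gt $best) { $best = $tier[$m] }
        } else {
            Write-Warning "Unknown method '$m' for a user; extend the tier map"
        }
    }
    return $best
}

function Measure-MfaPosture {
    # Takes userRegistrationDetails records (hashtables or objects) and returns one row per user.
    param([object[]]$Registrations)
    $Registrations | ForEach-Object {
        $t = Get-StrongestTier $_.methodsRegistered
        [pscustomobject]@{
            User              = $_.userPrincipalName
            Tier              = if ($t -lt 0) { 'None registered' } else { $tierName[$t] }
            PhishingResistant = ($t -eq 4)
            Methods           = ($_.methodsRegistered -join ',')
        }
    }
}

if ($FromTenant) {
    Connect-MgGraph -Scopes 'AuditLog.Read.All', 'UserAuthenticationMethod.Read.All' | Out-Null
    $uri  = 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails?$top=999'
    $regs = @()
    while ($uri) {   # follow @odata.nextLink so tenants above one page are fully covered
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        $regs += $page.value
        $uri   = $page.'@odata.nextLink'
    }
} else {
    # Constructed sample records (not real tenant data).
    $regs = @(
        @{ userPrincipalName = 'alice@contoso.example'; methodsRegistered = @('microsoftAuthenticatorPush', 'fido2SecurityKey') },
        @{ userPrincipalName = 'bob@contoso.example';   methodsRegistered = @('mobilePhone', 'softwareOneTimePasscode') },
        @{ userPrincipalName = 'carol@contoso.example'; methodsRegistered = @() }
    )
}

$report = Measure-MfaPosture $regs
$report | Format-Table -AutoSize
$report | Group-Object Tier | Select-Object Name, Count | Format-Table -AutoSize
```

The per-user rows tell you who still needs a key; the grouped counts are the number to watch week over week. A user in the "Very High" row who also keeps SMS registered is still phishable until SMS is disabled in the method policy, so pair this report with removing the weak methods rather than only adding strong ones.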
Don’t Just Check the Box—Change the Outcome
Attackers exploit human habits and protocol gaps. Basic MFA slows them down. Phishing-resistant MFA stops them.
If you remember only one thing:
Verify number matching is enforced, block legacy authentication, and start your passwordless/FIDO2 rollout now.