Phish Resistant Authentication
Phish-resistant authentication is one of the most effective ways to prevent Adversary-in-the-Middle (AiTM) attacks.
Microsoft notes, “Phishing-resistant MFA is no longer optional—it is essential for reducing the risk of credential-based attacks.”
This page explains what phish-resistant authentication is, which methods qualify, and how these methods protect accounts even when attackers attempt to intercept login sessions.
What Is Phish-Resistant Authentication?
Phish-resistant authentication refers to sign-in methods that cannot be intercepted or replayed by AiTM infrastructure.
Unlike traditional MFA methods—such as SMS codes, app notifications (including number matching), or TOTP codes—phish-resistant methods do not rely on the user typing in or approving anything that an attacker can intercept.
These methods use strong cryptographic protections that tie the login process to:
The user
A trusted device
The legitimate, real domain
If the login attempt happens through a fake or malicious site, the authentication request fails automatically.
Why Phish-Resistant MFA Matters for AiTM
AiTM attacks work by placing an attacker’s server between the user and the real login page. This allows the attacker to:
Steal passwords
Intercept MFA prompts
Capture session tokens
Replay sessions to bypass MFA entirely
Phish-resistant authentication stops this because:
It won’t authenticate on a fake website
Authentication requires cryptographic verification that cannot be relayed or proxied
Even if the user is completely fooled and interacts with a phishing page, the attacker cannot complete the authentication on their side.
Phish-Resistant Authentication Methods
Microsoft supports the following phish-resistant authentication options:
Device Support
To use phishing-resistant authentication methods natively, devices must meet minimum OS requirements:
Windows 10 22H2 (Windows Hello for Business)
Windows 11 22H2 (optimal passkey experience)
macOS 13 Ventura
iOS 17
Android 14
These versions have built-in support for passkeys, Windows Hello for Business, and macOS Platform Credential. Older OS versions may require external authenticators such as FIDO2 security keys.
For additional details, review Entra ID FIDO2 supportability guidance.
1. FIDO2 Security Keys
Hardware keys (such as YubiKeys) that use strong cryptographic authentication and cannot be phished or intercepted.
Considerations:
Requires purchasing hardware tokens
2. Passkeys in Microsoft Authenticator (Device-Bound)
Device-bound passkeys are cryptographic credentials stored directly in Microsoft Authenticator on a user’s mobile device. Once created, they can be used to authenticate on that device or on another device through supported connections, such as Bluetooth.
Key benefits:
Cannot be phished or stolen, because the credential never leaves the device.
Strong protection against adversary-in-the-middle attacks.
Consideration:
Because the passkey is bound to the original device, it cannot be directly transferred to a new device, so a new passkey must be created when switching devices.
3. Synced Passkeys (preview)
Synced passkeys allow users to add passkeys to third-party authenticators (e.g., 1Password, Bitwarden) for passwordless and phish-resistant authentication. Unlike device-bound passkeys, they do not require Bluetooth to authenticate and can securely synchronize across multiple devices.
Key Benefits:
Can be used on multiple devices without creating a new passkey for each one.
Resistant to phishing and adversary-in-the-middle attacks, since authentication is cryptographically bound.
Considerations:
Still in preview, so availability and platform support may be limited.
Because synced passkeys can exist on multiple devices, an attacker who compromises a synced authenticator could potentially steal the credential.
4. Windows Hello for Business
Windows Hello for Business replaces passwords with strong, device-bound authentication using biometrics (fingerprint or facial recognition) or a PIN. Authentication is backed by asymmetric cryptography, ensuring that credentials cannot be phished or replayed. While TPM hardware provides the strongest protection, Windows Hello for Business can also operate using software-backed keys when TPM is unavailable.
Considerations:
Supported natively only on Entra joined devices, and on hybrid domain joined devices with the proper configuration.
5. Platform Credential for macOS
Platform Credential for macOS enables passwordless, phishing-resistant authentication using the Secure Enclave on macOS devices. It is provisioned via the Enterprise Single Sign-On Extension (SSOe) and stores a hardware-bound cryptographic key used for SSO across apps that rely on Entra ID. Users can authenticate using Touch ID or their local account password, which unlocks the key in the Secure Enclave without affecting the Mac login process.
Key Benefits:
Enables single sign-on (SSO) for macOS, cloud, and on-premises applications.
Considerations:
Requires configuration with the Enterprise SSO Extension.
6. Certificate-Based Authentication (CBA) / Smart Cards
Certificate-based authentication (CBA) uses X.509 certificates installed on trusted devices or smart cards to authenticate users directly. Only devices with the proper certificate can sign in, preventing attackers from using stolen credentials or session tokens. Authentication relies on asymmetric cryptography, making it highly phishing-resistant.
Considerations:
Requires setting up and maintaining a Certificate Authority (CA).
Certificates must be deployed to devices via a defined method (e.g., smart cards, device enrollment, or MDM).
Lifecycle management of certificates adds operational overhead.
How These Methods Prevent AiTM
Phish-resistant MFA prevents AiTM attacks because:
Authentication must happen on the real domain, not a fake one.
Private keys never leave the device, so they cannot be stolen.
Attackers cannot relay the authentication exchange.
Combined, these controls make it extremely difficult for attackers to hijack login sessions—even if users fall for phishing attempts.