What makes MFA 'phishing-resistant', and how do FIDO2/passkeys achieve it?
Short answer
Phishing-resistant MFA means the second factor can't be replayed against the real site even if the user is tricked. FIDO2/WebAuthn passkeys achieve this with origin-bound public-key cryptography: the authenticator signs a challenge tied to the real site's domain, so a credential captured by a lookalike or attacker-in-the-middle site is useless. TOTP codes and push prompts are still phishable because they can be relayed in real time.
Not all MFA is equal. The standard you'll be asked about is phishing resistance: can the second factor survive a user being tricked into a fake or proxied login page?
Why common MFA is still phishable
- TOTP codes (authenticator apps) and SMS codes are just secrets the user types. An attacker-in-the-middle (AiTM) phishing kit shows the user a perfect replica of the login page, captures whatever they enter — including the live code — and relays it to the real site instantly. The code works because it isn't tied to where it's used.
- Push approvals are vulnerable to the same relay plus "MFA fatigue," where the attacker spams prompts until the user taps approve.
In all these cases the credential is portable: it has no idea what site it's actually being used against.
How FIDO2/WebAuthn fixes it
FIDO2 (the protocol stack behind passkeys and WebAuthn) uses public-key cryptography bound to the origin. At registration, the authenticator (security key, phone, or platform TPM) generates a key pair scoped to the real site's domain and gives the site only the public key. At login, the site sends a challenge; the authenticator signs it only if the requesting origin matches the one the key was registered for, and the private key never leaves the device.
So when a user lands on paypa1-login.com, the browser/authenticator sees the origin doesn't match and refuses to sign. There's no code to type, nothing to relay, and nothing the AiTM proxy can capture and reuse.
Passkeys flavors
Passkeys come device-bound (private key never leaves one hardware authenticator — strongest) or synced across a cloud keychain (more usable, but trust shifts to the keychain provider). Either is dramatically better than codes.
What interviewers look for: you explain that AiTM relay defeats codes/push, and you can articulate origin binding and the private key never leaving the device as the mechanisms that make FIDO2 phishing-resistant.
Likely follow-ups
- How does an attacker-in-the-middle (AiTM) proxy defeat TOTP and push MFA?
- What is the difference between a synced passkey and a device-bound passkey?
- What role does the WebAuthn 'origin' check play?