Strong Authentication in a Phishing-Driven World: What Really Works
Written by Kenechi Obillor, Cyber Security Consultant at Data Protection People
Limitations of Traditional Multi-Factor Authentication (MFA)
MFA has become standard practice, but its strength depends on the factors chosen. Many common MFA methods still rely on shared secrets such as OTPs, passwords or PINs: values the user has to type in, which can therefore be phished, intercepted or relayed to the real service.
Attackers now use real-time phishing (proxying the victim's session and the OTP they type), SIM-swap fraud (to receive SMS codes) and account-recovery abuse (to reset the factor altogether) to bypass these protections. Traditional MFA is no longer enough on its own.
How Phishing Attacks Bypass MFA: Real-World Scenarios
Fake login pages, SIM swap fraud, and weak recovery processes are commonly exploited. As long as MFA depends on a secret the user can be tricked into revealing, or that can be intercepted in transit, attackers will find a way around it.
Understanding Phishing-Resistant Authentication
Phishing-resistant methods use asymmetric (public-key) cryptography. At registration the user's device generates a key pair and gives the service only the public key; the private key stays on the device. At login the service sends a fresh random challenge, and the device signs that challenge together with the origin the browser is actually connected to. A look-alike site cannot obtain a valid signature for the genuine service: the browser will not release the credential to the wrong domain, and even a relayed signature names the wrong origin and is rejected.
Examples include FIDO2 passkeys (device-bound or synced), smartcards with certificate-based credentials, and hardware security keys.
Core Principles of Phishing-Resistant Authentication
- No shared secret is transmitted to or stored by the service; it holds only a public key
- Authentication uses private/public key cryptography: the device signs a server-issued challenge
- Authentication is domain-bound: the credential is tied to the origin it was registered with
- Phishing, relay, and replay attacks are blocked by design (a signature for the wrong origin fails verification, and each challenge is random and single-use)
Passwordless vs. Phishing-Resistant Authentication
Not all passwordless options are phishing-resistant. Methods like SMS OTPs and magic links remove the password but still deliver a secret that the user, or their mailbox, can be tricked into handing to a look-alike site. Passkeys using FIDO2 provide stronger protection because the credential is bound to a specific domain or app and only ever produces a signature, never a reusable secret.
The Use of Synced Passkeys (Convenience vs. Complexity)
Synced passkeys (backed up through a platform account and available on every device signed in to it) increase convenience but can also increase compliance scope. Because the credential that grants access to cardholder data is present on each synced device, an assessor may treat those devices as in-scope system components, which adds to audit complexity. Device-bound credentials on a hardware security key avoid this spread.
PCI DSS v4.x and Phishing-Resistant Authentication
PCI DSS v4.x requires MFA for all non-console administrative access to the cardholder data environment (Requirement 8.4.1), for all access into the CDE (8.4.2), and for all remote network access originating from outside the entity's network (8.4.3). In v4.0.1, accounts authenticated only with phishing-resistant factors are exempt from 8.4.2, so phishing-resistant authentication can stand in for MFA for non-administrative access into the CDE; it does not replace MFA for administrative (8.4.1) or remote (8.4.3) access.
Requirement 8.4 sets out where MFA applies. Requirement 8.5.1 sets out how it must be implemented: the MFA system must not be susceptible to replay attacks, must not be bypassable by any user (including administrators) except for documented, time-limited exceptions authorised by management, must use at least two different types of factor, and must grant access only after all factors succeed.
PCI SSC Ranks Authentication Methods
According to PCI SSC:
- Best Practice: Passkeys, smartcards, hardware-bound credentials
- Good Practice: App-generated OTPs, strong passwords
- Acceptable: SMS OTPs, email OTPs, magic links (with limitations)
Traditional MFA using SMS or email is only “acceptable”, not best practice. NIST SP 800-63B likewise designates SMS (PSTN-delivered) out-of-band authentication as a restricted authenticator and recommends moving to alternatives.
Conclusion
Organisations must go beyond basic MFA. The goal is to implement phishing-resistant methods like passkeys or smartcards, with user verification (a biometric or PIN that unlocks the credential locally on the device and is never sent to the service) where needed, and aligned to security standards like PCI DSS.
Key Takeaways
- SMS, email OTPs, and magic links are baseline, not best practice
- Passkeys and smartcards provide stronger, phishing-resistant authentication
- Synced credentials can increase scope and audit complexity
How Data Protection People Can Assist
We help organisations interpret authentication standards and implement best practices.
- Selection and rollout of phishing-resistant methods
- Design of compliant authentication flows
- Evaluation of current controls and system risk
- Support with PCI DSS audit readiness and scope reduction