
Thales Blog

Phishing-Resistant MFA: Why FIDO is Essential

May 8, 2025

Sarah Lefavrais | IAM Product Marketing Manager

Phishing attacks are one of the most pervasive and insidious threats, with businesses facing increasingly sophisticated and convincing attacks that exploit human error. Traditional Multi-Factor Authentication (MFA), while a step up from password-only security, is no longer enough to fight modern phishing schemes.

Today’s threat actors use AI to craft compelling phishing campaigns and advanced social engineering tactics to slip past MFA, resulting in credential theft and account takeovers. As malefactors hone their methods, entities must adopt phishing-resistant multi-factor authentication to secure their digital identities.

The Fast Identity Online (FIDO) standard stands out as a robust solution that helps businesses implement authentication mechanisms that eliminate dependence on passwords and help mitigate phishing risks.

The Rising Threat of Phishing and Credential-Based Attacks

As malicious actors evolve their tactics, adding AI to their arsenal and automating their campaigns on an unprecedented scale, phishing remains a top initial attack vector. According to Thales’s 2024 Data Threat Report, 93% of enterprises reported a rise in threats, and phishing was identified as one of the three fastest-growing attack types, chosen by 36% of respondents. AI-powered, highly convincing phishing can clone legitimate websites and manipulate users into divulging sensitive credentials and data.

Credential theft is particularly dangerous as it facilitates account takeovers, lateral movement within networks, and access to critical business systems. Attackers can leverage these stolen credentials to slip through perimeter defenses, compromise cloud environments, and carry out ransomware attacks.

High-profile breaches illustrate the devastating impact of credential-based attacks. For instance, a breach discovered at hospitality businesses was reportedly initiated through social engineering tactics that exploited weak authentication controls. Similarly, the data breach that targeted a large technology company saw bad actors tricking an employee into giving MFA approval, highlighting the limitations of conventional MFA. These incidents stress the dire need for firms to adopt phishing-resistant multi-factor authentication mechanisms like FIDO.

How FIDO Standards Enhance MFA Security

To effectively fight phishing, authentication mechanisms must reduce the use of shared secrets, like passwords and codes, to eliminate the risk of credential interception and unauthorized access. Phishing-resistant MFA ensures that even if a bad actor deceives a user, they cannot get their hands on reusable credentials or compromise accounts.

FIDO standards provide a basis for strong authentication by replacing conventional passwords with cryptographic security keys. The key principles of FIDO authentication include:

  • Public-key cryptography: Authentication relies on asymmetric cryptographic keys, preventing credential reuse or interception.
  • Anti-Phishing: the private and public keys are bound to a specific service provider domain; if the domain is fake, the authentication fails.
  • Device-bound passkeys: For high-risk scenarios, guarantee that authentication occurs only on the specific device where the passkey was originally generated. The device can be a hardware FIDO security key, a mobile phone or a laptop.
  • Biometric and hardware-based security: end users can be offered a biometric element such as a fingerprint in place of a PIN code, which facilitates and accelerates FIDO adoption.

FIDO-based authentication addresses the risks associated with traditional MFA—one-time passcodes (OTPs) and push notifications—which can be intercepted or manipulated. Unlike conventional MFA, FIDO authentication ensures that credentials cannot be used outside the legitimate authentication flow, rendering phishing attacks ineffective.
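The following is an added example, not code from the original post or from Thales, that shows the two principles above (public-key cryptography and domain binding) in a simulated WebAuthn-style ceremony. It assumes constructed domains (`bank.example`, `evil.test`), a constructed challenge string, and a simplified RP ID derivation (the origin's host is used directly); real browsers apply registrable-domain rules and real authenticators include flags and a signature counter in authenticatorData. The `Scenario` function runs a legitimate login, then a look-alike domain that relays the real challenge, then an assertion obtained on the attacker's own site and relayed to the bank; only the first one verifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Credential is what the relying party stores: a public key and the RP ID it is scoped to.
type Credential struct {
	RPID   string
	PubKey *ecdsa.PublicKey
}

// Authenticator keeps one private key per RP ID, as a security key does.
type Authenticator map[string]*ecdsa.PrivateKey

// Assertion is the authenticator's signed answer to a login challenge.
type Assertion struct {
	RPIDHash       []byte // stands in for authenticatorData (flags and counter omitted)
	ClientDataJSON []byte // {"challenge":..., "origin":...}; the browser sets origin
	Signature      []byte
}

// signedDigest reproduces what WebAuthn signs: authenticatorData || sha256(clientDataJSON).
func signedDigest(rpIDHash, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, rpIDHash...), cdHash[:]...))
	return d[:]
}

// Register creates a P-256 key pair scoped to rpID and returns the public half.
func (a Authenticator) Register(rpID string) Credential {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is not recoverable in this example
	}
	a[rpID] = priv
	return Credential{RPID: rpID, PubKey: &priv.PublicKey}
}

// Sign answers a challenge for the origin the browser is actually on; the page cannot choose it.
func (a Authenticator) Sign(origin, challenge string) (Assertion, error) {
	rpID := strings.TrimPrefix(origin, "https://") // simplified: host used as RP ID
	priv, ok := a[rpID]
	if !ok {
		return Assertion{}, fmt.Errorf("no credential scoped to %q", rpID)
	}
	cd, _ := json.Marshal(map[string]string{"challenge": challenge, "origin": origin})
	h := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(h[:], cd))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: h[:], ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the relying party's check: challenge, origin, RP ID hash and signature must all match.
func Verify(cred Credential, expectedOrigin, expectedChallenge string, as Assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil || cd["challenge"] != expectedChallenge {
		return errors.New("malformed client data or challenge mismatch")
	}
	if cd["origin"] != expectedOrigin {
		return fmt.Errorf("origin %q does not match %q", cd["origin"], expectedOrigin)
	}
	if want := sha256.Sum256([]byte(cred.RPID)); string(as.RPIDHash) != string(want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(cred.PubKey, signedDigest(as.RPIDHash, as.ClientDataJSON), as.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Scenario: one legitimate login and two phishing attempts; domains and challenge are constructed.
func Scenario() (legitOK bool, lookalikeErr, relayErr error) {
	auth := Authenticator{}
	bank := auth.Register("bank.example")
	challenge := "constructed-challenge-001" // a real RP uses fresh random bytes
	as, err := auth.Sign("https://bank.example", challenge)
	legitOK = err == nil && Verify(bank, "https://bank.example", challenge, as) == nil
	// A look-alike domain relays the real challenge: no key is scoped to it.
	_, lookalikeErr = auth.Sign("https://bank-example.evil.test", challenge)
	// The attacker's own site holds a credential and relays the assertion made
	// there: the signed origin and rpIdHash name evil.test, so the bank rejects it.
	auth.Register("evil.test")
	phished, err := auth.Sign("https://evil.test", challenge)
	if err != nil {
		return legitOK, lookalikeErr, err
	}
	return legitOK, lookalikeErr, Verify(bank, "https://bank.example", challenge, phished)
}
```

The design point is that the origin is written into the signed data by the browser, not by the page, and the private key never leaves the authenticator; an attacker who relays the challenge can at best obtain a signature that names their own domain, which the legitimate relying party rejects. Contrast this with an OTP, which is a bearer value that verifies identically whichever site relays it.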

The Business Benefits of Phishing-Resistant MFA

Adopting unphishable MFA arms entities with a host of security and operational benefits, including:

  • Better Security and User Experience: Passwords are ineffective, as people struggle to remember unique passwords for each account, which often results in weak passwords or the reuse of the same password across multiple platforms, compromising security. FIDO authentication streamlines the process, allowing users to authenticate securely with biometrics and/or hardware security keys without the risk of credential theft.
  • Regulatory Compliance and Cybersecurity Framework Alignment: Many industry regulations, including the NIST Cybersecurity Framework, ISO 27001, GDPR, and DORA, stress the importance of strong authentication. FIDO-based solutions help firms meet compliance requirements while limiting the risk of data breaches.
  • Lower Operational Costs: Password resets and account recovery processes are a hefty burden for IT teams, and replacing passwords with phishing-resistant authentication helps businesses dramatically cut support costs and improve workforce productivity.

How Thales Helps Businesses Stay Ahead

Thales provides phishing-resistant authentication solutions that help businesses protect their digital identities. With a suite of FIDO-certified authentication devices, Thales enables companies to implement secure, scalable, and user-friendly identity security. Thales’ solutions integrate flawlessly with third parties or Thales identity and access management (IAM) frameworks, offering a future-proof approach to eradicating password-based vulnerabilities.

Phishing attacks are becoming more sophisticated, making traditional MFA insufficient for protecting digital identities. Organizations must adopt phishing-resistant MFA to mitigate credential theft and account takeovers. By leveraging Thales’ expertise in cybersecurity and identity protection, entities can stay ahead of evolving phishing threats and maintain compliance with industry regulations.

FIDO-based authentication gives firms a robust security framework, eliminating passwords and ensuring strong, phishing-proof access controls. Businesses looking to enhance security while improving user experience should explore Thales’ authentication solutions.

Download our Phishing-Resistant MFA eBook and Passwordless 360 Report to learn more.