
Phishing-resistant

Phishing-resistant authentication describes methods designed to resist phishing attacks by ensuring credentials cannot be stolen through fraudulent websites or deceptive domains. In practice, it refers to passwordless and multi-factor approaches that rely on public-key cryptography and origin-bound credentials, such as those enabled by FIDO2/WebAuthn. Security guidelines, including NIST SP 800-63, categorize certain authenticator implementations as phishing-resistant when they cannot be phished or misused by an attacker.

How it works: For each relying party, the authenticator generates a unique public–private key pair. The private key remains on the user's device; the service stores only the public key. During sign-in, the server issues a challenge that the authenticator signs with the private key. The signature is valid only for the origin that registered the credential, making it ineffective on a phishing site. This model often uses hardware security keys or platform authenticators and may require user verification (such as a fingerprint or PIN). It enables passwordless login and broad phishing resistance for web and mobile applications.

Adoption and limitations: Phishing-resistant credentials are recommended for high-security accounts and enterprise deployments and are supported across many platforms, but may require compatible devices and services and can involve hardware costs. They are not a foolproof shield against all phishing, especially in cases of social engineering around legitimate sites or device compromise; they should be implemented as part of a layered security approach with recovery and backup considerations.
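The challenge-and-origin mechanism described under "How it works", as an added example that is not part of the original page: a constructed Go model of an authenticator, a relying party and the browser between them. The authenticator keeps one P-256 private key per relying-party ID and signs SHA-256(rpID) || SHA-256(clientDataJSON), the shape of a WebAuthn assertion; the relying party stores only the public key and checks the challenge it issued, the origin the browser recorded, and the signature. The relying party bank.example, the look-alike host bank-login.example, and the names Login, Register, Assert and Verify are assumptions for this example; real authenticatorData, credential IDs, signature counters and attestation are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the clientDataJSON fields used here: the challenge and the page origin.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signingInput mirrors WebAuthn's assertion message SHA-256(rpID) || SHA-256(clientDataJSON),
// hashed once more for ECDSA; each side computes it from its own view of the RP ID.
func signingInput(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return msg[:]
}

// Authenticator keeps one private key per relying-party ID; keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register creates a fresh P-256 key pair scoped to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Assert signs the challenge with the key scoped to rpID, or refuses if there is none.
func (a *Authenticator) Assert(rpID string, cdJSON []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("authenticator: no credential for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signingInput(rpID, cdJSON))
}

// RelyingParty stores only the public key and knows its own ID and origin.
type RelyingParty struct {
	ID, Origin, challenge string
	pub                   *ecdsa.PublicKey
}

// Verify applies the checks that make the credential origin-bound: the issued challenge,
// the RP's own origin, and a signature that verifies under the RP's own ID.
func (rp *RelyingParty) Verify(cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != rp.challenge {
		return fmt.Errorf("server: challenge mismatch")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("server: origin %q is not %q", cd.Origin, rp.Origin)
	}
	if !ecdsa.VerifyASN1(rp.pub, signingInput(rp.ID, cdJSON), sig) {
		return fmt.Errorf("server: bad signature")
	}
	return nil
}

// Login enrols a fresh authenticator with the constructed relying party bank.example, then plays
// the browser for one sign-in from pageOrigin, scoping the request to rpID (hypothetical names).
func Login(pageOrigin, rpID string) error {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	pub, err := auth.Register("bank.example")
	if err != nil {
		return err
	}
	rp := &RelyingParty{ID: "bank.example", Origin: "https://bank.example", pub: pub}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	rp.challenge = fmt.Sprintf("%x", nonce)
	cdJSON, _ := json.Marshal(clientData{Challenge: rp.challenge, Origin: pageOrigin})
	sig, err := auth.Assert(rpID, cdJSON)
	if err != nil {
		return err
	}
	return rp.Verify(cdJSON, sig)
}

func main() {
	fmt.Println("legitimate:", Login("https://bank.example", "bank.example"))
	fmt.Println("phished:", Login("https://bank-login.example", "bank-login.example"))
	fmt.Println("relayed:", Login("https://bank-login.example", "bank.example"))
}
```

The first sign-in verifies. The second fails at the authenticator: a real browser derives the relying-party ID from the page's own host (it only permits an rpID that is a registrable suffix of that host), so a look-alike page gets a request scoped to bank-login.example, for which no credential exists. The third models a look-alike page that somehow presents the real relying-party ID; it fails at the server because clientDataJSON records the origin the browser actually saw. Those two checks are what "valid only for the origin that registered the credential" means in practice.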