How to Future-Proof Your MFA Strategy Against Modern Threats

Microserve
October 9, 2025

Although multi-factor authentication (MFA) has long served as a fundamental security measure, threat actors have advanced their techniques. As a result, conventional MFA approaches are becoming more susceptible to complex attacks, prompting organizations to consider enhanced security alternatives. 

The future? Phishing-resistant MFA. Solutions like security keys, passkeys, and smart cards provide stronger protection against today’s advanced threats. 

This blog explains why traditional MFA is no longer enough, what phishing-resistant MFA means, and why it’s the right time to act, with Microserve as your trusted partner. 

The Challenge: Limitations of Traditional Multi-Factor Authentication 

The Canadian Centre for Cyber Security strongly recommends MFA as a baseline safeguard for accounts and devices, but not all MFA methods offer the same level of protection. Here are the critical weaknesses of traditional MFA to consider:

1. MFA Fatigue (Push Bombing) 

MFA fatigue, also called push bombing, targets deployments that approve logins with a simple push notification. The attacker already holds the victim's password (typically from a credential dump or an earlier phish) and simply keeps submitting it, so the victim's phone lights up with approval prompts, often late at night, until they give in. 

  • Push bombing has produced breaches at large enterprises in recent years. 
  • Many users eventually approve a prompt just to silence the notifications, unknowingly letting the attacker in. Number matching (typing a code shown on the login screen into the app) makes blind approval harder, but it still depends on the user noticing that they did not start the login. 
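The following is an added example, not part of the original post: a small detection routine that flags push-bombing bursts in sign-in events so a SOC can catch the attack while the prompts are still arriving. The record shape (userPrincipalName, createdDateTime, ipAddress, status.errorCode, status.additionalDetails) and the "MFA denied; ..." strings are modelled on Microsoft Entra sign-in logs but are assumptions here, and the events are constructed sample data rather than real logs.

```javascript
// Added example: flag MFA-fatigue (push-bombing) bursts in sign-in events.
// Record shape and status strings are modelled on Microsoft Entra sign-in
// logs (errorCode 500121 = strong-authentication failure) but are assumptions;
// check them against your own identity provider's export before relying on this.

// Constructed sample data, not real logs.
const SAMPLE_SIGNINS = [
  // alice: six push denials in six minutes, then an approval -> classic fatigue
  ...["22:01", "22:02", "22:03", "22:04", "22:05", "22:06"].map((hm) => ({
    userPrincipalName: "alice@example.com",
    createdDateTime: `2025-10-01T${hm}:00Z`,
    ipAddress: "203.0.113.7",
    status: { errorCode: 500121, additionalDetails: "MFA denied; user declined the authentication" },
  })),
  {
    userPrincipalName: "alice@example.com",
    createdDateTime: "2025-10-01T22:07:30Z",
    ipAddress: "203.0.113.7",
    status: { errorCode: 0, additionalDetails: "MFA completed" },
  },
  // bob: one timed-out push, then a success from his usual address -> benign
  {
    userPrincipalName: "bob@example.com",
    createdDateTime: "2025-10-01T09:15:00Z",
    ipAddress: "198.51.100.20",
    status: { errorCode: 500121, additionalDetails: "MFA denied; user did not respond to mobile app notification" },
  },
  {
    userPrincipalName: "bob@example.com",
    createdDateTime: "2025-10-01T09:16:10Z",
    ipAddress: "198.51.100.20",
    status: { errorCode: 0, additionalDetails: "MFA completed" },
  },
  // carol: three denials spread over two hours -> below the default threshold
  ...["08:00", "09:00", "10:00"].map((hm) => ({
    userPrincipalName: "carol@example.com",
    createdDateTime: `2025-10-01T${hm}:00Z`,
    ipAddress: "203.0.113.9",
    status: { errorCode: 500121, additionalDetails: "MFA denied; user declined the authentication" },
  })),
];

const STRONG_AUTH_FAILURE = 500121;

function isPushRejection(ev) {
  return ev.status.errorCode === STRONG_AUTH_FAILURE &&
    /^MFA denied/i.test(ev.status.additionalDetails || "");
}

function isSuccess(ev) {
  return ev.status.errorCode === 0;
}

// Returns one finding per user whose densest run of push rejections inside a
// sliding window reaches `threshold`. `approvedAfter` is true when a successful
// sign-in follows the burst within the same window: the user probably tapped
// Approve to make the prompts stop, so treat that session as compromised.
function findPushBombing(events, { windowMinutes = 10, threshold = 5 } = {}) {
  const windowMs = windowMinutes * 60 * 1000;
  const byUser = new Map();
  for (const ev of events) {
    if (!byUser.has(ev.userPrincipalName)) byUser.set(ev.userPrincipalName, []);
    byUser.get(ev.userPrincipalName).push(ev);
  }

  const findings = [];
  for (const [user, evs] of byUser) {
    const t = (ev) => Date.parse(ev.createdDateTime);
    evs.sort((a, b) => t(a) - t(b));
    const rejections = evs.filter(isPushRejection);

    // Densest window: two-pointer sweep over the sorted rejection timestamps.
    let best = null;
    for (let start = 0, end = 0; end < rejections.length; end++) {
      while (t(rejections[end]) - t(rejections[start]) > windowMs) start++;
      const count = end - start + 1;
      if (best === null || count > best.count) best = { count, start, end };
    }
    if (best === null || best.count < threshold) continue;

    const burstEnd = t(rejections[best.end]);
    const approvedAfter = evs.some(
      (ev) => isSuccess(ev) && t(ev) > burstEnd && t(ev) - burstEnd <= windowMs,
    );
    findings.push({
      user,
      rejections: best.count,
      windowStart: rejections[best.start].createdDateTime,
      windowEnd: rejections[best.end].createdDateTime,
      sourceIps: [...new Set(rejections.slice(best.start, best.end + 1).map((e) => e.ipAddress))],
      approvedAfter,
    });
  }
  return findings;
}

console.log(JSON.stringify(findPushBombing(SAMPLE_SIGNINS), null, 2));
```

Tune `windowMinutes` and `threshold` to your own baseline; a handful of denials per user per day is normal, a dozen in ten minutes is not. When `approvedAfter` is true the right response is to revoke the user's sessions and reset the password, because the attacker must already have had it to trigger the prompts.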

2. Token Theft 

Token theft targets what happens after MFA, not the MFA step itself. Once a login (including its MFA challenge) succeeds, the service issues a session token or cookie that the browser or app presents on later requests so the user is not challenged again. That convenience is what makes tokens attractive: they can be harvested by infostealer malware on the endpoint, captured by a phishing proxy, or lifted from an insecure network. Whoever presents a valid token is treated as already authenticated, so the MFA check never runs. 

  • Session hijacking compounds the problem: for as long as the token stays valid, the attacker can keep using the account without ever re-authenticating, which is why short session lifetimes and the ability to revoke sessions matter even where MFA is deployed. 

3. Man-in-the-Middle (MitM) Attacks 

Phishing has evolved into adversary-in-the-middle (AitM) proxying. The attacker stands up a lookalike domain that forwards every request to the genuine login page in real time. The victim types a password and a one-time code, or approves a push, exactly as they would on the real site; the proxy relays each step to the real service, which issues a session cookie, and the proxy captures that cookie on the way back. 

As a result the attacker holds an authenticated session for the victim's account, while the victim lands on the real site and notices nothing. 

4. SIM-Swapping Attacks 

A SIM swap attack occurs when an attacker gains control over a victim’s phone number by manipulating the victim’s mobile provider, allowing interception of calls and texts. Once the attacker has control of the number, they receive all SMS messages intended for the victim, including MFA verification codes, making SMS-based MFA especially vulnerable.  

Beyond SIM swapping, SMS is not end-to-end encrypted: codes have been intercepted through weaknesses in carrier signalling (SS7) and by malware on the handset, which is why SMS-based MFA is the weakest option for protecting sensitive accounts. 

Traditional MFA still raises the bar, but because of these weaknesses it falls short for administrators, executives, finance staff and any organization facing targeted attacks. 

Why MFA Still Matters 

It is important to note that enabling any MFA is still far better than no MFA at all. 

  • Microsoft found that over 99.9% of compromised accounts didn’t have MFA enabled. (Source) 
  • An academic study of Azure Active Directory data showed MFA reduced compromise risk by 99.22% overall, and up to 99.99% in some cases. (Source) 

The problem isn’t whether to use MFA, but which kind of MFA you deploy. 

The Future: Phishing-Resistant MFA 

Phishing-resistant MFA refers to authentication methods designed so that a phished or proxied login attempt fails by construction. Instead of a code or a push prompt that a user can be talked into handing over, they rely on public-key challenge-response: the authenticator signs a fresh server challenge together with the origin the browser is actually talking to, and the private key never leaves the device. 

Examples of Phishing-Resistant MFA 

  • Hardware Security Keys (e.g., YubiKeys): USB or NFC devices that hold the private key in tamper-resistant hardware and require a physical touch to sign a login. 
  • Passkeys (FIDO2 / WebAuthn): passwordless credentials based on public-key cryptography, stored either on a single device (device-bound) or synced through a platform credential manager, and now widely supported by major browsers and operating systems. 
  • Smart Cards / PKI Cards: certificate-based authentication where the private key lives on the card and is unlocked with a PIN; common in government and enterprise environments. 

All phishing-resistant MFA methods are origin-bound: the browser or platform writes the real origin (domain) into the data the authenticator signs, so a credential exercised on a lookalike site is rejected by the genuine service, and the private key itself cannot be exported. There is no one-time code for a proxy to relay and no approval prompt to abuse with fatigue attacks. What they do not protect is a session cookie issued after a successful login; that still needs endpoint and session controls. 

Why It’s Stronger 

  • Resistant to phishing: the browser records the site's origin in the signed data, so a credential used on a lookalike domain fails verification. 
  • No MFA fatigue: there is no push prompt to spam; the user has to act on the device that holds the key. 
  • Resistant to credential theft: the private key stays inside the authenticator and is never typed, displayed or transmitted, so there is nothing to phish or replay. A session cookie issued after login can still be stolen by malware on the endpoint, so pair phishing-resistant MFA with short session lifetimes and device-compliance checks. 
  • Resistant to adversary-in-the-middle proxies: the signature covers both the origin and the server's fresh challenge, so a relayed assertion does not verify. 

Phishing-resistant MFA is recommended by the Canadian Centre for Cyber Security (source) as a strong security measure, and the Cybersecurity and Infrastructure Security Agency (CISA) refers to it as the “gold standard” (Source). 

Traditional MFA vs. Phishing-Resistant MFA 

Aspect | Traditional MFA (SMS, OTP, Push) | Phishing-Resistant MFA (FIDO2 Passkeys, Security Keys, Smart Cards) 
Phishing Protection | Vulnerable to proxy (MitM) phishing | Strong: origin-bound, relayed logins fail 
MFA Fatigue | Push prompts can be abused | Not applicable, no prompt to spam 
Credential and Token Theft | Codes can be phished; session cookies can be cloned | Private key never leaves the authenticator; session cookies still need separate protection 
User Experience | Type a code or approve a prompt | Tap a key or use biometrics 
Compatibility | Works with legacy systems | Requires a modern browser, OS and identity provider 
Security Rating (CISA) | Weakest for SMS/voice; middle tier for app OTP and push | Highest (gold standard) 

Phishing-resistant MFA Adoption in Canada: A Growing Trend 

Canada is at a turning point in digital security. With 25% of Canadians reporting fraud in the past three years and billions of stolen credentials circulating on the darknet, the risks of relying on traditional MFA have never been higher. The push toward passkeys is driven by both regulatory pressure and the need to combat sophisticated phishing attacks. 

  • The FIDO Alliance has formed a Payments Working Group (PWG) to develop FIDO solutions for payments, with Royal Bank of Canada as a member. 
  • Canadian privacy laws such as PIPEDA and sector-specific frameworks like OSFI B-13 for financial institutions are pushing organizations to adopt stronger authentication methods.  

Organizations that delay adoption risk regulatory penalties, reputational damage, and increased operational costs due to fraud and account recovery issues. 

How to Deploy Phishing-Resistant MFA 

Start with these steps: 

  1. Audit current MFA deployments: identify where SMS, voice or plain push is still used, and which of those accounts are administrators. 
  2. Prioritize high-risk groups: secure administrators, executives and finance accounts first. 
  3. Phase the migration: run a pilot with a small user group or team before a wider rollout. 
  4. Run awareness and adoption campaigns: educate users while cybersecurity is top-of-mind. 
  5. Enforce, don't just enable: once a group is enrolled, require phishing-resistant methods for it by policy (in Microsoft Entra ID, a Conditional Access authentication strength) and remove SMS and voice as fallbacks. A weaker method left registered is the one an attacker will use. 
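As an added example covering the audit and prioritization steps above (not part of the original post or of any Microserve tooling), the following Node.js routine turns an MFA registration export into an ordered migration work list. The records mimic the Microsoft Graph userRegistrationDetails report (userPrincipalName, isAdmin, isMfaRegistered, methodsRegistered); the method names are the ones that report uses as far as the author knows, but treat them and the sample users as assumptions and check a real export before wiring this into a migration.

```javascript
// Added example: triage an MFA registration export so SMS/voice and push-only
// users are migrated first, with admins ahead of everyone else. Record shape and
// method names are modelled on Microsoft Graph's userRegistrationDetails report
// and are assumptions; verify them against a real export.

// Key-based, origin-bound methods count as phishing-resistant.
const PHISHING_RESISTANT = new Set([
  "fido2SecurityKey", "passKeyDeviceBound", "passKeyDeviceBoundAuthenticator",
  "passKeyDeviceBoundWindowsHello", "windowsHelloForBusiness", "macOsSecureEnclaveKey",
]);
// Push and OTP stop password-only attacks but can be proxied or fatigued.
const PUSH_OR_OTP = new Set([
  "microsoftAuthenticatorPush", "microsoftAuthenticatorPasswordless",
  "softwareOneTimePasscode", "hardwareOneTimePasscode",
]);
// Phone-based methods: SMS and voice, exposed to SIM swapping and interception.
const PHONE = new Set(["mobilePhone", "alternateMobilePhone", "officePhone"]);

// Tier is decided by the STRONGEST method registered; a phone fallback is
// reported separately because an attacker can downgrade to it.
function classify(user) {
  const methods = new Set(user.methodsRegistered || []);
  const has = (set) => [...methods].some((m) => set.has(m));
  let tier;
  if (!user.isMfaRegistered || methods.size === 0) tier = "none";
  else if (has(PHISHING_RESISTANT)) tier = "phishing-resistant";
  else if (has(PUSH_OR_OTP)) tier = "push-or-otp";
  else if (has(PHONE)) tier = "sms-or-voice";
  else tier = "other";
  return { user: user.userPrincipalName, isAdmin: !!user.isAdmin, tier, phoneFallback: has(PHONE) };
}

const TIER_RANK = { none: 0, "sms-or-voice": 1, other: 2, "push-or-otp": 3, "phishing-resistant": 4 };

// Work list: everyone not yet phishing-resistant, or still carrying a phone
// fallback, ordered admins first and weakest tier first.
function migrationWorklist(users) {
  return users.map(classify)
    .filter((r) => r.tier !== "phishing-resistant" || r.phoneFallback)
    .sort((a, b) =>
      (b.isAdmin - a.isAdmin) || (TIER_RANK[a.tier] - TIER_RANK[b.tier]) || a.user.localeCompare(b.user));
}

// Headcount per tier, useful for tracking the rollout week over week.
function summarize(users) {
  const counts = {};
  for (const { tier } of users.map(classify)) counts[tier] = (counts[tier] || 0) + 1;
  return counts;
}

// Constructed sample export, not real tenant data.
const SAMPLE_USERS = [
  { userPrincipalName: "admin.dana@example.com", isAdmin: true,  isMfaRegistered: true,  methodsRegistered: ["microsoftAuthenticatorPush", "mobilePhone"] },
  { userPrincipalName: "cfo.erin@example.com",   isAdmin: false, isMfaRegistered: true,  methodsRegistered: ["mobilePhone"] },
  { userPrincipalName: "dev.frank@example.com",  isAdmin: false, isMfaRegistered: true,  methodsRegistered: ["fido2SecurityKey", "microsoftAuthenticatorPush"] },
  { userPrincipalName: "sec.gina@example.com",   isAdmin: true,  isMfaRegistered: true,  methodsRegistered: ["fido2SecurityKey", "mobilePhone"] },
  { userPrincipalName: "temp.hal@example.com",   isAdmin: false, isMfaRegistered: false, methodsRegistered: [] },
];

console.log(migrationWorklist(SAMPLE_USERS));
console.log(summarize(SAMPLE_USERS));
```

Note that sec.gina stays on the work list even though she already has a security key: the mobilePhone method registered beside it is the fallback an attacker will target, and the migration is not finished until it is removed and policy requires the key.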

Early adopters of passkeys and phishing-resistant MFA will not only meet compliance requirements but also gain a competitive edge and reduce operational costs.  

Microserve’s Phishing-Resistant MFA Solutions 

At Microserve, we understand the urgency. That’s why we offer comprehensive phishing-resistant MFA solutions tailored for Canadian organizations. 

What We Provide 

🔒 Seamless Integration with Microsoft Entra ID and existing Microsoft 365 environments, enabling quick deployment with minimal disruption. 

🔒 FIDO2-Based Authentication: Support for both software passkeys and hardware security keys (e.g., YubiKeys) for passwordless, origin-bound authentication. 

🔒 Real-Time Protection: Protects against the latest phishing, social engineering, and man-in-the-middle attacks, including those powered by AI. 

🔒 Comprehensive Security: Secures critical business applications and sensitive data with strong cryptographic verification, requiring physical presence for authentication. 

Why Choose Microserve 

  • In-house Expertise: Microserve was among the first to pilot and deploy FIDO2 authentication, giving us a deep understanding of the technology and offering a smoother implementation. 
  • Comprehensive Support: We offer full implementation and support, guiding your team through the integration process with a focus on minimizing downtime and maximizing security. 
  • High-Touch Local Service: Dedicated support teams in British Columbia and Alberta for personalized service. 
  • Competitive, Flexible Pricing: Agile pricing suited for varied project sizes. 

Conclusion 

Traditional MFA isn’t enough anymore. Attackers have adapted, and organizations need to keep pace. Phishing-resistant MFA, using passkeys, security keys, and smart cards, offers the strongest defense against modern attacks like phishing, token theft, and man-in-the-middle exploits.