Overview
Direct Answer
Phishing-resistant authentication uses cryptographic mechanisms that bind credentials to a specific legitimate service, preventing attackers from harvesting and reusing credentials on fraudulent sites. Standards such as FIDO2 and WebAuthn exemplify this approach by leveraging public-key cryptography rather than shared secrets.
How It Works
The authentication flow uses asymmetric cryptography: a private key is generated on and remains within the user's device (or hardware authenticator) and is never transmitted. During registration, the service receives only the corresponding public key. At login, the device signs a server-supplied challenge together with data that includes the service's origin (domain). An attacker's phishing site cannot forge a valid signature because it has no access to the private key, and any signature it could induce would be bound to its own origin, which the legitimate service rejects.
Why It Matters
Organisations face escalating costs from credential compromise and account takeover. Unlike passwords and SMS one-time passcodes, origin-bound credentials remove credential phishing as an attack vector, reducing both breach risk and incident response overhead whilst improving user experience by eliminating memorisation burdens.
Common Applications
Enterprise single sign-on systems, financial services platforms, cloud infrastructure access, and government identity verification programmes increasingly mandate or encourage deployment. Major online service providers have integrated support into their authentication flows to defend high-value accounts.
Key Considerations
Implementation requires device capability (secure enclave or trusted platform module) and user adoption of appropriate hardware or platform authenticators. Recovery workflows and backup authentication methods remain necessary for account access when devices are lost or unavailable.