Phishing-Resistant Authentication

Phishing is an increasingly subtle threat in the modern digital world. It doesn’t matter how tech-savvy someone is—one tired day, a moment of distraction, or a coincidence can be enough. Attackers only need to succeed once; defenders must succeed every time. Artificial Intelligence (AI) has made it easier for attackers to create convincing fake websites with minimal effort. In addition, phishing attacks are often run as a service (PhaaS – “Phishing-as-a-Service”), making powerful attacks accessible to a broader group. This article provides an overview of how phishing-resistant authentication—especially through passkeys—can strengthen your company’s security.

Why Traditional MFA Is No Longer Enough

MFA has long been a cornerstone of cybersecurity. However, traditional MFA methods—even those using number matching—do not offer sufficient protection against modern “Attacker-in-the-Middle” (AitM) attacks. In such attacks, users are redirected to fake login pages where the attacker captures both login credentials and MFA factors, thus gaining access. The need for stronger protection is clear.

What Does “Phishing-Resistant Authentication” Mean?

The idea of strong phishing-resistant authentication is not entirely new. Its core principle is that authentication only works on the correct website:

When phishing-resistant authentication (such as a passkey or an older U2F key) is created for a site (e.g., https://syndis.is), it is cryptographically bound to that exact domain.

If a user lands on a fake site (e.g., https://syndis.ist), the authentication device simply won’t work.

This happens automatically—without the user needing to detect the deception.

Thus, phishing-resistant authentication ensures you’re communicating with the correct service.
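The domain binding described above is enforced on the server side of a WebAuthn/passkey login. The following is an added illustration, not Syndis code: it simulates what the browser and authenticator produce during a login and the relying-party checks that reject an assertion coming from a lookalike origin. The RP ID, origins and challenge are constructed for the example, and the cryptographic signature check that a real relying party also performs is omitted.

```python
import base64
import hashlib
import json

# Relying-party configuration (constructed for this example).
RP_ID = "syndis.is"
ALLOWED_ORIGINS = {"https://syndis.is"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def rp_id_hash(rp_id: str) -> bytes:
    """Authenticators place SHA-256(rpId) in the first 32 bytes of authenticatorData."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def make_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Simulate what a browser plus authenticator return for a login on `origin`.

    The browser writes the real page origin into clientDataJSON and the
    authenticator hashes the rpId it was asked to use. Page script on a
    phishing site cannot alter either value, which is what makes the
    credential useless on https://syndis.ist even if the user is fooled.
    """
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    flags = b"\x05"  # user present + user verified (constructed)
    sign_count = (0).to_bytes(4, "big")
    auth_data = rp_id_hash(rp_id) + flags + sign_count
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}


def verify_assertion(assertion: dict, expected_challenge: bytes) -> tuple:
    """Relying-party checks from the WebAuthn spec; returns (ok, reason)."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, "origin %r is not this relying party" % cd.get("origin")
    if assertion["authenticatorData"][:32] != rp_id_hash(RP_ID):
        return False, "rpIdHash does not match this relying party"
    return True, "ok"


if __name__ == "__main__":
    chal = b"\x01" * 32  # constructed; a real server uses os.urandom(32) per login
    print(verify_assertion(make_assertion("https://syndis.is", "syndis.is", chal), chal))
    print(verify_assertion(make_assertion("https://syndis.ist", "syndis.ist", chal), chal))
```

The second call is the phishing case: the browser on the lookalike domain records its own origin and the authenticator hashes the lookalike RP ID, so the genuine service rejects the assertion without the user having noticed anything.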

Many are familiar with the FIDO U2F standard, which often used a hardware security key as MFA alongside a password. Passkeys are a more advanced evolution of FIDO technology and take a step toward eliminating passwords entirely.

Limitations of Passkeys

Although passkeys and phishing-resistant MFA protect against stolen credentials via fake login pages, it’s important to note that they don’t guard against all types of attacks. For example, they do not directly protect against cookie theft via malware that has already infected a user’s device.

Adoption and Support

Many major companies and services such as Cloudflare, AWS, GitHub, Microsoft Entra ID, and the entire Google ecosystem have already implemented support for phishing-resistant authentication. Social media platforms are also increasing their support. This growing adoption highlights the importance and reliability of the technology.

Types of Passkeys

  • Device-Bound Passkey:

    These are stored on specialized, portable devices (USB-A, USB-C, NFC, Bluetooth) that hold the passkey securely and often support PIN protection in case the device is lost or stolen.

  • Synced Passkey:

    These are stored in software and synced across cloud services, making them accessible across multiple user devices. This functionality is handled by system cloud services (like Apple iCloud Keychain, Google Password Manager) or third parties (like 1Password). While hardware security keys are generally considered the most secure storage method (“something you have”), synced passkeys still offer protection against phishing.

    However, in a corporate environment, caution is needed when using personal cloud accounts to store passkeys, as this can introduce security risks if the personal account is compromised.

A Practical Step Toward Greater Security

Phishing-resistant authentication using passkeys offers significantly improved protection against one of today’s most common cyber threats. However, it’s important to understand that rolling out passkeys to all users in a company can be a sizable task.

Still, security is often about reducing risk step by step. Passkeys are not an all-or-nothing solution. Often, it makes sense to begin implementation in the highest-risk departments, such as IT, finance, and leadership. This phased approach emphasizes that even a partial rollout is better than no solution at all. Each step toward phishing-resistant authentication, even if not universal at first, is a critical advancement. Being aware of this and prioritizing wisely is the essence of effective risk management.

Contact us at Syndis to discuss how your company can take practical steps toward a more secure future.
