CRYPTAS Blog: PKI, Post-Quantum & Compliance Insights

Phishing-Resistant MFA & the Path to Passwordless | CRYPTAS

Written by CRYPTAS Editorial | Jun 16, 2026 11:54:06 AM

Most multi-factor authentication can still be phished. Here is what phishing-resistant really means — and how to get to passwordless.

Phishing remains the most common way attackers break in, and the uncomfortable truth is that much of today's multi-factor authentication does little to stop it. One-time codes by SMS or app, and simple push approvals, can all be intercepted, replayed or fatigued out of a tired user. As NIS2 and zero-trust strategies raise the bar, organisations across the DACH region are moving from MFA that ticks a box to phishing-resistant MFA that genuinely holds the line.

Why legacy MFA falls short

The weakness is shared secrets and human approval. A code can be entered into a fake site; a push notification can be approved by a user worn down by repeated prompts. Attackers have industrialised these techniques with phishing kits and prompt-bombing. If a credential can be relayed to an attacker in real time, it is not phishing-resistant — no matter how many factors are involved.

What phishing-resistant actually means

  • Cryptographic, origin-bound credentials. Standards like FIDO2 and passkeys bind the authentication to the legitimate site, so a credential simply will not work on a look-alike domain.
  • Certificate-based and smart-card authentication. PKI-backed credentials on a smart card or virtual smart card prove identity with a private key that never leaves the device.
  • No phishable shared secret. There is no code to type and no push to fatigue — nothing for an attacker to capture and replay.

The path to passwordless

  • Start with your highest-risk users. Administrators and privileged accounts first — they are the prize attackers want most.
  • Deploy phishing-resistant factors. Roll out FIDO2 security keys, passkeys or PKI-based smart cards and virtual smart cards.
  • Retire weak fallbacks. Remove SMS and other phishable methods as backups, or they become the path of least resistance.
  • Extend to the workforce. Expand coverage to all users and move toward a passwordless experience that is both safer and smoother.

How CRYPTAS helps

CRYPTAS delivers strong authentication built on proven PKI — including primeID virtual smart cards and egofy smart cards — so you can give users and administrators credentials that resist phishing by design. We help you map your highest-risk access, deploy phishing-resistant factors, and move toward passwordless in line with NIS2 and zero-trust expectations.

Ready to phase out phishable MFA? Talk to CRYPTAS about a phishing-resistant authentication rollout.
View full post