Passkeys stop phishing. Your MFA fallbacks undo it.
Blog post from WorkOS
AI-powered phishing has made traditional multi-factor authentication (MFA) largely ineffective: adversary-in-the-middle (AiTM) proxies, deepfake voice manipulation, and AI-generated lures that markedly raise click-through rates all bypass SMS codes, authenticator apps, and push notifications, because each of those methods relies on a human to relay an authentication value that an attacker can capture and replay. FIDO2 security keys and passkeys have proven resistant to this class of attack through cryptographic origin binding, which ties each authentication to the specific domain it was performed on, so an assertion obtained through a look-alike site is useless to the real one.

Despite that, organizations often remain vulnerable because they keep weaker MFA fallbacks, such as SMS or email recovery, which attackers simply target instead. High-profile companies including Google, Cloudflare, and Snap have reported zero successful phishing attacks after adopting FIDO2 security keys and eliminating fallback methods, which shows that organizations need to commit fully to phishing-resistant technologies rather than leaving outdated authentication paths in place that undermine the whole scheme.
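To show what "origin binding" means at the relying-party side, here is an added example (not code from WorkOS or from the post) of the WebAuthn assertion checks that make a relayed login fail: the browser writes the origin it is actually talking to into clientDataJSON and restricts the rpId to that origin, and both are covered by the authenticator's signature. The relying party name, origins and challenge are hypothetical, the assertions are constructed in-script, and signature verification is left to a proper WebAuthn library.

```python
import base64
import hashlib
import json

# Assumed relying party for this example (hypothetical values, not from the post).
EXPECTED_RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://app.example.com"}
CHALLENGE = b"constructed-server-challenge-value"  # constructed, issued per login by the RP

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def build_assertion(origin: str, rp_id: str, challenge: bytes) -> dict:
    """Construct the browser-supplied parts of a WebAuthn assertion (constructed sample).
    The browser, not the page, writes `origin` and only allows an rpId that is a
    registrable suffix of it; both are under the authenticator's signature."""
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags, sign_count = bytes([0x05]), (0).to_bytes(4, "big")  # UP|UV set, counter 0
    return {"clientDataJSON": json.dumps(client_data).encode(),
            "authenticatorData": rp_id_hash + flags + sign_count}

def check_origin_binding(assertion: dict, expected_challenge: bytes,
                         expected_rp_id: str, allowed_origins: set):
    """Relying-party checks from the WebAuthn assertion procedure that defeat AiTM.
    Signature verification over authenticatorData || SHA-256(clientDataJSON) is
    omitted; a real deployment must perform it with the credential's public key."""
    client_data = json.loads(assertion["clientDataJSON"])
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin!r} not allowed"  # the check a relayed login trips
    auth_data = assertion.get("authenticatorData", b"")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"

if __name__ == "__main__":
    genuine = build_assertion("https://example.com", "example.com", CHALLENGE)
    # A relaying site can forward the real challenge, but the browser binds it to the relay's origin.
    relayed = build_assertion("https://login-example.net", "login-example.net", CHALLENGE)
    print(check_origin_binding(genuine, CHALLENGE, EXPECTED_RP_ID, ALLOWED_ORIGINS))
    print(check_origin_binding(relayed, CHALLENGE, EXPECTED_RP_ID, ALLOWED_ORIGINS))
```

The relayed assertion carries the correct challenge and is still rejected on origin, which is the property an SMS or push fallback lacks.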