Phishing-Resistant Authentication.
An authentication mechanism whose credential cannot be tricked into authenticating to a malicious site, because the credential is bound to the legitimate site's origin and is never released to a look-alike domain — passkeys, FIDO2 hardware keys, and PIV/CAC smart cards qualify; passwords, OTPs, and magic links do not.
The recurring confusion: push-notification MFA looks phishing-resistant (the user approves on a separate device) but isn't — the user can be tricked into approving a push triggered by an attacker who has the password. Number-matching push raises the bar significantly but doesn't reach FIDO2-class resistance. The phishing-resistant authenticators in 2026 are FIDO2 / passkeys, PIV / CAC smart cards, and verifier-impersonation-resistant variants of the above.
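What makes the FIDO2 / passkey class different from OTP and push is checkable on the server. The browser records the origin it collected the assertion from in clientDataJSON, and the authenticator hashes the relying party ID into authenticatorData, so a relying party rejects anything produced on a look-alike domain before it even verifies the signature. The example below is added here to illustrate that binding and is not code from this glossary or any of the linked guides. It assumes a relying party ID of login.example.com and origin https://login.example.com, constructs its own sample client and authenticator data in place of a real browser and security key, and stops short of the signature and counter checks that complete a real verification.

```python
"""Relying-party side of WebAuthn assertion verification: the origin and RP ID
binding checks that make FIDO2 / passkeys phishing-resistant.

Constructed sample data only; no real authenticator or browser is involved, and
signature/counter verification is omitted to keep the binding checks in focus.
"""
import base64
import hashlib
import json
import secrets

EXPECTED_RP_ID = "login.example.com"           # assumed relying party ID
EXPECTED_ORIGIN = "https://login.example.com"  # assumed legitimate origin


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Build the clientDataJSON a browser emits for navigator.credentials.get().

    The browser, not the page script, fills in ``origin``; a phishing page
    cannot substitute the legitimate site's origin here.
    """
    doc = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(doc).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """authenticatorData = SHA-256(rpId) || flags || 4-byte signature counter.

    The browser only passes an rpId that matches the page's own origin, so a
    credential scoped to login.example.com is never exercised from elsewhere.
    Flags 0x05 = user present (UP) + user verified (UV).
    """
    return hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (1).to_bytes(4, "big")


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, expected_origin: str,
                             expected_rp_id: str) -> tuple[bool, str]:
    """Client-data and authenticator-data checks of the WebAuthn assertion
    verification procedure, performed before the signature is examined."""
    try:
        client_data = json.loads(client_data_json)
        challenge = b64url_decode(client_data.get("challenge", ""))
    except ValueError:
        return False, "clientDataJSON is malformed"
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # Challenge must be the one this server issued for this session (replay protection).
    if not secrets.compare_digest(challenge, expected_challenge):
        return False, "challenge mismatch: stale or replayed assertion"
    # Origin is stamped by the browser; a look-alike domain fails here.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: assertion collected at {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    expected_hash = hashlib.sha256(expected_rp_id.encode()).digest()
    if not secrets.compare_digest(authenticator_data[:32], expected_hash):
        return False, "rpIdHash mismatch: credential exercised for a different relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "bound to this relying party; continue with signature verification"


def demo() -> dict:
    """A legitimate login next to an assertion relayed through a phishing page."""
    challenge = secrets.token_bytes(32)
    legit_ok, _ = verify_assertion_binding(
        make_client_data(challenge, EXPECTED_ORIGIN), make_authenticator_data(EXPECTED_RP_ID),
        challenge, EXPECTED_ORIGIN, EXPECTED_RP_ID)
    # Constructed look-alike domain: the browser stamps its real origin and only
    # lets the authenticator use that domain as rpId, so both bindings fail.
    phish_origin = "https://login-example.com.evil.test"
    phish_ok, reason = verify_assertion_binding(
        make_client_data(challenge, phish_origin), make_authenticator_data("login-example.com.evil.test"),
        challenge, EXPECTED_ORIGIN, EXPECTED_RP_ID)
    return {"legitimate": legit_ok, "relayed_from_phishing_origin": phish_ok, "reason": reason}


if __name__ == "__main__":
    print(demo())
```

The contrast with the non-resistant factors is what is missing, not what is present: a six-digit OTP or a push approval arrives at the server with no field saying where the user was when they produced it, so there is no equivalent of the origin or rpIdHash comparison to perform. Number matching adds a value the user has to carry across from the real login screen, which defeats blind approval of an attacker-triggered push, but it is still the user rather than the server doing the binding.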
Common questions
Why aren't OTP and push notification considered phishing-resistant?
Is a passkey phishing-resistant by default?
Which authenticators meet CISA's phishing-resistant guidance?
In the guides
FIDO2 Explained: CTAP2, WebAuthn, and Where Security Keys Still Win
FIDO2 is the umbrella for WebAuthn (browser API) plus CTAP2 (the authenticator protocol). How the pieces fit, when to require security keys, and how passkeys changed the deployment model.
Multi-Factor Authentication (MFA): A 2026 Practitioner's Guide
How to roll out MFA in CIAM in 2026: factor selection, adoption, recovery design, anti-patterns, and where SMS OTP no longer meets the standard.
Passkeys Explained: How Synced Credentials Replace Passwords
Passkeys are the user-facing brand for synced WebAuthn credentials. A practical explanation of how they work, sync, recovery, and the deployment patterns that make adoption real.