Phishing.
An attack where the user is tricked into entering credentials on a fraudulent site that looks like a legitimate one, usually delivered via email or SMS.
The 2022–2024 wave of AitM-proxy phishing kits (Storm-1242, Caffeine, EvilProxy) reset the threat model. Before, MFA stopped most phishing. Now, only phishing-resistant auth stops AitM-proxy phishing. The 2026 baseline for serious deployments is to drive passkey adoption, not just to add MFA.
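Why a relayed one-time code still verifies while a passkey assertion made on a proxy's page does not, as an added example that is not from the original page. The host names, seed and challenge are constructed, and the checks follow the WebAuthn relying-party rules for `clientDataJSON` and the authenticator data's RP ID hash. Signature verification, which is what stops a proxy from rewriting these fields, is omitted.

```python
import base64, hashlib, hmac, json, struct

RP_ID = "login.example.com"                      # constructed relying party
ORIGIN = "https://" + RP_ID
PROXY_HOST = "login.example.com.proxy.invalid"   # constructed look-alike host

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def totp(secret: bytes, now: int, step: int = 30) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 6 digits)."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"

def verify_totp(secret: bytes, code: str, now: int) -> bool:
    # Nothing in the code records which site the user typed it into.
    return hmac.compare_digest(totp(secret, now), code)

def client_data(page_origin: str, challenge: bytes) -> bytes:
    """clientDataJSON: the browser, not the page, fills in the origin."""
    return json.dumps({"type": "webauthn.get", "challenge": b64u(challenge),
                       "origin": page_origin}).encode()

def auth_data(rp_id: str) -> bytes:
    # First 32 bytes: SHA-256 of the RP ID; then flags and signature counter.
    return hashlib.sha256(rp_id.encode()).digest() + b"\x05" + bytes(4)

def binding_errors(cd_json: bytes, adata: bytes, challenge: bytes) -> list:
    """Relying-party binding checks; returns the names of the ones that fail."""
    cd = json.loads(cd_json)
    checks = {
        "type": cd.get("type") == "webauthn.get",
        "challenge": cd.get("challenge") == b64u(challenge),
        "origin": cd.get("origin") == ORIGIN,
        "rpIdHash": adata[:32] == hashlib.sha256(RP_ID.encode()).digest(),
    }
    return [name for name, ok in checks.items() if not ok]

def relay_demo() -> dict:
    secret, now, challenge = b"constructed-seed", 1_700_000_000, b"\x01" * 32
    return {
        # Code typed on the proxy's page and forwarded unchanged.
        "totp_accepted": verify_totp(secret, totp(secret, now), now),
        # The browser reports the page it is really on. A real browser would
        # also find no credential scoped to the proxy's host.
        "passkey_via_proxy": binding_errors(
            client_data("https://" + PROXY_HOST, challenge),
            auth_data(PROXY_HOST), challenge),
        "passkey_direct": binding_errors(
            client_data(ORIGIN, challenge), auth_data(RP_ID), challenge),
    }
```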
Common questions
What is AitM phishing?
Are passkeys phishing-resistant?
Does MFA prevent phishing?
In the guides
Account Takeover Defense: A Layered Approach for 2026
ATO is the single largest CIAM threat in 2026. The defense stack is layered: credential stuffing protection, MFA, session management, and recovery design each address a different attack class.
Passwordless Authentication: A 2026 Practitioner's Guide
How passkeys, magic links, and biometrics replace passwords in CIAM, with implementation patterns, adoption data, and vendor support.