Verifier Impersonation Resistance.
The property of an authenticator that prevents an attacker impersonating the legitimate verifier (the RP, the website) from extracting a usable credential or replay artifact from the user.
The distinction is subtle but real. A phishing-resistant credential refuses to be used at a fake site; a verifier-impersonation-resistant credential additionally produces no artifact the attacker can replay or repurpose. FIDO2 / passkeys provide both by design. Smart cards (PIV/CAC) provide both. Push notification with number matching is phishing-resistant but not verifier-impersonation-resistant. The pairing matters most in federal and high-assurance enterprise contexts where AAL3 is required.
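To make the FIDO2 case concrete, here is an added example (not code from the original page or from any FIDO2 library) of the relying-party checks that tie a WebAuthn assertion to one verifier: the origin and challenge inside `clientDataJSON`, the RP ID hash in `authenticatorData`, and a signature covering both. The RP ID, origins, key pair and the helper names `makeAssertion`, `verifyAssertion` and `runScenarios` are assumptions made for illustration; credential lookup, user-verification policy and sign-count handling are left out.

```javascript
// Added example, not the page's code; RP ID, origins and keys are constructed.
const { createHash, generateKeyPairSync, sign, verify, randomBytes } = require('node:crypto');

const RP_ID = 'login.example.test';             // assumed RP ID
const RP_ORIGIN = 'https://login.example.test'; // assumed RP origin
const sha256 = (buf) => createHash('sha256').update(buf).digest();

// Stand-in authenticator plus browser: the signature covers rpIdHash and the
// hash of clientDataJSON, so origin and challenge are inside the signed data.
function makeAssertion(privateKey, origin, rpId, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: challenge.toString('base64url'), origin }));
  // authenticatorData = rpIdHash (32 bytes) | flags (UP = 0x01) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: sign('sha256', signed, privateKey) };
}

// Relying-party side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(a, publicKey, expectedChallenge) {
  const c = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (c.type !== 'webauthn.get') return 'bad-type';
  if (c.challenge !== expectedChallenge.toString('base64url')) return 'bad-challenge';
  if (c.origin !== RP_ORIGIN) return 'bad-origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'bad-rpid-hash';
  if ((a.authenticatorData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function runScenarios() {
  const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = randomBytes(32);
  const genuine = makeAssertion(privateKey, RP_ORIGIN, RP_ID, challenge);
  // Impersonating verifier (constructed name). A real authenticator would hold no
  // credential for this RP ID; the stand-in signs anyway to exercise the checks.
  const fake = makeAssertion(privateKey, 'https://login.example.invalid', 'login.example.invalid', challenge);
  const setOrigin = (a, origin) => ({ ...a, clientDataJSON: Buffer.from(
    JSON.stringify({ ...JSON.parse(a.clientDataJSON.toString('utf8')), origin })) });
  const reorigined = setOrigin(fake, RP_ORIGIN);
  const fullyRewritten = { ...reorigined, authenticatorData: genuine.authenticatorData };
  return {
    genuine: verifyAssertion(genuine, publicKey, challenge),
    fakeSite: verifyAssertion(fake, publicKey, challenge),
    originRewritten: verifyAssertion(reorigined, publicKey, challenge),
    rpIdHashRewritten: verifyAssertion(fullyRewritten, publicKey, challenge),
    replayed: verifyAssertion(genuine, publicKey, randomBytes(32)),
  };
}
console.log(runScenarios());
```

Only the assertion produced for the legitimate origin and the current challenge verifies; each altered or reused copy fails at a different check, which is what leaves an impersonating verifier with nothing it can replay.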
In the guides
FIDO2 Explained: CTAP2, WebAuthn, and Where Security Keys Still Win
FIDO2 is the umbrella for WebAuthn (browser API) plus CTAP2 (the authenticator protocol). How the pieces fit, when to require security keys, and how passkeys changed the deployment model.
Passkeys Explained: How Synced Credentials Replace Passwords
Passkeys are the user-facing brand for synced WebAuthn credentials. A practical explanation of how they work, sync, recovery, and the deployment patterns that make adoption real.