Phishing-Resistant Auth Becomes the Default by 2027
The federal zero trust strategy (OMB memo M-22-09, January 2022) required phishing-resistant MFA for federal agencies, and CISA published implementation guidance that October. Enterprise follows federal within 24 months. Consumer follows enterprise within 24 more.
// By 2027 · high confidence · disruption 7/10
Prediction
// 2027
By 2027, phishing-resistant authentication will be the default in every major consumer and B2B SaaS application.
What dies
- → SMS MFA
- → the password
Who wins
- → Apple Passkeys
- → Google Passkeys
- → Yubico
The hook
Executive Order 14028 (May 2021) set the direction; OMB's zero trust memo M-22-09 (January 2022) required phishing-resistant MFA for federal agency staff, contractors and partners, and CISA followed with implementation guidance in October 2022. Federal mandates drive enterprise procurement within 24 months. Enterprise procurement drives SaaS defaults within 24 more.
Thesis. 'Phishing-resistant' stops being a premium feature and becomes the floor. Apps that do not offer it lose enterprise deals. Apps that do not enforce it lose security certifications.
The story
The setup
SMS and TOTP have dominated MFA for a decade. Both are phishable in real time: an adversary-in-the-middle page proxies the real login, collects the one-time code the user types and replays it to the genuine site before it expires, because nothing in the code is tied to the site the user is actually looking at. NIST SP 800-63B restricted SMS (PSTN out-of-band) in 2017; the regulatory inertia of changing the floor took another 5 to 7 years.
The federal hinge
The 2022 federal mandate (M-22-09, backed by CISA's guidance) creates enterprise pull. Federal contractors must comply, then everyone supplying them. Federal procurement is one of the few mechanisms that consistently drives security floors upward in the broader market.
The platform alignment
Apple, Google, Microsoft, FIDO Alliance push passkeys to platform-default status. The cost of shipping phishing-resistant auth drops to near zero for any app using platform identity APIs.
The B2B cascade
SaaS vendors ship phishing-resistant options. Compliance auditors start flagging non-phishing-resistant flows. SOC 2 and ISO 27001 audit reports begin treating SMS MFA as a finding rather than a control.
The default flip
By 2027, new apps default to passkeys or hardware-bound credentials. SMS becomes a compliance exception that requires written justification, not a feature you ship out of habit.
First signals (verify today)
Federal phishing-resistant MFA mandate (OMB M-22-09, January 2022; CISA guidance, October 2022). Apple/Google/Microsoft default passkey support. SMS (PSTN out-of-band) designated RESTRICTED in NIST SP 800-63B.
Key data points
- Federal phishing-resistant MFA mandate (OMB M-22-09, implementing EO 14028): January 2022
- NIST SP 800-63B restricts SMS/PSTN out-of-band authenticators: 2017
- Apple passkey launch: 2022
- FIDO Alliance certified 1B+ deployments: 2024
- Estimated SMS MFA market share: declining 5 to 10% annually
Contrarian angle
Most enterprise security roadmaps still treat phishing-resistant auth as a 2028 to 2030 goal. CISA and the platform vendors are pulling the timeline forward by 24+ months.
The flip side
What this kills
The paired obituary in Tech Graveyard.
FAQ
What counts as 'phishing-resistant' authentication?
NIST SP 800-63B defines it as verifier-impersonation resistance: the authenticator's output is cryptographically bound to the identity of the verifier (in WebAuthn, the origin and RP ID the browser observed), so a credential exercised on a look-alike site cannot be replayed against the real one. In practice that means WebAuthn (passkeys), FIDO2 hardware keys, and PIV/CAC smart cards. SMS, TOTP, and push prompts (number matching included) do not qualify, because the secret or the approval can be relayed from wherever the user happened to be phished.
Are software-based passkeys as secure as hardware keys?
For phishing resistance, yes: a synced software passkey is origin-bound in exactly the same way as a hardware key. For attestation strength and device-binding guarantees, hardware keys are stronger: a synced passkey can be exported to any device in the user's cloud account, and most software authenticators provide no attestation the relying party can use. The right answer depends on your threat model: for consumer phishing resistance, software passkeys are sufficient; for nation-state targeted threats, hardware-bound credentials with attestation are warranted.
What's the cost of moving from SMS MFA to passkeys?
Implementation is usually 4 to 12 engineering weeks for a mature SaaS. The bigger cost is enrollment migration: getting existing users onto the new factor. Most successful programs run a 12 to 18 month dual-factor period.
More from guptadeepak.com
Related predictions
More from the authentication desk.
// By 2030
medium confidence · Passwordless Everything by 2030
When I founded a CIAM platform in 2013, we built password reset infrastructure handling hundreds of millions of requests yearly. By 2030 that infrastructure is a museum exhibit.
First signals: Apple/Google/Microsoft all default to passkeys. Amazon and Best Buy launched passkey-only signup in 2024. FIDO Alliance certified 1B+ deployments.
authentication · Disruption 9/10
// By 2028
high confidence · Machine Identities Outnumber Humans 100 to 1 by 2028
Enterprises are managing machine identities with tools designed for humans. Agent Identity Governance is a category that does not exist yet. It will be a $5B market by 2028.
First signals: Current enterprise ratio at 45:1 (CyberArk 2024). Anthropic, OpenAI, and Google all shipping agent platforms. MCP specification adoption growing.
authentication · Disruption 10/10
// By 2029
medium confidence · Personal Data Vaults Become the Default Identity Model
The 25-year era of giving every app a copy of your data is ending. Personal data vaults give you back the keys. Selective disclosure replaces blanket sharing.
First signals: EU Digital Identity Wallet regulation enforced from 2026. Solid protocol production deployments. iOS App Intents normalizing app-to-app data borrowing.
authentication · Disruption 8/10