
The 4 Types of MFA, Ranked from Useless to Bulletproof

In September 2022, an operator from the Lapsus$ group bought an Uber contractor’s password on the dark web, then bombarded the contractor’s phone with multi-factor authentication push prompts until — over an hour later, after a WhatsApp message claiming to be Uber IT — the contractor tapped approve. The attacker landed inside Uber’s VPN, pivoted to Slack and Google Workspace, and walked off with screenshots from the company’s HackerOne portal. The contractor had MFA enabled. It didn’t matter.

The Uber breach is the famous case, but it’s not unusual. Microsoft tracked over 382,000 MFA fatigue attacks against its own customers in a single year. The 2025 Verizon Data Breach Investigations Report found MFA-fatigue tactics in roughly 14% of incidents it analyzed. The FBI’s Internet Crime Complaint Center logged 982 SIM-swap complaints in 2024 for nearly $26 million in reported losses, and that’s only the cases where victims correctly identified SIM swap as the root cause.

The four MFA factor types most people actually use are not interchangeable. Three of them can be defeated by off-the-shelf attacker tooling. One cannot. This piece ranks them from useless to bulletproof, explains why each fails or holds, and identifies which factor belongs on which account.

The 4 Types Of MFA, ranked from useless to bulletproof

4. Useless: SMS & email codes. Vulnerable to SIM swap, real-time phishing, and SS7 interception. NIST SP 800-63-4 classifies SMS as a “restricted” authenticator.
3. Weak: Authenticator app codes (TOTP). Stronger than SMS — no carrier dependency — but defeated by adversary-in-the-middle phishing kits like Evilginx that capture codes in real time.
2. Strong: Push notifications. No code to type, harder to phish — but vulnerable to MFA fatigue. Microsoft tracked 382,000 fatigue attacks in a year. Number matching helps but is not phishing-resistant.
1. Bulletproof: Hardware keys & passkeys (FIDO2/WebAuthn). Phishing-resistant by design. Cryptographically bound to the legitimate domain — fake sites cannot collect a usable response. CISA’s “gold standard.”

What “Phishing-Resistant” Actually Means

The phrase phishing-resistant MFA does real work in regulatory documents now, and it has a precise meaning. The Cybersecurity and Infrastructure Security Agency (CISA) defines it as authentication where the protocol itself prevents an attacker from intercepting and replaying credentials between a victim and a fake login page. NIST’s updated digital identity framework, SP 800-63-4 (finalized July 2025), uses the same definition and recognizes only two implementations: FIDO2/WebAuthn and PKI-based authentication using PIV or CAC smart cards.

The architectural distinction is whether the second factor is a shared secret — a value the user transmits to prove possession — or an origin-bound cryptographic operation. SMS codes, email codes, TOTP codes, and tap-to-approve push notifications are all shared secrets. The user transmits something the attacker can also transmit. FIDO2 uses public-key cryptography that’s bound to the legitimate domain at registration. The signed assertion from a passkey or hardware key only validates against the domain it was registered on, so a fake site cannot collect a usable response.

This is not a niche standards distinction. CISA designates phishing-resistant MFA as the “gold standard,” and both CISA and the FBI issued joint guidance in late 2024 explicitly recommending organizations stop relying on SMS for authentication. OMB Memorandum M-22-09 requires federal agencies to deploy phishing-resistant MFA. PCI DSS 4.0 explicitly cites FIDO2 passkeys as a qualifying mechanism for personnel with access to cardholder data, with enforcement deadlines through 2025 and 2026. The floor is rising.

Rank 4 — SMS and Email Codes (Useless)

SMS-based MFA exists in a regulatory triage state. NIST SP 800-63-4 classifies SMS as a restricted authenticator — federal agencies can still use it but must document a formal risk acceptance to do so. The classification recognizes that the link between a phone number and an identity is no longer reliable.

The mechanism: when you log in, the service generates a 6-digit code and texts it to your registered number. You retype it. The code is a shared secret transmitted over an unencrypted channel that depends on a third party — your carrier — to deliver to the right device. Three failure modes have been documented at scale.

SIM swapping. An attacker convinces or bribes carrier staff to port your number to a SIM under their control, often using personal information from prior breaches. From that moment, your codes go to them. The FBI’s 2024 IC3 report logged 982 SIM-swap complaints with $25,983,946 in losses, down from a 2022 peak of $72.6 million across 2,026 complaints. The decline is partly a reporting artifact: Cifas in the UK reported a 1,055% surge in unauthorized SIM swaps in 2024, with nearly 3,000 cases filed. In March 2025, T-Mobile was ordered to pay $33 million in arbitration after a single SIM swap drained a customer’s cryptocurrency wallet. In December 2024, federal authorities indicted a U.S. Army soldier for hacking telecom systems and selling SIM-swap services targeting Verizon Push-to-Talk customers — primarily federal agencies and emergency responders.

Real-time phishing. A fake login page asks for your code. You type it. The phishing infrastructure forwards it to the real site within its 30-to-60-second validity window. No carrier compromise required.

Network-layer interception. SS7 protocol weaknesses and unencrypted email mean codes can be captured in transit without ever touching the victim’s device or carrier account. CISA’s guidance to financial institutions and critical infrastructure has called this exposure out specifically.

The regulatory consensus has solidified. The UAE Central Bank issued circular guidance in March 2026 directing licensed financial institutions to move away from SMS OTP, citing SIM swap and SS7 exposure. The Reserve Bank of India updated its cybersecurity framework in April 2026 to require phishing-resistant MFA for transactions above specified thresholds. HHS issued a Notice of Proposed Rulemaking in December 2024 that would make MFA mandatory for HIPAA-regulated entities. SMS is better than nothing — and is increasingly treated as such.

Rank 3 — Authenticator App Codes (Weak)

Time-based one-time password codes — the rotating 6-digit numbers in Google Authenticator, Authy, 1Password, Microsoft Authenticator in code mode, and Okta Verify in TOTP mode — are a meaningful step up from SMS. The standard, RFC 6238, generates codes from a shared secret seeded at enrollment and the current time. The code never crosses the cellular network. There’s no SIM to swap, no SS7 to intercept, no carrier helpdesk to socially engineer.

Against any attack that targets the channel, TOTP wins. Against any attack that targets the user, TOTP loses for the same reason SMS does: the user types the code into whatever site asks for it.

The dominant attack technique is adversary-in-the-middle (AiTM) phishing. The attacker sets up a reverse proxy — open-source frameworks like Evilginx (created by Kuba Gretzky) make this a few-command setup — that sits between the victim and the real login page. The victim sees what looks like the real Microsoft 365, Okta, or Google login, with a valid TLS certificate on a near-identical domain. They enter their password and TOTP code. The proxy forwards both to the real service, completes authentication, and steals the resulting session cookie. From the victim’s perspective the login succeeded. From the attacker’s, MFA is now a finished step they can replay indefinitely.

This is not theoretical. Microsoft’s threat intelligence has tracked AiTM kits across multiple actors: the prolific phishing operator Storm-0485, the Russian state-aligned Star Blizzard, and a steady churn of phishing-as-a-service offerings — Tycoon2FA, Mamba2FA, WikiKit, FlowerStorm, RaccoonO365. The 2022 0ktapus campaign (also tracked as Scatter Swine) used the same general approach against more than 130 organizations, including Twilio, DoorDash, and Cloudflare. TOTP did not save any of them — though, as below, hardware keys saved Cloudflare.

A code that can be typed can be relayed. That is the structural ceiling.
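As an added illustration (not code from the article), here is the RFC 6238 computation in Go next to the server-side check, using the RFC's own Appendix B test secret. RelayAccepted is a constructed stand-in for the proxy step the text describes: it exists only to show that the verifier's answer depends on the secret and the clock, never on who submitted the code or where it was typed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
)

const step = 30 // RFC 6238 default time step, in seconds

// TOTP returns the RFC 6238 code for a shared secret at Unix time t: HOTP (RFC 4226)
// over the counter floor(t/step), HMAC-SHA-1, dynamic truncation, `digits` digits.
func TOTP(secret []byte, t int64, digits int) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t/step))
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f
	code := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%0*d", digits, code%uint32(math.Pow10(digits)))
}

// VerifyTOTP is the server side: it accepts the code for the current step and for
// `skew` steps either side (clock drift, typing delay). Note what is absent: nothing
// here depends on who submitted the code or which page they typed it into.
func VerifyTOTP(secret []byte, code string, now int64, digits, skew int) bool {
	for i := -skew; i <= skew; i++ {
		if hmac.Equal([]byte(TOTP(secret, now+int64(i)*step, digits)), []byte(code)) {
			return true
		}
	}
	return false
}

// RelayAccepted models the AiTM case from the text: the victim's app produces a code
// at time t, and the proxy submits it to the real service `delay` seconds later. The
// server's answer is the same as for the victim typing it directly.
func RelayAccepted(secret []byte, t, delay int64) bool {
	captured := TOTP(secret, t, 6) // what the victim typed into the lookalike page
	return VerifyTOTP(secret, captured, t+delay, 6, 1)
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 Appendix B test secret
	fmt.Println(TOTP(secret, 59, 8))          // 94287082, matching the RFC's vector
	fmt.Println(RelayAccepted(secret, 1000000000, 20), RelayAccepted(secret, 1000000000, 120))
}
```

With a one-step skew the relayed code is accepted for roughly 30 to 60 seconds after it was generated, which is exactly the window the text attributes to real-time phishing.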

Rank 2 — Push Notifications (Strong, Until They Aren’t)

Push approval prompts — Duo Security, Microsoft Authenticator in push mode, Okta Verify push, the modern Google prompt — solve the typing problem. The user enters a password, the service sends an encrypted prompt to a registered device, and the user taps approve. There is no code for the attacker to capture in transit, and the prompt itself is delivered through a vendor channel that cryptographically authenticates the device.

Against AiTM proxies, push is meaningfully better than TOTP — the proxy can’t display the prompt itself. Against social engineering, it isn’t.

The attack pattern that broke push MFA at scale is MFA fatigue, also called push bombing or prompt bombing, catalogued in MITRE ATT&CK as T1621. The attacker authenticates with stolen credentials repeatedly, generating a new push prompt each time. The victim’s phone fills with notifications. Microsoft’s data, drawn from the company’s own MFA telemetry, found that about 1% of users will accept the first unexpected push prompt. After ten attempts, simple probability does the rest.
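A defender-side illustration added here (not part of the article): a minimal Go detection over constructed push-prompt events that flags the T1621 pattern of many denied or ignored prompts for one user in a short window, and marks whether the burst ended in an approval. Field names, the 4-in-5-minutes threshold and the sample data are this example's assumptions, not any vendor's schema or recommended tuning.

```go
package main

import (
	"sort"
	"time"
)

// PushEvent is one push-prompt outcome. Field names are this example's own; Duo,
// Entra ID and Okta sign-in logs carry the same information under other names.
type PushEvent struct {
	At     time.Time
	User   string
	Result string // "approved", "denied", or "timeout" (prompt ignored)
}

// Alert is one user whose prompt history matches push bombing (ATT&CK T1621).
type Alert struct {
	User          string
	Unapproved    int  // denied + timed-out prompts inside the window
	ApprovedAfter bool // the user eventually tapped approve: treat as compromise
}

// SampleEvents is constructed data: alice gets four unwanted prompts in two minutes and
// gives in on the fifth; bob's one approval and carol's denials an hour apart must not alert.
func SampleEvents() []PushEvent {
	at := func(s string) time.Time { t, _ := time.Parse(time.RFC3339, s); return t }
	return []PushEvent{
		{at("2024-09-15T22:00:00Z"), "bob", "approved"},
		{at("2024-09-15T22:01:00Z"), "alice", "denied"},
		{at("2024-09-15T22:01:30Z"), "alice", "timeout"},
		{at("2024-09-15T22:02:00Z"), "alice", "denied"},
		{at("2024-09-15T22:02:30Z"), "alice", "timeout"},
		{at("2024-09-15T22:03:00Z"), "alice", "approved"},
		{at("2024-09-15T22:05:00Z"), "carol", "denied"},
		{at("2024-09-15T23:05:00Z"), "carol", "denied"},
	}
}

// DetectPushBombing flags each user with at least threshold unapproved prompts within a
// window-long span and records whether an approval followed (the attacker's goal). One alert per user.
func DetectPushBombing(events []PushEvent, window time.Duration, threshold int) []Alert {
	byUser := map[string][]PushEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var alerts []Alert
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
		for i := range evs {
			n, approved := 0, false
			for _, e := range evs[i:] {
				approved = approved || e.Result == "approved"
				if e.Result != "approved" && !e.At.After(evs[i].At.Add(window)) {
					n++
				}
			}
			if n >= threshold {
				alerts = append(alerts, Alert{user, n, approved})
				break
			}
		}
	}
	return alerts
}
```

An alert with ApprovedAfter set is the case worth paging on: the user did what the attacker was waiting for, so the session should be revoked and the credential reset rather than merely logged.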

The breach record is grim. The Uber compromise in September 2022 combined push bombing with WhatsApp social engineering. Cisco disclosed a similar breach in August 2022 by the Yanluowang group, which paired push bombing with vishing calls. The MGM Resorts breach of 2023 followed the same playbook. The Russian state actor Midnight Blizzard has used MFA fatigue specifically against IT service desks. Even Apple customers experienced a small-scale push fatigue incident in early 2024 when an attacker bypassed rate limiting on the Forgot Password page.

The industry response has been number matching: instead of a yes/no prompt, the user is shown a number from the login page and must enter it on the device. Microsoft made number matching the default in Authenticator in May 2023. This kills generic push bombing because there is no number to match for an attack the user didn’t initiate. It does not, however, make push phishing-resistant. A determined AiTM attack can still extract the matching number from its proxy session and prompt the victim to enter it. Number matching is risk reduction, not architecture.

For most organizations, push with number matching is currently the most usable MFA method that is more than nominal. It is also still on the wrong side of the cryptographic line.

Rank 1 — Hardware Keys and Passkeys (Bulletproof)

FIDO2 is a standards family — WebAuthn (the browser/app API) plus CTAP2 (the protocol between the browser and the authenticator) — that replaces shared-secret authentication with public-key cryptography bound to the verifying domain. At registration, the authenticator generates a key pair scoped to the relying party’s origin. The private key never leaves the device. At sign-in, the server sends a challenge, the authenticator signs it, and the browser verifies the signature originated from a request to the correct domain.

The phishing-resistance is structural. A fake site at a lookalike domain cannot collect a usable signature because the authenticator refuses to sign for that origin. There is no code to type, no prompt to approve, no human decision in the loop that an attacker can exploit. The cryptography enforces domain verification automatically.
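To make the structural argument concrete, here is an added example (not the article's code, and not any library's API) of a toy relying party and authenticator in Go. It uses the standard library's ECDSA P-256 with SHA-256, which is WebAuthn's default ES256 algorithm, and shows the two places the resistance comes from: the authenticator only holds a key for the registered rpID, and the relying party rejects any signed clientDataJSON whose origin is not its own. The host names, challenge strings and the simplified clientData/Login flow are constructed for illustration; authenticatorData, attestation and signature counters are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the WebAuthn clientDataJSON fields used here; the browser, not the page, sets Origin.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator is a toy FIDO2 authenticator: one ES256 key pair per relying-party
// ID (rpID), fixed at registration. The private key never leaves it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a credential scoped to rpID and hands back only the public key.
func (a Authenticator) Register(rpID string) *ecdsa.PublicKey {
	a[rpID], _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &a[rpID].PublicKey
}

// Assert signs SHA-256(clientDataJSON) with the key scoped to rpID (authenticatorData omitted).
func (a Authenticator) Assert(rpID string, cdJSON []byte) ([]byte, error) {
	k, ok := a[rpID]
	if !ok {
		return nil, fmt.Errorf("authenticator: no credential for %q", rpID)
	}
	h := sha256.Sum256(cdJSON)
	return ecdsa.SignASN1(rand.Reader, k, h[:])
}

// Verify is the relying party's side: fresh challenge, origin equal to the RP's own,
// and a signature over exactly those bytes, so a proxy cannot rewrite the origin.
func Verify(rpOrigin string, pub *ecdsa.PublicKey, challenge string, cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge {
		return fmt.Errorf("rp: malformed, stale or replayed client data")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("rp: assertion was made for %q, not %q", cd.Origin, rpOrigin)
	}
	h := sha256.Sum256(cdJSON)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return fmt.Errorf("rp: bad signature")
	}
	return nil
}

// Login plays the browser on pageHost: rpID comes from the host it is really on, that
// origin goes into clientDataJSON, so an AiTM proxy on a lookalike host gets no assertion.
func Login(auth Authenticator, rpOrigin string, pub *ecdsa.PublicKey, pageHost, challenge string) error {
	cdJSON, _ := json.Marshal(clientData{"webauthn.get", challenge, "https://" + pageHost})
	sig, err := auth.Assert(pageHost, cdJSON)
	if err != nil {
		return err
	}
	return Verify(rpOrigin, pub, challenge, cdJSON, sig)
}
```

Compare this with the TOTP verifier: there the check has no notion of origin at all, whereas here the origin is inside the signed bytes, so neither the proxy nor the user can supply a usable response for the wrong site.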

The deployment evidence is the strongest in MFA. Google reported in 2018 that after issuing FIDO security keys to all 85,000+ employees, the company experienced zero successful phishing attacks on employee accounts. Cloudflare, targeted by the 0ktapus campaign in August 2022 that broke Twilio the same week, blocked the intrusion entirely because hardware key requirements meant the phishing infrastructure could not produce a valid second factor — even though employees clicked the lures and entered passwords. Microsoft has rolled phishing-resistant MFA across its workforce of more than 200,000 to the point that 92% of employee accounts are protected with FIDO-based methods.

FIDO2 has two deployment shapes. Hardware security keys (YubiKey, Google Titan, Feitian, Nitrokey) are device-bound: the key never leaves the dongle, which is the strongest assurance level (NIST AAL3). Passkeys are FIDO2 credentials stored in a platform authenticator (Apple’s Secure Enclave, Windows Hello, Android Keystore) and authenticated with a biometric or PIN. Synced passkeys, where the credential propagates across a user’s iCloud Keychain or Google Password Manager devices, were formally recognized as AAL2-compliant in NIST SP 800-63-4 — they meet the phishing-resistance bar even though the credential itself can move between devices.

Adoption has moved from early to mainstream. The HID and FIDO Alliance 2025 State of Authentication survey reported 87% of enterprises actively deploying or piloting FIDO2 passkeys, up from 53% two years prior. Microsoft’s published telemetry for synced passkeys reports sign-ins 14× faster than password plus traditional MFA (3 seconds vs. 69 seconds) and 95% sign-in success vs. 30% for legacy methods. The usability case is no longer the friction it was in 2018.

How the Four Types Compare

The differences across the four types are categorical, not gradient. The table below summarizes the security properties that actually matter at scale.

Reference: the four MFA types compared

| Type | Mechanism | Phishing-resistant? | Primary attack vector | NIST 800-63-4 |
| --- | --- | --- | --- | --- |
| SMS / Email | 6-digit code over SMS or email | No | SIM swap, SS7 interception, real-time phishing | Restricted |
| TOTP app | Time-based code, RFC 6238, shared secret on device | No | AiTM proxy phishing (Evilginx, Tycoon2FA) | Permitted at AAL2 |
| Push approval | Encrypted prompt to registered device, user taps approve | No | MFA fatigue (T1621), social engineering | Permitted at AAL2 |
| FIDO2 / Passkey | Public-key crypto bound to RP origin, signed challenge | Yes | Lost device, recovery-flow social engineering | AAL2 (synced) / AAL3 (hardware) |

The FIDO2 row is the only one that survives an attacker who has the user’s password and access to a competent phishing kit. The first three types are defenses against unsophisticated attackers and credential reuse — useful, but not adequate against active adversaries.

Which Factor Belongs on Which Account

The honest version: passkeys or hardware keys on every account that supports them, especially the recovery accounts that gate everything else. Email is the recovery vector for most personal services and most enterprise workflows. Password manager unlock is the recovery vector for everything else. Bank and brokerage accounts hold value that liquidates fast. These are the accounts that earn a hardware key.

For accounts that don’t yet support FIDO2 — and the long tail is real — the substitution order matters. TOTP beats push beats SMS. Push is convenient but exposes the user to social engineering on a daily basis; TOTP at least removes the prompt-fatigue surface. SMS is a fallback only when nothing else exists, and even then, the account it protects should not be a high-value target.

The other piece worth naming: account recovery is the new weak link. The 2025 Salesloft-Drift OAuth supply-chain breach demonstrated that access to authentication infrastructure can move sideways into hundreds of downstream environments. Midnight Blizzard’s service-desk attacks of 2024 didn’t bypass MFA at the protocol level — they convinced help desk staff to reset it. Strong MFA on the front door doesn’t matter if the help desk will swap it for an attacker who calls with a convincing story. Phishing-resistant authentication has to extend to the recovery flows, or attackers simply route around the front door.

Field Evidence: recent MFA-bypass incidents

Aug 2022 (AiTM proxy): Twilio + 130 organizations (0ktapus). The 0ktapus / Scatter Swine campaign used AiTM phishing infrastructure to capture credentials and TOTP codes in real time across 130+ companies. TOTP did not stop it.

Aug 2022 (defended): Cloudflare blocks the same campaign. Targeted by the same 0ktapus operators that broke Twilio. Employees clicked the lures and entered passwords — the phishing infrastructure could not produce a valid hardware key signature.

Aug 2022 (push bombing): Cisco breach — Yanluowang group. Push bombing combined with vishing calls impersonating trusted IT support. The employee approved a prompt and gave attackers VPN access.

Sep 2022 (push bombing): Uber breach — Lapsus$ contractor compromise. Stolen contractor credentials, an hour of push prompts, and a WhatsApp message claiming to be Uber IT. The contractor approved. The attacker reached Slack, Google Workspace, and HackerOne.

May–Jun 2024 (no MFA): Snowflake customer breaches — Ticketmaster, AT&T, Santander. Dozens of Snowflake tenants compromised because customer accounts had no MFA enabled. Credentials had been harvested by infostealer malware months earlier.

Mar 2025 (SIM swap): T-Mobile $33M arbitration ruling. A single SIM swap allowed attackers to drain a customer’s cryptocurrency wallet. The arbitrator held T-Mobile liable for $33 million in damages.

2025 (AiTM proxy): Storm-0485 + Star Blizzard scaling Evilginx. Microsoft tracked Storm-0485 directing targets to Evilginx infrastructure with payment-remittance and shared-document lures. Russian actor Star Blizzard ran a parallel campaign.

Frequently Asked Questions

Is Microsoft Authenticator’s number matching phishing-resistant?

No. Number matching defeats unsophisticated push bombing, but a determined AiTM proxy attack can extract the matching number from its session with the legitimate service and prompt the victim to enter it on the malicious page. Microsoft’s own guidance still distinguishes number-matching push from phishing-resistant authentication. Use it as risk reduction over plain push, not as a substitute for FIDO2.

Are synced passkeys as good as hardware keys?

For most users, yes. NIST SP 800-63-4 recognizes synced passkeys as meeting AAL2 phishing-resistance requirements. Hardware keys are required for AAL3, the assurance level for privileged access in regulated environments. The practical translation: synced passkeys for general workforce and consumer accounts, hardware keys for admins, break-glass accounts, and roles with regulatory exposure.

Is TOTP fine for personal accounts that don’t support passkeys?

It’s the best available second factor on services that haven’t shipped FIDO2 support. Use it. But check the relying party’s roadmap — most major services (Google, Microsoft, Apple, Amazon, GitHub, every major password manager) have either shipped passkeys or are about to. The question for any account in 2026 is not whether to enable TOTP but how soon you can replace it.

Is push being formally deprecated?

Not under that name. NIST SP 800-63-4 doesn’t prohibit it; CISA still treats it as more secure than SMS. But the regulatory direction is unmistakable, and FFIEC member agencies — OCC, NCUA, FDIC — have begun citing SMS-only MFA on privileged accounts as examiner findings. Push is on the same trajectory; it just hasn’t reached the same point yet.

What to Do This Week

Audit your top five accounts in this order — email, password manager, bank, primary cloud (iCloud, Google, or Microsoft), broker — and check whether each supports passkeys or hardware keys. Most do. Enroll the strongest factor each one offers, then disable the weaker fallbacks where possible. The accounts that won’t let you remove SMS as a backup are the accounts you should care about replacing or pressuring next.

For organizations, the priority order is privileged accounts first (admins, service-desk personnel, finance, HR), then customer-facing portals where stolen sessions become fraud, then the general workforce. The 87% enterprise adoption number cited above is real, but most of those deployments are still scoped to subsets of users. The gap between “we offer passkeys” and “passkeys are the only factor on privileged sign-ins” is where the next round of breaches will land.

The Uber contractor in 2022 had MFA enabled. So did everyone Microsoft has watched approve a fatigue prompt. The factor type is the variable that determines whether MFA actually defends, and three of the four common types do not. The fourth does.
