Cyberattacks targeting the login process are rising fast, and the limits of traditional multi-factor authentication (MFA) are becoming impossible to ignore. One-time passcodes (OTPs) delivered by email, SMS or an authenticator app, along with push approvals, add some protection, but cyber adversaries have adapted with new tactics. OTPs can be stolen through phishing, social engineering and adversary-in-the-middle (AiTM) attacks.
Phishing-resistant MFA is different. Instead of reusable codes, it relies on public-key cryptography: the private key never leaves the authenticator, and each credential is bound to the legitimate site's domain, so it cannot be copied, relayed or reused elsewhere.
The Cybersecurity and Infrastructure Security Agency (CISA) defines phishing-resistant authentication as the “gold standard” for securing sensitive systems. Two technologies meet the standard:
- PIV/PKI Smartcards – physical cards that authenticate through a cryptographic handshake, widely used in federal agencies.
- FIDO2/WebAuthn – security keys, built-in device authenticators and passkeys that validate against the actual domain.
By contrast, common methods like SMS codes, email links, authenticator apps and push notifications, even with features like number matching, do not qualify. These remain vulnerable to phishing and man-in-the-middle (MiTM) attacks.
CISA’s MFA guidance emphasizes that agencies must prioritize phishing-resistant methods in alignment with OMB M-22-09, the federal mandate requiring a Zero Trust architecture.
Inside CISA’s playbook
As part of a broader federal effort, CISA released a playbook that gives agencies a clear roadmap for rolling out phishing-resistant MFA. It’s designed to meet the Zero Trust requirements in OMB M-22-09, which call for modern, unphishable authentication processes across employees, contractors and public-facing systems.
Key directives from the playbook
- Offer multiple secure options
Agencies should provide different phishing-resistant choices, like smartcards, FIDO2 authenticators and passkeys, so users can sign in across devices and platforms.
- Eliminate weak MFA
Older methods such as OTPs, push approvals or recovery through email and text must be retired for systems that require high assurance.
- Adopt in three stages
  - Map user groups and use cases.
  - Acquire phishing-resistant technologies.
  - Run a pilot using the FIDO2 Certification of Assertion (CoA) framework before scaling broadly.
- Secure enrollment and recovery
Since account setup is a prime target for attackers, the playbook calls for secure enrollment processes that bind authenticators to real users and remove weak recovery paths.
- Prioritize rollout by risk
Start with high-value users like admins, executives and elevated-access staff and lock down the most critical systems first, including SSO portals, cloud consoles, VPNs and email.
- Unify policies through ICAM
Identity, Credential and Access Management (ICAM) tools should enforce consistent authentication policies across the organization.
The ultimate goal isn’t just safer logins; it’s to make strong, continuous and policy-driven authentication the foundation of Zero Trust security.
Federal example case — what’s working, what’s challenging
Federal agencies are making steady progress on phishing-resistant authentication, with some deployments showing what success looks like at scale. At the U.S. Department of Agriculture (USDA), about 40,000 users now log in without passwords using FIDO2 and Windows Hello for Business.
This rollout worked in part because USDA clearly defined when exemptions were appropriate, trained staff to handle them and used a centralized ICAM system to apply policies consistently across business units. Adoption also grew because users had options: they could authenticate with either external security keys or built-in biometrics.
Even with examples like USDA, many agencies are finding the road difficult:
- Legacy applications remain a major barrier, as many still depend on username-and-password flows that must be upgraded or connected through middleware.
- Extending phishing-resistant MFA to the public is another challenge. OMB M-22-09 encourages it for citizen-facing systems “where possible,” but scaling FIDO technologies to millions of users is complex.
- Perhaps the toughest obstacle is enrollment at scale: agencies need secure ways to bind authenticators to real identities without relying on slow, in-person checks.
Why Enterprises Should Pay Attention
If phishing-resistant MFA is now required for federal systems, the private sector should take note. Credential phishing is the most successful attack method worldwide, and attackers have easy access to turnkey phishing kits and adversary-in-the-middle tools that bypass OTPs and push-based MFA. When the U.S. Government declares these methods unfit for sensitive access, enterprises using SSO platforms, VPNs, admin portals and cloud environments should not depend on them either. Recent pressure from Congress to speed up adoption in the Department of Defense shows this is not a future problem; it is urgent.
The good news is that phishing-resistant MFA is now practical at scale. What was once costly and complex is now built into the tools organizations already use:
- FIDO2, WebAuthn and passkeys are supported across all major operating systems and browsers
- Apple, Google and Microsoft all support passkeys natively across platforms
- Cloud identity providers and Identity-as-a-Service (IDaaS) vendors offer straightforward FIDO2 authentication workflows
- Widespread use of biometrics has made modern authentication familiar to both employees and consumers
In short, the barriers that once slowed deployment are gone; this is achievable now.
Preparing Your Next Steps
Whether you’re a federal agency in transition or an enterprise ready to modernize, the following five steps can help you get started with phishing-resistant MFA:
- Take Inventory of Login Flows
Audit all systems—internal and customer-facing—to identify where credentials are used and what authentication methods are in place. Pay attention to:
  - SSO platforms and cloud consoles
  - VPNs and remote access systems
  - Admin panels and privileged access workflows
  - Customer or citizen-facing portals
- Choose at Least Two Phishing-Resistant Options
Not all users or use cases are the same. Provide both platform-bound (e.g., biometric passkeys) and roaming (e.g., security keys) options. Prioritize methods that align with your device footprint and user behavior.
- Pilot Across a Few Apps or Departments
Don’t try to boil the ocean. Instead, pilot with:
  - Administrative users
  - Developers with production access
  - Executives
  - Teams with elevated privileges
Use the pilot to learn what enrollment, support, and backup options work best.
- Secure MFA Enrollment and Account Recovery
This is non-negotiable. Treat enrollment like authentication itself:
  - Use authoritative identity data to bind credentials (e.g., Government ID, employee record)
  - Avoid email or SMS-only recovery
  - Use device-bound cryptographic attestation when possible
Solutions like ID Dataweb enable secure enrollment via authoritative identity verification, whether for employees or public users.
- Use Identity Orchestration to Enforce Policy Consistently
Phishing-resistant MFA only works if it’s enforced. Use your IDP or an identity orchestration layer to enforce consistent MFA policies across applications, environments, and user roles.
Enforcing FedRAMP-aligned standards across both internal and external identities is increasingly seen as a must-have—not just for compliance, but for resilience.
Conclusion
The U.S. federal government is leading the way with phishing-resistant authentication, and the private sector would do well to follow its example. The tools, standards and support ecosystems are already in place; what’s needed now is action.
By embracing technologies like FIDO2, WebAuthn, and passkeys, and by securing every stage from enrollment to recovery, organizations can reduce their attack surface and comply with modern security expectations.