Phishing-resistant authentication
Demonstrate that authentication mechanisms for privileged and high-value accounts resist credential phishing, man-in-the-middle interception, and replay attacks through cryptographic origin binding.
Description
What this control does
Phishing-resistant authentication requires multifactor mechanisms that cannot be defeated by social engineering, adversary-in-the-middle proxying, or credential replay. In practice this means FIDO2/WebAuthn authenticators (roaming hardware security keys, or platform authenticators holding passkeys, with a PIN or biometric used for user verification) or PKI-based certificate authentication such as smart cards whose private key lives in a hardware root of trust. Unlike SMS or TOTP codes, which are short strings a user can be talked into typing anywhere, these factors sign a relying-party challenge together with the origin the browser actually observed and the relying party's RP ID. The relying party rejects any assertion whose origin or RP ID hash does not match its own, and the signature covers both values, so a proxy sitting on a look-alike domain cannot obtain a usable assertion even when the user is tricked into authenticating there. Origin binding protects the authentication ceremony itself; the session token issued afterwards still needs its own protection (short lifetimes, device-bound sessions where the platform offers them, and endpoint hardening against token theft).
Control objective
What auditing this proves
Demonstrate that authentication mechanisms for privileged and high-value accounts resist credential phishing, man-in-the-middle interception, and replay attacks through cryptographic origin binding.
Associated risks
Risks this control addresses
- Adversary-in-the-middle (AitM) phishing attacks successfully proxying user credentials and session tokens despite MFA
- Credential replay attacks using harvested OTP codes or push notifications approved by socially engineered users
- Real-time phishing proxy frameworks (e.g., Evilginx, Modlishka) bypassing TOTP and SMS-based MFA
- Session hijacking after a successful MFA prompt when the factor performs no origin validation, so the proxy receives both the factor response and the session cookie the identity provider issues
- Insider threats exporting TOTP seeds or forwarding SMS codes to unauthorized parties; a key held in a hardware authenticator cannot be copied in the same way
- Compromise of privileged accounts (administrators, developers, finance) leading to elevated access despite MFA deployment
- Non-compliance with standards and directives that require phishing-resistant MFA for critical systems (for example, verifier impersonation resistance in NIST SP 800-63B, and OMB M-22-09 for US federal agencies)
Testing procedure
How an auditor verifies this control
- Obtain the current inventory of all authentication methods deployed, categorized by user population and system criticality.
- Review identity provider configuration exports to identify authentication policies and enrolled factor types for privileged accounts.
- Verify that deployed factors are genuine FIDO2/WebAuthn or PKI authenticators: confirm the relying party validates the origin and RP ID hash on every assertion, and, where attestation is enforced, which authenticator models (by AAGUID) the policy allows.
- Select a sample of at least 10 privileged users and inspect their enrolled authentication methods to confirm phishing-resistant factor usage.
- Using an authorized test account in a production or representative test environment, attempt to satisfy MFA for privileged access with TOTP, SMS, or push notification, and confirm these methods are rejected or not offered.
- Review conditional access or authentication policy rules to confirm enforcement of phishing-resistant factors for administrative consoles, cloud tenant administration, and financial systems.
- Examine authentication logs for the preceding 30 days and identify any successful sign-ins by in-scope accounts whose recorded authentication method is not phishing-resistant (TOTP, SMS, voice, push, or a method the log records as blank or unknown); each is a finding unless covered by a documented exception.
- Interview identity and access management personnel to understand exception processes, fallback mechanisms, and breakglass procedures that bypass the phishing-resistant requirement; confirm that every such path is logged and that its use generates an alert.