Multi-factor authentication is among the most effective controls against credential stuffing and phishing, but only when the second factor is itself phishing-resistant. SMS codes, push-notification approval, and TOTP have all been bypassed at scale: real-time adversary-in-the-middle proxies relay one-time codes to the legitimate site before they expire, and MFA-fatigue (prompt-bombing) campaigns were used by LAPSUS$ and Scattered Spider and against Azure AD / Microsoft Entra ID tenants throughout 2022-2024. The current bar is FIDO2 / WebAuthn (passkeys, security keys, platform authenticators). A WebAuthn credential is scoped to a relying-party ID, the browser only lets a page use credentials whose RP ID matches its own origin, and the assertion signature covers both the origin the browser saw and a server-issued single-use challenge, so a proxy on a lookalike domain cannot obtain a signature the real site will accept. The caveat is that WebAuthn protects the login, not what comes after it: session-token theft by infostealers or cookie-stealing malware is still in scope and needs separate controls (short-lived tokens, device-bound sessions, sign-in risk detection).
Passwordless is the natural next step: replace the password (something you know) with a cryptographic proof of possession of an authenticator (something you have) plus local user verification on that authenticator (a biometric, something you are, or a PIN that never leaves the device). Apple, Google, and Microsoft have all shipped synced passkeys; device-bound FIDO2 hardware tokens still cover the highest-assurance use cases, where a credential that syncs through a consumer cloud account is not acceptable. The hard parts of rollout are recovery flows (what happens when a user loses their device, and how to keep the recovery path from becoming the phishable weak link), legacy-app coverage (the long tail of applications that cannot federate through a WebAuthn-capable identity provider, plus step-up policies for the SAML and OIDC apps that can), and admin / privileged user enrollment, which should be enforced first rather than left opt-in.
This page tracks our reporting on phishing-resistant MFA, passkey deployments, MFA-bypass attack analyses, and the state of FIDO2 in the enterprise.