MFA Methods — Phishing Resistance Ranked — Free Mind Map

SMS codes can be intercepted via SIM-swap attacks, SS7 protocol exploits, malware on the device, or — most commonly — adversary-in-the-middle phishing where the attacker proxies the legitimate site, captures the SMS code from the user, and replays it within seconds. Microsoft, NIST (SP 800-63B revisions), and Gartner all now recommend SMS only as a fallback, never as the primary MFA for privileged accounts. Disable it entirely for admins via Authentication Strength policies.

FIDO2 credentials are bound to the website's origin (domain) using cryptographic challenge-response. When you authenticate to fake-microsoft.com, your passkey simply doesn't have a credential for that origin — there's nothing to steal, nothing to phish. The private key never leaves your device, never gets transmitted, never gets typed. This is fundamentally different from any code-based method (TOTP, SMS, Authenticator code) where the secret travels from user's eyes to the attacker's keyboard.

Phased approach: (1) Disable SMS/voice for admin accounts immediately. (2) Roll out Microsoft Authenticator with number matching as the org default — most users adopt easily. (3) Pilot passkeys with security-conscious teams (Microsoft Authenticator now supports passkeys natively). (4) Use Authentication Strength policies in Conditional Access to require phishing-resistant MFA for admin portals + sensitive apps. (5) Long-tail migration to passkey-only over 12-18 months. Don't skip step 1 — admin SMS is the single biggest risk.

When you sign in, Authenticator now shows you a 2-digit number that you must type into the app — the legitimate sign-in screen displays the same number. This defeats 'push fatigue' attacks where attackers spam approval prompts hoping the user taps Approve out of habit. Microsoft enabled number matching by default in 2023; if you've turned it off, turn it back on. Cheap, near-frictionless, blocks a real attack class.