CIAM.wiki


Phishing-Resistant Authentication

Phishing-resistant authentication refers to authentication methods that are structurally immune to phishing attacks because the credential is bound to the legitimate origin and cannot be replayed on a fake site.

Also known as: phishing resistant

Phishing-resistant authentication describes methods where the credential cannot be captured or replayed by an attacker, even if the user is tricked into visiting a malicious site. The defining characteristic is origin binding: the credential is cryptographically tied to the legitimate website’s domain and will not function on any other.

FIDO2 and WebAuthn are the primary examples. When a user authenticates with a passkey or hardware security key, the authenticator checks the requesting origin before signing the challenge. If the origin does not match the one registered during setup, the operation fails silently. There is nothing for the user to type, paste, or approve on a fake site.

NIST SP 800-63B identifies verifier impersonation resistance as a requirement at the highest authentication assurance level. Methods that meet this requirement prevent the user from unknowingly providing credentials to an impostor.

For CIAM, adopting phishing-resistant authentication protects customers against the most common and effective attack vector, especially when combined with account recovery flows that maintain the same level of assurance.
