Phishing-resistant MFA is enforced for privileged and high-value accounts
Standard MFA methods such as SMS one-time codes and push notifications can be defeated by real-time phishing, SIM swapping, and MFA fatigue campaigns. Privileged accounts and accounts with access to sensitive systems need a stronger guarantee: hardware security keys (FIDO2/WebAuthn) or device-bound passkeys, which cryptographically bind each authentication to the origin of the legitimate site. A response produced on a look-alike site cannot be intercepted or replayed against the real one, even while the user is actively being phished. CISA specifically calls out phishing-resistant MFA as the standard for high-value targets.
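The origin binding described above, shown as an added example that is not part of the original control text. It models the pieces of a WebAuthn assertion that make it phishing-resistant: the authenticator only signs over authenticatorData (which carries SHA-256 of the rpId) plus SHA-256 of clientDataJSON (which carries the browser-observed origin and the server challenge), and the relying party rejects anything not produced for its own rpId and origin. The credential's private key is modelled with an HMAC secret as a stand-in for a real ECDSA/EdDSA key pair, the rpId derivation is a simplification of what browsers do, and all domains, challenges and serials are constructed sample values.

```python
"""Added example: why a FIDO2/WebAuthn assertion obtained on a look-alike
site is useless against the real one. Simplified model, not a library."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Assertion:
    authenticator_data: bytes  # rpIdHash (32) || flags (1) || signCount (4)
    client_data_json: bytes    # {"challenge","origin","type"} as seen by the browser
    signature: bytes           # over authenticator_data || SHA-256(client_data_json)


def rp_id_for(origin: str) -> str:
    """Browser side (constructed simplification): a page may only use its own
    host as rpId. Real browsers also accept a registrable-domain suffix, but
    never an unrelated domain, so a page at evil.example cannot ask for
    bank.example."""
    return origin.split("://", 1)[1].split("/", 1)[0]


class Authenticator:
    """Models a hardware key. Each credential is scoped to the rpId it was
    created for; the private key is an HMAC secret here (stand-in, constructed)."""

    def __init__(self) -> None:
        self._credentials: Dict[str, bytes] = {}

    def make_credential(self, rp_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._credentials[rp_id] = secret
        return secret  # stands in for the public key handed to the RP at enrollment

    def get_assertion(self, origin: str, challenge: bytes) -> Optional[Assertion]:
        rp_id = rp_id_for(origin)          # supplied by the browser, not by the page
        secret = self._credentials.get(rp_id)
        if secret is None:
            return None                    # nothing registered for this site: the key stays silent
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True,
        ).encode()
        signed = auth_data + hashlib.sha256(client_data).digest()
        return Assertion(auth_data, client_data, hmac.new(secret, signed, hashlib.sha256).digest())


class RelyingParty:
    """Server side: accepts only assertions produced for this exact site."""

    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.rp_id = rp_id_for(origin)
        self._public: Optional[bytes] = None

    def enroll(self, key: Authenticator) -> None:
        self._public = key.make_credential(self.rp_id)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, a: Assertion, expected_challenge: bytes) -> str:
        cd = json.loads(a.client_data_json)
        if cd.get("type") != "webauthn.get":
            return "bad type"
        if cd.get("origin") != self.origin:
            return "origin mismatch"        # produced on another site
        if cd.get("challenge") != expected_challenge.hex():
            return "challenge mismatch"     # replay of an old response as-is
        if a.authenticator_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"      # credential scoped to a different rpId
        signed = a.authenticator_data + hashlib.sha256(a.client_data_json).digest()
        expected = hmac.new(self._public, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, a.signature):
            return "bad signature"          # clientDataJSON altered after signing
        return "ok"


def demo() -> Dict[str, str]:
    """Three constructed scenarios; returns the RP's verdict for each."""
    bank = RelyingParty("https://bank.example")
    key = Authenticator()
    bank.enroll(key)
    results: Dict[str, str] = {}

    # 1. Normal login on the real site.
    c1 = bank.new_challenge()
    results["legitimate"] = bank.verify(key.get_assertion(bank.origin, c1), c1)

    # 2. A relaying look-alike site forwards the bank's real challenge. The browser
    #    scopes the request to evil.example, where no credential exists, so the
    #    key never produces anything for the relay to forward.
    c2 = bank.new_challenge()
    relayed = key.get_assertion("https://evil.example", c2)
    results["relay_lookalike"] = "no assertion produced" if relayed is None else bank.verify(relayed, c2)

    # 3. A previously captured legitimate assertion with clientDataJSON rewritten
    #    to carry a fresh challenge: the signature covers the original bytes.
    old = key.get_assertion(bank.origin, c1)
    c3 = bank.new_challenge()
    cd = json.loads(old.client_data_json)
    cd["challenge"] = c3.hex()
    forged = Assertion(old.authenticator_data, json.dumps(cd, sort_keys=True).encode(), old.signature)
    results["replayed_assertion"] = bank.verify(forged, c3)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The contrast with SMS or push is the second scenario: a relayed one-time code is just a string the user types wherever they are asked, while a relayed FIDO2 ceremony never yields a signature for the wrong origin in the first place.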
Implementation steps
1. Identify privileged and high-value accounts that require phishing-resistant MFA
Compile a list of accounts that warrant the strongest protection: IT administrators, security team members, executive accounts, service accounts with broad permissions, and anyone with access to sensitive data stores or production infrastructure. This list should be maintained and reviewed quarterly.
Tools: okta, azure-ad, google-workspace

2. Procure and distribute FIDO2 hardware security keys
Purchase hardware security keys such as YubiKey 5 series or Google Titan keys for all identified privileged accounts. Distribute two keys per person: one primary and one backup. Register both keys in the identity provider. Store backup keys securely in a documented location. Budget roughly $50-80 per user for two keys.
Tools: yubikey, google-titan, feitian

3. Enforce hardware key or passkey authentication in the identity provider
Create a conditional access or authentication policy that restricts privileged account logins to FIDO2 hardware authenticators or device-bound passkeys only. Block SMS, voice call, and push-notification MFA methods for these accounts. Test the policy in audit mode before enforcing to confirm no gaps.
Tools: okta, azure-ad, duo, google-workspace

4. Document recovery procedures for lost or damaged keys
Define a recovery process: who can authorize a key reset, what identity verification is required, and how long the process takes. A gap in recovery procedures can lock out critical administrators during an incident. The recovery process itself must require in-person or out-of-band identity verification, not just an email link.
Tools: okta, azure-ad
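The audit-mode check from step 3, combined with the inventory from step 1 and the two-keys-per-person rule from step 2, as an added example that is not part of the original control text or any identity provider's tooling. It reads a privileged account inventory, authenticator enrollment records and exported sign-in events, and reports the gaps that enforcement would turn into lockouts (too few phishing-resistant authenticators) or that the policy has to close (weak methods still enrolled or still being used). The inventory, enrollment and event formats, the method names and all accounts, serials and timestamps are constructed for this example and do not match any vendor's export format.

```python
"""Added example: pre-enforcement audit of a phishing-resistant MFA policy
over constructed inventory, enrollment and sign-in data."""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Methods the policy will accept for privileged accounts (constructed names).
PHISHING_RESISTANT = {"fido2", "passkey_device_bound"}
REQUIRED_AUTHENTICATORS = 2  # one primary, one backup (step 2)

# --- constructed sample data (not a real tenant) -----------------------------
PRIVILEGED_INVENTORY: Dict[str, str] = {
    "alice@corp.example": "IT administrator",
    "bob@corp.example": "security engineer",
    "svc-backup@corp.example": "service account (broad permissions)",
}

ENROLLMENTS: Dict[str, List[Tuple[str, str]]] = {
    "alice@corp.example": [("fido2", "YK-0001"), ("fido2", "YK-0002")],
    "bob@corp.example": [("fido2", "YK-0003"), ("sms", "+1555*****12")],
    "svc-backup@corp.example": [],
}

SIGN_IN_LOG = """\
{"ts": "2024-05-01T08:01:00Z", "user": "alice@corp.example", "method": "fido2", "result": "success"}
{"ts": "2024-05-01T08:05:00Z", "user": "bob@corp.example", "method": "sms", "result": "success"}
{"ts": "2024-05-01T09:10:00Z", "user": "bob@corp.example", "method": "fido2", "result": "success"}
{"ts": "2024-05-01T09:30:00Z", "user": "carol@corp.example", "method": "push", "result": "success"}
{"ts": "2024-05-01T11:00:00Z", "user": "svc-backup@corp.example", "method": "password_only", "result": "success"}
"""


def parse_sign_ins(text: str) -> List[dict]:
    """One JSON object per line, blank lines ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def audit(inventory: Dict[str, str],
          enrollments: Dict[str, List[Tuple[str, str]]],
          events: List[dict]) -> List[dict]:
    """Return findings sorted by account; an empty list means safe to enforce."""
    findings: List[dict] = []

    # (a) Enrollment readiness: every privileged account needs two
    #     phishing-resistant authenticators and no weaker method left enrolled.
    for account in inventory:
        enrolled = enrollments.get(account, [])
        strong = [serial for kind, serial in enrolled if kind in PHISHING_RESISTANT]
        if len(strong) < REQUIRED_AUTHENTICATORS:
            findings.append({"account": account, "check": "enrollment",
                             "detail": f"{len(strong)} phishing-resistant authenticator(s), "
                                       f"need {REQUIRED_AUTHENTICATORS}"})
        weak = sorted({kind for kind, _ in enrolled if kind not in PHISHING_RESISTANT})
        if weak:
            findings.append({"account": account, "check": "weak_method_enrolled",
                             "detail": ", ".join(weak)})

    # (b) Observed behaviour: successful privileged sign-ins that enforcement
    #     would have blocked. Non-privileged users (carol) are out of scope here.
    weak_use: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for e in events:
        if (e["user"] in inventory and e["result"] == "success"
                and e["method"] not in PHISHING_RESISTANT):
            weak_use[e["user"]].append((e["ts"], e["method"]))
    for account, uses in weak_use.items():
        findings.append({"account": account, "check": "weak_method_used",
                         "detail": f"{len(uses)} sign-in(s): "
                                   + ", ".join(f"{m} at {t}" for t, m in uses)})

    return sorted(findings, key=lambda f: (f["account"], f["check"]))


def ready_to_enforce(findings: List[dict]) -> bool:
    return not findings


if __name__ == "__main__":
    results = audit(PRIVILEGED_INVENTORY, ENROLLMENTS, parse_sign_ins(SIGN_IN_LOG))
    for f in results:
        print(f"{f['account']:28} {f['check']:22} {f['detail']}")
    print("ready to enforce:", ready_to_enforce(results))
```

Run this against the real exports for a full audit window (a quarter matches the review cadence in step 1) before switching the policy from audit to enforce; a service account that only ever authenticates with a password, as svc-backup does here, is the kind of gap that otherwise surfaces as an outage on enforcement day.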
Evidence required
Conditional access policy enforcing phishing-resistant MFA for privileged accounts
Evidence that hardware key or passkey authentication is required and weaker MFA methods are blocked for privileged users.
- Azure AD Conditional Access policy restricting privileged roles to FIDO2 keys
- Okta sign-on policy requiring hardware authenticator for admin group
- YubiKey enrollment records for all administrator accounts
Privileged account inventory
A documented list of accounts subject to phishing-resistant MFA requirements.
- Spreadsheet or identity provider report listing privileged accounts and enrolled key serial numbers
- RBAC group membership showing who is subject to the strengthened policy
Related controls
- Multi-factor authentication is required for all user accounts (Account Security)
- Unique credentials are used and shared accounts are eliminated (Account Security)
- Privileged accounts are separated and access is minimized (Account Security)
- Credentials are revoked immediately on known or suspected compromise (Account Security)