Hyrje
Multi-factor authentication (MFA) is one of the most effective controls against phishing, but not every MFA method is equal.
Teoria
SMS codes and TOTP authenticator apps both stop pure credential theft, but they can still be phished in real time. A sophisticated attacker uses a reverse-proxy kit like Evilginx or Modlishka that places a phishing page between the victim and the real service: when the victim enters their password and one-time code, the proxy forwards both to the legitimate site and captures the resulting session cookie, giving the attacker full access. This class of attack is called adversary-in-the-middle (AiTM) and has been used in multiple documented incidents against Microsoft 365 tenants.
Phishing-resistant MFA means the second factor is bound to the origin and cannot be proxied. WebAuthn (passkeys) and FIDO2 hardware tokens like YubiKey achieve this: the authenticator cryptographically signs a challenge that includes the real site's origin, so if the victim is on a phishing domain the signature does not match and the login fails. Smart cards with client certificates offer similar guarantees and are standard in government and high-security environments.
For organizations, the minimum bar for administrators and privileged users in 2024 should be a FIDO2 token or passkey. For general users, TOTP is better than SMS but should be upgraded to WebAuthn when possible. Every incident response report in the last two years has a line that says "if they had enforced phishing-resistant MFA, this would not have happened."
Mjetet
Faktorët e dytë të rezistuar ndaj phishing:
- FIDO2 / WebAuthn (YubiKey, Titan Key, passkeys).
- Smart cards (PIV, CAC).
- Push notifications me number matching (Microsoft Authenticator, Duo).
Faktorët jo-rezistent: SMS OTP, TOTP i thjeshtë (Google Authenticator pa number matching), email.
Praktika
Aktivizim i passkey në një aplikacion PHP:
// Me bibliotekën web-auth/webauthn-lib
$server = new Webauthn\Server($rpEntity, $repository);
$options = $server->generatePublicKeyCredentialCreationOptions($user);
// Dërgo te klienti → navigator.credentials.create({publicKey: options}) Ushtrime
- Konfiguro passkey në një llogari Google / Microsoft personale dhe testo login.
- Shpjego pse SMS OTP është i thyeshëm nga SIM swap.
Burime
- FIDO Alliance docs.
- NIST SP 800-63B — AAL3.
Vlerësimet dhe komentet
Kyçu për të lënë një vlerësim.
Ende pa komente. Bëhu i pari!
Diskutime
Ende pa diskutime. Hap një temë të re