Lumina Technologies logo
Support
Lumina TechnologiesIT ServicesProtect ITPhishing-Resistant MFA

Phishing-Resistant MFA

Advanced authentication that protects your business even when someone clicks a malicious link, because one wrong click shouldn’t risk your company.

Get in touch

Why Traditional MFA Is No Longer Enough

Multi-factor authentication (MFA) has been a security staple for years, requiring something you know (password) and something you have (often a code sent to your phone). But sophisticated scammers and cyber criminals have evolved their tactics, learning to use technology to crack passwords, intercept MFA codes or trick users into sharing them.

In fact, 84% of UK businesses that experienced cyber breaches in 2023/24 were targeted by phishing attacks – many bypassing traditional MFA completely.

The problem isn’t careless employees. It’s that we’re asking people to make perfect security decisions during their busiest moments:

  • The Monday morning rush checking emails
  • That urgent client request needing immediate attention
  • The end-of-day fatigue when concentration naturally wanes

This is where phishing-resistant MFA makes the difference – providing protection that works even when we’re human and make innocent mistakes.

Where You Might Be Today

Most businesses exploring phishing-resistant security share similar concerns:

  • Worried about the limitations of traditional MFA as phishing attacks grow more sophisticated
  • Concerned about the impact of a potential data breach caused by stolen credentials
  • Looking for security that doesn’t add friction to your team’s daily workflow
  • Uncertain about which phishing-resistant solutions would work best for your specific business
  • Wondering how to implement advanced security without disrupting your operations
  • Needing protection that works even during those rushed, human moments

 

The Power of Phishing-Resistant Authentication

Phishing-resistant MFA represents a fundamental shift in how we secure digital access. Instead of relying on information that can be phished or stolen, these solutions create security that’s tied directly to physical devices and cannot be compromised through social engineering.

As shown in our IT Security Journey roadmap (above), these advanced authentication technologies sit at the heart of a mature security posture, particularly at the Premium and Enterprise security levels where phishing-resistant MFA becomes a critical component of your multilayered defence strategy.

 

Different Types of Phishing-Resistant Authentication

 

1. Passkeys: Security Tied to Your Device

Passkeys transform how we protect access to business systems by linking authentication to your specific device rather than information that can be stolen. How Passkeys Work

When you set up a passkey:

  • Two digital keys are created – one public, one private
  • The private key stays securely on your device
  • The public key sits on the service you’re accessing
  • When logging in, the system checks if these keys match
  • Only your registered device can successfully authenticate

Unlike passwords or one-time codes, no secret information is ever transmitted during the login exchange. Even if someone tricks you into clicking a malicious link, they can’t access your accounts without your physical device.

Business Benefits of Passkeys

  • Phishing Immunity: Passkeys cannot be stolen through phishing attempts
  • Reduced Human Error Risk: Protects your team even during rushed moments
  • Simplified Experience: No passwords to remember or codes to enter
  • Immediate Protection: Already available on all major platforms including Microsoft and Google
  • Enhanced Security Posture: Demonstrates your commitment to advanced security measures

 

 

 

2. FIDO Security Keys: Portable, Physical Protection

FIDO security keys take the same technology found in passkeys but build it into a physical device that provides even greater flexibility and control.

How FIDO Keys Work:

  • Small physical security devices that connect to your computer, tablet, or smartphone
  • Each key contains secure cryptographic credentials unique to your business
  • Authentication requires both the physical key and a simple touch or tap
  • No passwords or codes to phish – physical presence is required

Business Benefits of FIDO Keys

  • Portable Security: Use the same key across multiple devices
  • Physical Control: Tangible security that’s easy to manage and distribute
  • Universal Compatibility: Works across various platforms and services
  • Simplified Management: Easily provision or revoke access
  • High-Assurance Authentication: Meets the highest security standards for authentication

 

Additional Phishing-Resistant Technologies

While passkeys and FIDO security keys offer the most straightforward implementation of phishing-resistant security, a comprehensive security posture requires multiple layers working together.

As highlighted in our IT Security Journey above, these complementary technologies become increasingly important as you progress toward Premium and Enterprise Security Leadership.

 

 

3. Risk-Based Conditional Access

Think of this as a digital security guard that adjusts verification requirements based on context:

  • Analyses factors like location, device, and user behaviour
  • Triggers additional verification for suspicious login attempts
  • Balances security with user experience based on risk levels
  • Provides an adaptive layer that responds to unusual patterns

If the system suspects unusual activity, then it will either ask for extra verification or even block access until it’s sure it’s really the correct user on the account.

 

 

 

4. Token Protection

A token is a digital credential that keeps you logged in after authentication, similar to a wristband you might receive after showing ID to enter an event.

Token protection prevents token theft, a technique used to bypass traditional MFA:

  • Session token theft occurs when attackers steal this “digital wristband” after you’ve legitimately authenticated, allowing them to access your accounts without needing to provide passwords or MFA codes
  • Token Protection cryptographically ties these session tokens to the specific device that created them
  • Ensures stolen tokens can’t be used on other devices, even if intercepted
  • Creates an additional technical barrier against sophisticated attacks
  • Evolving technology that will continue to strengthen security postures

The technology involved with this is still in its infancy and is similar to how passkeys are created.

 

5. Certificate-Based Authentication

Certificate-Based Authentication (CBA) operates similarly to passkeys and token protection, but it uses different technology for encryption and authentication and is centrally managed.

  • Digital certificates are issued by your IT team to each device
  • Verifies both user identity and device legitimacy
  • Seamlessly integrates with VPNs and wireless networks
  • Provides enterprise-grade control over authentication
  • Can be used alongside other MFA methods

 

 

Phishing-Resistant MFA in Your IT Security Journey

Phishing-resistant technologies play a crucial role in your IT Security Journey, with different solutions becoming relevant as your security posture matures. Rather than standalone tools, these technologies integrate with and enhance your overall security framework at each stage.

Basic Security Foundation

At this stage, you’re establishing fundamental security controls. While traditional MFA begins here, this foundation creates the security baseline necessary before implementing more advanced authentication methods.

Baseline Security Practices

This tier introduces more proactive security measures like standard phishing protection (typically awareness training and basic filtering) and getting ready for Cyber Essentials certification.

At this stage, you’re building awareness of phishing threats and implementing the prerequisite account security controls that phishing-resistant technologies will enhance.

 

 

Premium Security Enhancements

This is where phishing-resistant authentication becomes essential.

  • Passkey implementation for critical systems
  • FIDO security key options for high-security roles
  • Enhanced security awareness training focused on authentication threats

 

As shown in the security journey roadmap, these premium enhancements work together with phishing-resistant authentication to create a more resilient security posture.

 

Enterprise Security Leadership

At this level, authentication security becomes fully integrated with your broader security governance, creating a comprehensive defence system that protects against even the most sophisticated attacks.

The Lumina Approach to Phishing-Resistant Security

Our approach to security is always multilayered and contextual – we implement phishing-resistant technologies as part of your overall IT Security Journey, not as isolated solutions.

 

Why Choose Lumina for Phishing-Resistant MFA

We’re not your typical IT security provider. As architects of our own IT Security Journey framework, we understand how phishing-resistant technologies fit within a broader security maturity roadmap.

Here’s what makes us different:

We Get Business: We understand security must support your operations, not hinder them. Our implementations balance protection with productivity.

We Understand Human Nature: We know even your most dedicated employees can make innocent mistakes during rushed moments. That’s why we implement security that works even when we’re human.

Real Experience: As early adopters of passkeys and FIDO security keys, we’ve already implemented these solutions for businesses like yours, strategically positioning them within your security journey. We understand not just the technologies themselves, but how they complement your existing security controls.

Service That Shows We Care: When transitioning to new security measures, responsive support makes all the difference. Our award-winning team ensures your questions never go unanswered.

The Perfect Size: We’re big enough to have deep security expertise but small enough that you’ll know your security team by name. No generic advice or cookie-cutter solutions – just real protection tailored to your business.

Ready to Advance Your Security Journey?

Let’s discuss how phishing-resistant MFA can enhance your security posture, regardless of where you are in your Client IT Security Journey—whether you’re building a solid foundation or advancing toward enterprise-level protection.

Why Choose Us?

  • Best in class technology
  • Cyber security experts
  • We understand how people actually work

Get in touch today

    Sign me up to receive your newsletter

    I understand that by ticking this box and submitting this form, I consent to Lumina Technologies contacting me by email or phone in order to process my enquiry. Lumina Technologies will not pass your details onto other companies or third parties.*

    Ready to Advance Your Security Journey? Contact us using the form or call 01442 500890 to find out more.

    Get in touch FAQs

    Frequently Asked Questions

    What is phishing-resistant MFA?

    Phishing-resistant MFA (Multi-Factor Authentication) is an advanced form of authentication that cannot be compromised through social engineering or phishing attacks. Unlike traditional MFA methods that rely on one-time codes or push notifications (which can be intercepted or tricked from users), phishing-resistant methods use cryptographic techniques that bind authentication to specific physical devices and cannot be stolen or duplicated through deception.
    The most common forms of phishing-resistant MFA include passkeys and FIDO security keys, which use public-key cryptography to ensure that authentication cannot occur without the actual physical device, even if a user is tricked into visiting a malicious website.

    How do passkeys work?

    Passkeys use cryptography to authenticate you securely without needing a password. They rely on a pair of mathematically linked keys:

    • A private key, which is stored securely on your device (e.g. phone, laptop)
    • A public key, which is saved by the website or service you’re logging into

    When you try to log in:

    1. The service sends a unique challenge to your device
    2. Your device signs the challenge using your private key
    3. This signed response is sent back to the service
    4. The service verifies the signature using your public key
    5. If the signature is valid, access is granted

    The key advantage is that your private key never leaves your device, and nothing sensitive is transmitted or stored by the service that could be reused or stolen. Even if a hacker builds a perfect replica of a login page, they can’t intercept or replay your authentication – because it depends entirely on your physical device and its cryptographic key.

    What’s the difference between passkeys and FIDO security keys?

    Passkeys and FIDO security keys are both based on the FIDO2/WebAuthn standards and offer phishing-resistant authentication, but they differ in how they’re deployed and managed.

    Passkeys:

    • Built into modern devices (phones, laptops, tablets)
    • Typically synchronised across your devices via cloud providers like Apple iCloud, Google, or Microsoft
    • No extra hardware needed
    • Very convenient for everyday personal or business use
    • Tied to your device ecosystem (e.g. Face ID on iPhone, Windows Hello on PC)

    FIDO Security Keys:

    • Physical hardware devices (e.g. USB or NFC tokens)
    • Portable and can be used across any compatible system
    • Not tied to a specific cloud or ecosystem
    • Can be issued and managed centrally by your organisation
    • Ideal for high-security use cases, shared workstations, or environments without consistent device access

    Both options provide a high level of protection, but businesses often prefer FIDO security keys when they need greater control – for example, issuing keys to staff in finance, IT, or compliance roles, or supporting access across multiple non-managed devices.

    Why is traditional MFA no longer enough?

    While traditional MFA (like SMS codes, authenticator apps, or email links) still offers better protection than passwords alone, it has become increasingly vulnerable to advanced attack methods:

    • MFA Fatigue: Scammers send repeated login prompts, hoping users will eventually approve one out of frustration or confusion.
    • Real-time Phishing Proxies: Fake login pages forward your credentials and MFA codes to the real service instantly – giving attackers immediate access.
    • Session Token Theft: Once you’ve logged in, your session token keeps you authenticated. Scammers who steal this token can bypass future MFA checks entirely.
    • Social Engineering: Scammers impersonate IT or support staff and trick users into revealing MFA codes over the phone or via email.

    These attacks succeed because traditional MFA still requires human involvement and decision-making, which can be manipulated.

    Phishing-resistant MFA removes this risk by using cryptographic authentication tied to your device. The login process can’t be completed without possession of that device, and it doesn’t rely on codes, approvals, or user input – making it resistant to phishing, token theft, and social engineering.

    Which phishing-resistant MFA solution is right for my business?

    The right solution depends on your business’s needs and where you currently are in Lumina’s Client IT Security Journey. We tailor our recommendations to ensure your authentication strategy matches your operational environment, technical maturity, and compliance goals.

    If you’re progressing through Premium Security Enhancements:

    Passkeys may be the right fit if:

    • Your team mostly uses managed devices (e.g. Windows + Azure AD or all Apple)
    • You want a low-friction login experience with minimal user training
    • You already have device and identity management systems in place
    • Your team is relatively tech-savvy and open to change

    FIDO Security Keys may be the better choice if:

    • You have a mixed-device environment with laptops, desktops, and mobile from various vendors
    • You need to issue physical tokens that can be collected or revoked
    • You require additional assurance — for example, in finance, legal, or compliance roles
    • Users work across multiple platforms or don’t have centrally managed devices

    If you’re moving toward Enterprise Security Leadership:

    At this stage, we recommend a layered strategy that may combine multiple phishing-resistant methods:

    • Implement both passkeys and security keys across different teams, based on risk
    • Enable risk-based authentication that adjusts based on context (e.g. device, location)
    • Align your approach with compliance needs like Cyber Essentials Plus, GDPR, or ISO 27001
    • Integrate with identity and access management (IAM) tools and formal governance processes

    During your initial consultation with Lumina, we’ll assess where your business sits on the Security Journey and recommend the right phishing-resistant MFA strategy to support your long-term growth and resilience.

    What our customers say

    The quality of IT Support provided by Lumina Technology is of the highest standard and is complemented by effective client liaison with impressive response times. Trap Oil Group plc has no hesitation in recommending Lumina as a dedicated and specialist group of IT professionals.

    Martin David
    Technical Director, Trap Oil Group plc

    Society Limited has been supported by Lumina Technologies since our earliest start-up phase. From large logistical challenges like an office move, through to smaller fiddly issues like fixing a faulty e-template, we know we can count on their support and advice. They’ve also been able to engage with us strategically on the challenge of scaling-up our infrastructure as the firm continues to grow and evolve. We always feel confident going to Lumina with a problem, since we know they genuinely care about sorting things out and helping us to get on with our core business.

    Simon Lucas
    Managing Director, Society Limited

    The team at Lumina Technologies have made the Amoun Travel & Tours office IT transition seamless and problem free. The office set-up has been vastly improved and the IT Support services are flawless. No issue goes unresolved, which is extremely reassuring.

    Adam Helmy
    Amoun Travel & Tours Ltd

    Richard and his team at Lumina have provided Perrett Laver Limited with high quality strategic and practical IT Services for over ten years. During this period, Perrett Laver has grown from 10+ colleagues based in London to nearly 100 colleagues located in six offices across the Americas, EMEA and Asia-Pacific. Richard and the Lumina team have not just been responsive to our ‘everyday’ IT needs, but have proactively sought to work with us on developing an infrastructure suitable for the type of operation we are today, and are planning to be months and years down the line. I would not hesitate to recommend Richard, especially for small to medium size business with growth in mind.

    Clementine McKinley
    COO, Perrett Laver Limited

    Lumina Technologies have taken the time to understand the requirements of our business and work as our strategic IT partner, enabling us to concentrate on delivering a high quality service to our clients and focus on our growth strategy. They have delivered a 100% cloud solution to our business with no underlying infrastructure costs or maintenance, which gives us scalability for our planned growth. It also means our business critical applications and data are securely accessible from virtually all our user devices. Lumina’s professional approach and strategic expertise is highly valued and their management of our IT – based on their in-depth knowledge, leaves us confident that our systems are available 24×7.

    Luke Harrison
    Keidan Harrison LLP

    Lumina Technologies Prism Hosted Desktop has allowed our business to centralise our global corporate data, allowing much faster access for all our staff – regardless of their location. We have also been able to simplify and reduce our infrastructure and management overhead. With the new Prism Hosted Desktop solution all staff now have simple and secure access to corporate data using any device they choose. Prism Hosted Desktop has increased the productivity of our staff and given us a single, consistent and familiar experience for all users from any device, in any location, 24/7.

    Katherine Roe
    Chief Executive Officer, Wentworth Resources PLC

    We’ve been so well supported by Paige and the Lumina team. They’ve been highly professional, very responsive, friendly, supportive. It’s really validated the decision to engage an IT partner, and we’re glad it’s with Lumina. 

    Bruce Storey
    Chief Operating Officer, Estu Global Ltd

    Richard and his team are a real inspiration to anyone who meets them and I have watched Lumina’s growth over the last few years with interest and admiration. Richard has been an amazing supporter of the Hospice of St Francis, being a Gold member of the Corporate Partner Network for almost two years. He takes an active interest in the community and is passionate about his company and his town: nothing is too much trouble, he is always willing to help, to give up his time and to provide business advice when asked. Lumina is an inspiration to any company wanting to set up business in Hertfordshire.

    Carolyn Addison
    Corporate Fundraising Manager, The Hospice of St Francis

    Hawkstone Management Services Ltd is a small company for which IT Outsourcing is realistically the only viable option. Lumina Technologies have successfully performed this role for over fifteen years. They also provide innovative solutions to keep pace with technological progress. I would have no hesitation in recommending Lumina to similar sized businesses.

    Stephen Pembury
    Hawkstone Management Services Ltd

    Related Articles

    Discuss your business needs today

    Get in touch Schedule a call