AI phishing forces stronger MFA

Security experts say AI‑generated phishing is now producing highly convincing, automated attacks that can bypass basic filters, making phishing‑resistant MFA (FIDO2 keys or platform authenticators) the new baseline for protecting admin and sensitive accounts. The message: legacy SMS or simple app tokens are increasingly insufficient as attackers automate personalized scams at scale. (govinfosecurity.com)

At the Gartner Identity & Access Management Summit in London on March 17, 2026, Yubico’s Niall McConachie and Neil Fox said passkeys bind authentication to a device with public–private key cryptography, enabling removal of passwords for some account flows. (bankinfosecurity.com) Yubico’s speakers also highlighted FIDO pre‑registration for enterprise passkey rollouts and described hardware security keys as the continued “gold standard,” noting major identity providers are building native passkey support. (bankinfosecurity.com)

Microsoft’s Secure Future Initiative sets a target of protecting 100% of user accounts with phishing‑resistant MFA and reports about 92% of employee productivity accounts already protected by phishing‑resistant methods. (learn.microsoft.com) CISA’s April 12, 2023 guidance called phishing‑resistant MFA (smartcards and FIDO security keys) the practical defense against MFA‑bypass attacks and explicitly urged widespread issuance of security keys. (cisa.gov) The federal Phishing‑Resistant Authenticator Playbook (dated February 22, 2024) ties to OMB M‑22‑09 and directs agencies to remove phishable authenticators such as SMS and TOTP in favor of phishing‑resistant options. (idmanagement.gov) FIDO Alliance U.S. government guidance (version 1.1, March 14, 2025) recommends FIDO2/WebAuthn and outlines FIDO2 as a complement to federal PKI and PIV programs to meet Zero Trust and OMB mandates. (fidoalliance.org)

Okta’s analysis of the VoidProxy Phishing‑as‑a‑Service operation (reported Sept. 2025) showed reverse‑proxy/AiTM campaigns capture usernames, passwords and MFA responses in real time, while FIDO2 security keys blocked those proxy attempts. (expertinsights.com) Security researchers and vendors documented a wave of advanced phishing kits in 2025 (BlackForce, GhostFrame, InboxPrime AI, Spiderman) that use Man‑in‑the‑Browser or reverse‑proxy tactics to capture OTPs and session tokens; BlackForce was first observed in August 2025, and similar kits have been offered on underground markets for roughly €200–€300, enabling scale. (thehackernews.com) Industry intelligence warns the scale is real: an Arkose Labs white paper cites roughly 3.4 billion phishing emails sent daily, says financial services account for about 31% of phishing volume, and attributes much of the attack acceleration to GenAI lowering the barrier to entry. (arkoselabs.com) Government playbooks and vendor research emphasize platform authenticators as a cost‑effective, device‑native phishing‑resistant option for broad rollouts, while multiple threat reports (Jan 2026) call for rapid migration to phishing‑resistant controls in response to AI‑driven kits. (idmanagement.gov)
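Why a FIDO2 assertion survives the reverse‑proxy relay that defeats SMS and TOTP codes comes down to what the authenticator signs. The simplified relying‑party verification below is an added illustration, not code from Yubico, Okta or any source cited above; the relying party name, the lookalike origin, and the HMAC stand‑in for the passkey’s asymmetric signature are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                                     # constructed relying party
RP_ORIGIN = "https://example.com"
PHISH_ORIGIN = "https://example-com.login-check.invalid"  # constructed lookalike
RP_ID_HASH = hashlib.sha256(RP_ID.encode()).digest()
# Stand-in for the passkey's private key: a real authenticator signs with an
# asymmetric key (e.g. ES256); an HMAC secret keeps this runnable on stdlib only.
AUTHENTICATOR_KEY = secrets.token_bytes(32)


def authenticator_sign(origin, challenge):
    # The browser, not the user, records the origin it is really connected to;
    # the authenticator then signs authenticatorData || SHA-256(clientDataJSON).
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = RP_ID_HASH + b"\x01" + b"\x00\x00\x00\x01"   # flags: UP set; counter
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion, expected_challenge):
    # Relying-party checks, following the WebAuthn assertion-verification steps (simplified).
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    ad = assertion["authenticatorData"]
    if ad[:32] != RP_ID_HASH:
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user presence flag not set"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def legitimate_login():
    challenge = secrets.token_urlsafe(32)                # RP issues a fresh challenge
    return rp_verify(authenticator_sign(RP_ORIGIN, challenge), challenge)


def aitm_relay():
    # A reverse proxy forwards the RP's real challenge to a victim whose browser sits on
    # the lookalike origin. A real browser already refuses, since RP_ID is not a suffix of
    # that origin; even a forwarded assertion carries the phishing origin and fails here.
    challenge = secrets.token_urlsafe(32)
    return rp_verify(authenticator_sign(PHISH_ORIGIN, challenge), challenge)
```

An SMS or TOTP code carries no such origin or challenge binding, which is exactly why the proxy kits described above can replay it within its validity window.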
