What is Phishing-Resistant MFA?
Traditional multi-factor authentication methods, such as text messages, phone calls, and number-matching push notifications in authenticator apps, are no longer sufficient to protect sign-ins to applications that contain sensitive data. These methods remain vulnerable to social engineering and phishing attacks, in which a remote threat actor can trick a user into completing the required MFA prompt, granting access to the account from anywhere.
Phishing-resistant MFA addresses this risk by requiring an interaction between the authentication method and the sign-in experience. In other words, the user must prove they have physical access to both the authentication method and the device being used to sign in. Phishing-resistant MFA can also eliminate the need to enter a password in addition to the MFA method, making the sign-in process faster and more convenient. Once the user completes a phishing-resistant MFA prompt, access to the application is granted immediately.
Phishing-Resistant MFA Methods
These are the phishing-resistant MFA methods available to Providence College users.
- Windows Hello for Business
- Microsoft Authenticator passkey
- FIDO2 security key (such as a YubiKey)
Register a Phishing-Resistant MFA Method
Users can manage MFA methods for their Providence College Microsoft account by going to mysignins.microsoft.com/security-info. There, they can add or remove any available MFA method, including phishing-resistant methods. For instructions on registering specific methods, refer to the Microsoft documentation below or contact the Help Desk.
Register passkeys in Authenticator on Android and iOS devices - Microsoft Entra ID | Microsoft Learn
Register a passkey (FIDO2) with a FIDO2 security key - Microsoft Entra ID | Microsoft Learn
Prepare users to provision and use Windows Hello for Business | Microsoft Learn