We hear a lot about the urgent need for phishing resistance, and to be sure, phishing does pose a significant threat—as recent attacks on Change Healthcare and Fidelity Investments demonstrate.
Phishing is a type of cyberattack where attackers trick users into revealing credentials or sensitive information, often through deceptive emails, websites, or messages. Phishing-resistant authentication methods, including passwordless approaches, are designed to prevent credential theft by binding authentication to a device or origin and eliminating shared secrets.
Passwordless authentication: what are you waiting for?
We also hear a lot about the importance of passwordless authentication in making organizations phishing-resistant, with directives like M-22-09, Executive Order 14028, and M-24-14 requiring more than just multi-factor authentication (MFA). OMB M-22-09 states: “Agencies are encouraged to pursue greater use of passwordless multi-factor authentication as they modernize their authentication systems.”
But the need for passwordless goes beyond fighting phishing to more broadly creating authentication environments that offer real-world protection to repel cyberattacks of all kinds. As the Gartner® report Migrate to Passwordless Authentication to Enhance Security and Optimize UX points out:
“Organizations that continue to rely on passwords—even as part of multifactor authentication (MFA)—are less safe than those that have migrated to passwordless methods.”
At RSA, we often wonder why more organizations haven’t made greater strides toward adopting passwordless authentication. The Gartner report takes a deep dive into the factors holding organizations back, shares practical recommendations for moving forward, and sets out a phased approach for taking every opportunity to move to passwordless authentication.
Given the adjustments to culture and systems that a move to passwordless requires, some hesitation on the part of organizations is understandable. But given the demonstrated risk of credential theft, acting sooner rather than later makes sense: the more passwords your users have in your environment, the greater the risk.
If CISOs or identity and access management (IAM) leaders hold off on investing in passwordless technology for fear of moving too soon, in the meantime they face the very real risk of becoming the victim of a credentials-based attack. That cybersecurity risk seems to outweigh most organizations’ reasons for hesitating.
The FIDO Alliance reports that 87% of companies are either deploying or plan to deploy passkeys to enhance security and UX. And it’s not just businesses: consumers are increasingly moving toward passwordless authentication, with more than 175 million Amazon customers now using passkeys to log in.
Common phishing tactics that bypass weak MFA
Even organizations using traditional MFA can be vulnerable if authentication methods are not phishing-resistant:
- Credential interception: OTPs sent via SMS, email, or authenticator apps can be captured.
- Man-in-the-middle attacks: Attackers trick users into providing credentials via fake login portals.
- Malware keyloggers: Software records keystrokes, including passwords and OTPs.
- Phishing kits: Automated attack frameworks target MFA methods that are not cryptographically bound to the device or origin.
The Gartner report notes that organizations can successfully implement passwordless in manageable increments: “IAM leaders should follow a phased approach.”
The report proposes four specific steps organizations must take:
- Identify use cases, starting with an inventory of where passwords are used.
- Agree on target states based on security and UX goals.
- Identify preferences among different methods and flows.
- Create a roadmap for workforce and customer use cases.
At RSAC Conference 2025, I explained that passwordless is a journey that requires as much auditing of current authentication methods and MFA deployment as it does planning for the future. Organizations may find that if they currently have strong authentication in place, they may already be halfway to getting to passwordless.
Phishing-resistant MFA works by binding authentication to a user’s device and origin and eliminating shared secrets over the network. Methods include:
- Passkeys and app-based push notifications: Users can approve or deny authentication requests from a mobile device without sending passwords over the network.
- Device-based factors: Identity verification is tied to a specific device, not shared credentials.
- Hardware-based authentication: RSA iShield Key 2 Series and RSA DS100 authenticators support FIDO2 passwordless authentication.
- Biometrics: Fingerprint and face recognition on Android, iOS, and Windows devices.
- Smart cards / PKI certificates: Common in government and highly regulated industries.
Why enterprises need phishing-resistant MFA
- Increasing sophistication of phishing attacks targeting OTPs and traditional MFA
- Regulatory drivers (NIST 800-63B, Executive Orders 14028, CISA Zero Trust guidance)
- Real-world credential theft risk
- Improved security and user experience over traditional MFA
The Gartner report states that “IAM leaders should implement passwordless methods where they are readily supported and take further action to extend passwordless authentication to other use cases.”
For organizations looking to implement passwordless solutions, RSA offers a wide variety of specific passwordless capabilities and resources, all available within the AI-powered RSA Unified Identity Platform.
- Passkeys: RSA supports passkeys through the RSA Authenticator App, which allows users to register a device as a passkey and use it for passwordless authentication.
- App-based push notifications: RSA offers app-based push notifications that allow users to approve or deny authentication requests from their mobile devices.
- Device-based factors: RSA identity verification capabilities include linking identity to a specific device, not a set of credentials that can be targeted by phishing and other attacks.
- Hardware-based authentication: The RSA iShield Key 2 Series of authenticators and the RSA DS100 authenticator both offer FIDO2-based passwordless authentication for use cases where biometrics or mobile phones may not be suitable, like when healthcare professionals need to wear plastic gloves and masks, or in clean rooms that don’t permit internet-connected devices.
- Biometrics: RSA supports fingerprint and face recognition on both Android and iOS devices. We also support Windows Hello as a biometric authentication method for Windows users.
Beyond RSA’s passwordless and device-based solutions, organizations can leverage additional phishing-resistant MFA technologies to enhance security:
- Smart Cards / PKI Certificates: Certificates stored on secure devices, often used in government and highly regulated industries for strong authentication.
- Passkeys for Mobile and Desktop: Device-bound credentials that enable seamless, passwordless login across platforms.
- Adaptive MFA: Context-aware authentication that combines device signals, geolocation, and user behavior to enforce stronger verification when risk is detected.
- Software Security Tokens: Cryptographic keys generated and held by a secure app on the user’s device, meeting phishing-resistant standards (e.g., FIDO2-compliant apps).
These technologies, when combined with a phased deployment strategy, help enterprises build a layered, phishing-resistant authentication framework that protects both workforce and customer identities.
Benefits of phishing-resistant MFA
- Stops credential phishing and replay attacks
- Meets compliance mandates and regulatory standards
- Improves user experience compared to OTP-based MFA
- Reduces risk of account compromise across enterprise and customer systems
For organizations seeking enterprise-grade hardware authentication, the RSA iShield Key 2 Series offers a secure, compliant, and user-friendly solution. Combined with RSA’s full suite of passwordless and phishing-resistant MFA options, it helps protect your organization against modern credential attacks while simplifying user access.
Learn more about the passwordless capabilities available as part of RSA ID Plus, and sign up for a free trial to see for yourself how RSA can help speed your journey to passwordless authentication.
Gartner, Inc. Migrate to Passwordless Authentication to Enhance Security and Optimize UX. Ant Allan, James Hoover. Originally published 30 August 2024
GARTNER is a registered trademark and service mark of Gartner, Inc., and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.
FIDO2 security keys, passkeys, smart cards, and device-bound biometrics.
NIST 800-63B, Executive Order 14028, and CISA Zero Trust guidance.
By using device-bound cryptographic keys that validate the website origin, eliminating shared secrets.
Binding authentication factors to devices or origins and avoiding shared secrets over the network.
No, OTPs can be intercepted or replayed by attackers.
Yes, modern MFA solutions support integration with enterprise IAM systems, SSO, and cloud apps.
By taking a phased approach, selecting user-friendly authentication methods, and providing clear training and support.