Cybersecurity regulations are converging on a clear message: phishing-resistant multi-factor authentication (MFA) is now the baseline for compliance.
Whether you operate in financial services, critical infrastructure, healthcare, or any regulated sector, regulators are making it clear that weak authentication methods (like passwords or SMS codes) can no longer protect sensitive systems or pass audits.
Why phishing-resistant MFA matters
Traditional MFA methods, such as SMS one-time codes or knowledge-based questions, remain vulnerable to phishing and credential theft.
Phishing-resistant MFA, based on standards like FIDO2/WebAuthn, protects against these threats by ensuring authentication factors cannot be intercepted, replayed, or socially engineered.
For organizations, this means:
- Meeting compliance requirements without relying on fragile stopgaps
- Reducing the risk of credential-based breaches
- Lowering operational costs linked to password resets and account recovery
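As an added illustration (not code from this post or from Secfense) of why a FIDO2/WebAuthn login resists interception and replay, the relying-party checks below are run against a constructed genuine login, a relayed one, a replayed one and an edited one. The origin, RP ID, challenge strings and credential key are all constructed, and an HMAC stands in for the authenticator's asymmetric signature so the block runs with the standard library only.

```python
import hashlib, hmac, json
from urllib.parse import urlparse

# Constructed values: the relying party (RP) and a stand-in for one registered credential.
RP_ORIGIN = "https://bank.example"
RP_ID = "bank.example"
CRED_KEY = b"constructed-credential-secret"  # stands in for the authenticator's private key

def sign(key, auth_data, client_data):
    # FIDO2 signs authenticatorData || SHA-256(clientDataJSON); HMAC stands in for ECDSA here.
    return hmac.new(key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()

def authenticator_assert(key, page_origin, challenge):
    """Simulates what browser and authenticator return for the page the user is really on. The
    browser, not the page, writes origin into clientDataJSON and derives the RP ID hash."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    rp_id_hash = hashlib.sha256(urlparse(page_origin).hostname.encode()).digest()
    auth_data = rp_id_hash + b"\x01" + (1).to_bytes(4, "big")  # flags byte with UP set, 4-byte counter
    return client_data, auth_data, sign(key, auth_data, client_data)

def verify_assertion(key, expected_challenge, client_data, auth_data, sig):
    """RP-side checks that make a relayed, replayed or edited assertion worthless."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return "challenge mismatch"   # stale or replayed assertion
    if cd.get("origin") != RP_ORIGIN:
        return "origin mismatch"      # user was on a look-alike site
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not hmac.compare_digest(sign(key, auth_data, client_data), sig):
        return "bad signature"        # signed data was altered after the authenticator signed it
    return "ok"

def demo():
    challenge = "constructed-challenge-1"
    legit = verify_assertion(CRED_KEY, challenge, *authenticator_assert(CRED_KEY, RP_ORIGIN, challenge))
    # Relay: a look-alike site forwards the real challenge to a user who signs on the wrong origin
    cd, ad, s = authenticator_assert(CRED_KEY, "https://bank-login.example.net", challenge)
    relayed = verify_assertion(CRED_KEY, challenge, cd, ad, s)
    # Replay: a genuine assertion presented again once the RP has issued a fresh challenge
    replayed = verify_assertion(CRED_KEY, "constructed-challenge-2", *authenticator_assert(CRED_KEY, RP_ORIGIN, challenge))
    # Edit: the relayed assertion with origin and rpIdHash rewritten to look genuine, but not re-signed
    edited = json.loads(cd); edited["origin"] = RP_ORIGIN
    genuine_ad = hashlib.sha256(RP_ID.encode()).digest() + ad[32:]
    tampered = verify_assertion(CRED_KEY, challenge, json.dumps(edited).encode(), genuine_ad, s)
    return legit, relayed, replayed, tampered
```

In a real deployment the browser refuses to produce an assertion for a domain the credential was not registered to, so the origin and rpIdHash checks are the server-side backstop, and the challenge check is what defeats replay.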

What the regulations say
Several major regulatory frameworks have set phishing-resistant MFA as a core requirement:
- DORA (Digital Operational Resilience Act, EU) – In force since Jan 2023, applicable from Jan 17, 2025. Requires financial entities to implement strong, resilient ICT security controls, including phishing-resistant authentication. Source: European Commission
- NIS2 Directive (EU) – Effective Oct 18, 2024. Requires operators of essential and important entities to enforce robust access controls and MFA resistant to common attack vectors. Source: European Commission
- PCI DSS 4.0 (Global) – Effective from March 31, 2025. Specifies that MFA for administrative and remote access must use methods resistant to phishing and credential replay attacks. Source: PCI Security Standards Council
- OMB Memo M-22-09 (US Federal) – Issued Jan 26, 2022, mandates phishing-resistant MFA for federal agencies under the Zero Trust Strategy. Source: The White House
Together, these frameworks establish a new baseline: phishing-resistant MFA everywhere, including legacy and mission-critical systems.
The challenge of legacy systems
Many organizations struggle to deploy modern authentication across legacy or custom applications. These systems were never designed to support modern standards, yet regulators make no exceptions.
This creates a common dilemma: how to implement phishing-resistant MFA everywhere without rewriting legacy apps or replacing existing IAM infrastructure.
How Secfense helps
This is where Secfense comes in.
Secfense provides a no-code MFA and passwordless layer that can be deployed across all applications, modern and legacy, without modifying source code. With Secfense, organizations can:
- Enforce phishing-resistant MFA (passkeys, FIDO2/WebAuthn) across every app
- Deploy gradually, starting with high-risk systems
- Maintain business continuity with zero disruption to users
- Centralize authentication policies and audit logs for regulatory reporting
Explore how Secfense helped BNP Paribas and UNIQA deploy phishing-resistant authentication at scale, without rewriting a single application.

Conclusion
Phishing-resistant MFA is no longer a “best practice.” It is the new compliance baseline.
Organizations that continue relying on passwords or SMS-based MFA face growing risks: not just of breaches, but of non-compliance penalties, failed audits, and regulatory action.
Secfense enables a secure, compliant path forward by bridging the gap between modern MFA requirements and the reality of legacy infrastructure.
Next step: Schedule a call with our team to see how Secfense can help your organization meet phishing-resistant MFA requirements without disruption.