Why traditional MFA is no longer enough

Most multi-factor authentication (MFA) methods still depend on a user transmitting a secret—a code, a push notification response, a one-time password (OTP). That dependency is the vulnerability.

Adversary-in-the-middle (AiTM) attacks intercept authentication tokens in real time. A user can do everything right, respond to the prompt, complete the step, and still have their session hijacked mid-authentication.

Phishing-resistant MFA removes the human from the equation entirely. Authentication responses are cryptographically bound to a verified device. There is no secret to intercept. There is no step for an attacker to hijack.

The 2026 Verizon Data Breach Investigations Report found that 44% of AI-assisted initial access techniques used by threat actors were phishing-related. Attackers are getting better at this faster than users can keep up.

ManageEngine ADSelfService Plus delivers phishing-resistant MFA across your entire environment—cloud applications, Active Directory (AD) domains, on-premises machine logins, VPNs, and beyond—so attackers have no authentication layer left to exploit.

The coverage gap most organizations don't see

Microsoft Entra ID supports phishing-resistant authentication—but its coverage has two distinct limits, and most organizations are exposed on both.

Where Entra ID falls short

Several access points enterprises rely on every day fall entirely outside what Entra ID can protect with phishing-resistant MFA:

  • Active Directory machine logins: Phishing-resistant MFA cannot be enforced at the Windows login screen for machines not joined to Azure AD.
  • VPN authentication: Most VPN solutions don't support Microsoft Entra ID's phishing-resistant methods natively.
  • Outlook Web App (OWA) access: On-premises Exchange deployments are outside Microsoft Entra ID's Conditional Access scope.

Even within Entra ID's own MFA flow, the following limitations remain:

  • Domain-level MFA granularity: Entra ID cannot scope authentication flows by domain membership, making it difficult to enforce stricter controls on privileged accounts in hybrid environments.
  • Diverse authenticator support: Entra ID does not natively support authentication methods like Google Authenticator, RSA SecurID, and Duo Security for a layered MFA strategy.
  • Multi-step authentication: Entra ID natively supports up to two authentication steps, with no built-in mechanism to chain additional factors beyond that, limiting organizations that require deeper layered verification for high-risk access scenarios.

For any organization with on-premises AD and Entra ID infrastructure, these gaps leave real attack surface unprotected.

Phishing-resistant MFA, across every access point

ADSelfService Plus enforces phishing-resistant Active Directory authentication at every layer of your environment. It also supports a comprehensive Entra ID MFA flow that accounts for diverse user populations and for high-risk access scenarios that require deeper verification.

  • Endpoint authentication: Extend phishing-resistant MFA to Windows machine logins on AD-joined devices, not just application sign-ins. FIDO2 security keys, passkeys, and certificate-based authentication work at the endpoint—securing the access point most hybrid environments leave completely exposed.
  • VPN and OWA access: Apply the same authentication strength to VPN connections and on-premises Outlook Web App that you apply to cloud applications. ADSelfService Plus bridges the gap between your AD infrastructure and your phishing-resistant MFA policy—uniformly, without exceptions.

Phishing-resistant authentication methods in ADSelfService Plus

  • FIDO2 security keys: ADSelfService Plus supports FIDO2 security key authentication—including hardware keys like YubiKeys—across AD machine logins, VPN access, and application sign-ins. Public key cryptography binds each authentication to the enrolled device; the private key never leaves it. With no interceptable secret, AiTM attacks, credential stuffing, and phishing have nothing to capture.
  • Passkeys: ADSelfService Plus supports both synced and device-bound passkeys, built on the same PKI foundation as FIDO2. Synced passkeys move with users across devices. Device-bound passkeys stay tied to a single enrolled device for AD environments where credential portability introduces risk. Either way, no shared secret is ever transmitted.
  • Certificate-based authentication (CBA): ADSelfService Plus supports X.509 certificate authentication on smart cards and virtual smart cards—binding credentials to a physical token that cannot be intercepted or replayed. For on-premises AD environments under strict compliance mandates, CBA aligns with the PIV standard in the US Government's Zero Trust guidance, and does so without cloud dependency.

Multiple authenticator support with a granular policy framework

ADSelfService Plus supports 20 authenticators, including phishing-resistant FIDO2 security keys, passkeys, YubiKey, smart card-based certificate authentication, Google Authenticator, Duo Security, and more.

Most platforms force a tradeoff: phishing-resistant methods or authenticator diversity. ADSelfService Plus doesn't. You get the full range under a single policy framework—so you can enforce FIDO2 or CBA where the risk demands it and offer additional authenticator options where it doesn't—all configured from one place and applied consistently across your AD and cloud environments.

Authentication strength that adapts to risk

ADSelfService Plus includes built-in conditional access that adjusts authentication requirements automatically based on context: IP address, geolocation, business hours, and device trust. The same risk-based logic applies across AD-governed access points and cloud applications alike, without a separate conditional access engine or additional licensing.

Define exactly which authentication method combinations satisfy access requirements for different user populations. Scope policies to specific AD OUs and groups for granular control that maps directly to your existing directory structure. Apply phishing-resistant authentication strengths to high-risk roles. Tighten requirements automatically when access originates from outside a trusted network.

Benefits of deploying phishing-resistant MFA with ADSelfService Plus

  • Defeat AiTM attacks by design: FIDO2-based authentication and certificate-based authentication are structurally immune to adversary-in-the-middle attacks. Authentication responses are cryptographically bound to the enrolled device and valid only for the specific session they were generated for; nothing is transmitted that can be intercepted or replayed.
  • Close the hybrid coverage gap: Extend phishing-resistant MFA to the AD workloads and access points your cloud identity provider doesn't reach, such as machine logins, VPNs, OWA, and on-premises resources, all without Azure AD join.
  • Enforce stronger authentication where it matters most: Granular policy control scoped to AD OUs and groups, as well as Entra ID domains and groups, means you're not choosing between blanket enforcement and no enforcement.
  • Deploy without lockout risk: ADSelfService Plus includes account-level safeguards that keep recovery access available throughout rollout. A misconfigured policy during deployment—even across complex hybrid AD environments—doesn't become an administrative lockout.
  • Meet compliance requirements across your full environment: NIST SP 800-63B, PCI DSS, HIPAA, and Zero Trust mandates require phishing-resistant MFA coverage across your environment, not just your cloud footprint. ADSelfService Plus satisfies those requirements for the AD infrastructure and on-premises workloads that cloud-only tools leave out.
  • Reduce authentication friction without reducing security: Contextual authentication with FIDO2 and passkeys is faster for users than OTPs or push notifications. Better security and a better sign-in experience aren't a tradeoff here.
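The FIDO2 description above and the "Defeat AiTM attacks by design" point both rest on the same mechanism: the authenticator signs a server-issued challenge together with the origin the browser is actually connected to, using a private key that never leaves the device, and the server accepts the response only if the challenge is the one it issued and the origin is its own. The following is an added example that walks through that mechanism; it is not ADSelfService Plus code and it simplifies the WebAuthn message layout (the RP ID hash stands in for the full authenticator data, and client data is reduced to challenge and origin). The relying party ID, origins and the relayed-page hostname are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed placeholder values; none come from a real deployment.
const (
	rpID        = "portal.example.com"
	rpOrigin    = "https://portal.example.com"
	proxyOrigin = "https://portal-example.com.evil.example" // a relayed page's origin, as the browser sees it
)
// assertion is the authenticator's reply. Challenge and Origin are filled in by the browser, not the user, and Sig covers both.
type assertion struct {
	Challenge, Origin string
	Sig               []byte
}
type authenticator struct{ key *ecdsa.PrivateKey } // the private key never leaves the device
type relyingParty struct { // server side: enrolled public key plus one live challenge
	pub         *ecdsa.PublicKey
	outstanding string
}

// signedData mirrors the WebAuthn layout: RP ID hash (standing in for authenticatorData) || client data hash, then hashed for ECDSA.
func signedData(challenge, origin string) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256([]byte(challenge + "|" + origin))
	digest := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return digest[:]
}

// enroll generates a device-bound key pair and registers only the public half with the RP.
func enroll() (*authenticator, *relyingParty, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &authenticator{key: key}, &relyingParty{pub: &key.PublicKey}, nil
}

// newChallenge issues a fresh random challenge that is good for one verification.
func (rp *relyingParty) newChallenge() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	rp.outstanding = fmt.Sprintf("%x", b)
	return rp.outstanding, nil
}

// sign is the authenticator side; origin is whatever the browser is really connected to.
func (a *authenticator) sign(challenge, origin string) (assertion, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedData(challenge, origin))
	return assertion{Challenge: challenge, Origin: origin, Sig: sig}, err
}

// verify consumes the outstanding challenge and accepts only if it matches, the origin is the RP's own, and the signature is valid.
func (rp *relyingParty) verify(a assertion) bool {
	challenge := rp.outstanding
	rp.outstanding = "" // single use: a captured assertion cannot be replayed
	if challenge == "" || a.Challenge != challenge || a.Origin != rpOrigin {
		return false
	}
	return ecdsa.VerifyASN1(rp.pub, signedData(a.Challenge, a.Origin), a.Sig)
}

// runLogin enrolls, has the authenticator sign the RP's challenge from the given origin and returns the verdict; with replay set, the same assertion is presented again.
func runLogin(origin string, replay bool) (bool, error) {
	auth, rp, err := enroll()
	if err != nil {
		return false, err
	}
	ch, err := rp.newChallenge()
	if err != nil {
		return false, err
	}
	a, err := auth.sign(ch, origin)
	if err != nil {
		return false, err
	}
	ok := rp.verify(a)
	if replay { // second presentation of the same assertion, as a stolen token would be
		ok = rp.verify(a)
	}
	return ok, nil
}

func main() {
	for _, c := range []struct {
		name, origin string
		replay       bool
	}{{"direct", rpOrigin, false}, {"AiTM relay", proxyOrigin, false}, {"replay", rpOrigin, true}} {
		ok, err := runLogin(c.origin, c.replay)
		fmt.Println(c.name, "accepted:", ok, err) // only "direct" is accepted
	}
}
```

The relayed case fails at the server because the browser, not the user, records the origin, so a page served from another host produces an assertion the real relying party rejects; the replay case fails because the challenge is single-use. In a real deployment the browser adds a further layer: it refuses to use a credential at all unless the RP ID is a registrable suffix of the page's domain, so the server-side origin check here is defence in depth rather than the only barrier.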
 

Highlights of ADSelfService Plus

Password self-service  

Unburden Windows AD users from lengthy help desk calls by empowering them with self-service password reset and account unlock capabilities.

Multi-factor authentication  

Enable context-based MFA with 20 different authentication factors for endpoint, application, VPN, OWA, and RDP logins.

One identity with single sign-on  

Get seamless one-click access to more than 100 cloud applications. With enterprise single sign-on (SSO), users can access all their cloud applications using their Windows AD credentials.

Password and account expiry notifications  

Notify Windows AD users of their impending password and account expiry via email and SMS notifications.

Password synchronization  

Synchronize Windows AD user passwords and account changes across multiple systems automatically, including Microsoft 365, Google Workspace, IBM iSeries, and more.

Password policy enforcer  

Strong passwords resist a wide range of password attacks. Require Windows AD users to set compliant passwords by displaying the password complexity requirements at the point of change.

 
