An enterprise is deploying a multi-factor authentication (MFA) solution. The security team requires a factor that is resistant to phishing and does not rely on shared secrets. Which of the following MFA types BEST meets this requirement?
FIDO2/WebAuthn (for example, a hardware security key): it uses public-key cryptography, so no shared secret is stored on the server, and its credentials are bound to the origin, which makes it phishing-resistant.
Why this answer
FIDO2/WebAuthn uses public-key cryptography: the private key never leaves the authenticator, and the server holds only the public key, so a database breach yields nothing an attacker can replay. The protocol is phishing-resistant because the browser, not the web page, records the origin it is talking to in the client data, and the authenticator signs over that client data together with a hash of the relying-party ID. An assertion collected on a look-alike domain therefore fails verification at the real site. TOTP/HOTP rely on a shared secret provisioned to both the server and the user's app, and the resulting one-time code can be captured and relayed through a phishing proxy in real time. Hardware tokens such as a YubiKey can implement FIDO2.
Biometrics count as an inherence factor, but on their own they provide no origin binding; in FIDO2 deployments they typically serve only to unlock the device-bound private key, and it is the signed, origin-bound assertion that resists phishing.
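The following is an added illustration, not code from the FIDO Alliance or any WebAuthn library, of why the origin-bound assertion described above survives a phishing relay while a TOTP code does not. It mirrors the WebAuthn assertion structure (the authenticator signs authenticatorData, which starts with SHA-256 of the RP ID, concatenated with SHA-256 of clientDataJSON, which carries the origin the browser observed), but the signature itself is a textbook RSA toy with fixed Mersenne primes standing in for the authenticator's real ES256 key; the domains, challenge string and TOTP seed are constructed values.

```python
"""Origin binding (WebAuthn) vs. a relayed shared-secret code (TOTP).

Added example, not from any FIDO library. The RSA below is a deliberately
small textbook stand-in for the authenticator's asymmetric key: fixed primes,
no padding, hash truncated to 128 bits so it is smaller than the modulus.
"""
import hashlib
import hmac
import json
import struct

# --- toy asymmetric signature (assumption: stand-in for ES256; NOT secure) ---
P, Q = (1 << 61) - 1, (1 << 89) - 1        # both Mersenne primes
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent stays on the "authenticator"

def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")

def toy_sign(priv_d: int, data: bytes) -> int:
    return pow(_digest_int(data), priv_d, N)

def toy_verify(pub_e: int, data: bytes, sig: int) -> bool:
    return pow(sig, pub_e, N) == _digest_int(data)

# --- browser + authenticator side ---
def make_assertion(priv_d: int, rp_id: str, browser_origin: str, challenge: str) -> dict:
    # The browser, not the page's JavaScript, writes the origin it actually loaded.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True).encode()
    # authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || 32-bit counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + struct.pack(">I", 1)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return {"clientDataJSON": client_data, "authenticatorData": auth_data,
            "signature": toy_sign(priv_d, signed)}

# --- relying party side ---
def verify_assertion(pub_e: int, assertion: dict, rp_id: str, origin: str, challenge: str):
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "bad type or challenge"
    if cd.get("origin") != origin:               # origin binding: a phishing page fails here
        return False, "origin mismatch"
    ad = assertion["authenticatorData"]
    if ad[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not ad[32] & 0x01:
        return False, "user-presence flag not set"
    signed = ad + hashlib.sha256(assertion["clientDataJSON"]).digest()
    if not toy_verify(pub_e, signed, assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

# --- TOTP (RFC 6238, HMAC-SHA1) for contrast: server and app share the seed ---
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"

def totp_relay_demo(secret: bytes, unix_time: int) -> bool:
    # Victim types the code into the phishing page; the proxy forwards it unchanged.
    code_typed_on_phishing_page = totp(secret, unix_time)
    relayed_to_real_site = code_typed_on_phishing_page
    return hmac.compare_digest(relayed_to_real_site, totp(secret, unix_time))  # True: RP cannot tell

def demo() -> dict:
    challenge = "c29tZS1yYW5kb20tY2hhbGxlbmdl"          # constructed; a real RP uses random bytes
    rp, origin = "example.com", "https://example.com"   # constructed relying party
    legit = make_assertion(D, rp, origin, challenge)
    # Phishing proxy relays the real challenge, but the victim's browser is on the
    # attacker's domain, so it records that origin and (since an RP ID must match the
    # origin's registrable domain) can only use the attacker's RP ID.
    phished = make_assertion(D, "evil.test", "https://evil.test", challenge)
    return {
        "legit": verify_assertion(E, legit, rp, origin, challenge),
        "phished": verify_assertion(E, phished, rp, origin, challenge),
        "totp_relay": totp_relay_demo(b"12345678901234567890", 59),  # RFC 6238 test seed
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The legitimate assertion verifies, the relayed one is rejected at the origin check before the signature is even examined, and the relayed TOTP code is accepted because the relying party has nothing but the same shared secret to compare against. In a real browser the attacker could not even request a credential for `example.com` from `evil.test`, so the rpIdHash check would fail as well; the point is that the user's correct behaviour does not matter, the binding is enforced by the client and checked by the server.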