Your company is designing a secure access strategy for a SaaS application that supports SAML 2.0. You need to enforce phishing-resistant authentication. Which THREE of the following methods meet the requirement?
Phishing-resistant hardware-based authentication.
Why this answer
FIDO2 security keys (Option B) are phishing-resistant because they use public-key cryptography and are bound to a specific web origin, preventing credential reuse on fake sites. The WebAuthn protocol ensures the private key never leaves the device, and the hardware key provides strong multi-factor authentication that cannot be intercepted or relayed.
Exam trap
The trap here is that candidates often confuse 'multi-factor' with 'phishing-resistant,' assuming any second factor (like push notifications or SMS) is sufficient, but only FIDO2, passkeys, and certificate-based authentication meet the strict definition of phishing resistance per NIST AAL3.