Federal Zero Trust

Phishing-Resistant MFA

Multi-factor authentication in which the authenticator's output is cryptographically bound to the verifier it was produced for, so an attacker who lures the user to a look-alike site gets nothing that works against the real one: no reusable secret to capture and no assertion that can be relayed. CISA names FIDO2/WebAuthn and PKI-based authentication such as PIV/CAC smart cards as the gold-standard mechanisms. OMB Memorandum M-22-09 requires phishing-resistant MFA for federal civilian executive branch agency staff, contractors, and partners, and directs agencies to discontinue support for authentication methods that fail to resist phishing, such as codes delivered by SMS or voice call, one-time codes generally, and push notifications. Number matching on push prompts blunts push-bombing but does not make push phishing-resistant; CISA treats it as an interim mitigation on the way to FIDO or PKI, not as a destination. The bar moves from "MFA exists" to "MFA an attacker cannot phish."
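Why FIDO2/WebAuthn resists phishing "by protocol design" is easier to see from the server-side checks than from the definition. The following is an added example, not code from this page or from any CISA or OMB publication: a toy authenticator and relying party (the hostnames bank.example and evil.example and the credential id are hypothetical) that walks a real login, a replay of the same assertion, and an adversary-in-the-middle relay. An HMAC stands in for the device's ECDSA/EdDSA signature so the block runs on the standard library; what is signed, and what the relying party checks, is what confers the phishing resistance.

```python
import hashlib
import hmac
import json
import secrets
import struct

RP_ID = "bank.example"  # hypothetical relying party
ALLOWED_ORIGINS = {"https://bank.example", "https://www.bank.example"}


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Toy FIDO2 authenticator. The HMAC over
    authenticatorData || SHA-256(clientDataJSON) stands in for the real
    private-key signature; what gets signed is the point, not the cipher."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)  # never leaves the device
        self.sign_count = 0

    def verification_key(self) -> bytes:
        return self._key  # a real RP would store the public half instead

    def get_assertion(self, rp_id: str, origin: str, challenge: str) -> dict:
        # The browser builds clientDataJSON from the origin it actually loaded
        # the page from; page script cannot claim to be another site.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            separators=(",", ":")).encode()
        self.sign_count += 1
        flags = 0x01  # UP: user presence confirmed by a touch
        auth_data = sha256(rp_id.encode()) + bytes([flags]) + struct.pack(">I", self.sign_count)
        sig = hmac.new(self._key, auth_data + sha256(client_data), hashlib.sha256).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    """Server-side verification of an assertion, in spec order."""

    def __init__(self, rp_id: str, allowed_origins: set) -> None:
        self.rp_id = rp_id
        self.allowed_origins = allowed_origins
        self.pending = set()    # challenges issued and not yet consumed
        self.credentials = {}   # credential id -> (key, last signCount)

    def register(self, cred_id: str, key: bytes) -> None:
        self.credentials[cred_id] = (key, 0)

    def begin_login(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def finish_login(self, cred_id: str, assertion: dict):
        """Return (accepted, reason)."""
        if cred_id not in self.credentials:
            return False, "unknown credential"
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        challenge = cd.get("challenge")
        if challenge not in self.pending:
            return False, "unknown or reused challenge"
        # Origin binding: a look-alike site yields an assertion naming itself.
        if cd.get("origin") not in self.allowed_origins:
            return False, "origin %s not allowed" % cd.get("origin")
        auth_data = assertion["authenticatorData"]
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user presence not asserted"
        count = struct.unpack(">I", auth_data[33:37])[0]
        key, last_count = self.credentials[cred_id]
        expected = hmac.new(key, auth_data + sha256(assertion["clientDataJSON"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return False, "bad signature"
        if count <= last_count:
            return False, "signCount did not increase (cloned authenticator?)"
        self.pending.discard(challenge)  # one use per challenge
        self.credentials[cred_id] = (key, count)
        return True, "ok"


def demo() -> dict:
    """A real login, a replay of it, and an adversary-in-the-middle relay."""
    device = Authenticator()
    rp = RelyingParty(RP_ID, ALLOWED_ORIGINS)
    rp.register("cred-1", device.verification_key())

    challenge = rp.begin_login()
    assertion = device.get_assertion(RP_ID, "https://bank.example", challenge)
    legit = rp.finish_login("cred-1", assertion)
    replay = rp.finish_login("cred-1", assertion)  # same bytes sent again

    # AitM: the proxy fetches a fresh challenge from the real RP and feeds it to
    # the victim on evil.example. The victim's browser can only bind the ceremony
    # to the site it is on, so the relayed assertion is rejected.
    relayed = rp.begin_login()
    phished = device.get_assertion("evil.example", "https://evil.example", relayed)
    relay = rp.finish_login("cred-1", phished)
    return {"legit": legit, "replay": replay, "relay": relay}


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print("%-6s %s  %s" % (name, "ACCEPT" if ok else "REJECT", why))
```

Contrast this with an SMS or push factor: nothing in a six-digit code or an "Approve?" prompt names the site the user is looking at, so the same proxy that fails here simply forwards the code and wins. A real browser would not even let evil.example request a credential scoped to bank.example; the origin and rpIdHash checks shown above are the server's independent enforcement of the same rule.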

The Authority Brief

One compliance analysis per week from Josef Kamara, CPA, CISSP, CISA. Federal and private compliance, written for practitioners.