Why is SMS or TOTP-based MFA considered weaker than passkeys, and what makes an authentication factor phishing-resistant?

technical-conceptual · Mid level · cloud-devops-security

What the interviewer is really asking

Test current authentication knowledge — understanding that shared-secret MFA is phishable via adversary-in-the-middle, and what property of FIDO2/WebAuthn (origin binding, key never leaving the device) actually defeats phishing.

What to say

What to avoid

Example answers

Strong: After a phishing campaign captured an engineer's TOTP through an AitM proxy and got a short-lived session, we moved all admin and production access to WebAuthn passkeys on hardware keys. Because the passkey signs a challenge bound to our real domain and the private key never leaves the key, the same proxy attack now fails — the look-alike origin can't get a usable signature. We kept TOTP as the fallback for low-risk apps and killed SMS as a factor entirely.

Weak: SMS codes are fine for MFA because the attacker would also need the user's password, and two factors is enough.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.