Multi-factor authentication was sold as the cure for phishing, and for a while it was. Then real-time proxy phishing, push-bombing, and SIM swaps caught up. The 2022 breaches at Twilio and Uber — and the Cloudflare attack that failed — were the field test. A threat-model walk through why only origin-bound MFA survives, and how to deploy it.
Webauthn
-
Phishing-Resistant MFA: Why Everything Short of FIDO2 Is Living on Borrowed Time -
Passkeys and FIDO2 Explained Passkeys are the closest thing to a real password replacement the industry has ever shipped, and they finally hit broad consumer rollout in 2024-2026. We walk what a passkey actually is under the hood, the WebAuthn and CTAP protocol stack, the sync model that initially scared security professionals, platform versus roaming authenticators, and the honest case for moving off passwords.
-
Passkeys and WebAuthn in Practice: A Developer's Complete Guide A ground-up technical walkthrough of WebAuthn and passkeys — how the cryptography actually works, the registration and authentication ceremonies in detail, a working SimpleWebAuthn implementation, attestation demystified, fallback strategy, and the UX traps that derail production deployments.