Security Beyond Passwordless Push, MFA, and Passkey (FIDO2)
"A very different cybersecurity reality demands more"
Securing enterprise and SME user access is quite different today from just a few years ago. As we move into 2026, passkeys and compliant MFA are finally taking hold across organizations of all sizes. But stronger authentication is changing attacker economics. With credentials better protected or absent altogether, adversaries are shifting to a more profitable target: the authenticated session itself. For both enterprises and SMEs, the new front line in the cybersecurity war is protecting the session.
Continuous Authentication's Time is Now
Combating the attacker shift to targeting the session means adding the equivalent of user authentication to the session itself—authentication reevaluated and affirmed continuously, from login to logout, keeping the session secure every step of the way.
An excellent example of this need is the OAuth Consent Phishing attack outlined below. This attack remains fully effective whether an organization uses Passwordless Push, MFA, Passkey, or FIDO2, and it is exceptionally difficult to detect or mitigate. The attacker's objective is straightforward: hijack the session by redirecting the OAuth authorization flow to themselves.
OAuth Consent Phishing: A Step-by-Step Attack
- Attacker sends a convincing phishing email: "Review this urgent document," with a link to www.rnicrosoft.corn. Note the subtle substitution—.corn not .com.
- User clicks and sees a real Microsoft login page: This page is not fake. The user is redirected to the legitimate Microsoft.com domain for authentication. The passkey ceremony happens on the real site.
- User authenticates with passkey: Everything appears normal. Face ID or fingerprint verification proceeds without warnings—because the user is genuinely authenticating to Microsoft.
- Microsoft displays a consent screen: The prompt looks legitimate, because it is.
- Microsoft sends the authorization code to the attacker: Since the login was initiated from the attacker's phishing link, the OAuth flow redirects the valid authorization code directly to the attacker.
- The attacker now has full session control: With this token, the attacker can access email, files, cloud resources, AI agents, industrial control systems, or sensitive corporate data—whatever the user was granted permission to access.
Critical takeaway: The user followed all best practices. They used a passkey—the strongest no-cost authentication method available. They authenticated to the real Microsoft.com. The passkey ceremony worked exactly as designed. Yet the attacker succeeded. Intercepting the authorization code was unnecessary; it was delivered directly to them.
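A defender-side check for the look-alike link in the first step above, added here as an example that is not part of the original page: it normalises visually confusable character runs (rn reads as m, so .corn reads as .com) and flags links whose registrable domain collapses to a trusted identity-provider domain. The allowlist, the confusable table and the sample links are constructed assumptions.

```python
from urllib.parse import urlsplit

# Identity-provider domains the organisation trusts (assumed allowlist; extend as needed)
TRUSTED_DOMAINS = {"microsoft.com", "login.microsoftonline.com", "google.com"}

# Character sequences that imitate another glyph in common fonts ("rn" reads as "m",
# so ".corn" reads as ".com"); both sides of every comparison are normalised with these.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def skeleton(name: str) -> str:
    """Collapse confusable sequences so visually similar names compare equal."""
    s = name.lower().strip(".")
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s

def registrable(host: str) -> str:
    """Last two labels of a host; enough for the constructed sample, not a full PSL lookup."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host a link points at."""
    host = urlsplit(url if "://" in url else "https://" + url).hostname or ""
    if host in TRUSTED_DOMAINS or registrable(host) in TRUSTED_DOMAINS:
        return "trusted"
    skel = skeleton(registrable(host))
    trusted_skeletons = {skeleton(registrable(t)) for t in TRUSTED_DOMAINS}
    # Also catch a trusted name buried as a prefix of a longer host (microsoft.com.evil.example)
    buried = any(skeleton(host).startswith(skeleton(t) + ".") for t in TRUSTED_DOMAINS)
    return "lookalike" if skel in trusted_skeletons or buried else "unknown"

def flag_links(urls):
    """Return the (url, verdict) pairs that are not trusted, for analyst review."""
    return [(u, classify_url(u)) for u in urls if classify_url(u) != "trusted"]

# Constructed sample links of the kind found in mail bodies or consent-grant audit logs
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=CLIENT_ID_PLACEHOLDER",
    "www.rnicrosoft.corn/review-document",
    "https://microsoft.com.evil.example/login",
    "https://docs.example.org/policy.pdf",
]

if __name__ == "__main__":
    for url, verdict in flag_links(SAMPLE_LINKS):
        print(f"{verdict:9} {url}")
```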
The Impact and Reason for Concern
Two equally critical risks must concern management and owners of every business or enterprise with remote online users:
- Phishing resistance relies heavily on user training—yet even trained users remain 2–5% vulnerable.
- OAuth 2 is the weak link, with little or no possibility of a fix in the near term.
OAuth consent attack opportunities are extensive. An estimated 58% of all user-initiated authentication incorporates OAuth:
- Billions of OAuth-based OIDC authentications occurring daily are subjected to this low-effort, high-return attack.
- Enterprise use is estimated at 70–95% of all authentications.
- Social sign-in ("Login with Google/Facebook") or token-based APIs account for 50–80% of service provider logins.
- Commercial AI Agent authentication dependencies are estimated at 40–80%.
Options to combat OAuth consent phishing attacks are few, and without continuous monitoring their results are marginal: incorporate Continuous Authentication, enhance user training, or adopt a Zero Trust posture. The first is by far the most effective.
Continuous Monitoring and Diagnostics (CDM)
CDM is a core concept of Zero Trust Architecture (ZTA) introduced by NIST. It is described as a set of processes used to discover and understand the basic components and actors in an organization's IT infrastructure. A brief list of CDM metrics directly relevant to session security includes:
- Proximity metrics — evidence that the authenticated user remains in close physical proximity to the access device (secure BLE/UWB presence assertions, signal continuity, triangulated distance bounds).*
- User interaction continuity metrics — indicators of active, human-driven engagement consistent with prior authenticated behavior (input cadence, gesture continuity, session liveness signals).
- Device binding metrics — confirmation that the same bound authenticator device continues to participate in the session (cryptographic session binding, device identifiers, key continuity).*
- Device integrity and posture metrics — runtime attestation signals indicating the device remains in a trusted state (OS integrity, jailbreak/root detection, policy compliance).
- Environmental consistency metrics — corroborating context signals that detect anomalous changes (network characteristics; coarse 3D location drift, including vertical displacement within a building).
- Session continuity metrics — timing, sequence, and entropy indicators that detect session interruption, replay, or hijack attempts.
- Risk and anomaly indicators — deviations from established baselines (unexpected device role changes, proximity loss during sensitive operations).
* Not available when using Passwordless Push or synced Passkey (FIDO2) authentication.
Continuous Authentication (CA)
CA is a focused variant of CDM. User authentication is a point-in-time assertion of identity using a phishing-resistant authenticator. Continuous Authentication provides ongoing assurance of user presence and session trust through continuous evaluation throughout the session lifecycle.
Continuous authentication extends the authentication ceremony to the whole of the resulting session. The metric processes of CA run on the devices the user employs—typically an access device (laptop) and an authenticator device (the user's cell phone).
CA as an extension of user authentication may begin following completion of the authentication ceremony. This is not optimal—one activity beginning once its predecessor completes leaves a gap of vulnerability. It is better to transition seamlessly by starting CA at the first sign of user intent to log in. An OpenID Connect (OIDC) provider service is the ideal place to detect this intent, initiate the CA process, and close that gap entirely.
CA metrics are delivered to a Policy Decision Point (PDP) for policy-based evaluation and decision-making: maintain, elevate, restrict, or end the authenticated session. PDP outputs are then sent to Policy Enforcement Points (PEP) where they are applied.
Production of Continuous Authentication Metrics
Metric origination occurs on a device in the user's possession—typically a cell phone—and by an access device service (a laptop, for example), with the metrics of each securely transmitted to a cloud-based PDP for continuous evaluation.
Triadic trust networks between these endpoints insulate CA from adversary-in-the-middle (AiTM) attacks, in a manner analogous to Google's CaBLE model for authentication. A focused set of metrics well suited to implementing CA includes:
- Behavioral metrics derived from cell phone sensors—learned and evaluated using AI-based models capable of distinguishing user-specific patterns from anomalous activity. These may include facial or fingerprint biometrics and 3-axis device orientation and movement at well-understood usage points such as login/logout, PIN code entry, and mobility.
- 3D Location metrics evaluated relative to a three-dimensional reference point established at the time of authentication — latitude, longitude, and barometric altitude — rather than as absolute geolocation signals. This 3D geofence distinguishes floor-level position within a building, not just lateral proximity to an address. A person on floor 12 who moves to floor 3 registers a location anomaly; 2D geofencing would not detect this.
- Authentication aging measured relative to the most recent successful multi-factor identity verification event.
- Passive proximity metrics reflecting detection and recognition of the access device in proximity to the authentication device, commonly via Bluetooth-based signaling.
- Active proximity metrics jointly developed by the cell phone app and access device service. The service requests the app to begin Bluetooth advertising a service-provided token; the metric is the result of detecting and verifying the advertised token.
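As an added example (not from the page and not AffirmedID's code), a minimal Policy Decision Point that scores the metric set listed above and returns the maintain/elevate/restrict/end decision described under Continuous Authentication, including the floor-level 3D geofence check. The metric schema, thresholds and decision rules are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

@dataclass
class Reference:   # 3D anchor captured at the authentication ceremony (assumed schema)
    lat: float
    lon: float
    alt_m: float        # barometric altitude, metres
    auth_time: float    # epoch seconds of the last successful MFA event

@dataclass
class Sample:      # one metric report from the phone app and access-device service (assumed)
    lat: float
    lon: float
    alt_m: float
    now: float
    proximity_rssi: Optional[int]   # passive BLE signal; None if the access device is not heard
    token_verified: bool            # active proximity: advertised token detected and verified
    device_bound: bool              # same bound authenticator still participating
    behaviour_score: float          # 0..1 from the sensor-behaviour model, 1 = matches user

def horizontal_m(ref, s):
    """Equirectangular distance; adequate for a geofence of tens of metres."""
    x = math.radians(s.lon - ref.lon) * math.cos(math.radians((ref.lat + s.lat) / 2))
    y = math.radians(s.lat - ref.lat)
    return 6371000.0 * math.hypot(x, y)

def decide(ref, s, radius_m=50.0, floor_m=3.0, max_age_s=8 * 3600, rssi_floor=-80):
    """PDP evaluation: (maintain|elevate|restrict|end, reasons). Thresholds are assumptions."""
    if not s.device_bound:
        return "end", ["device binding lost"]
    reasons = []
    if not s.token_verified and (s.proximity_rssi is None or s.proximity_rssi < rssi_floor):
        reasons.append("proximity lost")
    if horizontal_m(ref, s) > radius_m:
        reasons.append("lateral drift")
    if abs(s.alt_m - ref.alt_m) > floor_m:        # a floor change shows up here, not in 2D
        reasons.append("vertical drift")
    if s.now - ref.auth_time > max_age_s:
        reasons.append("authentication aged out")
    if s.behaviour_score < 0.5:
        reasons.append("behaviour anomaly")
    if not reasons:
        return "maintain", reasons
    if "proximity lost" in reasons and ("lateral drift" in reasons or "vertical drift" in reasons):
        return "end", reasons                     # user and device have parted: end the session
    if "proximity lost" in reasons or "behaviour anomaly" in reasons:
        return "restrict", reasons                # keep the session but block sensitive operations
    return "elevate", reasons                     # step up: re-run the MFA ceremony
```

The PEP would map these outputs to its own actions; a floor change of roughly 30 m with the phone still in range yields "elevate", while proximity loss combined with location drift ends the session.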
The Importance of Device Proximity
Absentee authentication occurs when the user is not in physical proximity to the access device yet is allowed to perform successful authentications. When there is a separation—even briefly—there is no user verification, only performance of the ceremony. The result: a gap through which attacks such as OAuth consent phishing succeed.
Surprisingly, modern authentication frameworks such as Passkey with its cloud-synced private keys, and Passwordless Push, enable these high-risk behaviors. Where absentee authentication is unavoidable, Continuous Authentication becomes a requirement. Well-orchestrated CA neutralizes this risk, allowing continued use of preferred authentication methods.
References
- Justia Patents, "Authentication method and system by use of triad network", Patent 10219154, 11/08/2016
- Kumar, Yaswanth, "IAM Protocols Demystified", 09/24/2025
- Van Goethem, Tom et al., "Evaluation on the privacy of OAuth authentication", Proceedings on Privacy Enhancing Technologies, 2023
- Stytch, "Agent-to-agent OAuth: a guide for secure AI agent connectivity with MCP", 08/18/2025
- NIST, "NIST SP 800-63B-4", 08/01/2025
- NIST, "NIST SP 800-171 Rev. 3", 05/01/2024
- NIST, "NIST SP 800-207 Zero Trust Architecture", 08/01/2020
- OpenID Foundation, "OpenID Connect", 12/24/2024
- OASIS Open, "eXtensible Access Control Markup Language", 01/23/2017
- FIDO Alliance et al., "FIDO specifications and WebAuthn", 01/12/2025
- Sjouwerman, Stu, "KnowBe4 Report Reveals Security Training Reduces Global Phishing Click Rates by 86%", 05/13/2025
- Google LLC et al., "CaBLE: Cloud Assisted Bluetooth LE", 01/05/2022
Ready to Learn More About Continuous Authentication?
Request a demo to experience firsthand how AffirmedID Pulse adds CA to your Passkey ceremony.
- AffirmedID Pulse — a privacy-compliant Continuous Authentication app and cloud service for integration with Passkey, FIDO2, and Passwordless Push.
- AffirmedID Sentinel — a continuous active proximity detection and reporting service for Windows, macOS, and Linux access devices.
- AffirmedID Connect — an OpenID Connect (OIDC) provider cloud service with integrated Policy Enforcement Point (PEP).
- AffirmedID Auth — an AAL3-compliant alternative Passkey (FIDO2) app for Android and iOS devices.