How phishing-resistant authentication *actually* stops attacks

OVERVIEW

Phishing toolkits like Evilginx are now commonplace in red-teaming exercises, making it easy to simulate real-world phishing scenarios. But when these attacks run up against phishing-resistant authentication, the failure, while desired, is often not well understood. Perhaps we nod and say “of course it failed – there’s a keypair!”, but what actually happened under the hood?

In this session we’ll explore what makes phishing-resistant authentication, well, phishing-resistant. We’ll first walk through a successful authentication flow against Entra ID, stepping through the protocol exchanges and the cryptographic components involved. Then we’ll launch Evilginx, walk through a phishing scenario, and analyze why authentication breaks – not just that it does. This talk will help defenders and security practitioners understand the inner workings of phishing-resistant authentication, reinforcing why it’s so difficult to bypass and why organizations must prioritize its adoption.
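The abstract promises to show why authentication breaks under an adversary-in-the-middle proxy rather than just that it does. The following is an added illustration, not material from the talk or the speaker: a toy model of the origin-binding checks in a WebAuthn/FIDO2-style sign-in (the assumption here is that the phishing-resistant method against Entra ID is WebAuthn-based). The relying-party ID, origins and lookalike host are constructed sample values, and an HMAC keyed with a per-credential secret stands in for the authenticator's asymmetric signature; the origin and rpIdHash logic that defeats the proxy is the same either way.

```python
# Added example (not from the talk): why an AitM proxy cannot relay a
# WebAuthn-style assertion. RP_ID, the origins and the lookalike host are
# constructed values; the HMAC is a labelled stand-in for the real keypair.
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.test"                          # constructed relying-party ID
LEGIT_ORIGIN = "https://login.example.test"           # the real sign-in page
PROXY_ORIGIN = "https://login.example-lookalike.test" # constructed AitM (Evilginx-style) host


def register_credential() -> dict:
    """Credential created at registration, scoped to RP_ID. A real
    authenticator keeps a private key and gives the RP the public key;
    here one shared secret stands in for the pair (stand-in, not WebAuthn)."""
    return {"id": secrets.token_hex(8), "key": secrets.token_bytes(32), "rp_id": RP_ID}


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """Browser rule: the requested rpId must equal the page's host or be a
    registrable parent domain of it. A lookalike host never satisfies this."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)


def browser_get_assertion(origin: str, rp_id: str, challenge: str, cred: dict) -> dict:
    """Model of navigator.credentials.get(): refuse unless rpId fits the page
    origin, then sign rpIdHash || SHA-256(clientDataJSON). The browser writes
    the origin it is really on into clientDataJSON; page script (and therefore
    a proxy feeding the page) cannot choose that value."""
    if not rp_id_valid_for_origin(rp_id, origin):
        raise PermissionError(f"rpId {rp_id!r} is not valid for origin {origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()            # rpIdHash
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred["key"], to_sign, hashlib.sha256).digest()  # stand-in signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def rp_verify(cred: dict, expected_challenge: str, assertion: dict) -> str:
    """Relying-party checks, in the order the WebAuthn spec lists them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get":
        return "reject: type"
    if cd.get("challenge") != expected_challenge:
        return "reject: challenge mismatch (replay)"
    if cd.get("origin") != LEGIT_ORIGIN:
        return f"reject: origin mismatch ({cd.get('origin')})"
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    to_sign = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred["key"], to_sign, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return "reject: bad signature"
    return "accept"


def legitimate_login() -> str:
    """User signs in on the real origin: every check passes."""
    cred = register_credential()
    challenge = secrets.token_urlsafe(32)              # issued by the RP
    assertion = browser_get_assertion(LEGIT_ORIGIN, RP_ID, challenge, cred)
    return rp_verify(cred, challenge, assertion)


def proxied_login_relayed_options() -> str:
    """Proxy relays the genuine challenge and rpId to a victim whose browser
    is on PROXY_ORIGIN: the browser refuses before the authenticator is used."""
    cred = register_credential()
    challenge = secrets.token_urlsafe(32)
    try:
        browser_get_assertion(PROXY_ORIGIN, RP_ID, challenge, cred)
    except PermissionError as e:
        return f"browser refused: {e}"
    return "unexpected: browser produced an assertion"


def proxied_login_rewritten_rpid() -> str:
    """Proxy rewrites rpId to its own host so the browser proceeds. Even
    granting the authenticator a credential for that host (it would not have
    one), the assertion is bound to the proxy's origin and the RP rejects it."""
    cred = register_credential()
    challenge = secrets.token_urlsafe(32)
    proxy_rp_id = PROXY_ORIGIN.split("://", 1)[1]
    assertion = browser_get_assertion(PROXY_ORIGIN, proxy_rp_id, challenge, cred)
    return rp_verify(cred, challenge, assertion)       # forwarded to the real RP


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("relayed options:", proxied_login_relayed_options())
    print("rewritten rpId:", proxied_login_rewritten_rpid())
```

The two proxy paths show the two layers of the defence: the browser's rpId-to-origin rule stops the relayed request before any signing happens, and if the proxy instead requests its own rpId, the origin inside the signed clientDataJSON (and the rpIdHash) no longer match what the relying party expects. Neither outcome depends on the user noticing anything about the URL, which is what distinguishes this from OTP or push-based MFA.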

Presented By


ERIC WOODRUFF

Chief Identity Architect, Semperis