Interactive security checklist

Phishing-Resistant MFA Readiness Checker

Score MFA maturity across SMS risk, app-based MFA, passkeys, FIDO2/WebAuthn, admin protection, recovery flows, legacy protocols, monitoring, and human-risk controls.

Focus areas: Passkeys / FIDO2, Admin protection, Recovery flows, Legacy protocol risk

Coverage

Who and what is protected by MFA, including workforce, critical apps, contractors, and exception handling.

How much of your workforce is required to use MFA?

Include employees, contractors, remote users, and business-critical SaaS users.

Where is MFA enforced?

Attackers often target email, VPN, SaaS, admin portals, and the identity provider itself.

Are contractors, vendors, and third-party administrators included?

External users can become weak access paths if they are exempt from strong identity controls.

Are MFA exceptions formally approved and time limited?

Permanent exceptions, shared accounts, and unreviewed bypass groups are common MFA failure points.

Method Strength

How resistant your authentication methods are to phishing, push fatigue, credential theft, and real-time proxy attacks.

What is your strongest commonly used MFA method?

Choose the strongest method most protected users actually use, not only a method enabled in settings.

How far have passkeys or FIDO2/WebAuthn been rolled out?

Phishing-resistant methods use cryptographic authentication that resists fake login pages and replay attacks.

If push MFA is used, are anti-fatigue controls enabled?

Number matching, context display, rate limits, and suspicious prompt reporting reduce push-bombing risk.

Do high-risk users have hardware-backed or device-bound authenticators?

Examples include FIDO2 security keys, smart cards, Windows Hello for Business, platform credentials, or managed passkeys.

Admin Protection

Whether privileged users, emergency accounts, and sensitive sessions receive stronger authentication controls.

Are administrator accounts protected with phishing-resistant MFA?

Privileged identity compromise can defeat many downstream controls.

Are break-glass accounts protected and monitored?

Emergency accounts need strong protection, strict ownership, and alerting without blocking recovery during a real outage.

Is privileged access managed with session and approval controls?

Strong MFA should be paired with least privilege, just-in-time access, approvals, and privileged session controls.

Do sensitive actions require step-up or risk-based authentication?

Examples include impossible travel, new device, high-risk sign-in, admin console access, and financial workflow approval.

Recovery & Enrollment

How safely users register, reset, replace, and recover authenticators without creating a help-desk bypass risk.

How secure is authenticator enrollment?

Weak first-time enrollment can let an attacker register their own authenticator after stealing a password.

How are MFA resets and recovery requests verified?

Attackers often target help desks, recovery flows, and fallback channels instead of the primary MFA method.

Do users have safe backup authenticators?

Backup methods reduce lockouts but should not downgrade users to weak SMS, voice, or help-desk shortcuts.

Are lost devices, offboarding, and authenticator changes handled quickly?

Authenticator lifecycle controls should remove old devices, revoke sessions, and respond quickly to employment or device changes.

Legacy Exposure

Whether old protocols, unmanaged service accounts, token weaknesses, and logging gaps create MFA bypass paths.

Are legacy authentication protocols blocked?

Legacy mail, basic auth, old VPN, and older protocols may bypass MFA entirely.

Are service accounts and automation accounts controlled?

Non-human accounts often cannot use MFA, so they need least privilege, secret rotation, workload identity, or stronger compensating controls.

Are sessions, refresh tokens, and unmanaged devices controlled?

Strong login controls can still fail if attackers steal sessions or use unmanaged devices without reauthentication.

Are MFA events logged and alertable?

Monitor failed prompts, suspicious resets, new authenticator registration, impossible travel, and admin sign-ins.
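Two of the monitoring items above, denied-prompt bursts (push bombing) and a help-desk reset followed by a new authenticator, turned into detection logic. This is an added example, not code from the checker; the log format, field names, thresholds and every log line are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data): "timestamp user event key=value".
SAMPLE_LOG = """\
2024-05-01T08:00:01Z alice push_denied ip=203.0.113.7
2024-05-01T08:00:09Z alice push_denied ip=203.0.113.7
2024-05-01T08:00:20Z alice push_denied ip=203.0.113.7
2024-05-01T08:00:45Z alice push_approved ip=203.0.113.7
2024-05-01T09:10:00Z bob mfa_reset channel=helpdesk
2024-05-01T09:14:30Z bob authenticator_registered type=sms
2024-05-01T10:00:00Z carol authenticator_registered type=fido2
2024-05-01T11:00:00Z dave push_denied ip=198.51.100.5
"""

# Assumed thresholds; tune to your environment's normal prompt and reset volume.
PUSH_BOMB_THRESHOLD = 3                  # denied prompts per user ...
PUSH_BOMB_WINDOW = timedelta(minutes=2)  # ... inside this sliding window
RESET_REG_WINDOW = timedelta(hours=1)    # reset followed by a new authenticator

def parse_events(text):
    """Parse the constructed log lines into (timestamp, user, event, attrs)."""
    events = []
    for line in text.splitlines():
        ts, user, event, detail = line.split(" ", 3)
        attrs = dict(kv.split("=", 1) for kv in detail.split())
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, attrs))
    return events

def detect_push_bombing(events):
    """Users who denied >= PUSH_BOMB_THRESHOLD prompts within PUSH_BOMB_WINDOW.
    A later approval does not clear the alert: that is the fatigue success case."""
    recent, alerted = defaultdict(list), []
    for ts, user, event, _ in events:
        if event != "push_denied":
            continue
        recent[user] = [t for t in recent[user] if ts - t <= PUSH_BOMB_WINDOW] + [ts]
        if len(recent[user]) >= PUSH_BOMB_THRESHOLD and user not in alerted:
            alerted.append(user)
    return alerted

def detect_reset_then_register(events):
    """(user, authenticator type) when a help-desk reset is followed within
    RESET_REG_WINDOW by a new authenticator: the recovery-flow takeover pattern."""
    last_reset, alerts = {}, []
    for ts, user, event, attrs in events:
        if event == "mfa_reset":
            last_reset[user] = ts
        elif event == "authenticator_registered" and user in last_reset \
                and ts - last_reset[user] <= RESET_REG_WINDOW:
            alerts.append((user, attrs.get("type")))
    return alerts
```

Run against `parse_events(SAMPLE_LOG)`, the push-bombing rule flags only alice (dave's single denial is below threshold) and the reset rule flags bob's SMS registration, while carol's FIDO2 enrolment with no preceding reset stays quiet.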

Governance & Human Risk

Policies, metrics, training, testing, and ownership that keep MFA controls effective after rollout.

Is there a formal phishing-resistant MFA roadmap?

A roadmap should define target methods, priority users, device readiness, exception handling, communication, and migration phases.

Do users receive training on MFA fatigue, recovery fraud, and passkeys?

Human-risk controls remain important because attackers still use social engineering against push prompts and help desks.

Are MFA settings, exceptions, and privileged assignments reviewed regularly?

MFA posture drifts when bypass groups, admin roles, and weak methods are not reviewed.

Do leaders see MFA readiness metrics?

Useful metrics include phishing-resistant adoption, admin coverage, weak method usage, reset volume, exceptions, and legacy-auth attempts.

Are MFA bypass and recovery scenarios tested?

Tabletops and purple-team tests can reveal weak reset paths, token theft exposure, and social-engineering gaps.

Are SaaS and identity vendors assessed for phishing-resistant MFA support?

MFA maturity depends on the platforms you rely on, including support for SSO, WebAuthn/FIDO2, logs, and conditional access.

How this MFA readiness score works

This tool uses a 100-point weighted checklist to estimate how mature an organization’s MFA program is. It weights broad enforcement, phishing-resistant methods, administrator protection, safe recovery flows, legacy protocol reduction, monitoring, and governance most heavily.

Score bands

  • 0–39: High exposure — urgent MFA coverage and bypass-risk work needed.
  • 40–59: Basic maturity — MFA exists but weak methods or gaps remain.
  • 60–74: Developing maturity — good progress with remaining high-risk areas.
  • 75–89: Advanced — strong program with targeted improvements.
  • 90–100: Phishing-resistant ready — maintain, test, and continuously improve.
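A scorer in the shape described above, written as an added example rather than the checker's own code: the 100-point total and the five bands come from the page, while the category weights, the question set, its answer values and the treatment of unanswered questions are assumptions.

```python
# Assumed category weights (sum to 100); the page states only the 100-point total.
CATEGORY_WEIGHTS = {
    "Coverage": 20, "Method Strength": 25, "Admin Protection": 20,
    "Recovery & Enrollment": 15, "Legacy Exposure": 10, "Governance & Human Risk": 10,
}

# Assumed questions: (category, id, {answer: share of that question's points}).
# Two per category keep the example short; the real checker asks more.
QUESTIONS = [
    ("Coverage", "workforce_mfa", {"none": 0.0, "some": 0.4, "most": 0.7, "all": 1.0}),
    ("Coverage", "exceptions_time_limited", {"no": 0.0, "partly": 0.5, "yes": 1.0}),
    ("Method Strength", "strongest_common_method",
     {"sms": 0.1, "totp_app": 0.4, "push_number_match": 0.6, "fido2_passkey": 1.0}),
    ("Method Strength", "passkey_rollout",
     {"none": 0.0, "pilot": 0.3, "high_risk_users": 0.7, "broad": 1.0}),
    ("Admin Protection", "admins_phishing_resistant", {"no": 0.0, "partly": 0.5, "yes": 1.0}),
    ("Admin Protection", "breakglass_monitored", {"no": 0.0, "yes": 1.0}),
    ("Recovery & Enrollment", "reset_verification",
     {"caller_id_only": 0.0, "manager_approval": 0.5, "verified_identity": 1.0}),
    ("Recovery & Enrollment", "backup_not_sms", {"no": 0.0, "yes": 1.0}),
    ("Legacy Exposure", "legacy_auth_blocked", {"no": 0.0, "partly": 0.5, "yes": 1.0}),
    ("Legacy Exposure", "mfa_events_alertable", {"no": 0.0, "yes": 1.0}),
    ("Governance & Human Risk", "roadmap_exists", {"no": 0.0, "yes": 1.0}),
    ("Governance & Human Risk", "bypass_scenarios_tested", {"no": 0.0, "yes": 1.0}),
]

# Score bands from the page: (lower bound, label), checked from the top down.
BANDS = [(90, "Phishing-resistant ready"), (75, "Advanced"), (60, "Developing maturity"),
         (40, "Basic maturity"), (0, "High exposure")]

def score(answers):
    """Return (total, per_category_points, completion_pct, band).
    Unanswered questions earn 0 because an unknown control is a gap, but they
    are surfaced through completion so a low score is not read as evidence."""
    per_cat, answered = {}, 0
    for cat, weight in CATEGORY_WEIGHTS.items():
        qs = [q for q in QUESTIONS if q[0] == cat]
        earned = 0.0
        for _, qid, options in qs:
            if qid in answers:
                answered += 1
                earned += options[answers[qid]]  # KeyError on an unknown answer is intended
        per_cat[cat] = weight * earned / len(qs)
    total = round(sum(per_cat.values()))
    completion = round(100 * answered / len(QUESTIONS))
    band = next(label for floor, label in BANDS if total >= floor)
    return total, per_cat, completion, band
```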

Privacy note

The checker runs in the visitor’s browser. It does not send answers to Cybersecurity Time, your WordPress database, or any external API.


Phishing-resistant MFA FAQ

What is phishing-resistant MFA?

Phishing-resistant MFA uses cryptographic authentication methods, such as passkeys, FIDO2/WebAuthn security keys, smart cards, or certificate-based authentication, to resist fake login pages, stolen codes, push fatigue, and real-time proxy attacks.

Is SMS MFA phishing resistant?

No. SMS is better than password-only access, but it can be exposed to phishing, SIM swap, interception, and social engineering. This checker treats SMS as a low-maturity method and recommends stronger options.

Does this checker store visitor answers?

No. Scoring runs locally in the browser. The plugin does not store or transmit visitor answers unless you separately add your own contact form or analytics outside this plugin.

Is this a formal security audit?

No. It is an educational readiness tool for awareness, prioritization, and planning. A formal audit requires evidence review, interviews, configuration validation, and environment-specific testing.

Built by Cybersecurity Time as an educational readiness tool. It is not a formal audit, legal opinion, or compliance certification.

Phishing-Resistant MFA Readiness Checker

Phishing-Resistant MFA Readiness Checker helps you check whether your MFA is truly protecting your accounts or only providing a basic level of protection.

Many businesses use MFA, but weak methods can still be attacked. SMS codes can be stolen, push approvals can be misused, and weak recovery settings can let attackers bypass strong login controls.

Why This Tool Helps

Not all MFA is equal. SMS is better than no MFA, but passkeys, FIDO2 security keys, and WebAuthn-based login offer stronger phishing-resistant protection.

This checker reviews important areas such as MFA coverage, app-based MFA, passkeys, FIDO2, admin protection, recovery flows, human-risk awareness, and legacy login exposure.

What to Fix First

Start with your most important accounts: email, WordPress admin, hosting, domain registrar, cloud tools, finance systems, and administrator accounts.

Then reduce SMS dependency, improve recovery rules, disable old login methods, and train users not to approve suspicious MFA prompts.


FAQs

What is this tool?

It is a simple checker that helps review MFA maturity, passkeys, FIDO2 readiness, admin protection, recovery flows, and legacy login risks.

Is SMS MFA enough?

SMS MFA is better than no MFA, but it is not the strongest option.

Are passkeys phishing-resistant?

Yes. Passkeys are designed to reduce phishing risk by using cryptographic sign-in instead of reusable passwords or codes.

Is this a compliance audit?

No. It is an educational readiness checker, not a formal audit or certification.
