Why New Zealand Should Move Past SMS and Push MFA in 2026
Adversary-in-the-middle phishing kits are defeating traditional MFA at scale. Here's why phishing-resistant MFA — passkeys and FIDO2 — is now the baseline for NZ organisations.
Multi-factor authentication has been the backbone of New Zealand's account-security advice for almost a decade. CERT NZ has rightly championed it; banks have made it mandatory; most government services require it. But the MFA most organisations have deployed — SMS codes, app-generated TOTP codes, and push notifications — is increasingly being defeated in the wild. In 2026, phishing-resistant MFA is no longer a luxury for high-security environments; it is the baseline for any organisation that handles money, personal information, or customer trust.
How attackers defeat traditional MFA
The dominant technique is adversary-in-the-middle (AiTM) phishing. The attacker stands up a reverse-proxy phishing site, using kits such as Evilginx, Tycoon 2FA or Mamba 2FA, that serves the genuine login page through the proxy so it looks identical. The victim enters their username, password and MFA code; the proxy relays each to the real service in real time (so the short lifetime of a TOTP code is no obstacle) and captures the session cookie the service issues at the end. With that cookie the attacker no longer needs the password or another code: they are signed in as the user for as long as the session lasts, often hours or days, and from whatever machine they choose. Push-approval MFA fares no better. Users habituated to tapping 'Approve' will approve a login they did not initiate, especially when the prompt arrives at 8.55 a.m., and number matching does not close the gap against AiTM, because the victim is looking at the genuine prompt relayed through the proxy and will enter the genuine number.
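As an added example (not from the original article), the following Go program shows one way to spot the tail end of this attack in sign-in telemetry: a session minted by an interactive sign-in and then presented, shortly afterwards, from a different IP address and a different browser. The log format, field names, IP addresses and timestamps are all constructed for the example; map them onto whatever your IdP actually exports.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// signInEvent is one line of a constructed, simplified IdP sign-in log.
// "signin" is an interactive authentication that completed password + MFA and
// minted session_id; "session_use" is a later request presenting that session.
type signInEvent struct {
	Time      time.Time `json:"time"`
	User      string    `json:"user"`
	Event     string    `json:"event"`
	SessionID string    `json:"session_id"`
	IP        string    `json:"ip"`
	UserAgent string    `json:"user_agent"`
}

// replayAlert records a session minted by one client and presented by another.
type replayAlert struct {
	User, SessionID, MintedFrom, UsedFrom string
	Delta                                 time.Duration
}

// sampleLog is constructed test data. alice's session is minted through an
// AiTM proxy (the IdP sees the proxy's IP, not hers) and then presented from
// the attacker's own browser. bob's session roams between two IPs but keeps
// the same browser, which is ordinary phone behaviour.
const sampleLog = `
{"time":"2026-03-02T08:55:10+13:00","user":"alice","event":"signin","session_id":"sess-1","ip":"203.0.113.10","user_agent":"Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"}
{"time":"2026-03-02T09:12:44+13:00","user":"alice","event":"session_use","session_id":"sess-1","ip":"198.51.100.7","user_agent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/125.0"}
{"time":"2026-03-02T08:30:00+13:00","user":"bob","event":"signin","session_id":"sess-2","ip":"203.0.113.55","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1"}
{"time":"2026-03-02T10:00:00+13:00","user":"bob","event":"session_use","session_id":"sess-2","ip":"203.0.113.55","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1"}
{"time":"2026-03-02T10:30:00+13:00","user":"bob","event":"session_use","session_id":"sess-2","ip":"192.0.2.9","user_agent":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_4) Safari/604.1"}
`

// detectSessionReplay flags a session that, within window of being minted, is
// presented from both a different IP and a different user agent than the
// interactive sign-in that created it. Requiring both to change keeps a phone
// switching from Wi-Fi to cellular from alerting.
func detectSessionReplay(log string, window time.Duration) ([]replayAlert, error) {
	minted := map[string]signInEvent{}
	var alerts []replayAlert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev signInEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad log line %q: %w", line, err)
		}
		switch ev.Event {
		case "signin":
			minted[ev.SessionID] = ev
		case "session_use":
			first, ok := minted[ev.SessionID]
			if !ok {
				continue // minted before the slice of log we are looking at
			}
			delta := ev.Time.Sub(first.Time)
			if delta >= 0 && delta <= window && ev.IP != first.IP && ev.UserAgent != first.UserAgent {
				alerts = append(alerts, replayAlert{first.User, ev.SessionID, first.IP, ev.IP, delta})
			}
		}
	}
	return alerts, sc.Err()
}

func main() {
	alerts, err := detectSessionReplay(sampleLog, 24*time.Hour)
	if err != nil {
		panic(err)
	}
	for _, a := range alerts {
		fmt.Printf("%s: session %s minted from %s, presented from %s after %s\n",
			a.User, a.SessionID, a.MintedFrom, a.UsedFrom, a.Delta)
	}
}
```

Run against the sample, it reports only alice's session. An attacker who replays the cookie from a browser that spoofs the victim's user agent would slip past this particular check, so treat it as one signal among several, alongside the hosting-provider origin of the interactive sign-in itself and impossible-travel checks.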
What 'phishing-resistant' actually means
Phishing-resistant MFA means authentication that is cryptographically bound to the legitimate website's origin, so the user holds nothing a proxy can relay. The two practical options are FIDO2 security keys (YubiKeys, Feitian keys, Google Titan keys) and passkeys (the same FIDO2/WebAuthn standard, with the private key held in a phone, laptop or password manager instead of a separate hardware token). Both work the same way at the protocol level. The credential is scoped to the relying party's domain, so the browser will not offer it to a page on any other domain, and the signature the authenticator produces covers the origin the browser actually observed, which the service checks before accepting it. A reverse-proxy phishing site at 'login-microsft0nline.com' cannot complete the handshake regardless of what the user does, because there is no code to type and no approval to tap: the browser hands the proxy nothing it can reuse.
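To make the origin binding concrete, here is an added Go example (not code from the article, and a deliberate simplification of the WebAuthn protocol) that plays both sides: a browser producing an assertion for a page at a given origin, and a relying party verifying it. The domains login.example.co.nz and login-examp1e.co.nz are hypothetical. A sign-in from the genuine page verifies; the same sign-in from an AiTM proxy on the look-alike domain is rejected, because the browser writes the origin it is really on into the signed client data and the relying party checks it before trusting the signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
	"strings"
)

// Hypothetical relying party (RP) and the look-alike domain an AiTM proxy uses.
const (
	rpID           = "login.example.co.nz"
	expectedOrigin = "https://login.example.co.nz"
	phishingOrigin = "https://login-examp1e.co.nz"
)

// clientData holds the WebAuthn CollectedClientData fields that matter here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the browser returns to the RP after the authenticator signs.
type assertion struct{ ClientDataJSON, AuthData, Signature []byte }

// signedBytes returns SHA-256(authenticatorData || SHA-256(clientDataJSON)),
// the digest an ES256 (ECDSA P-256) authenticator signs.
func signedBytes(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// browserGet models navigator.credentials.get() on a page whose top-level origin
// is pageOrigin; key stands in for a passkey or security key. The browser, not
// the page's JavaScript, writes that origin into clientDataJSON and derives the
// RP ID from it, so a proxy on a look-alike domain cannot claim the genuine one.
// (Real authenticators also refuse outright: a credential is scoped to its RP ID.)
func browserGet(key *ecdsa.PrivateKey, pageOrigin string, challenge []byte) (assertion, error) {
	cdj, err := json.Marshal(clientData{
		Type:      "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge),
		Origin:    pageOrigin,
	})
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(strings.TrimPrefix(pageOrigin, "https://")))
	authData := append(rpIDHash[:], 0x01)                // flags byte: user present
	authData = binary.BigEndian.AppendUint32(authData, 1) // signature counter
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedBytes(authData, cdj))
	return assertion{ClientDataJSON: cdj, AuthData: authData, Signature: sig}, err
}

// verifyAssertion is the RP side, reduced to the steps that defeat AiTM: origin
// and RP ID are compared before the signature (which covers both) is accepted.
func verifyAssertion(pub *ecdsa.PublicKey, challenge []byte, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) {
		return fmt.Errorf("type or challenge mismatch")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin mismatch: browser saw %q, expected %q", cd.Origin, expectedOrigin)
	}
	want := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(want[:]) {
		return fmt.Errorf("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedBytes(as.AuthData, as.ClientDataJSON), as.Signature) {
		return fmt.Errorf("bad signature")
	}
	return nil
}

// signInFrom creates a fresh credential for the RP, completes one challenge from
// a page at pageOrigin and returns the RP's verdict (nil means accepted).
func signInFrom(pageOrigin string) (verdict error, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	challenge := make([]byte, 32)
	if _, err = rand.Read(challenge); err != nil {
		return nil, err
	}
	as, err := browserGet(key, pageOrigin, challenge)
	if err != nil {
		return nil, err
	}
	return verifyAssertion(&key.PublicKey, challenge, as), nil
}

func main() {
	for _, origin := range []string{expectedOrigin, phishingOrigin} {
		verdict, err := signInFrom(origin)
		fmt.Printf("%s -> verdict=%v setup=%v\n", origin, verdict, err)
	}
}
```

The point to take from the proxy case is that the failure is structural, not a matter of user vigilance: the proxy relayed a perfectly valid challenge and the authenticator signed it, yet the origin baked into the signed data gives the game away.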
Why passkeys are the right default for most NZ organisations
Hardware security keys are excellent but operationally heavy: they cost money, get lost, need provisioning, and create a support burden. Passkeys solve most of these problems by using devices employees already carry. Microsoft Entra ID, Google Workspace, Okta, and most leading SaaS now support passkeys natively. iCloud Keychain, Google Password Manager, 1Password and Bitwarden all sync passkeys across devices, which largely removes the lost-device problem. The trade-off is that a synced passkey is only as strong as the account it syncs through and the path used to recover it: if a user can re-enrol after proving identity with an SMS code, the attacker simply phishes the recovery flow instead. For most NZ organisations the right strategy in 2026 is: passkeys as the default, hardware keys for administrators and high-risk roles, and traditional MFA only as a transitional fallback with conditional-access policies that flag its use.
Conditional access: the policy layer that makes it real
Deploying passkeys without policy is half a solution. The other half is conditional access (Entra), context-aware access (Google), or the equivalent policy engine in your IdP. The right baseline blocks legacy authentication protocols that cannot carry MFA at all, requires phishing-resistant MFA for administrators and finance roles, requires compliant or managed devices for access to sensitive applications, and treats sign-ins from anonymising VPNs and high-risk locations as elevated risk. None of this is exotic; it is configuration rather than new tooling, although risk-based sign-in controls usually sit in a higher IdP licence tier.
What about staff who don't have a smartphone?
This is the most common objection and it has a simple answer: hardware security keys. A NZ$60 FIDO2 key, issued at induction and replaced if lost, gives a frontline worker in a warehouse, factory, or healthcare ward the same protection as the executive team — without requiring a personal device. Many NZ organisations are now pairing this with a small kiosk-mode PC for shift workers to enrol passkeys to a managed device.
Migration path for an organisation of 200 people
A realistic plan looks like this: month one, audit current MFA coverage and identify any accounts still using SMS only; month two, enable passkey registration alongside existing MFA and run an awareness campaign; month three, mandate phishing-resistant MFA for all administrators and finance staff via conditional access; month four, expand the mandate to all staff with a clear deadline; month five, deprecate SMS and push MFA. If either survives as a recovery factor, gate it behind helpdesk identity verification or a time-limited access pass, because a self-service recovery path that accepts a phishable factor is the path an AiTM attacker will take next. Total project cost for a 200-person organisation: typically under NZ$20,000 in licensing and a handful of weeks of administrator time. Total cost of one successful AiTM phishing attack on the CFO: typically much, much more.
How Haumaru helps
We run phishing-resistant MFA migrations as fixed-scope engagements for New Zealand organisations, including conditional access policy design, helpdesk runbooks, and a phishing-simulation campaign before and after to demonstrate the impact. Get in touch at contact@haumaru.ltd or call +64 22 423 0494.
Need help applying this in your environment?
Talk to a Haumaru security architect — no obligation, no sales pitch.
Book a posture review