Salesforce supports phishing-resistant MFA using a physical security key (FIDO / WebAuthn). Most orgs just never turn it on.
The most popular brand of security key seems to be Yubikey by Yubico. It is a a small hardware device (like a USB stick or tag) that provides a strong, phishing-resistant second factor for logging into accounts, replacing SMS codes or apps by requiring you to physically present the device, often with a PIN or fingerprint, to verify your identity.
I attached a short PDF that walks through the lifecycle, step by step:
⚙️ Enabling security keys at the org level (Setup - Identity - Identity Verification)
⚙️ Registering a physical key on the user record
⚙️ What the browser prompts look like during registration
⚙️ What users see at login when the key is required
⚙️ How to remove or reset a key if needed
Where such physical security keys make practical sense? 🤔
👉 Call centers or secure facilities where phones are not allowed on the floor
👉 Admins and privileged Salesforce users
👉 Shared or locked-down workstations (which would also be restricted by IP)
👉 Environments where SMS or app-based MFA is operationally risky
This uses standard WebAuthn support built into modern browsers. No mobile app required. The user inserts the key and touches it when prompted.
It is recommended to issue at least two keys per privileged user (primary + backup) before enforcing MFA policies, and test recovery paths in advance.