For the authentication to work, Mark’s phone needed to cryptographically sign a challenge from the server. Crucially, this challenge is tied to the specific website domain (the "origin").
"No," Elena said, tapping her tablet. "Because of FastPass. You see, when you hit that fake site, they tried to relay your password to us. But because of the phishing-resistant auth, your phone refused to handshake with them. The cryptographic token wouldn't sign for a domain that wasn't ours." okta fastpass phishing resistant
His email pinged. The subject line read:
But the attackers were persistent. They had spoofed the IP address to look like New Jersey. Let’s say they bypassed the location check. The phishing site prompted Mark to "Complete verification."
He hit "Sign In."