Cyber Insurance Now Requires Phishing-Resistant MFA: What Senior Living Operators Need to Know

Tech for Senior Living

If your community renews its cyber insurance this year, the application will ask a question it did not ask before: do you require phishing-resistant multi-factor authentication on privileged and remote-access accounts? For 2026 renewals, carriers have moved that control from a preference to a requirement, and the wrong answer now affects your premium, your coverage limits, and in some cases whether you get a policy at all.

This is not a small clarification. It is a different security control than the text-message codes most senior living communities turned on a few years ago, and closing the gap takes lead time. The operators who learn about it during the renewal call are the ones who get the price increase. For a full picture of how coverage is changing, see our cyber insurance guide for senior living.

What "Phishing-Resistant" Actually Means

Multi-factor authentication is not one thing. It is a spectrum, and carriers have started grading where you sit on it.

Ordinary MFA sends a one-time code to a phone by text message, or asks a user to approve a push notification in an app. Both can be defeated. Text codes are vulnerable to SIM-swap and interception attacks. Push prompts can be fatigued out of a tired employee at 11 p.m., or relayed through a fake login page in real time. The U.S. Cybersecurity and Infrastructure Security Agency classifies these as better than nothing but explicitly inadequate for high-value accounts.

Phishing-resistant MFA closes that hole. It uses a credential that is cryptographically tied to the real website and cannot be entered on a fraudulent one, even if a user is tricked into trying. In practice that means a FIDO2 hardware security key, the kind that plugs into a USB port or taps over NFC, or a device-based passkey built on the same WebAuthn standard. The UK's National Cyber Security Centre reaches the same conclusion: hardware-backed authentication is the recommended type for accounts that matter.
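The two paragraphs above make a claim worth seeing in code: a one-time code is a plain string that any page can collect and forward, while a WebAuthn assertion carries the origin the browser actually saw and a hash of the relying-party ID, so a credential registered for the real EHR portal fails verification when presented through a lookalike page. The following is an added illustration written for this article, not code from the original page, from a FIDO2 vendor, or from any product mentioned here. It models the three parties (authenticator, browser, relying party) with the standard library only; the one simplification, labelled in the code, is that an HMAC key shared by authenticator and relying party stands in for the real per-credential asymmetric key pair. All origins, rpIds, secrets and the challenge are constructed sample values.

```python
"""Toy model of WebAuthn origin binding, contrasted with a relayable one-time code.

Assumption: real FIDO2 authenticators sign with an asymmetric per-credential key and the
relying party verifies with the stored public key. This model uses an HMAC-SHA256 key
shared by both sides so it runs with only the standard library; the origin and rpId
checks below follow the real assertion-verification procedure.
"""
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample values; none refer to a real deployment.
EHR_ORIGIN = "https://ehr.example-community.org"
EHR_RP_ID = "ehr.example-community.org"
PHISH_ORIGIN = "https://ehr.example-community-login.org"  # lookalike login page
KEY_SECRET = b"constructed-hardware-key-secret"           # stand-in for the private key
CHALLENGE = "Y29uc3RydWN0ZWQtY2hhbGxlbmdl"                 # real RPs use fresh random bytes


def rp_id_hash(rp_id):
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(rp_id, client_data_hash):
    """Authenticator: sign authenticatorData || SHA-256(clientDataJSON)."""
    auth_data = rp_id_hash(rp_id) + b"\x01"  # rpIdHash followed by flags (user present)
    sig = hmac.new(KEY_SECRET, auth_data + client_data_hash, hashlib.sha256).digest()
    return auth_data, sig


def browser_get_assertion(page_origin, rp_id, challenge):
    """Browser model of navigator.credentials.get(): the page cannot choose its origin."""
    host = urlparse(page_origin).hostname
    # Browsers only allow an rpId that is the page's host or a registrable suffix of it.
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("SecurityError: rpId %r not valid for %r" % (rp_id, page_origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        separators=(",", ":")).encode()
    auth_data, sig = authenticator_sign(rp_id, hashlib.sha256(client_data).digest())
    return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


def rp_verify(assertion, expected_origin, expected_rp_id, issued_challenge):
    """Relying party: type, challenge, origin, rpIdHash and signature checks."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get" or client.get("challenge") != issued_challenge:
        return False
    if client.get("origin") != expected_origin:       # credential presented on another site
        return False
    auth_data = assertion["authenticatorData"]
    if auth_data[:32] != rp_id_hash(expected_rp_id):  # signed for a different relying party
        return False
    signed = auth_data + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(KEY_SECRET, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected_sig, assertion["signature"])


def legitimate_login():
    """Real portal, real rpId: the assertion verifies."""
    a = browser_get_assertion(EHR_ORIGIN, EHR_RP_ID, CHALLENGE)
    return rp_verify(a, EHR_ORIGIN, EHR_RP_ID, CHALLENGE)


def relay_with_real_rp_id():
    """Lookalike page requests the real rpId: the browser refuses before the key is used."""
    try:
        browser_get_assertion(PHISH_ORIGIN, EHR_RP_ID, CHALLENGE)
    except PermissionError:
        return "blocked_by_browser"
    return "assertion_issued"


def relay_with_own_rp_id():
    """Lookalike page uses its own rpId and forwards the assertion: the RP rejects it."""
    a = browser_get_assertion(PHISH_ORIGIN, urlparse(PHISH_ORIGIN).hostname, CHALLENGE)
    return rp_verify(a, EHR_ORIGIN, EHR_RP_ID, CHALLENGE)


# Contrast: a one-time code (RFC 4226 HOTP, the core of RFC 6238 TOTP) carries no origin.
OTP_SECRET = b"constructed-otp-seed"


def otp_code(secret, counter, digits=6):
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def relayed_otp_accepted(counter=57_000_000):
    """Code typed into the lookalike page and forwarded: the real site cannot tell."""
    typed_on_lookalike_page = otp_code(OTP_SECRET, counter)
    return hmac.compare_digest(typed_on_lookalike_page, otp_code(OTP_SECRET, counter))


if __name__ == "__main__":
    print("key on real portal:           ", legitimate_login())
    print("key via lookalike, real rpId: ", relay_with_real_rp_id())
    print("key via lookalike, own rpId:  ", relay_with_own_rp_id())
    print("one-time code via lookalike:  ", relayed_otp_accepted())
```

The point for a renewal conversation is in the last four functions: the hardware key produces a signature that only verifies for the origin the browser recorded, whereas the one-time code verifies regardless of where the employee typed it. That property of the credential itself, not the user's vigilance, is what carriers mean by "phishing-resistant".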

Why Carriers Made the Change

The cyber insurance market spent two years softening. That is over. Industry analysts report premiums climbing again in 2026 after ransomware losses forced harder underwriting, and carriers have responded by tightening the controls they require before they will write a policy.

Identity is at the top of that list. The large majority of breaches still begin with a stolen or phished credential, and ransomware crews increasingly target administrator accounts because those accounts can disable backups and encrypt an entire environment. A carrier that requires phishing-resistant MFA on privileged access is removing the single most common entry point for the claims it pays. Major carriers including Beazley and AIG have updated their questionnaires to ask specifically about phishing-resistant authentication for privileged and remote access.

Why This Hits Senior Living Harder

Senior living communities are covered entities under HIPAA, and they handle resident health information across clinical workstations, electronic health record platforms, and connected devices. That combination puts you in the healthcare-adjacent category underwriters scrutinize most. Three realities make the new requirement especially pointed for senior living.

You hold protected health information, so the bar is higher. Underwriters apply stricter expectations to any operator handling electronic PHI, often asking for MFA on every entry point, encrypted offline backups, and a signed business associate agreement for every vendor that touches resident data. A community that meets the general small-business floor can still fall short of the healthcare standard.

Portfolio operators carry multiplicative exposure. An operator running five communities on shared infrastructure and a single administrative identity does not have one gap if phishing-resistant MFA is missing. It has the same gap repeated five times, and a single compromised administrator credential can move laterally across every community. The same standardization that makes a portfolio efficient also concentrates the risk, which is why disciplined operators treat standardized IT as a value driver across the portfolio.

The renewal is now an audit. The application is a sworn statement. If you attest to a control you do not actually have, and a forensic review after a breach reveals the gap, the carrier can deny the claim outright. That is the worst outcome of all: years of premiums paid, and nothing when the incident finally lands. This is the same documentation discipline the HHS Office for Civil Rights (OCR) is already demanding, a pattern we covered in why cyber insurance just got harder to get.

What to Do Before Your Renewal

Phishing-resistant MFA is a procurement and deployment project, not a switch. Give yourself the lead time.

  1. Inventory your privileged accounts. List every administrator login, every remote-access path, and every cloud admin console. These are the accounts carriers care about first, and the ones that do the most damage when stolen.
  2. Grade your current MFA honestly. Text-message codes on an administrator account are a fail. App push-approval is increasingly a fail for privileged access. Hardware keys and passkeys are a pass. Be honest now, because the carrier will be honest later.
  3. Deploy hardware keys to privileged and remote users. Start with the accounts that can disable backups or reach resident data. FIDO2 keys are inexpensive per user and deploy in a structured rollout over days, not months.
  4. Document the deployment as evidence. Keep a record showing which accounts are protected by phishing-resistant MFA and when it was enforced. That record is what turns an attestation into a defensible one.
  5. Find your renewal date and work backward. If your policy renews in the fall, the work starts now. Walking into the renewal with the control already in place is the difference between a routine renewal and a price shock.

The Bottom Line

Phishing-resistant MFA is no longer an advanced control reserved for banks and federal agencies. For senior living operators it is becoming the price of admission to cyber coverage, and the carriers have made the renewal application the place they check. The operators who treat it as a deliverable, deployed and documented before the renewal call, keep their coverage and their premium. The ones who treat it as a surprise pay for the lesson. A named security officer who owns the renewal is how the strongest operators stay on the right side of that line, and it is one reason a defensible security posture protects the whole community, not just the insurance policy.

Is your privileged access ready for your renewal?

Tech for Senior Living runs a phishing-resistant MFA gap assessment, coordinates hardware-key procurement at cost, and documents the deployment as renewal-ready evidence, all as part of managed services and vCISO scope for senior living communities. If your cyber insurance renews this year, we can have the control in place and documented before the carrier asks.