Open Access
Bridging Modern Authentication: A Unified Framework for Phishing-Resistant, Usable, and Scalable Enterprise Identity
Dr. Arvind S. Mehta, Global Institute of Cybersecurity Studies, University of Lisbon

Abstract
This article presents a comprehensive, theory-driven, and practice-oriented analysis of contemporary web authentication schemes, with the explicit aim of proposing an integrated framework that reconciles the competing goals of security, phishing resistance, organisational usability, and enterprise scalability. Drawing strictly from the cited literature, spanning foundational cryptography, comparative evaluations of authentication schemes, empirical analyses of credential-related incidents, standards for authorization, modern second-factor mechanisms, and practical incident-cost estimations, the study synthesises prior work into an explanatory architecture and evidence-based recommendations. The framework emphasises layered defences that combine public-key cryptography, phishing-resistant multi-factor authentication, behavioural and organisational controls that account for compliance costs, and pragmatic deployment patterns guided by standards such as OAuth 2.0 for authorization and FIDO2 for authentication. The core contributions are (1) a conceptual model that maps attack surfaces to mitigation families grounded in canonical cryptographic principles (Diffie & Hellman, 1976) and subsequent protocol work; (2) an expanded taxonomy of usability-security trade-offs informed by empirical usability studies and the compliance-budget literature (Brooke, 1995; Beautement et al., 2008; Ciolino et al., 2019); and (3) a decision framework for enterprises to prioritise interventions based on breach-cost data and incident vectors (IBM, 2024; Verizon, 2024; Thomas et al., 2017). The article concludes with detailed operational recommendations, limitations of current approaches, and directions for future research that balance rigorous security with real-world constraints on adoption and human behaviour.
The paper is intended to serve researchers, security architects, and policy makers seeking a consolidated, evidence-based route to transitioning modern enterprises toward phishing-resistant and scalable identity assurance (Bonneau et al., 2012; Diffie & Hellman, 1976; IBM, 2024; Lang et al., 2016).
Keywords
Authentication, Phishing-Resistance, FIDO2, OAuth 2.0
References
J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, "The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes," in Proc. IEEE Symposium on Security and Privacy, San Francisco, CA, USA, 2012, pp. 553-567. Available: https://ieeexplore.ieee.org/document/6234436
IBM Security, "Cost of a Data Breach Report 2024," IBM, Jul. 2024. Available: https://www.ibm.com/reports/data-breach
D. Hardt, Ed., "The OAuth 2.0 Authorization Framework," IETF RFC 6749, Oct. 2012. Available: https://tools.ietf.org/html/rfc6749
W. Diffie and M. Hellman, "New directions in cryptography," IEEE Transactions on Information Theory, vol. 22, no. 6, pp. 644-654, Nov. 1976. Available: https://ieeexplore.ieee.org/document/1055638
K. Thomas et al., "Data breaches, phishing, or malware? Understanding the risks of stolen credentials," in Proc. ACM SIGSAC Conference on Computer and Communications Security (CCS '17), 2017, pp. 1421-1434. Available: https://dl.acm.org/doi/10.1145/3133956.3134067
Verizon, "2024 Data Breach Investigations Report," Verizon, Jun. 2024. Available: https://www.verizon.com/business/resources/reports/dbir/
J. Lang, A. Czeskis, D. Balfanz, M. Schilder, and S. Srinivas, "Security Keys: Practical Cryptographic Second Factors for the Modern Web," in Financial Cryptography and Data Security (FC 2016), Berlin, Heidelberg: Springer, 2016, pp. 422-440. Available: https://doi.org/10.1007/978-3-662-54970-4_25
A. Beautement, M. A. Sasse, and M. Wonham, "The Compliance Budget: Managing Security Behaviour in Organisations," in Proc. New Security Paradigms Workshop (NSPW '08), Lake Tahoe, CA, USA, Sep. 2008. ACM.
"Bridging Identity Assurance Gaps: Integrating FIDO2 and Certificate-Based Authentication for Phishing-Resistant, Scalable Enterprise Security," International Journal of Data Science and Machine Learning, vol. 5, no. 2, pp. 9-24, 2025. Available: https://doi.org/10.55640/ijdsml-05-02-02
C. Bellet, J.-E. De Neve, and G. Ward, "Does Employee Happiness Have an Impact on Productivity?" Management Science, vol. 70, no. 3, pp. 1656-1679, May 2023.
J. Brooke, "SUS: A Quick and Dirty Usability Scale," in Usability Evaluation in Industry, 1995, p. 189.
A. Chidukwani, S. Zander, and P. Koutsakis, "A Survey on the Cyber Security of Small-to-Medium Businesses: Challenges, Research Focus, and Recommendations," IEEE Access, vol. 10, pp. 85701-85719, Aug. 2022.
S. Ciolino, S. Parkin, and P. Dunphy, "Of Two Minds about Two-Factor: Understanding Everyday FIDO U2F Usability through Device Comparison and Experience Sampling," in Proc. Symposium on Usable Privacy and Security (SOUPS '19), Santa Clara, CA, USA, Aug. 2019, pp. 339-356. USENIX.
European Council, "Top Cyber Threats in the EU." Available: www.consilium.europa.eu/cyber-threats-eu (accessed Jun. 10, 2025).
Cybersecurity and Infrastructure Security Agency (CISA), "Implementing Phishing-Resistant MFA," 2023. Available: www.cisa.gov/phishing-resistant-mfa (accessed Jun. 10, 2025).
A. Das, J. Bonneau, M. Caesar, N. Borisov, and X. Wang, "The Tangled Web of Password Reuse," in Proc. Network and Distributed System Security Symposium (NDSS '14), San Diego, CA, USA, Feb. 2014.
Copyright License
Copyright (c) 2025 Dr. Arvind S. Mehta

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.
Copyright and Ethics:
- Authors are responsible for obtaining permission to use any copyrighted materials included in their manuscript.
- Authors are also responsible for ensuring that their research was conducted in an ethical manner and in compliance with institutional and national guidelines for the care and use of animals or human subjects.
- By submitting a manuscript to International Journal of Computer Science & Information System (IJCSIS), authors agree to transfer copyright to the journal if the manuscript is accepted for publication.