Phishing Is No Longer a Volume Problem — It Is a Quality Problem
For most of the past decade, phishing defence in Algeria has been a filter-and-train problem: block the obvious Nigerian lookalikes, warn staff about misspelled sender domains, rotate passwords every 90 days. That model is breaking. Generative AI has removed the two signals that used to expose phishing — bad grammar and awkward context — and added two new weapons on the attacker side: flawless localisation into French and Arabic, and voice-cloned phone calls that impersonate a known executive.
A recent industry analysis from StrongestLayer argues that AI now generates roughly 82.6% of phishing emails and that enterprise security teams can no longer rely on linguistic heuristics to separate legitimate mail from attacks. ZeroThreat’s 2026 round-up of deepfake and AI phishing statistics adds that deepfake-related incidents rose sharply in the first half of 2025, with business email compromise (BEC) now frequently paired with a follow-up voice call that sounds exactly like the CFO. UK managed-services provider Sharp has published a useful field description of what they call hyper-realistic phishing and deepfake attacks in 2026, including fake Microsoft Teams meetings used to steal session cookies.
Passwords and SMS one-time codes do not stop any of this. They are exactly the credentials an AI phishing kit is designed to harvest. The defensive answer is to remove the phishable secret from the equation — which is what FIDO2 and passkeys do.
What “Phishing-Resistant” Actually Means
The US Cyber Security Institute defines phishing-resistant MFA as authentication where the user cannot be tricked into handing the second factor to an attacker. In practice that narrows the field to two technologies:
- FIDO2 security keys — small USB/NFC devices (YubiKey, Token2, Feitian) that use public-key cryptography bound to the origin domain. Even if a user is lured to a fake site and completes the login flow there, the key will refuse to sign because the site’s domain does not match the one the credential was registered to.
- Passkeys — the consumer-friendly version of FIDO2, stored in the device’s secure enclave and synced through Apple, Google, or Microsoft accounts. The user experience is a face scan or fingerprint; there is no code to intercept.
Everything else — SMS OTP, email OTP, push-approval without number matching, TOTP codes in an authenticator app — is classified as phishable. These are all useful as a step up from a bare password, but none of them is the right answer for privileged accounts or high-value consumer transactions in 2026.
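The origin binding described above is what a relying party actually checks when it verifies a FIDO2/passkey assertion. The following is an added illustration of that check, not code from any product named here; the assertion data is constructed inline, and a real verifier must additionally check the signature over authenticatorData || SHA-256(clientDataJSON) against the stored public key.

```python
"""Origin binding, the property that makes FIDO2/passkeys phishing-resistant.

Added illustration of the relying-party side of a WebAuthn assertion check;
sample assertion data is constructed inline (no signature step shown).
"""
import base64
import hashlib
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_origin_binding(client_data_json: bytes, authenticator_data: bytes,
                          expected_origin: str, rp_id: str,
                          expected_challenge: bytes) -> bool:
    """Reject an assertion produced for any origin other than ours."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False
    # The browser, not the web page, fills in the origin, so a lookalike
    # domain shows up here even when the user was fooled by it.
    if client_data.get("origin") != expected_origin:
        return False
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False  # replay, or an assertion for a different session
    # authenticatorData starts with SHA-256 of the RP ID the authenticator
    # scoped the credential to; a mismatch means a foreign credential.
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    return True

def make_sample_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed clientDataJSON and authenticatorData for the demo."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url_encode(challenge),
                              "origin": origin}).encode()
    flags = b"\x05"  # user present + user verified
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")
    return client_data, auth_data
```

A credential enrolled at bank.example produces an assertion whose origin and RP ID hash both name the lookalike when the user is on the lookalike, so the genuine site rejects it without any user judgement involved.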
The Three-Tier Playbook for Algerian Organisations
A realistic rollout in Algeria’s current stack does not try to replace SMS OTP overnight. It tiers defences by who the user is and what the transaction is worth.
Tier 1 — Privileged administrators (hardware keys, mandatory). Domain admins, cloud console access, developer GitHub accounts, payment-gateway back-office logins, ERP super-users. These accounts should require a FIDO2 hardware key as the only allowed second factor, with no SMS fallback. The population is small — typically under 5% of staff — so procurement cost is contained. Budget roughly 50 to 80 USD per user for two keys each (one primary, one backup). This tier eliminates the single most damaging attack: credential theft that escalates to ransomware deployment.
Tier 2 — Consumer-facing customer logins (passkeys, opt-in then default). Mobile banking, e-commerce accounts, telco self-service portals. The goal is to offer passkeys as an enrolment option today, make them the default for new customers in six months, and retire SMS OTP for high-value transactions (transfers above a threshold, card-not-present international payments) in 12 to 18 months. Passkeys work on every recent Android and iOS device; the ARPCE-regulated telcos already ship devices that support them natively.
Tier 3 — Everyone else (risk-based step-up MFA). For ordinary staff logins, internal SaaS, and low-value customer sessions, use adaptive MFA that only challenges when the risk score spikes — new device, impossible-travel geography, access outside working hours, unfamiliar IP range. When a challenge fires, the step-up should be a push-with-number-matching or a passkey, not a raw SMS code.
This tiering matches what Japanese and European regulators are already recommending, and it is deployable on Microsoft Entra, Google Workspace, Okta, and Keycloak — the four identity platforms most Algerian medium-sized firms already use.
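The tier rules and the Tier 3 risk signals listed above can be expressed as a small policy function. This is an added illustration, not any vendor’s policy engine: Tier 1 accepts only a hardware key, Tier 3 scores the named signals and accepts only a phishing-resistant step-up when the score spikes; Tier 2 transaction thresholds are not modelled, and the weights and threshold are assumptions chosen for the demo.

```python
"""Risk-based step-up policy for the three-tier model (added illustration).

Constructed example. Weights, the 40-point threshold and the 900 km/h
impossible-travel bound are assumptions, not values from any product.
"""
from dataclasses import dataclass
from math import radians, sin, cos, asin, sqrt
from typing import Optional, Tuple

STEP_UP_OK = {"passkey", "push_number_match"}  # never a raw SMS/email OTP

@dataclass
class LoginEvent:
    user_tier: int
    offered_factor: str          # second factor the client presents, or "none"
    known_device: bool
    known_ip_range: bool
    hour_local: int              # 0-23
    lat_lon: Tuple[float, float]
    time: float                  # epoch seconds
    prev_lat_lon: Optional[Tuple[float, float]] = None
    prev_time: float = 0.0

def km_between(a, b) -> float:
    """Great-circle distance (haversine) in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def risk_score(ev: LoginEvent) -> int:
    score = 0
    if not ev.known_device:
        score += 40
    if not ev.known_ip_range:
        score += 20
    if not 7 <= ev.hour_local < 20:        # outside working hours
        score += 15
    if ev.prev_lat_lon is not None:
        hours = max((ev.time - ev.prev_time) / 3600.0, 1e-6)
        if km_between(ev.prev_lat_lon, ev.lat_lon) / hours > 900:  # faster than an airliner
            score += 50                    # impossible travel
    return score

def decide(ev: LoginEvent, threshold: int = 40) -> str:
    """Return 'allow', 'deny' or 'step_up_required'."""
    if ev.user_tier == 1:                  # privileged: hardware key only, no fallback
        return "allow" if ev.offered_factor == "fido2_key" else "deny"
    if risk_score(ev) < threshold:
        return "allow"
    return "allow" if ev.offered_factor in STEP_UP_OK else "step_up_required"
```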
Local Realities That Shape the Rollout
Several Algeria-specific factors change the default vendor playbook:
- Device fragmentation. A significant share of the workforce still uses entry-level Android phones that may not support platform passkey sync. The rollout plan must include a physical security key fallback for these users, not an SMS fallback.
- Cross-border transaction risk. Algerian e-commerce and fintech firms take a disproportionate share of their fraud from BEC attacks originating outside the country. Phishing-resistant MFA on finance and procurement staff is the single highest-ROI control.
- French/Arabic localisation of phishing lures. AI-written phishing in both languages is now indistinguishable from real internal mail. Security awareness training alone is no longer a compensating control; treat it as hygiene, not defence.
- Regulatory wind. ARPCE and the Banque d’Algérie have not yet mandated phishing-resistant MFA, but global regulators have moved — institutions that wait for local mandate will be behind schedule when it arrives.
A 90-Day Starter Plan
Organisations that want to move this quarter without waiting for a formal strategy document can run a focused 90-day programme:
- Days 1-30: Inventory privileged accounts. Purchase FIDO2 hardware keys (two per admin). Enable passkey enrolment as an option on the customer identity platform.
- Days 31-60: Enforce hardware keys on all privileged logins, disable SMS/email OTP fallback for these accounts. Turn on risk-based step-up policies for ordinary staff.
- Days 61-90: Run a controlled phishing simulation, including an AI-generated French lure and a voice-cloned “CFO” call, and measure how many users click, share codes, or approve push prompts. Publish the result internally as the new baseline.
The measurable outcome at day 90 is that the expected loss from credential phishing against privileged accounts is effectively zero, and the organisation has the evidence it needs to justify the next budget cycle.
Frequently Asked Questions
What is the difference between a passkey and a FIDO2 security key?
Both use the same underlying FIDO2 cryptography. A passkey is stored in a phone or laptop’s secure enclave and unlocked with biometrics; a FIDO2 security key is a small physical device (USB or NFC) that you carry. Passkeys are better for consumers; physical keys are better for privileged administrators who need a backup they can lock in a safe.
Is SMS OTP still acceptable for Algerian banks in 2026?
It is acceptable as a minimum baseline but no longer sufficient for high-value transactions or administrative access. Global regulators — including Japan’s FSA and European banking authorities — have formally stated that SMS and email OTP are not adequate against current phishing techniques. Algerian banks should plan to retire SMS OTP for large transfers and privileged logins before an explicit local mandate arrives.
Where should an Algerian SME start if it has a budget for only ten hardware keys?
Inventory privileged accounts and rank them by blast radius. The top ten are almost always: two domain admins, the ERP super-user, the payment-gateway admin, two cloud console admins, the developer with push access to production, the finance director, the CEO, and the backup-system operator. Buy two keys per person (one primary, one backup) and enforce hardware-key-only MFA on those accounts first — that single step blocks the most expensive breach scenarios.