Prevent Phishing with Mutual Authentication
This Link applies to: WiKID Strong Authentication Server Enterprise Edition
Phishing is essentially a man-in-the-middle attack. The user is misdirected, for example by social engineering or DNS-cache poisoning, to a fraudulent site. Because the user doesn't understand how to validate SSL certificates (and who does?), the trick works far too often. Efforts such as Extended Validation certificates are bound to fail in many cases because they rely on inconsistent visual aids and not strong cryptography. One-time passwords alone have also proven vulnerable to real-time MITM attacks. Preventing phishing consistently requires strong mutual authentication: validating the host to the user and the user to the host.
Link: http://www.howtoforge.net/prevent_phishing_with_mutual_authentication

