FIDO2 and Passkeys Make MFA Phishing-Resistant in Microsoft 365

Most of the Microsoft 365 accounts compromised in the last 18 months had MFA enabled at the time of the attack. 

Phishing-as-a-service kits like Evilginx and EvilProxy have made session token theft accessible enough that it no longer requires a sophisticated attacker. A threat actor does not need your password or your MFA code. They need the token Microsoft issues after you successfully authenticate, and standard MFA does nothing to protect it. 

The fix already exists in your tenant. FIDO2 passkeys and Windows Hello for Business are available today and architecturally designed to close the gap that standard MFA leaves open. The question is not whether to deploy them. It is knowing which method fits which user group, how to roll it out without disrupting access, and how to enforce it through Conditional Access once enrollment is complete. 

 

Why MFA Does Not Stop Session Token Theft in Microsoft 365

 

Standard MFA protects the moment of sign-in. It does not protect the session token Microsoft issues once authentication is complete. That token is what phishing proxies are designed to steal. 

Phishing-resistant authentication methods close this gap at a structural level. The authentication process is bound to a specific physical device through cryptographic keys that cannot be extracted or replicated, and the signed response is tied to the legitimate sign-in origin and to a one-time challenge. Nothing reusable passes through the browser for a proxy to capture.

The three phishing-resistant options available in Microsoft 365 are FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator in FIDO2 passkey mode. All three use the same underlying FIDO2 standard. Where they differ is in how the credential is stored and what hardware is required. That is what determines which option fits which deployment scenario. 

 

How FIDO2 Protects Microsoft 365 Against Phishing Attacks

 

FIDO2 is an open authentication standard developed by the FIDO Alliance. Microsoft Entra ID supports it natively, and it is the foundation for passkey-based authentication across the Microsoft 365 platform.

When a user registers a FIDO2 credential, a cryptographic key pair is generated. The private key is stored on the physical device or security key. The public key is registered with Microsoft Entra ID. During authentication, Microsoft sends a challenge to the device. The device signs that challenge with the private key and returns the signed response. Microsoft verifies the signature using the stored public key and grants access.

Because the private key never leaves the device, a phishing proxy has nothing to intercept. Even if a user lands on a convincing fake login page, the browser reports that page's real origin, which does not match the relying party the credential was registered for, so the FIDO2 device will not produce a response. That is what makes this method fundamentally resistant to phishing rather than just incrementally harder to exploit.
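The challenge-response and origin binding described above, reduced to a runnable model. This is an added example, not code from the article or from Microsoft: it uses P-256 ECDSA from Go's standard library to stand in for a FIDO2 authenticator, and simplifies WebAuthn (authenticatorData is reduced to the RP ID hash, the RP ID is derived from the origin by stripping the scheme, no port handling). login.microsoft.com is Entra's real relying-party ID; the lookalike domain and the origin string are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Relying party (RP) identity. login.microsoft.com is Entra's real RP ID; the origin is assumed here.
const rpID = "login.microsoft.com"
const rpOrigin = "https://login.microsoft.com"

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the web
// page, fills in Origin, so a phishing page cannot claim to be the RP.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is all that crosses the wire; the private key never does.
type Assertion struct {
	RPIDHash       []byte // stands in for WebAuthn authenticatorData
	ClientDataJSON []byte
	Signature      []byte
}

// signedMessage is SHA-256(rpIDHash || SHA-256(clientDataJSON)), the value both sides feed to ECDSA.
func signedMessage(rpIDHash, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, rpIDHash...), cdHash[:]...))
	return msg[:]
}

// Sign simulates browser plus authenticator. The browser derives the RP ID from the
// real origin, and the authenticator only answers for the RP ID the key was registered under.
func Sign(key *ecdsa.PrivateKey, credRPID, origin, challenge string) (*Assertion, error) {
	effectiveRPID := strings.TrimPrefix(origin, "https://")
	if effectiveRPID != credRPID {
		return nil, fmt.Errorf("no credential registered for RP ID %q", effectiveRPID)
	}
	cd, _ := json.Marshal(clientData{Challenge: challenge, Origin: origin}) // plain strings: cannot fail
	rpHash := sha256.Sum256([]byte(effectiveRPID))
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedMessage(rpHash[:], cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPIDHash: rpHash[:], ClientDataJSON: cd, Signature: sig}, nil
}

// Verify is the RP: the challenge must be the one issued for this attempt, the origin
// and RP ID must be its own, and the signature must verify under the enrolled public key.
func Verify(pub *ecdsa.PublicKey, challenge string, a *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not the relying party", cd.Origin)
	}
	if want := sha256.Sum256([]byte(rpID)); string(a.RPIDHash) != string(want[:]) {
		return errors.New("RP ID hash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.RPIDHash, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify")
	}
	return nil
}

// AuthenticateAt runs one full ceremony with the user's browser on the given origin:
// key generated on the device, fresh challenge from the RP, sign, verify.
// A proxy relaying the real challenge from a lookalike domain fails at Sign.
func AuthenticateAt(origin string) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	challenge := fmt.Sprintf("%x", nonce)
	a, err := Sign(key, rpID, origin, challenge)
	if err != nil {
		return err
	}
	return Verify(&key.PublicKey, challenge, a) // the RP holds only the public key
}

func main() {
	fmt.Println(AuthenticateAt(rpOrigin), "|", AuthenticateAt("https://login.microsoft.com.evil.example"))
}
```

Run it and the first result is nil while the second is an error: the proxy can relay the real challenge, but the browser scopes the credential to the domain the user is actually on, and even an assertion that somehow carried the wrong origin would be rejected by Verify because the origin is inside the signed client data. Contrast this with a TOTP code or push approval, which the proxy can simply forward.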

 

When to Use FIDO2 Passkeys vs Hardware Security Keys in Microsoft 365 

 

There are two primary ways to deploy FIDO2 in Microsoft 365, and they serve different use cases.

Hardware security keys such as YubiKey or similar FIDO2-certified tokens store the cryptographic key on a dedicated physical device that connects via USB or NFC. The key is isolated on hardware purpose-built for this function, which makes this the strongest available option. Hardware keys are well suited for admin accounts, privileged roles, and any user whose account represents a high-value target. The tradeoff is cost and the operational work of distributing and managing physical devices across a user population.

Passkeys via Microsoft Authenticator store the FIDO2 credential on a user's mobile device using the device's secure enclave, such as Apple's Secure Enclave or Android's Trusted Execution Environment. Authentication is completed by unlocking the phone with biometrics or a PIN. Microsoft rolled out passkey support in Microsoft Authenticator in 2024, and group-based passkey profile configuration became available in 2025. That makes this the more scalable option for rollouts beyond privileged accounts.

For global admins and finance leads who are actively targeted, hardware keys provide stronger isolation. For executives or department heads, Microsoft Authenticator passkeys offer a deployable path without hardware logistics.

 

How Windows Hello for Business Protects Microsoft 365 Without Additional Hardware

 

Windows Hello for Business meets the phishing-resistant standard using hardware most organizations already have. It stores a device-bound cryptographic key in the device's Trusted Platform Module (TPM) chip and uses biometrics or a PIN to unlock it for authentication. The private key never leaves the TPM.

For organizations with managed Windows endpoints enrolled in Intune, this means phishing-resistant authentication is available without purchasing security keys or changing user workflows significantly. The configuration work involves enabling Windows Hello for Business through Intune policy and confirming TPM 2.0 is active on enrolled devices.

This makes it a strong starting point for organizations that want phishing-resistant authentication at scale across their Windows fleet before expanding to passkeys or hardware keys for higher-risk accounts and other authentication workflows. 

 

Which Microsoft 365 Accounts Should Get FIDO2?

 

Phishing-resistant MFA does not need to reach every user at once to reduce risk meaningfully. Start with the accounts attackers prioritize.

Tier 1: Immediate priority

  • Global administrators
  • Privileged role administrators (Security Administrator, Exchange Administrator, Conditional Access Administrator)
  • Break-glass accounts
  • Accounts with access to financial systems, wire transfer workflows, or vendor payment processes

Tier 2: Near-term priority

  • Executive leadership
  • Finance and accounting teams
  • IT and help desk staff who manage password resets and MFA re-enrollment, as these accounts are frequent social engineering targets

Tier 3: Broader rollout

  • All remaining users, prioritized by department risk profile

A compromised global admin account gives an attacker broad tenant access. A compromised finance account puts payment workflows directly at risk. Those two categories drive the majority of BEC impact and should be the first to move off standard MFA. 

 

How to Set Up FIDO2 Authentication in Microsoft Entra ID

 

FIDO2 is not enabled by default. It requires configuration in the Microsoft Entra admin center before users can register credentials.

  1. Sign in to the Microsoft Entra admin center and navigate to Protection > Authentication methods > Policies
  2. Select FIDO2 security key from the authentication methods list
  3. Set the method to Enabled. Under Target, assign specific groups or enable it tenant-wide
  4. Configure key restriction settings to limit enrollment to approved FIDO2 device models if your environment requires it
  5. Save the policy

For passkey deployment through Microsoft Authenticator, navigate to Protection > Authentication methods > Microsoft Authenticator and enable the passkey (FIDO2) option. Assign it to the target group and configure the passkey profile settings to define permitted device platforms. 

Once the policy is active, users in the assigned groups can register credentials through the My Security Info portal at mysignins.microsoft.com.

 

Configuring Conditional Access Policies for Phishing-Resistant MFA

 

Enabling FIDO2 makes it available. Enforcing it through Conditional Access makes it required.

Start with a policy targeting admin role groups. Set the grant control to require authentication strength and select phishing-resistant MFA as the required level. Microsoft Entra ID's authentication strength feature, generally available since 2023, allows policies to specify exactly which methods satisfy the requirement rather than accepting any form of MFA. 

For the broader user population, a tiered approach works well. Require phishing-resistant MFA for privileged roles and high-risk groups first. Set standard MFA with number matching as the baseline for everyone else. Expand the phishing-resistant requirement to additional groups as passkey enrollment grows.

Before switching any policy to enforcement, run it in report-only mode first. Review sign-in logs to identify accounts that would be blocked, complete enrollment for those accounts, then enable enforcement. Admins who are not yet enrolled in a qualifying method will be locked out if the policy goes live before they are set up. 
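The enforcement procedure above (scope a policy to admin roles, require the phishing-resistant authentication strength, run it in report-only mode, review sign-in logs for accounts that would be blocked) as an added example, not code from the article or from Microsoft. It builds the Graph request body for POST /identity/conditionalAccess/policies and then evaluates a page of sign-in records of the shape returned by GET /auditLogs/signIns. The two GUIDs are Microsoft's documented built-in values for the Phishing-resistant MFA authentication strength and the Global Administrator role template; confirm them in your tenant before use. The sign-in records and the contoso.example users are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Built-in Entra ID authentication strength "Phishing-resistant MFA".
const PhishingResistantStrengthID = "00000000-0000-0000-0000-000000000004"

// Directory role template ID for Global Administrator. Look up the other
// privileged roles you scope in via GET /directoryRoleTemplates.
const GlobalAdministratorRoleID = "62e90394-69f5-4237-9190-012177145e10"

// Policy holds the fields of a Graph conditionalAccessPolicy this example
// needs; the real resource has many more optional fields.
type Policy struct {
	DisplayName string `json:"displayName"`
	State       string `json:"state"`
	Conditions  struct {
		Users struct {
			IncludeRoles []string `json:"includeRoles"`
		} `json:"users"`
		Applications struct {
			IncludeApplications []string `json:"includeApplications"`
		} `json:"applications"`
	} `json:"conditions"`
	GrantControls struct {
		Operator               string `json:"operator"`
		AuthenticationStrength struct {
			ID string `json:"id"`
		} `json:"authenticationStrength"`
	} `json:"grantControls"`
}

// BuildPolicy returns the request body for POST /identity/conditionalAccess/policies.
// Create it report-only first; pass reportOnly=false only after AccountsToEnroll
// comes back empty for the users in scope.
func BuildPolicy(name string, roleIDs []string, reportOnly bool) Policy {
	var p Policy
	p.DisplayName = name
	p.State = "enabled"
	if reportOnly {
		p.State = "enabledForReportingButNotEnforced"
	}
	p.Conditions.Users.IncludeRoles = roleIDs
	p.Conditions.Applications.IncludeApplications = []string{"All"}
	p.GrantControls.Operator = "OR"
	p.GrantControls.AuthenticationStrength.ID = PhishingResistantStrengthID
	return p
}

// signIn holds the subset of a Graph signIn record the review needs.
type signIn struct {
	UserPrincipalName string `json:"userPrincipalName"`
	Applied           []struct {
		DisplayName string `json:"displayName"`
		Result      string `json:"result"`
	} `json:"appliedConditionalAccessPolicies"`
}

// AccountsToEnroll scans a page of sign-in records and returns, sorted and
// deduplicated, every user for whom the named report-only policy recorded
// reportOnlyFailure: the accounts that would be locked out once it is enforced.
func AccountsToEnroll(raw []byte, policyName string) ([]string, error) {
	var page struct {
		Value []signIn `json:"value"`
	}
	if err := json.Unmarshal(raw, &page); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	for _, s := range page.Value {
		for _, p := range s.Applied {
			if p.DisplayName == policyName && p.Result == "reportOnlyFailure" {
				seen[s.UserPrincipalName] = true
			}
		}
	}
	users := make([]string, 0, len(seen))
	for u := range seen {
		users = append(users, u)
	}
	sort.Strings(users)
	return users, nil
}

const policyName = "Require phishing-resistant MFA for admins"

// SampleSignIns is a constructed sign-in log page, not data from a real tenant.
const SampleSignIns = `{"value":[
 {"userPrincipalName":"admin1@contoso.example","appliedConditionalAccessPolicies":[
   {"displayName":"Require phishing-resistant MFA for admins","result":"reportOnlySuccess"}]},
 {"userPrincipalName":"admin2@contoso.example","appliedConditionalAccessPolicies":[
   {"displayName":"Require phishing-resistant MFA for admins","result":"reportOnlyFailure"}]},
 {"userPrincipalName":"admin2@contoso.example","appliedConditionalAccessPolicies":[
   {"displayName":"Require phishing-resistant MFA for admins","result":"reportOnlyFailure"}]},
 {"userPrincipalName":"finance1@contoso.example","appliedConditionalAccessPolicies":[
   {"displayName":"Require phishing-resistant MFA for admins","result":"reportOnlyNotApplied"},
   {"displayName":"Baseline MFA for all users","result":"success"}]}
]}`

func main() {
	body, _ := json.MarshalIndent(BuildPolicy(policyName, []string{GlobalAdministratorRoleID}, true), "", "  ")
	fmt.Println(string(body))
	users, err := AccountsToEnroll([]byte(SampleSignIns), policyName)
	fmt.Println("enroll before enforcing:", users, err)
}
```

With the sample data only admin2 needs attention: admin1 already satisfies the strength, and finance1 is outside the policy's role scope. In a real tenant, page through the sign-in results for the whole report-only period (the Graph response carries an @odata.nextLink) before flipping the state, since an admin who has not signed in during the window will not appear in either list.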

 

Which Microsoft 365 License Do You Need for FIDO2 and Phishing-Resistant MFA?

 

Licensing requirements depend on how far you need to take enforcement.

FIDO2 registration and use are available with Microsoft Entra ID Free, which is included in every Microsoft 365 subscription. No additional licensing is required to enable and use FIDO2 credentials.

Authentication strength policies in Conditional Access require Microsoft Entra ID P1, included in Business Premium, E3, and E5. Without it, you cannot enforce phishing-resistant MFA specifically through policy.

Risk-based policies in Entra ID Protection that automatically require phishing-resistant MFA when suspicious activity is detected require Microsoft Entra ID P2, included in E5, Defender Suite, or available as an add-on. 

For most organizations, Business Premium covers everything needed to enable FIDO2, enforce it through Conditional Access, and deploy Windows Hello for Business through Intune. 

Building Toward a Phishing-Resistant Microsoft 365 Tenant

 

Standard MFA stops the majority of credential-based attacks and remains a non-negotiable baseline for every user. But it is not the finish line for accounts that carry real risk. 

FIDO2 passkeys and Windows Hello for Business are available now. The Conditional Access enforcement is well-documented. The operational considerations around recovery and help desk process are manageable with planning. The Sourcepass MCOE works with organizations to assess their current authentication posture, identify which accounts need phishing-resistant MFA first, and build a rollout plan that fits their environment.

Interested in discussing your specific environment or learning more about our Security Assessment? We have experts available to help. 
