5 min read

Why FIDO2 and Passkeys are the New MFA Standard for Microsoft 365

Attackers no longer need a password to take over a Microsoft 365 account. They just need a session token, and they are getting it after users complete a successful MFA prompt.

This is the reality of adversary-in-the-middle attacks, where a reverse proxy sits between the user and the real Microsoft login page, captures the session token after MFA, and replays it to access mail, files, and other resources. Traditional MFA does not stop it.

Microsoft Authenticator with number matching closed the door on social engineering and MFA fatigue, but token theft walks right past it. FIDO2 and passkeys are what finally shut it down. Both are phishing-resistant authentication methods available across Microsoft 365 today through physical security keys, Microsoft Authenticator, and Windows Hello for Business.

How FIDO2 and Passkeys Stop Modern Microsoft 365 Identity Attacks

In this episode of the Demystifying Microsoft podcast, host Nathan Taylor sits down with Dom Kirby, CISSP, SSCP, to walk through how FIDO2 and passkeys fit into a modern Microsoft 365 security strategy. The discussion covers the evolution from passwords to passkeys, how adversary-in-the-middle attacks work in the wild, how Windows Hello for Business uses FIDO2, and what a real world deployment looks like.

What is FIDO2 and Why Was it Created?

FIDO2 is an open authentication standard developed by the FIDO Alliance. The Alliance's largest sponsors include Microsoft, Google, and Apple, which is rare alignment among the three. 

It was built to replace shared secrets like passwords with hardware-backed cryptography. Instead of handing a secret to the service, the user's device proves that it holds a private key, and that key never leaves the device. This is called proof of possession.

Proof of possession pairs with mutual authentication, meaning the device and the service verify each other before any credential exchange happens. The result is an authentication method that resists phishing, replay, and proxy-based interception.

What is the Difference Between FIDO2 and a Passkey?

FIDO2 is the standard. A passkey is a FIDO2 credential. The underlying protocol is WebAuthn, and the credential behaves the same whether it lives on a YubiKey, in Microsoft Authenticator, in iCloud Keychain, or in a password manager.

Passkeys come in two forms. Device-bound passkeys never leave the device that created them. Syncable passkeys sync across a user's devices through an encrypted vault.

Microsoft currently treats device-bound passkeys in Microsoft Authenticator as the default model for work and school accounts. Syncable passkey support is arriving through preview features. 

How do Adversary-in-the-Middle Attacks Steal Microsoft 365 Tokens?

AITM attacks use a reverse proxy that sits between the user and the real Microsoft login page. The proxy serves an exact copy of the sign-in experience, including the user's organizational branding.

The user enters credentials and completes MFA. Microsoft issues a valid session token. That token is captured by the proxy and replayed by the attacker to access mail, files, and other resources as the user. MFA shows as satisfied in the logs. 

Open source toolkits and prebuilt phishing kits have made these attacks inexpensive and widely available. Microsoft has reported a steady year-over-year increase in AITM activity across its telemetry.

How does FIDO2 Prevent Token Theft and AITM Attacks?

FIDO2 defeats AITM at the protocol level. The credential is bound to the legitimate Microsoft domain, so a passkey registered for login.microsoftonline.com will not produce a response to an authentication request that originates from a proxy domain. That holds even when the proxy forwards traffic to Microsoft in real time: the authentication never completes against the attacker's infrastructure, so there is no token to capture.

Pairing FIDO2 with conditional access policies that require compliant or hybrid joined devices adds a second layer. The token itself becomes useless without the validated device context.
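The relying-party side of that binding, as an added example that is not from the podcast or from Microsoft's code: the checks a WebAuthn server runs on an assertion before it issues any session token, exercised with constructed sample data for a legitimate sign-in, a sign-in served from a proxy origin (placeholder domain), and a replayed response. The signature check against the stored public key is omitted; the remaining checks are standard WebAuthn verification steps.

```python
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "login.microsoftonline.com"           # relying-party ID of the Entra ID sign-in page
ALLOWED_ORIGINS = {"https://login.microsoftonline.com"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_assertion(client_data_b64: str, auth_data: bytes, expected_challenge: bytes) -> tuple:
    """Relying-party checks on a WebAuthn assertion; any failure means no session token is issued.
    The signature check over authenticatorData || SHA-256(clientDataJSON) is omitted (needs the stored key)."""
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge is single-use and per-session, so a captured response cannot be replayed later.
    if not hmac.compare_digest(b64url_decode(client.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch (replayed or cross-session response)"
    # The browser records the origin it actually loaded; a proxy origin can never match.
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client.get('origin')!r} is not the relying party's origin"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    # authenticatorData starts with SHA-256(rpId): the credential is scoped to this relying party.
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:                # UP flag: the authenticator verified user presence
        return False, "user presence flag not set"
    return True, "ok"

def make_assertion(origin: str, rp_id: str, challenge: bytes) -> tuple:
    """Constructed sample of what a browser at `origin` hands back (unsigned, for illustration)."""
    b64 = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    client = {"type": "webauthn.get", "challenge": b64(challenge), "origin": origin}
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + (0).to_bytes(4, "big")
    return b64(json.dumps(client).encode()), auth_data

def demo() -> dict:
    legit = "https://login.microsoftonline.com"
    challenge = secrets.token_bytes(32)
    # A proxy serves the page from its own origin (constructed placeholder), so the browser scopes
    # the request to that origin and the authenticator hashes that rpId, not Microsoft's.
    return {
        "legit": verify_assertion(*make_assertion(legit, RP_ID, challenge), challenge),
        "proxy": verify_assertion(*make_assertion("https://proxy.example", "proxy.example", challenge), challenge),
        "replay": verify_assertion(*make_assertion(legit, RP_ID, challenge), secrets.token_bytes(32)),
    }
```

Only the legitimate case reaches "ok"; the proxy case stops at the origin check and the replay at the challenge check, which is why there is never a token for a proxy to capture.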

What is Windows Hello for Business and How Does It Use FIDO2?

Windows Hello for Business turns a Windows endpoint into a FIDO2 authenticator using the device's TPM chip. When a user signs in with a PIN or biometric, the TPM unlocks a private key that authenticates to Entra ID using the same cryptographic model as a hardware security key. 

The PIN is not a password. It stays local to the device, never syncs to the cloud, and only works in combination with the physical hardware. That combination is what makes the sign-in a true two factor authentication event under NIST guidance.

For organizations already running Entra ID joined devices and Intune managed endpoints, Windows Hello for Business is one of the lowest effort wins in the FIDO2 category. It is generally enabled by default in modern tenants.

How Should IT Teams Roll Out FIDO2 and Passkeys in Microsoft 365?

FIDO2 enforcement works best as a phased deployment because user risk, access level, and device posture vary widely across an organization. A staged rollout grouped by user tranches keeps enforcement realistic without disrupting day-to-day operations. 

Which Users Should Get Physical Security Keys?

Privileged accounts are the strongest candidates for physical security keys such as YubiKeys. That includes global admins, security admins, and any account with broad tenant access. The cost is modest compared to the value of a compromised admin account. Physical keys can be stored in a safe rather than carried, which fits well for break-glass scenarios.

Public facing leaders, executives with board level access, and finance personas also warrant physical keys. They are the highest value impersonation targets. 

When do Device Bound Passkeys in Microsoft Authenticator Make Sense?

For the broader workforce, device-bound passkeys in Microsoft Authenticator deliver FIDO2 protection without the logistics of issuing and replacing hardware. The credential stays on the phone, uses the device biometrics or PIN, and communicates with Entra ID over a secure channel. 

What About Frontline and Lower Risk Users?

Tiered conditional access can keep frontline or lower risk users on Microsoft Authenticator push with number matching while FIDO2 rolls out elsewhere. Network location policies, such as requiring sign-in from a trusted office IP, can add a compensating control during the transition. 

How do you Enforce FIDO2 in Microsoft 365?

Enforcement happens through Entra ID authentication methods policies and conditional access. The authentication methods blade needs to be migrated to the modern experience, and FIDO2 needs to be enabled there. A conditional access policy can then require phishing-resistant authentication for the target groups. A break-glass account with documented recovery procedures should always sit outside the policy.
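A way to check that an exported conditional access policy actually matches the guidance above, as an added example rather than the podcast's or Microsoft's own tooling: it audits a Graph conditionalAccessPolicy object (the JSON shape returned by GET /identity/conditionalAccess/policies) for the built-in Phishing-resistant MFA authentication strength, an enforced state, a device requirement that is combined with AND rather than OR, and an excluded break-glass account, then returns the corrected policy. The sample policy and every object ID in it are constructed placeholders.

```python
import copy

# Built-in Entra ID authentication strength "Phishing-resistant MFA" (FIDO2 security key,
# passkey in Microsoft Authenticator, Windows Hello for Business, certificate-based auth).
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"

# Constructed sample policy, trimmed to the fields the audit reads. Every ID is a placeholder.
BREAK_GLASS_IDS = {"11111111-1111-1111-1111-111111111111"}
SAMPLE_POLICY = {
    "displayName": "CA-Admins-Require-Phishing-Resistant-MFA",
    "state": "enabledForReportingButNotEnforced",   # report-only mode enforces nothing
    "conditions": {
        "users": {"includeGroups": ["22222222-2222-2222-2222-222222222222"],
                  "excludeUsers": [], "excludeGroups": []},
        "applications": {"includeApplications": ["All"]},
    },
    "grantControls": {
        "operator": "OR",                             # OR: a compliant device alone satisfies it
        "builtInControls": ["compliantDevice"],
        "authenticationStrength": {"id": PHISHING_RESISTANT_MFA},
    },
}

def audit_policy(policy: dict, break_glass_ids: set) -> list:
    """Return findings that would let a sign-in satisfy the policy without a FIDO2 credential."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}; the policy enforces nothing")
    grant = policy.get("grantControls") or {}
    if (grant.get("authenticationStrength") or {}).get("id") != PHISHING_RESISTANT_MFA:
        findings.append("grant control is not the built-in Phishing-resistant MFA strength")
    elif grant.get("operator") == "OR" and grant.get("builtInControls"):
        findings.append("operator OR with other controls: a user can satisfy the policy without FIDO2")
    users = (policy.get("conditions") or {}).get("users") or {}
    excluded = set(users.get("excludeUsers") or [])
    if not break_glass_ids <= excluded:
        findings.append(f"break-glass accounts not excluded: {sorted(break_glass_ids - excluded)}")
    return findings

def harden(policy: dict, break_glass_ids: set) -> dict:
    """Return a corrected copy: enforced, FIDO2 AND compliant device, break-glass excluded."""
    fixed = copy.deepcopy(policy)
    fixed["state"] = "enabled"
    fixed["grantControls"]["operator"] = "AND"
    users = fixed["conditions"]["users"]
    users["excludeUsers"] = sorted(set(users.get("excludeUsers") or []) | break_glass_ids)
    return fixed
```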

What are the Microsoft Licensing Requirements for FIDO2 and Passkeys?

FIDO2 and passkeys are available to every Microsoft 365 tenant, including tenants on free Entra ID. No premium SKU is required to turn them on.

Conditional access is the mechanism for enforcing phishing resistant authentication across user groups and applications. It requires Entra ID P1, which is already included in Microsoft 365 Business Premium, Microsoft 365 E3, and Microsoft 365 E5. That covers most environments serious about Microsoft Cloud security posture.

Hybrid Microsoft solutions and hybrid IT environments that mix on-premises and cloud identity can still use FIDO2 for cloud authentication. Windows Hello for Business handles device sign-in on the endpoint side, which keeps the security model consistent across the hybrid footprint.

Strengthen Microsoft 365 Identity with Sourcepass MCOE

Phishing resistant authentication is now the baseline for protecting Microsoft 365 identities against token theft and adversary-in-the-middle attacks. Password plus push no longer holds the line. The right FIDO2 deployment plan depends on user tranches, conditional access design, and how the environment already uses Entra ID, Intune, and Defender. 

Have questions about your Microsoft licensing or identity hardening strategy? The Sourcepass Center of Excellence for Microsoft helps IT teams design, deploy, and enforce FIDO2 and passkey policies across Microsoft 365. The guidance is tailored to the tenant's licensing, user mix, and risk profile. Reach out to talk through where FIDO2 fits in your environment.

Subscribe to the Demystifying Microsoft podcast for more conversations on Microsoft licensing, security, and the Microsoft Cloud Ecosystem. New episodes break down what is changing in Microsoft 365, Azure, and the broader Microsoft stack so IT teams can make confident decisions without the marketing noise.
