MFA and Phishing-Resistant Authentication
How to plan an MFA rollout and move to phishing-resistant authentication with passkeys and FIDO2 in Microsoft Entra ID.
MFA alone is no longer enough
Multifactor authentication remains the single most effective defense against account compromise, but not all MFA is equal. Methods based on SMS and one-time codes can be intercepted or bypassed by phishing and approval-fatigue attacks, where the user is bombarded with prompts until they approve by mistake.
The goal of a mature strategy is to reach phishing-resistant authentication, where the credential is bound to the device and the legitimate domain, making theft by trickery technically infeasible.
The strength spectrum of methods
Not all factors offer the same protection. It helps to know the hierarchy:
| Method | Phishing resistance | Recommended use |
|---|---|---|
| SMS / voice | Low | Temporary fallback only |
| TOTP code | Medium | Better than SMS, still vulnerable |
| Push with number matching | Medium-high | Broad corporate use |
| Passkeys and FIDO2 | High | Target standard, especially admins |
| Windows Hello for Business | High | Managed devices |
| Certificate / smart card | High | Regulated environments |
Planning the rollout
Deploying MFA across the organization requires planning to avoid friction and support tickets. A pragmatic roadmap:
- Start with administrators. Privileged accounts are the most valuable target and should use phishing-resistant methods from the outset.
- Enable number matching. Turn on number matching in the authenticator app to neutralize fatigue attacks.
- Register methods ahead of time. Use registration campaigns so users enroll their factors before mandatory enforcement.
- Enforce via Conditional Access. Instead of legacy per-user settings, require MFA through Conditional Access policy.
- Offer controlled fallback. Keep a secure recovery method, avoiding sole reliance on SMS.
- Communicate clearly. Explain the why, the when and the how to users, with supporting material.
Passkeys and FIDO2 in practice
Passkeys represent the state of the art in authentication. They use public-key cryptography: the private key never leaves the device and authentication is bound to the service's real domain, which prevents a fake site from capturing the credential.
Key benefits:
- No password to steal or reuse. The private key stays protected on the device or security key.
- Domain binding. A phishing site simply cannot request the correct credential.
- Fast experience. Unlock with biometrics or PIN, no codes to type.
Entra ID supports passkeys on FIDO2 security keys and, increasingly, device-bound passkeys. The recommendation is to start by requiring FIDO2 or Windows Hello for Business for administrators and expand progressively.
Reducing password dependence
The long-term path is the passwordless journey. It shrinks the attack surface by removing the secret that can be phished, guessed or leaked. Typical steps include enabling Windows Hello for Business, distributing FIDO2 keys, promoting the authenticator app as the primary method and, finally, removing passwords from the sign-in flow where possible.
Mistakes to avoid
- Relying solely on SMS, which is the weakest method.
- Enabling MFA without a prior registration campaign, causing a flood of tickets.
- Forgetting to protect account recovery flows, which become the weak link.
- Not requiring stronger methods for the very accounts that are privileged.
Key takeaways
- MFA is essential, but weak methods like SMS should be fallback only.
- Enable number matching to block approval-fatigue attacks.
- Prioritize passkeys, FIDO2 and Windows Hello for Business for administrators.
- Enforce MFA through Conditional Access, not legacy per-user settings.
- Move toward passwordless authentication to shrink the attack surface.
RHC, a Microsoft CSP provider, supports the planning and execution of MFA rollouts and passwordless journeys with minimal operational impact.
Frequently asked questions
Read next
Ready to do more with Microsoft?
Talk to an expert and discover how to optimize licensing, security and productivity.