Microsoft Solutions Partner|Modern Work · Azure · Security · Business Apps
hello@rhcsolutions.com·+1 (212) 555-0142
Security

MFA and Phishing-Resistant Authentication

How to plan an MFA rollout and move to phishing-resistant authentication with passkeys and FIDO2 in Microsoft Entra ID.

·8 min
Microsoft Defender
72%
Secure Score
Recent alerts
Suspicious sign-in blocked
MFA pending · 2 users
Endpoints protected

MFA alone is no longer enough

Multifactor authentication remains the single most effective defense against account compromise, but not all MFA is equal. Methods based on SMS and one-time codes can be intercepted or bypassed by phishing and approval-fatigue attacks, where the user is bombarded with prompts until they approve by mistake.

The goal of a mature strategy is to reach phishing-resistant authentication, where the credential is bound to the device and the legitimate domain, making theft by trickery technically infeasible.

The strength spectrum of methods

Not all factors offer the same protection. It helps to know the hierarchy:

Method Phishing resistance Recommended use
SMS / voice Low Temporary fallback only
TOTP code Medium Better than SMS, still vulnerable
Push with number matching Medium-high Broad corporate use
Passkeys and FIDO2 High Target standard, especially admins
Windows Hello for Business High Managed devices
Certificate / smart card High Regulated environments

Planning the rollout

Deploying MFA across the organization requires planning to avoid friction and support tickets. A pragmatic roadmap:

  1. Start with administrators. Privileged accounts are the most valuable target and should use phishing-resistant methods from the outset.
  2. Enable number matching. Turn on number matching in the authenticator app to neutralize fatigue attacks.
  3. Register methods ahead of time. Use registration campaigns so users enroll their factors before mandatory enforcement.
  4. Enforce via Conditional Access. Instead of legacy per-user settings, require MFA through Conditional Access policy.
  5. Offer controlled fallback. Keep a secure recovery method, avoiding sole reliance on SMS.
  6. Communicate clearly. Explain the why, the when and the how to users, with supporting material.

Passkeys and FIDO2 in practice

Passkeys represent the state of the art in authentication. They use public-key cryptography: the private key never leaves the device and authentication is bound to the service's real domain, which prevents a fake site from capturing the credential.

Key benefits:

  • No password to steal or reuse. The private key stays protected on the device or security key.
  • Domain binding. A phishing site simply cannot request the correct credential.
  • Fast experience. Unlock with biometrics or PIN, no codes to type.

Entra ID supports passkeys on FIDO2 security keys and, increasingly, device-bound passkeys. The recommendation is to start by requiring FIDO2 or Windows Hello for Business for administrators and expand progressively.

Reducing password dependence

The long-term path is the passwordless journey. It shrinks the attack surface by removing the secret that can be phished, guessed or leaked. Typical steps include enabling Windows Hello for Business, distributing FIDO2 keys, promoting the authenticator app as the primary method and, finally, removing passwords from the sign-in flow where possible.

Mistakes to avoid

  • Relying solely on SMS, which is the weakest method.
  • Enabling MFA without a prior registration campaign, causing a flood of tickets.
  • Forgetting to protect account recovery flows, which become the weak link.
  • Not requiring stronger methods for the very accounts that are privileged.

Key takeaways

  • MFA is essential, but weak methods like SMS should be fallback only.
  • Enable number matching to block approval-fatigue attacks.
  • Prioritize passkeys, FIDO2 and Windows Hello for Business for administrators.
  • Enforce MFA through Conditional Access, not legacy per-user settings.
  • Move toward passwordless authentication to shrink the attack surface.

RHC, a Microsoft CSP provider, supports the planning and execution of MFA rollouts and passwordless journeys with minimal operational impact.

#MFA#Phishing-resistant#Passkeys#FIDO2#Entra ID

Frequently asked questions

It can, but only as a temporary fallback. SMS is vulnerable to SIM swapping and interception, so the recommendation is to move to an authenticator app with number matching or, ideally, phishing-resistant methods like FIDO2 and passkeys.

Ready to do more with Microsoft?

Talk to an expert and discover how to optimize licensing, security and productivity.