Phishing-Resistant MFA: FIDO2 and Passkey Deployment at Scale

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Adversary-in-the-middle frameworks like evilginx3, Tycoon 2FA, and Mamba 2FA have industrialized session token theft. Any MFA factor that produces a one-time code or a push approval can be relayed through a reverse proxy and the resulting session cookie replayed against the legitimate tenant. Microsoft Threat Intelligence and Mandiant have both reported that the majority of business email compromise incidents in the past 18 months started with an AiTM kit, not a password reuse attack.
FIDO2 (WebAuthn) and the passkey extension built on it remain the only widely deployed authentication factors that cryptographically bind the assertion to the origin (Relying Party ID). The browser refuses to release the assertion to a lookalike domain, which collapses the AiTM business model. The remaining work is operational: picking hardware, rolling out without breaking line-of-business apps, and closing the legacy-auth side doors that attackers will pivot to once interactive sign-in is hardened.
This guide assumes you have Entra ID P1 or P2, or Okta Identity Engine, and that you can enforce policy at the identity provider rather than per-application. If you cannot, fix that first; everything below depends on it.
Why TOTP and Push Are No Longer Acceptable Factors
TOTP shared secrets are phishable by definition: anything the user can type into a real site can be typed into a fake one. Push-based MFA adds a usability problem (push fatigue, documented in the Uber 2022 breach) and still loses to AiTM because the push approval grants a session cookie that the proxy harvests. Number matching, introduced in Microsoft Authenticator in 2023, mitigates fatigue but does nothing against evilginx; the user types the number into the real Microsoft Authenticator app while the attacker's proxy holds the corresponding session. Voice call and SMS are out of scope; SS7 interception and SIM swap have been weaponized since at least 2017. The only categories that resist AiTM are platform authenticators bound to a device (Windows Hello for Business, Apple platform passkeys, ChromeOS device-bound), roaming FIDO2 authenticators (YubiKey, Feitian, Token2), and certificate-based authentication tied to a TPM. Treat anything else as a stepping stone. Set a hard deadline (12 to 18 months) after which all interactive sign-in must use one of these factors and write the deadline into your identity policy now so procurement and HR can plan around it.
Hardware Selection: YubiKey 5 vs FIDO2-Only vs Platform Authenticators
YubiKey 5 series (5C NFC, 5Ci, 5 Nano) supports FIDO2, PIV smartcard, OATH-TOTP, OpenPGP, and static password. The multi-protocol support is useful if you also need smartcard logon for legacy Windows or PIV for federal contracts, but it costs roughly $50 to $75 per token. FIDO2-only keys from Token2 (i3-PIN-Plus, around $20) or Feitian (BioPass, around $40) are sufficient for pure WebAuthn use cases and let you afford two tokens per user (primary plus backup), which is the only sane operational model. For users with managed devices, platform passkeys are essentially free: Windows Hello for Business backed by TPM 2.0, Apple platform passkeys synced through iCloud Keychain (or device-bound via managed Apple ID with Advanced Data Protection considerations), and Android device-bound passkeys via Google Password Manager. Mix the inventory: hardware keys for admins, contractors without managed endpoints, and break-glass; platform passkeys for the general workforce. Order keys with the firmware version that supports FIDO2 CTAP 2.1 minimum, which is required for enterprise attestation in Entra ID.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Passkey Configuration in Entra ID and Okta
In Entra ID, navigate to Protection > Authentication methods > Policies and enable Passkey (FIDO2). Set Enforce attestation to Yes if you want to restrict to a known AAGUID list (collect the AAGUIDs of your purchased keys; Yubico publishes theirs at yubico.com/support/aaguids). Set Enforce key restrictions to Yes and paste the allowed AAGUIDs. Disable Self-service registration for non-pilot users initially and use Temporary Access Pass (TAP) to bootstrap registration; TAP is a time-limited single-use code that you generate via the admin portal or the Microsoft Graph API endpoint /users/{id}/authentication/temporaryAccessPassMethods. In Okta, go to Security > Authenticators and add WebAuthn; under FastPass, enable device-bound enrollment and require Touch ID or Windows Hello at the device level. Create an Authentication Policy that requires Possession factor: Hardware protected and User presence for all admin app assignments. For both IdPs, disable security questions and SMS as recovery factors; replace recovery with a helpdesk-issued TAP or Okta Verify push to a previously enrolled device with a 24 hour validity.
Breaking Legacy Authentication Without Breaking the Business
Legacy auth protocols (SMTP AUTH, IMAP, POP3, MAPI over HTTP with basic auth, ActiveSync with basic auth, legacy SharePoint, legacy Skype for Business) do not support modern auth and therefore cannot enforce MFA at all. In Entra ID, run the sign-in log query: SigninLogs | where ClientAppUsed in ('Other clients','IMAP4','POP3','SMTP','Exchange ActiveSync','Authenticated SMTP') | summarize count() by UserPrincipalName, ClientAppUsed, AppDisplayName for the last 30 days. Expect surprises: scan-to-email multifunction printers, Salesforce data loader connectors, custom Python scripts, line-of-business apps with embedded credentials. Build a remediation backlog by service owner with a 90 day deadline. For each, the fix is one of: migrate to OAuth2 with a service principal and certificate auth, move to Microsoft Graph with application permissions, or retire. Once the backlog is below 5% of identified accounts, set the Conditional Access policy: Users = All, Cloud apps = All, Client apps = Other clients, Grant = Block. Stage the rollout by department and use report-only mode for two weeks before enforcement. Disable SMTP AUTH at the mailbox level with Set-CASMailbox -SmtpClientAuthenticationDisabled $true.
Rollout Sequencing and Exception Workflow
Sequence the deployment in five waves. Wave 1: Global Admins, Privileged Role Administrators, and break-glass accounts. Issue two hardware keys per admin (stored in separate physical locations), enforce FIDO2 in Conditional Access for the AzureAD/Microsoft Admin Portals app group, and document recovery for the break-glass accounts (two keys in two safes, monitored for sign-in events). Wave 2: Tier 0 service operators (AD admins, identity engineers, security operations). Wave 3: developers and engineers with production access. Wave 4: finance, legal, and executives (high-value BEC targets). Wave 5: general workforce. For each wave, run a two-week enrollment window with TAP-based self-service, then flip the Conditional Access policy from report-only to enforce. Build an exception process for users who legitimately cannot use FIDO2: shared workstations in manufacturing, kiosks, accessibility constraints. Document the compensating control (typically certificate-based auth via TPM with strict device compliance) and review exceptions quarterly. Keep the exception list under 2% of the workforce; if it grows beyond that, the problem is process, not technology.
Monitoring for MFA Bypass and Enrollment Abuse
Attackers who cannot phish through FIDO2 will try to enroll their own authenticator on a compromised account, or downgrade the user to a weaker factor. In Entra ID sign-in logs, hunt for AuthenticationDetails containing authenticationMethod = 'Password' followed within minutes by a successful authenticationMethod = 'Mobile app notification' from a previously unseen device. Build a Sentinel analytics rule on AuditLogs for OperationName in ('Update user', 'User registered security info', 'Admin reset user password') where the actor is the user themselves and the IP is foreign or anonymizer. Alert on any Conditional Access policy modification (OperationName = 'Update conditional access policy') outside of change windows. Monitor the StrongAuthenticationMethods attribute via Microsoft Graph for users where the method count drops; legitimate users add factors, attackers remove them. In Okta, watch System Log events user.authenticator.update and user.mfa.factor.deactivate with a query in the Okta Workflows or a Splunk Okta TA. Pipe all of this into your SIEM with a 12 month retention floor; BEC investigations routinely look back 6 to 9 months for initial access.
The bottom line
Phishing-resistant MFA is no longer a project; it is the new baseline. Pick your hardware, enable WebAuthn in your IdP, attestation-pin the AAGUIDs, and burn down legacy auth on a hard 90 day clock. Do not let perfect rollout sequencing delay the privileged-account wave: admins are the highest-value targets and the smallest population, so they should be on hardware keys within 30 days of starting this project.
Measure success by the percentage of interactive sign-ins that used a phishing-resistant factor (Entra ID exposes this via the Authentication methods activity report) and by the count of legacy auth events trending to zero. When both metrics hit target, you have removed the single most common initial access vector from your environment.
Frequently asked questions
Are synced passkeys (iCloud Keychain, Google Password Manager) acceptable for enterprise use?
For the general workforce, yes, provided you accept the trust model: the passkey is synced through a consumer cloud and is recoverable via the user's Apple ID or Google account. For Tier 0 admins and break-glass accounts, no. Use device-bound hardware keys with enterprise attestation so the credential cannot leave the physical token. Microsoft and Okta both support distinguishing synced vs device-bound passkeys in Conditional Access via the authentication strength feature.
How do we handle users who lose both hardware keys?
Build a helpdesk recovery workflow that requires video verification (live call, photo ID, manager attestation) before issuing a Temporary Access Pass. The TAP should be one-time-use, valid for 1 hour, and require the user to register a new FIDO2 credential immediately. Never use security questions or SMS for recovery. Track recovery events as a security metric; if any single user triggers recovery more than twice a year, audit their workflow because something is wrong (shared accounts, lost keys to social engineering, or a hostile actor probing helpdesk).
What about applications that do not support modern auth?
Three options in priority order. First, replace the application; in 2026 the inventory of apps that genuinely cannot federate is small. Second, front the application with an identity-aware proxy (Entra ID Application Proxy, Cloudflare Access, Zscaler Private Access) that enforces FIDO2 at the proxy and then passes a header or Kerberos ticket to the backend. Third, isolate the application to a privileged access workstation and require strict device compliance plus certificate auth as the compensating control. Document the residual risk and review it every six months.
Do we still need a password if every sign-in uses a passkey?
Operationally no, and Entra ID supports fully passwordless accounts via the Authentication methods policy. In practice most organizations keep a password as a recovery factor for one to two years post-rollout while edge cases are flushed out. If you keep the password, enforce a 64 character minimum, disable rotation, and block sign-in with password as the sole factor via Conditional Access (require an additional FIDO2 factor or block entirely). Long passwords plus FIDO2 is a credible interim state; short rotating passwords plus FIDO2 is worse than just FIDO2.
How does FIDO2 interact with VPN and legacy on-prem apps?
Modern VPN clients (Cisco AnyConnect with SAML, Palo Alto GlobalProtect with SAML, FortiClient with FortiAuthenticator OIDC) all support federating to Entra ID or Okta, which lets the IdP enforce FIDO2. For legacy on-prem apps using Kerberos or LDAP, federate them via Entra ID Application Proxy or Active Directory Federation Services with WebAuthn-as-MFA, or front them with a ZTNA gateway. For raw RDP, enable Windows Hello for Business with cloud Kerberos trust, which gives you a TPM-backed credential that satisfies the FIDO2 trust model without requiring users to touch a hardware key for every RDP hop.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
