IT Security · 8 min read

Passkeys (FIDO2) in Microsoft Entra ID: phishing-resistant sign-in for SMEs

Classic MFA via SMS or app code can be intercepted. Passkeys cannot. How to roll out passwordless, phishing-resistant sign-in in Microsoft 365 the right way.

Christoph Helminger
18 February 2026
Passkeys and FIDO2 sign-in in Microsoft Entra ID for SMEs

When an attacker intercepts your password live and uses it in the same second, a classic second factor often helps only so much. This is precisely the pattern we have seen more and more frequently in phishing incidents over the past few years: the employee types their password into a convincingly fake login page, hands over the code they received via SMS or authenticator app, and the attacker is in. The second factor was present — it simply made no difference.

This is not a theoretical risk. By 2025/2026, phishing is no longer a clumsy newsletter full of typos. It is professional, scalable and increasingly AI-assisted. Reverse-proxy toolkits such as Evilginx capture the password and the session token in real time. The target is almost always identity: the Microsoft 365 account, the mailbox, in the worst case an admin account. This is exactly where passkeys come in — and in Microsoft Entra ID they can be introduced pragmatically for small and medium-sized businesses.

What passkeys (FIDO2) actually are

A passkey is a credential based on the FIDO2 standards (more precisely WebAuthn and CTAP2). Instead of transmitting a password that is stored on the server and can be intercepted in transit, a passkey uses asymmetric cryptography: a private key lives on the device and never leaves it. At sign-in the service sends a random challenge, the authenticator signs it with the private key, and Entra ID verifies the signature using the matching public key.

In everyday terms that means:

  • No password in transit — and therefore nothing to be harvested on a fake page.
  • Sign-in via biometrics or PIN directly on the device (fingerprint, face recognition, device PIN).
  • No code to type or pass on — the classic weak point of SMS and OTP methods disappears entirely.

The distinction matters: a passkey is not the same as a push notification in the authenticator app. An approved push can still be defeated through MFA fatigue or real-time phishing. Passkeys cannot — and that is exactly what makes the difference.

Why passkeys are phishing-resistant

The decisive mechanism is origin binding. A passkey is firmly tied to the relying party, that is, to the genuine domain of the service (for Microsoft 365 that is login.microsoftonline.com). The browser only lets a page request a credential for its own domain, and the domain the user is actually on is written into the data the authenticator signs, so the signature is valid for precisely this counterpart and no other. If an employee ends up on a rebuilt phishing page under a different domain, the authenticator simply refuses to cooperate, and even a response captured by a proxy would not verify at the real service. There is nothing the user could hand over by mistake.

Three properties together create phishing resistance:

  • Origin-bound: secrets go only to the correct, cryptographically verified counterpart — not to a visually identical copy.
  • No reusable secret: there is no password and no SMS code that could be stolen, phished or coaxed out via social engineering.
  • Strong composability: combined with Conditional Access, you can enforce that certain resources are reachable only with phishing-resistant authentication.
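To make origin binding concrete, here is an added example (not code from the article or from Microsoft) that models the sign-in ceremony in Go: a device-bound authenticator signs the challenge, the browser records the page's real origin in the signed data, and the relying party accepts the signature only for its own origin and relying-party ID. The model is simplified (no signature counter or user-verification flag, the rpID is taken to be the page's host rather than a registrable suffix of it), and the phishing origin `login.example-phish.test` is a constructed placeholder.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Relying-party identity of the genuine service (as named in the article).
const genuineRPID = "login.microsoftonline.com"
const genuineOrigin = "https://" + genuineRPID

// clientData mirrors the parts of WebAuthn's clientDataJSON used here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the browser hands back to the page after the ceremony.
type Assertion struct {
	ClientDataJSON []byte // origin + challenge, written by the browser, not the page
	AuthData       []byte // starts with SHA-256(rpID), written by the authenticator
	Signature      []byte // ECDSA P-256 over AuthData || SHA-256(ClientDataJSON)
}

// Authenticator models a device-bound passkey: the private key never leaves it.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: key}, nil
}

// PublicKey is the only thing the relying party stores at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.key.PublicKey }

// Assert models browser + authenticator. The browser fills in the origin the
// user is really on and derives the rpID from it (simplified), so a page on
// another domain cannot claim to be the genuine service.
func (a *Authenticator) Assert(pageOrigin, challenge string) (*Assertion, error) {
	u, err := url.Parse(pageOrigin)
	if err != nil || u.Scheme != "https" {
		return nil, errors.New("webauthn requires a secure (https) origin")
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpIDHash := sha256.Sum256([]byte(u.Hostname()))
	authData := append(rpIDHash[:], 0x01) // flags byte: user present (simplified)
	cdHash := sha256.Sum256(cd)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, AuthData: authData, Signature: sig}, nil
}

// VerifyAssertion is the relying-party side: it accepts only a signature made
// for its own origin, its own rpID and the challenge it issued for this session.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge string, as *Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != genuineOrigin {
		return fmt.Errorf("origin %q is not %q: signed on another domain", cd.Origin, genuineOrigin)
	}
	want := sha256.Sum256([]byte(genuineRPID))
	if len(as.AuthData) < 32 || !bytes.Equal(as.AuthData[:32], want[:]) {
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("invalid signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	challenge := "constructed-challenge-0001" // a real RP draws this fresh per sign-in
	for _, origin := range []string{genuineOrigin, "https://login.example-phish.test"} {
		as, err := auth.Assert(origin, challenge)
		if err == nil {
			err = VerifyAssertion(auth.PublicKey(), challenge, as)
		}
		fmt.Printf("%-36s -> %v\n", origin, err)
	}
}
```

The second loop iteration is the reverse-proxy case from the introduction: the proxy can relay the page pixel-perfectly, but the browser still writes the proxy's own origin into `clientDataJSON`, so the relayed response fails the origin check before the signature is even looked at.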

The pragmatic view: for most SMEs the biggest lever is not switching every account at once, but first making the admin accounts and the Microsoft 365 logins phishing-resistant. That alone dramatically reduces the risk of business email compromise — hijacked mailboxes, forged invoices, redirected payments.

Where passkeys deliver the most for SMEs

Not every account is equally critical, and an even rollout across all 40 staff on day one is rarely sensible. In our projects we typically prioritise by damage potential:

  1. Admin accounts first — Entra administrators, server access, firewall and backup consoles. A compromised admin account is the most expensive case imaginable.
  2. Microsoft 365 for all mailbox users — email, Teams, SharePoint. This is where the BEC risk sits.
  3. Remote access — VPN, RDP gateways, external portals. Anything reachable from outside.
  4. HR and finance — wherever invoices are approved and payments are triggered.
  5. Standard users as phase two — once processes and support are running smoothly.

This risk-based approach has a pleasant side effect: you see fast impact at the most critical points without the support desk collapsing under a wave of queries on day one.

Rollout plan: from pilot to production

To keep the migration from ending in chaos, it ideally runs in waves. A proven sequence:

  • Assess the current state: which MFA methods are active? Which devices are in use, and which of them are managed (Intune)? Which Conditional Access policies already exist?
  • Define a pilot group: the IT team plus a few key users. Clear support channels for the first phase are essential — who helps when registration stalls?
  • Configure authentication strength: in Entra ID you use authentication strengths to require phishing-resistant methods for specific resources, coupled to Conditional Access.
  • Define a fallback: at least one secured emergency account (break-glass account) must exist, documented and tested.
  • Roll out in waves by role — accompanied by short five-to-ten-minute training snippets showing how sign-in will work from now on.

Do not forget break-glass. As soon as you enforce strict policies, you absolutely need an emergency account that is excluded from those policies but secured especially well (a complex password plus a FIDO2 security key, stored in a safe, with sign-ins monitored). Forget this and you can lock yourself out of your own tenant when it matters most — that is not a theoretical scenario, it happens regularly in practice.
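The assessment step, the authentication-strength step and the break-glass rule above can be checked mechanically against an export of your Conditional Access policies. The following is an added example (not the article's or Microsoft's code) in Go: it parses a policy list in the shape returned by the Graph `conditionalAccessPolicy` resource and flags enabled policies that do not exclude the break-glass account, role-scoped policies that only ask for classic MFA, and the absence of any enabled policy requiring the phishing-resistant strength for directory roles. The field names follow the Graph resource; the GUID of the built-in "Phishing-resistant MFA" strength is the value known to the author of this example and should be confirmed in your tenant; the sample export, the break-glass object id and the use of the Global Administrator role template id are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// caPolicy is a minimal projection of the Graph conditionalAccessPolicy
// resource (GET /identity/conditionalAccess/policies); other fields are ignored.
type caPolicy struct {
	DisplayName string `json:"displayName"`
	State       string `json:"state"` // enabled | disabled | enabledForReportingButNotEnforced
	Conditions  struct {
		Users struct {
			ExcludeUsers []string `json:"excludeUsers"`
			IncludeRoles []string `json:"includeRoles"`
		} `json:"users"`
	} `json:"conditions"`
	GrantControls *struct {
		BuiltInControls        []string `json:"builtInControls"`
		AuthenticationStrength *struct {
			ID          string `json:"id"`
			DisplayName string `json:"displayName"`
		} `json:"authenticationStrength"`
	} `json:"grantControls"`
}

// Built-in "Phishing-resistant MFA" strength; GUID as known to the author of
// this example, so confirm it in your own tenant before relying on it.
const phishingResistantID = "00000000-0000-0000-0000-000000000004"

// Finding is one audit result; an empty slice means every check passed.
type Finding struct{ Policy, Problem string }

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

func (p caPolicy) requiresPhishingResistant() bool {
	if p.GrantControls == nil || p.GrantControls.AuthenticationStrength == nil {
		return false
	}
	s := p.GrantControls.AuthenticationStrength
	return s.ID == phishingResistantID || s.DisplayName == "Phishing-resistant MFA"
}

// AuditPolicies checks an exported policy list against the rollout plan:
//  1. every enabled policy must exclude the break-glass account;
//  2. an enabled role-scoped policy must require the phishing-resistant strength;
//  3. a role-scoped policy that only asks for classic "mfa" is flagged.
func AuditPolicies(raw []byte, breakGlassID string) ([]Finding, error) {
	var policies []caPolicy
	if err := json.Unmarshal(raw, &policies); err != nil {
		return nil, err
	}
	var findings []Finding
	adminCovered := false
	for _, p := range policies {
		if p.State != "enabled" { // report-only and disabled policies enforce nothing
			continue
		}
		if !contains(p.Conditions.Users.ExcludeUsers, breakGlassID) {
			findings = append(findings, Finding{p.DisplayName, "break-glass account not excluded"})
		}
		if len(p.Conditions.Users.IncludeRoles) == 0 {
			continue
		}
		if p.requiresPhishingResistant() {
			adminCovered = true
		} else if p.GrantControls != nil && contains(p.GrantControls.BuiltInControls, "mfa") {
			findings = append(findings, Finding{p.DisplayName, "admin roles get classic MFA only"})
		}
	}
	if !adminCovered {
		findings = append(findings, Finding{"(tenant)", "no enabled policy requires phishing-resistant MFA for directory roles"})
	}
	return findings, nil
}

// Constructed export: the role id is the Global Administrator role template,
// the user id is a made-up break-glass account object id.
const breakGlass = "11111111-2222-3333-4444-555555555555"
const sampleExport = `[
 {"displayName":"Require MFA for admins","state":"enabled",
  "conditions":{"users":{"includeRoles":["62e90394-69f5-4237-9190-012177145e10"],"excludeUsers":[]}},
  "grantControls":{"operator":"OR","builtInControls":["mfa"]}},
 {"displayName":"Phishing-resistant MFA for admins","state":"enabledForReportingButNotEnforced",
  "conditions":{"users":{"includeRoles":["62e90394-69f5-4237-9190-012177145e10"],"excludeUsers":["` + breakGlass + `"]}},
  "grantControls":{"operator":"AND","authenticationStrength":{"id":"` + phishingResistantID + `","displayName":"Phishing-resistant MFA"}}}
]`

func main() {
	findings, err := AuditPolicies([]byte(sampleExport), breakGlass)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-36s %s\n", f.Policy, f.Problem)
	}
}
```

On the constructed export the audit reports three findings: the legacy admin policy neither excludes the break-glass account nor requires a phishing-resistant strength, and the phishing-resistant policy is still in report-only mode, so nothing enforces it yet. Switching that policy to enabled and adding the exclusion to the first one leaves only the note that the old policy still asks for classic MFA, which is the state in which it can be retired.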

Do you need new hardware for this?

Not necessarily. Passkeys can be used in several ways, and the right one depends on roles, devices and security requirements:

  • Device-bound passkeys via the Microsoft Authenticator app on the smartphone — the lowest-barrier entry point for the bulk of the workforce.
  • Platform authenticators such as Windows Hello for Business on managed laptops.
  • Hardware security keys (FIDO2 sticks such as YubiKey or Token2) — the most robust option for admin and high-risk roles, and for break-glass accounts.

For an SME a mix is common: the authenticator app for most people, hardware keys for the few critical accounts. The cost of a handful of security keys bears no relation to the damage from a single successful BEC attack.

From practice: an SME in the region

A mid-sized business in the Traunstein/Bad Reichenhall area approached us after several phishing incidents. The picture was typical: increased risk from a lot of remote work, inconsistent MFA methods, no clear view of who signs in and how. We first standardised the MFA landscape and unified it through Conditional Access, then set up a pilot group for passkeys, enforced phishing-resistant sign-in for the admin accounts and rounded it off with a short awareness block for staff.

The result was not a glossy security concept but something more important: significantly reduced login risk at the critical points and clearly documented, traceable processes for identity and access. It is exactly this combination of IT security consulting and clean implementation that turns passkeys from buzzword into real protection.

What passkeys do not do

An honest assessment belongs here: passkeys are a very strong building block — but they are a building block, not a complete package. They protect identity. They do not replace patch management, the backup concept, endpoint protection or staff awareness. A device hanging on the network with outdated software and no malware protection remains a weak point, however secure the sign-in is.

That is why we always consider identity in the context of the wider infrastructure. Conditional Access only reaches its full effect when device health, network segmentation and backup are also in good shape — topics we factor in as part of IT consulting and digitalisation and when building a clean network infrastructure. Passkeys are then not the end but the first and most effective step towards a zero-trust approach that stays affordable and operable for an SME.

The next step

If you are not sure where your Microsoft 365 sign-in stands — which MFA methods are in use, whether admin accounts are sufficiently protected, whether there is a tested emergency access — then a compact identity and phishing-resilience check is the sensible place to start. We assess the current state, identify the most critical gaps and deliver an actionable plan for phishing-resistant authentication, tailored to your roles, devices and operational reality. Pragmatic, SME-ready, and without reports that end up in a drawer.


Tags: Passkeys, FIDO2, Microsoft Entra ID, Phishing, MFA, Microsoft 365, Conditional Access, Zero Trust, SME

Discuss your project?

We deliver what we describe here — in Bavaria and across the entire DACH region.

Get in touch