Why Your Organization Should Invest in FIDO2 and Passkeys in Entra ID
Passwords are the weakest link in enterprise security. FIDO2 security keys and passkeys in Microsoft Entra ID offer a phishing-resistant alternative that eliminates credential theft entirely.
The Password Problem Is Getting Worse
Every major breach in the last five years shares a common thread: compromised credentials. Despite billions spent on password policies, complexity rules, and rotation schedules, passwords remain the number one attack vector for enterprise environments.
Microsoft's own data tells the story clearly — over 99.9% of compromised accounts did not have multi-factor authentication enabled, and even accounts with traditional MFA (SMS, phone call) are increasingly targeted by adversary-in-the-middle phishing attacks.
The question is no longer whether to move beyond passwords, but how fast you can get there.
What Are FIDO2 Security Keys and Passkeys?
FIDO2 security keys are physical hardware tokens (like YubiKey or Feitian) that use public-key cryptography to authenticate. There is no shared secret, no password hash stored server-side, and nothing to phish.
Passkeys are the evolution of FIDO2 — they use the same cryptographic principles but are stored on your device (laptop, phone) and synced securely via your platform (Windows Hello, Apple iCloud Keychain, Android). No separate hardware needed.
Both are natively supported in Microsoft Entra ID as authentication methods.
Why This Matters for Your Organization
1. Phishing Resistance
Traditional MFA methods — SMS codes, authenticator push notifications, even TOTP — can all be intercepted by sophisticated phishing toolkits like Evilginx. FIDO2 and passkeys are cryptographically bound to the domain, making phishing mathematically impossible. The key will simply not respond to a fake login page.
2. Zero Credential Theft
There is no password to steal. No hash to crack. No token to replay. The private key never leaves the device or security key. Even if an attacker has full access to your Entra ID tenant data, they cannot extract anything useful for authentication.
3. Better User Experience
Users tap a key or use biometrics (fingerprint, face). No typing passwords. No waiting for SMS codes. No approving push notifications. Login takes 2-3 seconds. Help desk calls for password resets drop significantly.
4. Conditional Access Integration
FIDO2 and passkeys integrate directly with Conditional Access policies in Entra ID. You can require phishing-resistant MFA for:
- Admin portal access
- Sensitive applications
- High-risk sign-ins (as detected by Identity Protection)
- Device registration and enrollment
5. Compliance and Regulatory Alignment
Frameworks like NIS2, CIS Controls, and NIST 800-63B are increasingly recommending or requiring phishing-resistant authentication. Deploying FIDO2 positions your organization ahead of regulatory requirements.
Implementation Approach
A successful FIDO2/passkey rollout in Entra ID follows a structured approach:
- Assess — Audit current authentication methods and identify high-risk user groups (admins, executives, finance)
- Pilot — Enable FIDO2 as an additional method for IT and security teams first
- Expand — Roll out to broader user groups with clear communication and training
- Enforce — Use Conditional Access authentication strength policies to require phishing-resistant MFA for sensitive scenarios
- Monitor — Track adoption via Entra ID sign-in logs and authentication methods activity
Key Entra ID Configuration
- Enable FIDO2 security keys in Authentication methods policy
- Configure Authentication strengths (built-in "Phishing-resistant MFA" or custom)
- Apply via Conditional Access — start with admin roles, expand to all users
- Consider Temporary Access Pass for onboarding users who don't yet have a key
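One way to carry out the configuration and monitoring steps above with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original article. The pilot-group and break-glass account IDs are placeholders; the role template and authentication-strength GUIDs are Microsoft's documented built-in values, and the policy is created in report-only mode so the sign-in logs show its effect before anyone is locked out.

```powershell
# Added example (not the article's own code). Requires the Microsoft.Graph PowerShell SDK.
# Values in <angle brackets> are placeholders to replace with your tenant's object IDs.
Connect-MgGraph -Scopes "Policy.ReadWrite.AuthenticationMethod",
                        "Policy.ReadWrite.ConditionalAccess",
                        "AuditLog.Read.All"

# 1. Enable FIDO2 security keys / passkeys for a pilot group in the Authentication methods policy.
$fido2 = @{
    "@odata.type"                    = "#microsoft.graph.fido2AuthenticationMethodConfiguration"
    state                            = "enabled"
    isSelfServiceRegistrationEnabled = $true
    includeTargets = @(@{ targetType = "group"; id = "<pilot-group-object-id>"; isRegistrationRequired = $false })
}
Invoke-MgGraphRequest -Method PATCH -Body $fido2 `
    -Uri "https://graph.microsoft.com/v1.0/policies/authenticationMethodsPolicy/authenticationMethodConfigurations/Fido2"

# 2. Conditional Access: require the built-in "Phishing-resistant MFA" authentication strength
#    for privileged roles. Report-only first; switch state to "enabled" once the logs look right.
$policy = @{
    displayName = "Require phishing-resistant MFA for privileged roles"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        applications = @{ includeApplications = @("All") }
        users = @{
            includeRoles = @("62e90394-69f5-4237-9190-012177145e10",   # Global Administrator
                             "e8611ab8-c189-46e8-94e1-60213ab1f814")   # Privileged Role Administrator
            excludeUsers = @("<break-glass-account-object-id>")        # emergency access account stays excluded
        }
    }
    grantControls = @{
        operator               = "OR"
        builtInControls        = @()
        authenticationStrength = @{ id = "00000000-0000-0000-0000-000000000004" }  # built-in Phishing-resistant MFA
    }
}
Invoke-MgGraphRequest -Method POST -Body $policy `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# 3. Monitor adoption: count users who have registered a FIDO2 key or a passkey.
#    (Single page of up to 999 users; follow @odata.nextLink for larger tenants.)
$report = Invoke-MgGraphRequest -Method GET `
    -Uri 'https://graph.microsoft.com/v1.0/reports/authenticationMethods/userRegistrationDetails?$top=999'
$report.value |
    Select-Object userPrincipalName,
        @{ n = "PhishingResistant"
           e = { ($_.methodsRegistered | Where-Object { $_ -like "fido2*" -or $_ -like "passKey*" }).Count -gt 0 } } |
    Group-Object PhishingResistant |
    Select-Object Name, Count
```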
The Cost Equation
A YubiKey costs around 500-700 SEK per unit. Compare that to:
- Average cost of a single phishing incident: hundreds of thousands of SEK
- Help desk cost per password reset: 200-500 SEK
- Productivity loss from MFA friction: hours per employee per year
The ROI is clear within months, not years.
Our Recommendation
Start with your highest-risk users — Global Admins, Privileged Role Administrators, and finance teams. Deploy FIDO2 security keys, enforce via Conditional Access authentication strengths, and measure the impact.
Then plan a broader passkey rollout for all employees using Windows Hello for Business and cross-platform passkeys. The goal is simple: make phishing impossible, not just unlikely.
Haggeburger helps organizations design and implement phishing-resistant authentication strategies in Microsoft Entra ID. Get in touch to discuss your roadmap.