
Phishing-resistant MFA and passkeys for Microsoft 365

Updated for 2026. Originally published 2019.

TL;DR: MFA, Phishing-resistant MFA and passkeys for Microsoft 365

  • Multi-factor authentication (MFA) should be enabled for every Microsoft 365 account. It remains one of the most effective baseline controls for reducing account compromise caused by stolen or guessed passwords.
  • But MFA is now the minimum, not the end goal. Some MFA methods can be worked around by modern phishing techniques, including adversary-in-the-middle (AiTM) attacks that steal authenticated sessions.
  • Best practice today is to implement MFA everywhere, then move towards phishing-resistant MFA, such as passkeys (FIDO2), and pair it with well-designed Conditional Access controls.

Why multi-factor authentication (MFA) is a non-negotiable in 2026

MFA remains one of the most effective baseline controls for protecting Microsoft 365 accounts. When it’s configured properly, it dramatically reduces the risk of an attacker logging in using a stolen password.

However, best practice has evolved. MFA is now the minimum standard. If you want stronger protection against modern phishing (and you should), your business should be moving towards phishing-resistant MFA, and passkeys are one of the most effective ways to achieve that in Microsoft 365.

Even if you already use MFA, it’s worth reading on. Gaps can remain if the rollout hasn’t covered every user and every access path, and the case for passkeys has never been stronger.

What is MFA?

Passwords have proliferated across our online lives. They’re required for most websites and web applications you use. As you know, this can be quite the headache. No one enjoys clicking the “forgotten password” link and having to reset it for the umpteenth time.

Then we realised how insecure passwords were, and the more diligent of us moved to multiple passwords of higher complexity.

However, no matter how complicated your passwords are, there is always the threat of brute force and password spray attacks, phishing emails catching users out, or a breach involving a company your details are registered with. Before you know it, your details could be for sale on the dark web.

If you want to check whether an email address has appeared in known breaches, Have I Been Pwned is still a useful place to start.

This is where MFA comes in.

MFA allows you to add a second form of identity verification to your accounts in addition to your password. Your password is the thing you know. The second form of verification must be something unique that you have (for example your phone or a FIDO2 security key) or something that you are (for example a biometric such as your fingerprint).

This means that even if your password details fall into the hands of an attacker, they can’t get into your accounts without something unique to you like your mobile phone or fingerprint.

Traditional MFA methods: what to rely on and what to avoid

Traditionally, MFA systems generate a unique code each time you attempt to log in. For example, you enter your password and then you’re prompted to enter a code sent to your phone via SMS, or generated in an authenticator app.

While SMS MFA is better than having nothing at all, it’s not something your business should rely on long term. SIM swap attacks leave you vulnerable, and SMS is easier to intercept or socially engineer than app-based methods.

A more secure and widely used approach is the Microsoft Authenticator app, which can prompt the user to approve a sign-in directly on their device.

In recent years that approach has been tightened up too. Basic approve/deny push notifications can be abused through “MFA fatigue” (push spam), so best practice now includes number matching and extra context in the push prompt — making approvals more intentional and harder to social engineer.

Even with these improvements, it’s worth being clear about the limit:

  • Push notification MFA reduces risk.
  • Push notification MFA is not phishing-resistant.
  • Push notification MFA does not, by itself, stop AiTM attacks that steal sessions.

Having any MFA enabled is still better than none; MFA will stop many attacks that simply rely on stolen credentials. But it won’t stop everything.

Phishing-resistant MFA: what it is and why it’s needed

As more organisations adopted MFA, attackers had to evolve. One of the most significant examples is adversary-in-the-middle (AiTM) phishing attacks.

AiTM attacks put a proxy between the user and the real login page. The phishing site forwards the user’s password and MFA prompt to Microsoft in real time, so the sign-in genuinely succeeds. The attacker then captures the session cookie (the token that proves the user has already authenticated) as it passes back through the proxy and replays it from their own machine, which lets them use the account without entering a password or completing MFA again.

This is the reason MFA alone is no longer sufficient, and why phishing-resistant MFA is now the target.

For a detailed explanation of AiTM and the practical mitigations available in Microsoft 365, read our guide: AiTM phishing attacks: what they are and how to protect against them.

We’ve also seen first-hand how fast these attacks can move. In a recent incident we supported for a customer, a user clicked a convincing link, the attacker gained a valid session within minutes and then attempted to access cloud files and set mailbox rules to hide their activity. Rapid response actions by the Chorus Cyber Security Operations Centre (CSOC) (e.g. revoking sessions and disabling the account) prevented deeper escalation.

So what makes MFA phishing-resistant?

Phishing-resistant MFA methods cryptographically bind each authentication to a specific device and to the site (origin) the user is really signing in to. The private key never leaves the authenticator, and the signed response covers the origin and a one-time challenge from the identity provider. A lookalike login page therefore cannot obtain a response the real service will accept, and a response that is intercepted cannot be replayed.

The methods that qualify as phishing-resistant MFA include:

  • Windows Hello for Business
  • Passkeys (FIDO2)
  • FIDO2 hardware security keys (e.g. YubiKey)
  • Certificate-based authentication

Standard methods such as SMS, voice calls, one-time codes from an authenticator app, and Microsoft Authenticator push notifications, even with number matching, do not qualify as phishing-resistant: a user can be tricked into completing any of them on behalf of a proxy.

MFA for Microsoft 365

If your company uses Microsoft 365, implementing MFA is the critical first step.

Microsoft 365 accounts are extremely common targets. It doesn’t matter if you work for a small business or a global corporation. Attackers attempt logins at scale because so many organisations run Microsoft 365.

A common starting point is the Microsoft Authenticator app, installed on whichever phone (work or personal) the employee will have with them when signing in.

In most environments, the next step is to use Microsoft Entra ID (the identity service previously known as Azure Active Directory) to manage authentication methods and policies centrally.

  • For organisations that want a quick baseline, Microsoft’s Security Defaults provide a simple starting point: they require every user to register for MFA and block legacy authentication, but they can’t be customised per policy.
  • For organisations that need more control, Conditional Access is where you tune enforcement, exceptions, and stronger requirements.

User experience

At Chorus, we know strong security can still offer a good user experience.

When users sign in using traditional MFA, they may be prompted to confirm the sign-in on their phone. Done well, MFA becomes routine, predictable, and quick. But it can still cause friction for some users.

Reducing MFA prompts

Best practice today is to reduce friction using Conditional Access in a controlled way — using signals such as device compliance, device join state, and named locations where appropriate. The legacy “trusted IPs” setting is not recommended as a general control by Microsoft.

The best user experience is the most secure one: Passkeys

Passkeys offer an excellent user experience and are phishing-resistant. Sign-ins become a fingerprint, Face ID, or device PIN. No passwords or codes to copy. For most users, it’s faster and simpler than anything they’ve used before.

Employee buy-in

IT managers are often concerned about pushback from employees who are asked to install a work-related app on their personal device.

Education is key in this scenario. Explain why MFA or passkeys are being enforced and what problem they solve. A compromised Microsoft 365 account can give an attacker access to email, files, internal comms, and often other connected systems. The impact can be financial, operational, and reputational.

When it comes to security, everyone must play a part and not just IT. A simple message that tends to land well:

  • Strong authentication is there to protect the business.
  • It also protects the individual user from being impersonated.

Passkeys should be your preferred option

So, hopefully it’s clear at this point that MFA is the minimum and passkeys are now the preferred option.

Passkeys remove passwords entirely and rely on a cryptographic key pair held securely on a device. Each sign-in requires the user to be present and to verify themselves on that device (e.g. with a biometric or device PIN), and the protocol is designed to be phishing-resistant.

There are two reasons this is so important:

  • There is nothing reusable to steal: the private key never leaves the device, and each sign-in response is bound to a one-time challenge, so it can’t be captured and replayed the way a password can.
  • Passkeys prevent common remote phishing approaches, including many scenarios that rely on tricking users into handing over credentials.

The most accessible starting point for most Microsoft 365 organisations is Windows Hello for Business, which is easy to deploy in most cases. The user experience is better as it removes passwords and doesn’t require a mobile phone, authenticator app or any MFA device at all (e.g. security key, token etc.).

For mobile devices, passkeys in the Microsoft Authenticator app reached general availability in early 2025. Users can register a passkey directly from the app, and admins enable support through Entra ID’s authentication methods policy with no additional hardware required.

For a practical guide to how passkeys work and how to deploy them in Microsoft environments:

A sensible rollout approach:

  • Ensure MFA is deployed for every user as the baseline.
  • Prioritise passkeys for higher-risk users first — admins, finance, senior leadership.
  • Move remaining users to passkeys as onboarding and support processes are confirmed.
  • As more services support passwordless sign-in, extend passkeys beyond Microsoft 365.

Don’t forget legacy authentication protocols

MFA and passkeys only protect you if all access paths support them.

This has historically included older Office clients that didn’t use modern authentication, and mail protocols such as IMAP, SMTP, and POP. Microsoft removed Basic Authentication from most Exchange Online protocols (IMAP, POP, EWS, EAS, MAPI) back in late 2022. One key exception is SMTP AUTH for client submission, which is being phased out through 2026-27 and disabled by default for existing tenants at end of December 2026, with final removal to be announced in the second half of 2027.

In practice, many environments still carry legacy dependencies, third-party integrations, or older devices that haven’t been reviewed since the 2022 changes. Blocking legacy authentication and confirming what’s still in use is a worthwhile part of securing Microsoft 365 properly.
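
Both of the checks just described (what still signs in over legacy protocols, and the inbox-rule pattern from the AiTM incident earlier on this page) come down to reading the logs you already have. The following is an added example, not code from the original article, that triages constructed Entra ID sign-in records and Exchange Online audit records in Node.js. Field names follow the Microsoft Graph signIn resource and the AuditData JSON returned by Search-UnifiedAuditLog; every user, IP address and timestamp is made up.

```javascript
// Added example (not from the original article): triage of constructed Entra ID
// sign-in records and Exchange Online audit records for two checks the text
// recommends: accounts still signing in over legacy protocols, and inbox rules
// that hide/forward mail or were created from an IP the user has no earlier
// sign-in from. Field names follow the Graph signIn resource and the
// Search-UnifiedAuditLog AuditData JSON; all sample values are made up.
const MODERN_CLIENTS = new Set(['Browser', 'Mobile Apps and Desktop clients']);
const HIDING_PARAMS = new Set(['MoveToFolder', 'DeleteMessage', 'MarkAsRead', 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo']);
const succeeded = (s) => Boolean(s.status) && s.status.errorCode === 0;

// Successful sign-ins by anything other than a modern client (IMAP4, POP3, SMTP, ...), per user.
function legacyAuthSignIns(signIns) {
  const byClient = {};
  for (const s of signIns) {
    if (!succeeded(s) || MODERN_CLIENTS.has(s.clientAppUsed)) continue;
    if (!byClient[s.clientAppUsed]) byClient[s.clientAppUsed] = new Set();
    byClient[s.clientAppUsed].add(s.userPrincipalName);
  }
  return Object.fromEntries(Object.entries(byClient).map(([client, users]) => [client, [...users].sort()]));
}

// Inbox-rule changes worth a look: the rule hides or forwards mail, or the user had no
// successful sign-in from the change's IP earlier than `windowMinutes` before the change.
function suspiciousInboxRules(signIns, auditRecords, windowMinutes = 60) {
  const findings = [];
  for (const r of auditRecords) {
    if (r.Operation !== 'New-InboxRule' && r.Operation !== 'Set-InboxRule') continue;
    const when = Date.parse(r.CreationTime);
    const params = Object.fromEntries(r.Parameters.map((p) => [p.Name, p.Value]));
    const reasons = [];
    const hiding = Object.keys(params).filter((k) => HIDING_PARAMS.has(k));
    if (hiding.length) reasons.push(`rule hides or forwards mail (${hiding.join(', ')})`);
    const knownIp = signIns.some((s) => succeeded(s) && s.userPrincipalName === r.UserId
      && s.ipAddress === r.ClientIP && Date.parse(s.createdDateTime) < when - windowMinutes * 60000);
    if (!knownIp) reasons.push(`no sign-in from ${r.ClientIP} earlier than ${windowMinutes} min before the change`);
    if (reasons.length) findings.push({ user: r.UserId, operation: r.Operation, rule: params.Name || '(unnamed)', ip: r.ClientIP, reasons });
  }
  return findings;
}

// Constructed sample data (RFC 5737 documentation addresses, made-up tenant).
const SIGN_INS = [
  { userPrincipalName: 'alice@contoso.example', ipAddress: '203.0.113.10', createdDateTime: '2026-03-01T08:00:00Z', clientAppUsed: 'Browser', status: { errorCode: 0 } },
  { userPrincipalName: 'alice@contoso.example', ipAddress: '198.51.100.7', createdDateTime: '2026-03-02T09:12:00Z', clientAppUsed: 'Browser', status: { errorCode: 0 } },
  { userPrincipalName: 'bob@contoso.example', ipAddress: '203.0.113.55', createdDateTime: '2026-03-02T07:30:00Z', clientAppUsed: 'IMAP4', status: { errorCode: 0 } },
  { userPrincipalName: 'carol@contoso.example', ipAddress: '203.0.113.56', createdDateTime: '2026-03-02T07:31:00Z', clientAppUsed: 'Authenticated SMTP', status: { errorCode: 0 } },
  { userPrincipalName: 'carol@contoso.example', ipAddress: '203.0.113.56', createdDateTime: '2026-03-02T07:32:00Z', clientAppUsed: 'POP3', status: { errorCode: 50126 } }, // failed sign-in, not counted
  { userPrincipalName: 'dave@contoso.example', ipAddress: '192.0.2.20', createdDateTime: '2026-03-01T10:00:00Z', clientAppUsed: 'Browser', status: { errorCode: 0 } },
];
const AUDIT_RECORDS = [
  { Operation: 'New-InboxRule', UserId: 'alice@contoso.example', ClientIP: '198.51.100.7', CreationTime: '2026-03-02T09:15:00Z',
    Parameters: [{ Name: 'Name', Value: '.' }, { Name: 'SubjectContainsWords', Value: 'invoice;payment' }, { Name: 'MoveToFolder', Value: 'RSS Subscriptions' }, { Name: 'MarkAsRead', Value: 'True' }] },
  { Operation: 'New-InboxRule', UserId: 'dave@contoso.example', ClientIP: '192.0.2.20', CreationTime: '2026-03-02T11:00:00Z',
    Parameters: [{ Name: 'Name', Value: 'Newsletters' }, { Name: 'From', Value: 'news@vendor.example' }, { Name: 'MoveToFolder', Value: 'Newsletters' }] },
  { Operation: 'Set-InboxRule', UserId: 'dave@contoso.example', ClientIP: '192.0.2.20', CreationTime: '2026-03-02T11:05:00Z',
    Parameters: [{ Name: 'Identity', Value: 'Newsletters' }, { Name: 'Priority', Value: '1' }] },
];

function triage() {
  return { legacy: legacyAuthSignIns(SIGN_INS), inboxRules: suspiciousInboxRules(SIGN_INS, AUDIT_RECORDS) };
}
console.log(JSON.stringify(triage(), null, 2));
```

In the sample, bob (IMAP4) and carol (Authenticated SMTP) are the accounts to chase before legacy authentication is blocked; alice’s rule is flagged on both counts (it files mail into a folder and marks it read, and it was created three minutes after the first ever sign-in from that IP), while dave’s filing rule is flagged only for the folder move and his later priority change is not flagged at all. The IP test is deliberately simple; in production you would also consider the sign-in’s location and device signals.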

Cyber Essentials: MFA is now mandatory for cloud services

If your organisation holds or wants to work towards Cyber Essentials certification, the April 2026 update to version 3.3 directly affects your MFA requirements.

The two most significant changes for Microsoft 365 users:

  1. Cloud services are now formally in scope: The updated standard defines a cloud service as any on-demand, scalable service accessed via an account and used to store or process organisational data. Microsoft 365 unambiguously falls within this definition and cloud services can no longer be excluded from scope.
  2. MFA is mandatory where available: If a cloud service supports MFA, whether natively, via SSO, or as a paid add-on, it must be enabled for all users and administrators. Failure to configure MFA where it’s available is now an automatic fail, not just a major non-compliance.

For most organisations using Microsoft 365, this means MFA (or passkeys) must be enabled across the board, with no exceptions for user convenience or difficulty of rollout.

Prioritising Entra SSO for any compatible systems reduces the need to manage separate credentials and MFA for each of them, and standardises how strong authentication is enforced. If your Entra sign-in policies require passkeys, that phishing-resistant authentication then extends to every cloud service that signs in through Entra SSO.

For more detail on the April 2026 changes and how Microsoft technologies help you meet them:

Next steps: A simple plan to secure your Microsoft 365 authentication in 2026

Make sure MFA coverage is complete

  • Every user, every admin, every access path
  • Block legacy authentication protocols

Improve MFA quality

  • Reduce reliance on SMS
  • Enable number matching and context for push prompts
  • Train users to deny and report suspicious prompts

Reduce exposure to AiTM and session theft

  • Tighten Conditional Access policies
  • Require compliant or registered devices where possible
  • Monitor for suspicious sign-ins and inbox rule creation

Move to phishing-resistant MFA and passkeys

  • Start with higher-risk users
  • Implement passkeys as the phishing-resistant default where possible
  • Extend across the organisation once onboarding is confirmed
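
Most of the plan above is expressed in Conditional Access, so it is worth checking the policies you actually have against it. The following is an added example, not code from the original article or from Microsoft, that runs that gap check over an export of Conditional Access policies in Node.js. The objects follow the Microsoft Graph conditionalAccessPolicy schema (the shape Get-MgIdentityConditionalAccessPolicy returns), the authentication strength and role template IDs are Entra’s built-in values, and the sample policies and break-glass account name are constructed.

```javascript
// Added example (not from the original article): a gap check over an export of
// Conditional Access policies. Objects follow the Microsoft Graph
// conditionalAccessPolicy schema; the built-in IDs are real, the sample export and
// the break-glass account are constructed.
const PHISHING_RESISTANT_STRENGTH_ID = '00000000-0000-0000-0000-000000000004'; // built-in "Phishing-resistant MFA"
const GLOBAL_ADMIN_ROLE_TEMPLATE_ID = '62e90394-69f5-4237-9190-012177145e10';
const LEGACY_CLIENT_APP_TYPES = ['exchangeActiveSync', 'other'];
const BREAK_GLASS_ACCOUNTS = new Set(['breakglass-1@contoso.example']); // assumption: your documented emergency accounts

const enabled = (p) => p.state === 'enabled';
const allUsers = (p) => (p.conditions.users.includeUsers || []).includes('All');
const allApps = (p) => (p.conditions.applications.includeApplications || []).includes('All');
const grant = (p) => p.grantControls || {};

// "Block legacy authentication": all users, all apps, legacy client types (or 'all'), block.
function blocksLegacyAuth(p) {
  const types = p.conditions.clientAppTypes || [];
  const legacyCovered = types.includes('all') || LEGACY_CLIENT_APP_TYPES.every((t) => types.includes(t));
  return enabled(p) && allUsers(p) && allApps(p) && legacyCovered && (grant(p).builtInControls || []).includes('block');
}
// Baseline MFA: all users, all apps, either the classic 'mfa' control or any authentication strength.
function requiresMfaForAllUsers(p) {
  const strong = (grant(p).builtInControls || []).includes('mfa') || Boolean(grant(p).authenticationStrength);
  return enabled(p) && allUsers(p) && allApps(p) && strong;
}
// Admin tier: Global Administrators must use the built-in phishing-resistant strength.
function requiresPhishingResistantForAdmins(p) {
  const roles = p.conditions.users.includeRoles || [];
  const strength = grant(p).authenticationStrength;
  return enabled(p) && allApps(p) && roles.includes(GLOBAL_ADMIN_ROLE_TEMPLATE_ID)
    && Boolean(strength) && strength.id === PHISHING_RESISTANT_STRENGTH_ID;
}
const unexpectedExclusions = (p) => (p.conditions.users.excludeUsers || []).filter((u) => !BREAK_GLASS_ACCOUNTS.has(u));

function auditPolicies(policies) {
  const findings = [];
  if (!policies.some(blocksLegacyAuth)) findings.push('no enabled policy blocks legacy authentication (exchangeActiveSync/other) for all users and apps');
  if (!policies.some(requiresMfaForAllUsers)) findings.push('no enabled policy requires MFA for all users across all apps');
  if (!policies.some(requiresPhishingResistantForAdmins)) findings.push('Global Administrators are not required to use the phishing-resistant authentication strength');
  for (const p of policies) {
    if (p.state === 'enabledForReportingButNotEnabled') findings.push(`"${p.displayName}" is still in report-only mode`);
    for (const u of unexpectedExclusions(p)) findings.push(`"${p.displayName}" excludes ${u}, which is not a documented break-glass account`);
  }
  return findings;
}

// Constructed export: what a partially hardened tenant might look like.
const samplePolicies = [
  { displayName: 'Require MFA for all users', state: 'enabled',
    conditions: { users: { includeUsers: ['All'], excludeUsers: ['breakglass-1@contoso.example', 'finance-svc@contoso.example'] },
                  applications: { includeApplications: ['All'] }, clientAppTypes: ['all'] },
    grantControls: { operator: 'OR', builtInControls: ['mfa'] } },
  { displayName: 'Block legacy authentication', state: 'enabledForReportingButNotEnabled',
    conditions: { users: { includeUsers: ['All'] }, applications: { includeApplications: ['All'] },
                  clientAppTypes: ['exchangeActiveSync', 'other'] },
    grantControls: { operator: 'OR', builtInControls: ['block'] } },
  { displayName: 'Admins: strong authentication', state: 'enabled',
    conditions: { users: { includeRoles: ['62e90394-69f5-4237-9190-012177145e10'] },
                  applications: { includeApplications: ['All'] }, clientAppTypes: ['all'] },
    grantControls: { operator: 'OR', builtInControls: [],
                     authenticationStrength: { id: '00000000-0000-0000-0000-000000000003', displayName: 'Passwordless MFA' } } },
];

console.log(auditPolicies(samplePolicies));
```

Against the sample export the check reports four gaps: the legacy-auth block is still report-only (so nothing is actually blocking it), the admin policy uses the Passwordless MFA strength rather than the Phishing-resistant one (passwordless is not the same as phishing-resistant), a service account is excluded from the baseline MFA policy, and the report-only policy itself. A real export is one `Get-MgIdentityConditionalAccessPolicy | ConvertTo-Json -Depth 10` away; this is a floor check, not a full evaluation, and ignores group targeting and session controls.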

How Chorus can help

Microsoft cloud services evolve quickly and cyber threats evolve with them.

If you’d like help reviewing your current MFA setup, refining Conditional Access, or planning a move towards passkeys and passwordless authentication, Chorus can help.

Chorus is a Microsoft-focused MSP and MSSP, and a member of the Microsoft Intelligent Security Association (MISA). We provide IT services and cyber security services that help organisations stay protected against the latest threats — including getting ready for Cyber Essentials.