By 2026 most organisations have rolled out some form of MFA. The next question the cyber underwriter tends to ask is: “Is your MFA solution phishing-resistant?” For some it comes as a rude awakening that the default solution, Microsoft Authenticator push in its default configuration, is not.
The Australian Signals Directorate added phishing-resistant MFA to the Essential Eight at Maturity Level 2 in November 2023. Cyber insurers are now splitting premium and coverage scope heavily between organisations with phishing-resistant authentication in place and those still on push or OTP.
Most AU mid-market organisations finished their MFA rollout two or three years ago and reasonably considered the project done. But with CISA and the ASD now classifying push and OTP as legacy authentication, that work needs an upgrade. This post walks through the transition from push to FIDO2 and passkeys across both managed and BYOD Microsoft 365 environments.
A note before we start: if you are still building the foundation for your business, we won’t cover MFA basics here. For foundational setup, see our MFA implementation best practices piece.
In coffee chats with CIOs and CISOs, we have seen the MFA question come up more and more this year, and that trend seems to be driven by insurance and AI concerns. So if you only have two minutes, read below for what’s changed and what to do.
In Brief:
- ASD and CISA now classify SMS, TOTP, and Microsoft Authenticator push as legacy MFA. Phishing-resistant MFA is required at Essential Eight Maturity Level 2 for privileged accounts and sensitive data repositories (added November 2023).
- Cyber insurers, including Marsh, Aon, and Gallagher, are now splitting premium and coverage scope between organisations with phishing-resistant authentication in place and those still relying on push or OTP.
- Two phishing-resistant paths cover the Microsoft 365 estate: FIDO2 hardware security keys for admins, finance, executives, and shared workstations; device-bound passkeys via Windows Hello for Business, Microsoft Authenticator, and Apple Face ID or Touch ID for managed laptops and BYOD.
- Conditional Access authentication strength in Entra ID is the enforcement lever. It is available on Business Premium and Entra ID P1, with no P2 uplift required.
- A typical 100-seat AU mid-market rollout takes 10 to 14 weeks across five reversible phases: pilot, dual-run, high-risk role enforcement, broad staff migration, and legacy decommission.
And if you need ammunition for the board, the whole pitch is going from “we have MFA” to “we have phishing-resistant MFA” for the insurer and the ASD. From here it is really just an awareness problem. Read on for the full picture.
Why Push and OTP MFA Are Now Classified as Legacy
Had we written this article two or three years ago, push would have been the cornerstone recommendation of an MFA strategy. Today, the harsh reality mid-market businesses have to come to terms with is that push will in all likelihood be reclassified out of their next insurance renewal, because in practice it already has been.
Today, phishing-resistant MFA sits in addition to, not as a replacement for, traditional MFA.
Legacy methods that can be intercepted, replayed, or socially engineered include SMS, TOTP authenticator apps such as Google Authenticator or Microsoft Authenticator in OTP mode, and Microsoft Authenticator push. Three attack vectors explain the shift.
Adversary-in-the-middle (AiTM) proxies, typically built with Evilginx-style kits, sit between the user and Microsoft’s real login page. The victim enters credentials and approves a push, unaware they are being attacked. Microsoft issues a session token to the proxy, and the attacker then signs into the victim’s account using that token.
MFA fatigue takes a different angle. After compromising a password, the attacker repeatedly attempts to sign in, generating a flood of push notifications to the user’s mobile. Life happens: people are stressed, or on the train, and the notification is a minor annoyance that just needs to go away. Eventually, tired or distracted, the user approves one to make the prompts stop.
SIM swap is the third. Telco social engineering is rife, and in 2026 a phone number should not be treated as a security factor at all.
Phishing-resistant MFA closes these gaps through public-key cryptography tied to the origin of the login page. When a user registers a FIDO2 credential or passkey, the device generates a keypair: the private key never leaves the device, and the public key is registered with Entra ID. At sign-in, the device signs a challenge that includes the current origin (such as login.microsoftonline.com).
A fake page at a different origin will never receive a valid signed response, and no credential is transmitted in a form an attacker can replay. The result: AiTM proxies break, fatigue prompts disappear, SIM swap becomes irrelevant, and credential stuffing has nothing to target.
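To make the origin-binding argument concrete, here is an added illustration written for this article (not code from the page’s author, from Microsoft, or from any FIDO library): a minimal WebAuthn-style relying party in Go that verifies a device-signed assertion. The user, the relying-party origin and the proxy origin (a constructed `.invalid` domain) are sample values, and the client data is simplified to the challenge and origin fields. It runs the genuine sign-in, the AiTM proxy case, a proxy that patches the origin field in transit, and a replay, and reports which check rejects each.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the browser-filled part of a WebAuthn assertion, simplified to
// the two fields the argument turns on: the challenge and the origin the browser is really on.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for a device-bound credential (security key, TPM, Secure Enclave).
type Authenticator struct{ priv *ecdsa.PrivateKey } // the private key never leaves the device
// Assertion is what the relying party receives at sign-in.
type Assertion struct{ ClientDataJSON, Signature []byte }

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign records the origin the browser is actually on and signs the hash of that
// record; a page at another origin cannot influence what the browser writes here.
func (a *Authenticator) Sign(challenge []byte, browserOrigin string) Assertion {
	cd, _ := json.Marshal(clientData{Challenge: b64(challenge), Origin: browserOrigin})
	h := sha256.Sum256(cd)
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, h[:]) // fails only if the RNG does
	return Assertion{ClientDataJSON: cd, Signature: sig}
}

// RelyingParty is the identity provider (Entra ID in the article); it stores public keys only.
type RelyingParty struct {
	Origin string
	keys   map[string]*ecdsa.PublicKey
}

// newChallenge issues a fresh random challenge for every sign-in attempt.
func newChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// Verify runs the relying-party checks: challenge (anti-replay), origin (anti-phishing), signature (anti-forgery).
func (rp *RelyingParty) Verify(user string, challenge []byte, a Assertion) error {
	pub, ok := rp.keys[user]
	if !ok {
		return errors.New("no credential registered for user")
	}
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("malformed clientDataJSON: %w", err)
	}
	if cd.Challenge != b64(challenge) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("origin mismatch: signed for %q, expected %q", cd.Origin, rp.Origin)
	}
	h := sha256.Sum256(a.ClientDataJSON)
	if !ecdsa.VerifyASN1(pub, h[:], a.Signature) {
		return errors.New("signature invalid: clientData was altered in transit")
	}
	return nil
}

// Scenarios runs one genuine sign-in and the failure modes the article lists; user and origins are constructed.
func Scenarios() map[string]error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := &Authenticator{priv: priv}
	rp := &RelyingParty{Origin: "https://login.microsoftonline.com", keys: map[string]*ecdsa.PublicKey{}}
	rp.keys["alice@example.com"] = &priv.PublicKey // registration stores the public key only
	res := map[string]error{}
	// Genuine sign-in: the browser is on the real origin.
	ch := newChallenge()
	legit := auth.Sign(ch, rp.Origin)
	res["legitimate"] = rp.Verify("alice@example.com", ch, legit)
	// AiTM proxy: the user is really on the proxy's origin, so that is what gets signed.
	proxyOrigin := "https://login.microsoftonline.com.example-proxy.invalid"
	ch = newChallenge()
	proxied := auth.Sign(ch, proxyOrigin)
	res["aitm_proxy"] = rp.Verify("alice@example.com", ch, proxied)
	// Same assertion with the origin field patched to the real one in transit:
	// the origin check now passes, but the signature no longer covers these bytes.
	patched := Assertion{Signature: proxied.Signature,
		ClientDataJSON: bytes.ReplaceAll(proxied.ClientDataJSON, []byte(proxyOrigin), []byte(rp.Origin))}
	res["aitm_patched_origin"] = rp.Verify("alice@example.com", ch, patched)
	// Replay: a captured genuine assertion presented against a fresh challenge.
	res["replay"] = rp.Verify("alice@example.com", newChallenge(), legit)
	return res
}

func main() { fmt.Println(Scenarios()) }
```

The ordering of the checks is the point: the proxy case fails on origin before the signature is even examined, the patched case fails on signature because the signature covers the client data bytes, and the replay fails on the per-attempt challenge. Nothing the relying party stores is secret, which is why credential stuffing has nothing to target.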
For Australian organisations this maps directly to Essential Eight Maturity Level 2, which requires phishing-resistant MFA for access to important data repositories and privileged accounts.
For most mid-market businesses, that means the Microsoft 365 tenant itself. It is also the key identity-pillar control inside a broader Zero Trust architecture, the posture AU regulators, insurers, and enterprise customers increasingly expect mid-market suppliers to demonstrate. One distinction worth flagging: phishing-resistant is not the same as passwordless. A TOTP login is passwordless but not phishing-resistant.
When the board asks “isn’t this the work we did 2 years ago?”, explain that threat actors have moved, your insurer has moved or will, and MFA has to move with them. In the present cyber threat landscape this is less forward-thinking than plain risk mitigation.
Two Phishing-Resistant Paths in Microsoft 365
Microsoft 365 tenants have two phishing-resistant options. Same tenant. Different fit based on role, device and risk.
For the highest assurance, use FIDO2 hardware security keys (such as YubiKey or other FIDO2-enabled devices). Microsoft recognises FIDO2 keys and certificate-based authentication as the phishing-resistant methods natively supported by the Conditional Access authentication strength policy in Entra ID.
These are well suited to administrators, finance and executive roles, and shared workstations. Per-unit pricing currently sits in the AUD $85 to $145 range GST inclusive, with availability through a number of Australian resellers within two to three weeks. Run a mixed set: USB-A, USB-C and NFC keys for the iPhone tap experience. For high-risk users, keep a backup key stored separately; it prevents lockout if the primary key is lost.
The software path is device-bound passkeys. Windows Hello for Business uses the TPM on a managed laptop as a FIDO2 authenticator. Microsoft Authenticator on iOS and Android now supports FIDO2 passkeys as a Generally Available feature on both platforms. On iOS, Apple Face ID and Touch ID-backed passkeys feel native, with one biometric step to unlock. That combination covers BYOD without additional hardware spend.
We have seen synced passkeys (iCloud Keychain, Google Password Manager) accepted for the Essential Eight and most AU general insurer approaches, although assurance is lower because the credential is replicated across a user’s devices.
The major broking groups (Marsh, Aon, and Gallagher) have, to date, preferred a device-bound approach for privileged accounts. A typical mid-market portfolio uses hardware keys for admins and high-risk users, Windows Hello for managed laptops, and Authenticator passkeys for BYOD.
Essential Eight ML2 and Cyber Insurer Requirements
The ACSC updated the Essential Eight at ML2 in November 2023 to require phishing-resistant MFA for sensitive data stores, privileged user accounts, and elevated privilege actions.
Published commentary from Marsh, Aon, and Gallagher through 2023 and 2024 confirms the questions insurers are now asking at renewal: “Does the organisation use MFA for all user environment access?” and “Is the MFA solution phishing-resistant?” For organisations that have stopped at “MFA enabled” rather than the phishing-resistant factor, coverage scope is reduced, retentions increased, or premium loadings applied.
Financial services readers should note APRA’s CPS 234 focus. Recent audits of financial services entities have identified phishing-resistant MFA for privileged access as a new minimum expectation.
Answering the questionnaire matters. A good response reads: “Our tenant enforces phishing-resistant MFA via Conditional Access authentication strength. Privileged and administrative accounts are provisioned with FIDO2 keys and device-bound passkeys.”
Don’t get caught out on question 14 or 15 of that questionnaire when the broker pauses on the phishing-resistant line. It’s not the same environment it was 3 years ago, when “we have MFA” would get you by.
💡 Expert Insight: Ashish Srivastava, Head of Cybersecurity & Strategy
We have seen the questions shift to “what authentication methods are permitted in your Conditional Access policies?” and that is where organisations get caught, because FIDO2 is likely on privileged accounts but push and SMS are still permitted everywhere else.
The mistake follows from over-claiming on the questionnaire and then not being able to produce the authentication methods registration report on the renewal call.
With TechBrain’s vCISO service, we simplify this process and ensure client organisations stay continuously compliant with the requirements.
Pre-Migration Checklist
Every failed FIDO2 implementation has a “discovery gap.” Most of the painful mistakes could have been uncovered with a week of auditing.
Start with the methods users already have. The Entra ID authentication methods registration report (Entra admin centre, Protection, Authentication methods, User registration details) shows each user’s registered methods. A percentage of staff almost always show up with no MFA registered at all, despite the policy.
Review Entra ID sign-in logs for legacy authentication protocol activity over the last 30 days. On-prem Exchange connectors, older line-of-business apps, SMTP relay services, and legacy reporting tools all carry this risk.
For each, the choice is one of three: modernise or replace the application; use app passwords or service principals where possible; or scope a time-boxed Conditional Access exception with compensating controls and sign-off documentation. An undocumented exception is worse than no exception when it comes to producing insurer evidence.
Service accounts and break-glass accounts should not be migrated alongside regular users. They need a time-boxed exception process with documented controls, kept out of the standard rollout flow.
Each device type takes a different registration path: managed laptops, hybrid-joined devices, BYOD iOS, BYOD Android, shared workstations, and locked kiosks.
Conditional Access authentication strength requires Entra ID P1 or higher, which means Business Premium or Entra ID P1 minimum. Tenants on Business Basic need a licensing uplift, and licensing gaps are more common in mid-market than most IT managers expect. Finally, evaluate existing Conditional Access policies for conflicts with the new authentication strength requirement.
An “MFA required” policy will not auto-upgrade to “phishing-resistant MFA required.”
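As an added example (not a TechBrain tool and not a Microsoft API), the discovery steps above can be scripted once the registration report and the sign-in logs are exported. The Go program below runs the classification over constructed sample rows: the field names mirror the Graph userRegistrationDetails and signIn resources (userPrincipalName, isAdmin, methodsRegistered, clientAppUsed), and the method and protocol names are a constructed subset, so check them against your own export before trusting the output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// RegistrationDetail is a simplified row of the Entra user registration details report
// (field names follow Graph userRegistrationDetails; verify against your own export).
type RegistrationDetail struct {
	UserPrincipalName string   `json:"userPrincipalName"`
	IsAdmin           bool     `json:"isAdmin"`
	MethodsRegistered []string `json:"methodsRegistered"`
}

// SignIn is a simplified sign-in log row; clientAppUsed names the protocol or client.
type SignIn struct {
	UserPrincipalName string `json:"userPrincipalName"`
	ClientAppUsed     string `json:"clientAppUsed"`
}

var phishingResistant = map[string]bool{ // device-bound methods, as the article defines them
	"fido2SecurityKey": true, "windowsHelloForBusiness": true, "passKeyDeviceBound": true,
}

// clientAppUsed values that indicate legacy authentication (constructed subset; modern sign-ins report "Browser").
var legacyProtocols = map[string]bool{
	"Exchange ActiveSync": true, "IMAP4": true, "POP3": true, "SMTP": true,
	"Authenticated SMTP": true, "MAPI Over HTTP": true, "Other clients": true,
}

type Findings struct {
	NoMFARegistered       []string       // nothing registered at all, despite policy
	LegacyOnly            []string       // registered, but nothing phishing-resistant
	AdminsWithoutPhishRes []string       // privileged accounts to address first (Phase 3)
	LegacyAuthSignIns     map[string]int // user -> number of legacy-protocol sign-ins
}

// Audit classifies every user by registered methods and tallies legacy sign-ins.
func Audit(regs []RegistrationDetail, signIns []SignIn) Findings {
	f := Findings{LegacyAuthSignIns: map[string]int{}}
	for _, r := range regs {
		if len(r.MethodsRegistered) == 0 {
			f.NoMFARegistered = append(f.NoMFARegistered, r.UserPrincipalName)
			continue
		}
		strong := false
		for _, m := range r.MethodsRegistered {
			strong = strong || phishingResistant[m]
		}
		if !strong {
			f.LegacyOnly = append(f.LegacyOnly, r.UserPrincipalName)
			if r.IsAdmin {
				f.AdminsWithoutPhishRes = append(f.AdminsWithoutPhishRes, r.UserPrincipalName)
			}
		}
	}
	for _, s := range signIns {
		if legacyProtocols[s.ClientAppUsed] {
			f.LegacyAuthSignIns[s.UserPrincipalName]++
		}
	}
	sort.Strings(f.NoMFARegistered)
	sort.Strings(f.LegacyOnly)
	sort.Strings(f.AdminsWithoutPhishRes)
	return f
}

// Constructed sample exports for a small tenant (not real data).
const sampleRegistrations = `[
 {"userPrincipalName":"alice@example.com","isAdmin":true,"methodsRegistered":["fido2SecurityKey","microsoftAuthenticatorPush"]},
 {"userPrincipalName":"bob@example.com","isAdmin":true,"methodsRegistered":["microsoftAuthenticatorPush","mobilePhone"]},
 {"userPrincipalName":"carol@example.com","isAdmin":false,"methodsRegistered":[]},
 {"userPrincipalName":"dave@example.com","isAdmin":false,"methodsRegistered":["softwareOneTimePasscode"]},
 {"userPrincipalName":"erin@example.com","isAdmin":false,"methodsRegistered":["windowsHelloForBusiness","microsoftAuthenticatorPush"]}
]`
const sampleSignIns = `[
 {"userPrincipalName":"alice@example.com","clientAppUsed":"Browser"},
 {"userPrincipalName":"bob@example.com","clientAppUsed":"Exchange ActiveSync"},
 {"userPrincipalName":"svc-scanner@example.com","clientAppUsed":"SMTP"},
 {"userPrincipalName":"svc-scanner@example.com","clientAppUsed":"SMTP"}
]`

// SampleFindings parses the constructed exports and runs the audit over them.
func SampleFindings() (Findings, error) {
	var regs []RegistrationDetail
	var signIns []SignIn
	if err := json.Unmarshal([]byte(sampleRegistrations), &regs); err != nil {
		return Findings{}, err
	}
	if err := json.Unmarshal([]byte(sampleSignIns), &signIns); err != nil {
		return Findings{}, err
	}
	return Audit(regs, signIns), nil
}

func main() { f, err := SampleFindings(); fmt.Printf("%+v\nerr=%v\n", f, err) }
```

Each finding maps to a checklist item: NoMFARegistered is the group the registration report almost always surfaces, LegacyOnly and AdminsWithoutPhishRes are the Phase 3 and Phase 4 target lists, and LegacyAuthSignIns is the list of accounts (here a constructed scanner mailbox and a user on ActiveSync) that need the modernise, service-principal or documented-exception decision before enforcement.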
The Five-Phase FIDO2 Rollout
Mid-market migrations should run in phases. Flipping the tenant-wide policy from “push allowed” to “phishing-resistant required” overnight is the quickest way to a queue of angry executives on Monday morning.
Phasing doesn’t buy you additional safety; it buys you peace of mind. Organisational roadblocks can be just as damaging as the technical ones, and phasing lets you hit milestones without having to roll back previous states.
If your CIO is seeking a rapid deployment, ask if the helpdesk team can reasonably handle the disruption.
Each phase below is reversible, and the order prioritises the highest-risk accounts first.
Phase 1: Pilot (1 to 2 weeks). IT team plus key executive sponsors, 5 to 10 users. Enable FIDO2 keys and Microsoft Authenticator passkeys in the Entra Authentication Methods Policy for those users. Deploy Windows Hello for Business via Intune. Confirm 100% successful registration before moving on.
Phase 2: Dual-run (1 to 2 weeks). Roll out phishing-resistant credentials to the wider pilot group. Users continue signing in with either method while registration coverage grows. Most users will register just to clear an email; the point is to build familiarity (and regular use) in real-world scenarios.
Phase 3: Enforce for high-risk roles (2 to 3 weeks). Apply the built-in Phishing-Resistant MFA authentication strength via Conditional Access. Target administrators and high-privilege roles first. Spend the first two to five business days in report-only mode to surface anyone who would have been blocked, then flip to enforcement.
Phase 4: Broad staff migration (4 to 6 weeks for 80 to 200 staff). Self-service registration is time-critical. End users need a closing date and a help-desk window.
Phase 5: Decommission legacy (1 to 2 weeks). Disable SMS, voice, and push methods. Subject to auditor guidance, retain TOTP as a time-limited fallback. Extract and retain the authentication methods registration report from Entra ID for insurer use, then schedule a quarterly identity policy review to prevent drift.
💡 Expert Insight: Ashish Srivastava, Head of Cybersecurity & Strategy
TechBrain rolls out FIDO2 quite regularly and uses a structured change management process, which keeps user and business impact contained during enforcement.
The phase that matters most is the move from registration to enforcement for privileged roles, and we manage it through a controlled report-only window where sign-in logs are reviewed, and exceptions are cleared before the policy flips.
Our delivery team handles the Conditional Access configuration, the admin account scoping, and the legacy application identification end-to-end, so the client’s IT team is not absorbing the operational load.
The outcome is a clean enforcement cutover with users authenticated, evidence captured, and the tenant ready for the next assessor or insurer review.
The most common scenario we see at this point is “can we see the policy on report for another month?” or “can we get an exec exemption just for the first month?” Crucial accounts will be crucial accounts, but renewal evidence won’t support itself in report-only mode; there has to be evidence for the whole rollout to result in more than lip service.
ACSC ML2 assessors require enforcement, not just enablement. A Conditional Access policy in report-only mode does not satisfy ML2.
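A check like the following, added here as an illustration and not part of TechBrain’s or Microsoft’s tooling, turns that sentence into something you can run against exported policy JSON before the assessor or broker does. The input shapes are simplified from the Graph conditionalAccessPolicy and authenticationMethodsPolicy resources (state, conditions.users, grantControls.authenticationStrength, and method id/state) with a placeholder role id, so verify the field names against your own export. It flags a phishing-resistant policy left in report-only mode, the absence of any enforced phishing-resistant policy for privileged roles, and SMS or voice still enabled tenant-wide, then re-evaluates the same constructed tenant after the Phase 3 flip and the Phase 5 SMS decommission.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Policy is a simplified Conditional Access policy as exported from Graph (verify field names against your export).
type Policy struct {
	DisplayName string `json:"displayName"`
	State       string `json:"state"` // enabled | disabled | enabledForReportingButNotEnforced
	Conditions  struct {
		Users struct {
			IncludeUsers []string `json:"includeUsers"`
			IncludeRoles []string `json:"includeRoles"`
		} `json:"users"`
	} `json:"conditions"`
	GrantControls struct {
		AuthenticationStrength *struct {
			DisplayName string `json:"displayName"`
		} `json:"authenticationStrength"`
	} `json:"grantControls"`
}

type MethodConfig struct { // one entry of the tenant authentication methods policy
	ID    string `json:"id"`
	State string `json:"state"`
}

// CheckEvidence returns what an assessor or broker would raise against the tenant.
func CheckEvidence(policies []Policy, methods []MethodConfig) []string {
	var gaps []string
	enforced := false
	for _, p := range policies {
		as := p.GrantControls.AuthenticationStrength
		if as == nil || as.DisplayName != "Phishing-resistant MFA" {
			continue // an "MFA required" policy does not upgrade itself
		}
		switch {
		case p.State == "enabledForReportingButNotEnforced":
			gaps = append(gaps, p.DisplayName+": report-only mode does not satisfy ML2")
		case p.State == "enabled" && (len(p.Conditions.Users.IncludeRoles) > 0 || includes(p.Conditions.Users.IncludeUsers, "All")):
			enforced = true
		}
	}
	if !enforced {
		gaps = append(gaps, "no enforced policy requires Phishing-resistant MFA for privileged roles")
	}
	for _, m := range methods {
		if (m.ID == "Sms" || m.ID == "Voice") && m.State == "enabled" {
			gaps = append(gaps, m.ID+" method still enabled: a legacy factor keeps working in parallel")
		}
	}
	return gaps
}

func includes(xs []string, x string) bool {
	for _, y := range xs {
		if y == x {
			return true
		}
	}
	return false
}

// Constructed sample exports (not real tenant data); the role id is a placeholder.
const samplePolicies = `[
 {"displayName":"CA001 - Require MFA for all users","state":"enabled","conditions":{"users":{"includeUsers":["All"]}},"grantControls":{"builtInControls":["mfa"]}},
 {"displayName":"CA010 - Phishing-resistant MFA for admins","state":"enabledForReportingButNotEnforced",
  "conditions":{"users":{"includeRoles":["<ROLE-TEMPLATE-ID-PLACEHOLDER>"]}},"grantControls":{"authenticationStrength":{"displayName":"Phishing-resistant MFA"}}}
]`
const sampleMethods = `[{"id":"Fido2","state":"enabled"},{"id":"MicrosoftAuthenticator","state":"enabled"},
 {"id":"Sms","state":"enabled"},{"id":"Voice","state":"disabled"}]`

// SampleGaps evaluates the constructed tenant at the end of the Phase 3 report-only window, or after the cutover.
func SampleGaps(afterCutover bool) []string {
	var p []Policy; var m []MethodConfig
	if err := json.Unmarshal([]byte(samplePolicies), &p); err != nil {
		panic(err)
	}
	if err := json.Unmarshal([]byte(sampleMethods), &m); err != nil {
		panic(err)
	}
	if afterCutover {
		for i := range p { // Phase 3: flip the phishing-resistant policy from report-only to enforced
			if p[i].State == "enabledForReportingButNotEnforced" {
				p[i].State = "enabled"
			}
		}
		for i := range m { // Phase 5: decommission SMS tenant-wide
			if m[i].ID == "Sms" {
				m[i].State = "disabled"
			}
		}
	}
	return CheckEvidence(p, m)
}

func main() { fmt.Println("before:", SampleGaps(false), "\nafter:", SampleGaps(true)) }
```

The three gaps it raises before the cutover are exactly the three ways the page says “we have MFA” falls short on the renewal call: the authentication strength policy that never left report-only, the “MFA required” policy that nobody expects to upgrade itself, and a legacy factor left enabled so that phishing resistance is optional in practice.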
Handling the Hard Cases
Migrations work cleanly for around 80% of users. The remaining 20% sit in edge cases that need specific handling.
BYOD iPhone is the easiest path. Microsoft sends an email with a QR code the user scans; if the QR fails, a tap-to-register link covers the same flow. Microsoft Authenticator is already on most iPhones, so there is nothing extra to install. The whole process takes under two minutes.
iPhone onboarding is such a clean process that we use it as a sanity check. Apply the “10% rule”: if more than 10% of your staff on iPhones can’t complete migration without help, something else is wrong with the process (usually the corporate VPN or an MDM conflict). It’s almost never a user problem.
BYOD Android is messier. Google Password Manager supports FIDO2 passkeys on modern Android, but the registration flow varies by Android version and OEM skin. Keep a small cache of hardware keys for users whose device does not handle the native flow cleanly. (Older Samsung One UI and any Xiaomi MIUI build will have recurring problems; reach for your hardware key.)
Shared workstations (lobby PCs, warehouse, mailroom, professional services hot desks) work well with hardware tokens that stay with the workstation, or are checked out at sign-in and returned at sign-out. This meets shared-device audit requirements for regulated industries such as healthcare without changing the user experience.
Communication framing matters. We saw a measurable lift in registration rates after rewording “Register your passkey” to “Five-minute secure sign-in setup, one click from this email.” Remote and interstate staff get self-service videos plus up to 15 minutes of help-desk time as needed. Executives and senior partners get a white-glove session to prevent escalations that would otherwise distract the rest of the rollout.
On the client where we measured it, the rewording moved 24-hour completion from 41% to 76%. Same audience, same week. A classic rule of thumb applies: don’t trust a rollout email subject line that uses the word ‘register.’
Choosing the Right Phishing-Resistant MFA Solution
For most AU mid-market Microsoft 365 tenants, Entra ID’s native phishing-resistant capability is more than enough. Conditional Access enables per-user, per-device protection, with FIDO2 keys, Windows Hello for Business, and Microsoft Authenticator passkeys all supported natively. There is no need to integrate a third-party platform for the typical mid-market scenario.
For 50 to 500 seat tenants, evaluate depth of Microsoft 365 integration, Intune support for passkey registration policies, BYOD coverage on iOS and Android, and AU data residency for any platform processing identity signals.
Hardware key vendor selection is straightforward: form factor support, basic management for the purchaser, and at least one specialist Australian reseller. The big names are largely interchangeable for the core use case, so it usually comes down to pricing and licensing flexibility.
The two common failure modes: paying for a commercial passwordless platform when Entra ID native delivers the same outcome (over-engineering); and deploying passkeys without a Conditional Access enforcement policy, so legacy methods continue working in parallel (under-engineering). Honestly, lean towards over-engineering: the worst-case scenario isn’t a line on the balance sheet, it’s a hard ‘no’ during the broker’s audit and a 6-week clean-up.
How TechBrain Helps
TechBrain delivers phishing-resistant MFA as a fully managed service through our vCISO and Managed SOC offerings. As an ISO 27001 certified MSP, we own the strategic design and run the rollout 24/7 from our local Perth-based SOC, so the in-house IT manager is not buried in migration detail.
Our vCISO advisory lifts cyber posture and insurance readiness, with particular focus on Essential Eight uplift. It includes a phishing-resistant MFA roadmap, board-quality reporting on key indicators, and an annual evidence pack for cyber insurance renewals.
Managed SOC monitors identity signals and responds to failed FIDO2 sign-ins, legacy authentication attempts, AiTM activity, and high-risk sign-ins, all relative to the Conditional Access policies in place.
Our Phishing-Resistant MFA Migration service handles end-to-end deployment of FIDO2 and passkeys across managed and BYOD devices in your Microsoft 365 and Entra ID tenant, with Conditional Access authentication strength configured and legacy methods decommissioned.
Our Essential Eight ML2 Readiness Assessment provides a gap analysis against ML2 MFA requirements, a prioritised remediation roadmap, and an evidence pack for your insurer.
Every engagement is delivered by our ISO 27001 certified team, so controls, exceptions, and evidence are audit-ready by design.
Need a phishing-resistant MFA readiness assessment? Get a read on your readiness and a migration plan in hand for your next insurer renewal with the TechBrain vCISO team.