Passkeys + Phishing-Resistant Auth in Entra: Your 2026 Migration Playbook

Passwords have had a very long run. For a while, adding MFA felt like the big security win — and it was. Moving users away from password-only sign-in made a huge difference. But attackers have adapted. Phishing kits are sharper, fake login pages are more convincing, and session token theft has made “I approved MFA” less comforting than it used to be. 

That’s why the next identity conversation is not just “do we have MFA?” It’s “is our authentication actually resistant to phishing?” 

This is where passkeys and phishing-resistant authentication in Microsoft Entra start to matter. 

Why Standard MFA Is No Longer Enough 

Multi-factor authentication was the right answer for its time. But attackers have adapted faster than most organisations have. The core problem is Adversary-in-the-Middle (AiTM) attacks. Rather than stealing a password, these toolkits sit between the user and the real service, capturing live session tokens in real time. MFA is bypassed completely — not cracked, just circumvented. 

Key statistics: 

  1. AiTM phishing attacks bypassing MFA surged 146% in 2024. (Axis Intelligence / Brightdefense, 2026)
  2. Microsoft reported over 10,000 AiTM attacks per month targeting its users in 2024. (Microsoft Digital Defense Report)
  3. 79% of business email compromise incidents in 2024–2025 involved victims who had correctly implemented MFA. (FRSecure IR Data)
  4. 88% of attacks on basic web applications involved stolen credentials. (Verizon DBIR 2025)
  5. 89% of security professionals still believe MFA provides complete protection — a dangerous misconception. (GetAstra, 2026)

Not all MFA is equal. SMS and push-notification MFA can be intercepted or socially engineered. Phishing-resistant methods cannot. 

What Makes Passkeys Phishing-Resistant 

Passkeys change the sign-in model at a fundamental level. Instead of relying on a password that can be typed, reused, stolen, or phished, the user authenticates with a cryptographic credential tied to their device, security key, or supported authenticator. 

The mechanism is built on the FIDO2/WebAuthn standard. When a passkey is created, a private–public key pair is generated on the user’s device. The private key never leaves that device. When the user signs in, the device cryptographically signs a challenge from the real service. A fake login page cannot capture and replay this — the signature is mathematically bound to the legitimate domain. 

This is why AiTM kits fail against passkeys. Traditional phishing intercepts your password or OTP and replays it immediately. With a passkey, there is nothing to replay. The signature is unique per sign-in, per domain, and per device. 

Adoption and outcome statistics: 

  1. Passkeys now account for 62% of all authentication challenges, based on a sample of one million transactions in 2025. (Authsignal, May 2025)
  2. More than 1 billion people have activated at least one passkey globally. (FIDO Alliance, 2025)
  3. FIDO2/passkey logins grew over 60% across major platforms in 2025. (DeepStrike, 2026)
  4. Passkeys achieve a 93% login success rate, outperforming passwords and OTPs. (Authsignal, December 2025)
  5. Passkey implementations reduce credential-related support calls by up to 70% and cut login times by around 30%. (ID Dataweb, 2025)
  6. 75% of devices were already passkey-ready as of mid-2025. (Corbado State of Passkeys, 2025)

Passkeys in Microsoft Entra ID: What Is Happening Right Now 

For organisations already using Microsoft Entra ID, this is no longer a future roadmap item. Microsoft has made passkey support generally available in 2026, and the platform changes are arriving whether tenants are prepared or not. 

Key Entra updates in 2026 

  1. Passkey general availability (March 2026): Microsoft Entra ID promoted passkey authentication to GA, supporting both synced passkeys (stored in Apple Keychain, Google Password Manager, 1Password) and device-bound passkeys locked to hardware security keys or a device’s TPM chip.
  2. Automatic Passkey Profiles migration: Beginning March 2026, Microsoft started automatically enabling Passkey Profiles and shifting registration campaigns toward passkey enrolment. Tenants that have not configured passkey profiles may be automatically migrated to Microsoft’s default settings by May 2026 — which may not match your security requirements.
  3. Entra passkeys on Windows devices (April–June 2026): Microsoft is rolling out passkey support for phishing-resistant sign-in from Windows devices, with general availability expected mid-June 2026. This covers corporate, personal, and shared devices, with admin controls via Conditional Access and Authentication Methods policies.
  4. Conditional Access Optimisation Agent: Now in public preview, this agent supports passkey adoption campaigns — assessing device and user readiness, generating deployment plans, and automatically enforcing Conditional Access policies once users are ready. Currently targeted at privileged administrator roles.
  5. NIST mandate (SP 800-63-4, July 2025): The US National Institute of Standards and Technology finalised guidelines requiring phishing-resistant MFA options at AAL2 — not as an option, but as a requirement. Syncable passkeys now officially qualify as AAL2 authenticators.

Action required now: If your Entra tenant has not configured Passkey Profiles before May 2026, Microsoft will apply its own defaults. This may enable synced passkeys for your entire organisation — including high-privilege accounts — without your explicit control. Configure your profiles and attestation requirements before the auto-migration applies. 

Your 2026 Migration Playbook 

A good rollout is not a big-bang replacement. It is staged, tested, and explained properly. The goal is to make strong authentication feel normal, not to create another friction-heavy security initiative that users work around. 

Phase 1 — Assess: Understand your baseline 

  1. Audit current MFA methods across the organisation
  2. Identify SMS and voice-based MFA dependencies
  3. Check device readiness (75%+ of devices are now passkey-ready)
  4. Review existing Conditional Access policies for gaps
  5. Tools: Entra ID Protection, Authentication Methods report

Phase 2 — Profile: Design your passkey profiles 

  1. Build a profile matrix: privileged users, regulated users, general workforce, shared device scenarios
  2. Decide whether synced passkeys are acceptable per group
  3. Set attestation requirements per profile
  4. Tools: Authentication Methods > FIDO2 > Passkey Profiles

Phase 3 — Pilot: Start with highest-risk accounts 

  1. Begin with executives, finance, HR, IT admins — accounts attackers target most
  2. Run with real users, real devices, and real applications
  3. Validate registration, sign-in, recovery, and helpdesk handling
  4. Tools: Registration campaigns, targeted enrolment

Phase 4 — Enforce: Require phishing-resistant auth 

  1. Use Conditional Access Authentication Strengths to require phishing-resistant MFA for sensitive resources
  2. Enforce for admin roles first
  3. Remove SMS and voice MFA where possible
  4. Before enabling enforcement, ensure all affected admins have registered passkeys. Use Temporary Access Pass to bootstrap registration where needed.

Phase 5 — Sustain: Protect the ongoing model 

  1. Document break-glass processes before enforcement begins
  2. Challenge shared accounts — do not carry them forward into the new model
  3. Review and right-size privileged role assignments
  4. Disable legacy authentication protocols
  5. Tools: PIM, Named Locations, Legacy auth block policies
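The Phase 1 readiness check and the Phase 4 enforcement step, as an added Microsoft Graph PowerShell example (not from the original post or from Microsoft): it lists admins who still have no passkey or FIDO2 method registered, then creates the phishing-resistant Conditional Access policy for the four admin roles in report-only mode so sign-in logs show who would be blocked before anyone is. It assumes the Microsoft Graph PowerShell SDK is installed, uses the registration report's isAdmin flag (which covers all admin roles, not only the four in the policy), and the break-glass group ID is a placeholder you must replace.

```powershell
# Added example (not from the original post): Phase 1 readiness check + Phase 4 report-only policy.
# Assumes the Microsoft Graph PowerShell SDK; the break-glass group ID is a PLACEHOLDER to replace.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'AuditLog.Read.All' -NoWelcome

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'  # PLACEHOLDER: emergency-access account group
$phishingResistant = '00000000-0000-0000-0000-000000000004'  # built-in "Phishing-resistant MFA" authentication strength

# Role template IDs for the four roles the playbook says to protect first
$adminRoles = @(
    '62e90394-69f5-4237-9190-012177145e10'  # Global Administrator
    'e8611ab8-c189-46e8-94e1-60213ab1f814'  # Privileged Role Administrator
    '194ae4cb-b126-40b2-bd5b-6091b380977d'  # Security Administrator
    'b1be1c3e-b65d-4f19-8427-f6fa0d97feb9'  # Conditional Access Administrator
)

# Readiness check: admins with no passkey or FIDO2 security key registered would be
# locked out the moment the policy is switched from report-only to enabled.
$admins   = Get-MgReportAuthenticationMethodUserRegistrationDetail -Filter "isAdmin eq true" -All
$notReady = $admins | Where-Object {
    @($_.MethodsRegistered | Where-Object { $_ -match '^(fido2|passKey)' }).Count -eq 0
}
if ($notReady) {
    Write-Warning 'Admins still without a passkey/FIDO2 method (bootstrap them with a Temporary Access Pass):'
    $notReady.UserPrincipalName | ForEach-Object { Write-Warning "  $_" }
}

# Enforcement policy, created in report-only mode first. Flip 'state' to 'enabled'
# only once $notReady is empty and the report-only sign-in log results look clean.
$policy = @{
    displayName   = 'Admins - require phishing-resistant MFA (report-only pilot)'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        applications   = @{ includeApplications = @('All') }
        users          = @{ includeRoles = $adminRoles; excludeGroups = @($breakGlassGroupId) }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistant }
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy |
    Select-Object DisplayName, State, Id
```

Review the policy's results under the sign-in logs' report-only view for a full pilot period before changing the state; the excluded break-glass group keeps the emergency-access accounts outside the policy as the Phase 5 step requires.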

Protecting administrator roles first 

Microsoft explicitly recommends requiring phishing-resistant MFA for all administrator roles in Entra, including Global Administrator, Privileged Role Administrator, Security Administrator, and Conditional Access Administrator. Using Privileged Identity Management (PIM) alongside passkeys allows you to require MFA at role activation — not just at sign-in — for the highest-risk accounts. 

Passkeys Are Not a Silver Bullet — Here Is What Else Matters 

Passkeys are a very strong piece of the identity puzzle. But they are part of a broader identity uplift. Deploying passkeys into a poorly managed identity environment will not fix the underlying problems. 

  1. Messy Conditional Access: Passkeys enforce strong sign-in, but if your Conditional Access policies have gaps — unmanaged devices with no controls, missing named locations, no sign-in risk policies — attackers will probe those gaps instead.
  2. Over-assigned privileged roles: Passkeys protect the door. If too many people hold Global Admin or equivalent, the value of that protection is reduced. Review privileged role assignments regularly and use PIM for just-in-time access.
  3. Legacy authentication still enabled: Legacy authentication protocols bypass Conditional Access entirely. Block them. There is no version of a modern identity posture that tolerates open legacy auth.
  4. Unmanaged and shared devices: Synced passkeys stored in a cloud provider can be exposed if the device or password manager account is compromised. For privileged users, prefer device-bound passkeys that cannot be copied.

Why Act Now: The Business Case 

Many organisations already own the Microsoft Entra capability. They are not waiting for a technology purchase decision — they are waiting for a clear identity roadmap and someone to help execute it. 

Business case statistics: 

  1. Average cost of a phishing-driven breach: $4.88 million (IBM Cost of a Data Breach, 2025)
  2. 92% of Microsoft employee productivity accounts now use phishing-resistant MFA. (Microsoft Secure Future Initiative, April 2025)
  3. 75% of devices are already passkey-ready. (Corbado State of Passkeys, 2025)
  4. Passkey implementations reduce authentication failures by 30% or more. (ID Dataweb, 2025)
  5. The global passwordless authentication market is projected to reach $86.35 billion by 2033, up from $18.36 billion in 2024. (Straits Research)

The migration does not need to disrupt operations. It needs to be staged, tested, and communicated properly. Users need to know what is changing, why it matters, and what they need to do. Service desks need to be ready. Break-glass processes need to be documented before enforcement begins. 

Key Takeaway 

MFA is still important — but not all MFA is equal. AiTM attacks bypassed standard MFA in 79% of business email compromise cases in 2024–2025. Passkeys and phishing-resistant authentication in Microsoft Entra are the right response: they are cryptographically bound to the real service, cannot be intercepted mid-session, and already work on 75% of devices. Organisations should start moving their most sensitive users and applications toward phishing-resistant authentication now, before attackers force the issue. 

For Oreta customers, this is where the conversation becomes practical. Many organisations already own the Microsoft capability but need help turning it into a clear identity roadmap. What should be protected first? Which authentication methods should be allowed? How should admin roles be handled? What does the migration look like for real users? That is exactly what we help with. 

References 

  1. Authsignal. World Passkey Day: The State of Passkeys in 2025 (May 2025). https://www.authsignal.com/blog/articles/world-passkey-day-the-state-of-passkeys-in-2025
  2. SQ Magazine / DeepStrike. Password Statistics 2026: Credential Theft, MFA, and the Passkey Tipping Point. https://sqmagazine.co.uk/password-statistics/
  3. Verizon. 2025 Data Breach Investigations Report (DBIR). https://www.verizon.com/business/resources/reports/dbir/
  4. Yubico. 2025 Global State of Authentication Survey (September 2025). https://www.yubico.com/blog/2025-global-state-of-authentication-survey-a-world-of-difference-in-cybersecurity-habits/
  5. ID Dataweb. Passkeys vs. OTP: Why 2025 Is the Tipping Point for Phishing-Resistant MFA (August 2025). https://www.iddataweb.com/passkeys-vs-otp-2025/
  6. Authsignal. Passwordless Authentication in 2025: The Year Passkeys Went Mainstream (December 2025). https://www.authsignal.com/blog/articles/passwordless-authentication-in-2025-the-year-passkeys-went-mainstream
  7. FIDO Alliance. Passkey Index 2025. https://fidoalliance.org/passkey-index-2025/
  8. Microsoft Learn. Microsoft Entra Releases and Announcements — What’s New. https://learn.microsoft.com/en-us/entra/fundamentals/whats-new
  9. BleepingComputer. Microsoft to Roll Out Entra Passkeys on Windows in Late April (April 2026). https://www.bleepingcomputer.com/news/microsoft/microsoft-to-roll-out-entra-passkeys-on-windows-in-late-april/
  10. 4sysops. Microsoft Entra March 2026: Passkeys GA, Backup Preview, and Hybrid Security Fix (April 2026). https://4sysops.com/archives/microsoft-entra-march-2026-passkeys-ga-backup-preview-and-hybrid-security-fix/
