This article is an update to my original 2023 post on the importance of MFA (https://msendpointmgr.com/2023/01/17/why-multi-factor-authentication-is-important/). A lot has changed since then -- Microsoft is now _mandating_ MFA, and passkeys have evolved from the "cool new thing" to "the only right thing" Let's dive into what's new-ish and why your employees' personal phones are not the privacy nightmare they think they are.

Remember when MFA was a "best practice" and "highly recommended"? Those days are over. Microsoft has officially moved from gentle suggestions to mandatory enforcement as part of their Secure Future Initiative. And honestly? As an IT admin who's been advocating for stronger authentication for over 20 years, this mandate is overdue. The challenge now isn't deciding whether to implement MFA or not -- it's how to deploy phishing-resistant methods efficiently.

PHASE 1 enforcement hit the Azure Portal, Microsoft Entra admin center, and Intune admin center with full enforcement back in March 2025. If you're an admin who hasn't set up MFA yet... well, hope you like dealing with the Data Protection Team at MS Support and have all the time in the world. PHASE 2 kicked in October 2025 and now covers Azure CLI, PowerShell, and all those Infrastructure as Code tools you've been automating with. The good news? Read operations don't require MFA -- only Create, Update, and Delete operations. So your monitoring scripts can breathe easy. (https://learn.microsoft.com/en-us/entra/identity/authentication/concept-mandatory-multifactor-authentication?tabs=dotnet#:~:text=Read%20operations%20won%27t%20require%20MFA.)

The Microsoft 365 Admin Center hits full enforcement on February 9, 2026 -- that's next month. If you're not ready, now's the time to get moving (Or opt-in for an extension until July!). Even if YOU have MFA setup -- how about a billing admin or what not?

If you've been following this blog, you know I've been banging the FIDO2 drum since 2019 (https://msendpointmgr.com/tag/fido2/). Back then, it was all about hardware security keys and convincing skeptical IT teams that passwordless wasn't just a fantasy. Well, the fantasy is now reality -- and it lives in your pocket and on extensions like 1Password and is rebranded under the term Passkeys.

There are two flavours of passkeys you need to understand:

These are the consumer-friendly option. Your passkey gets encrypted and synced across your devices via cloud services like iCloud Keychain, Google Password Manager, 1Password, or Dashblane. Lost your phone? No problem -- your passkey is waiting for you on your new device as soon as you restore from backup.

The trade-off? Organizations can't cryptographically verify which device created the credential (no attestation support). For most scenarios, this is perfectly fine. For your CFO's account that authorizes wire transfers? Maybe not.

These are the enterprise security team's dream. The private key is generated and stored entirely within the device's secure hardware -- Secure Enclave on Apple devices, TPM on Windows, TEE on Android. It never leaves. Ever. Not even encrypted. If someone steals your phone, they still can't extract the passkey. If you lose your phone, that passkey is gone forever (which is why you need backup authentication methods and maybe SSAR (https://msendpointmgr.com/2025/12/30/self-service-account-recovery-ssar/)).

The advantage? Full attestation support. Your organization can verify exactly which authenticator created the credential, its firmware version, and its FIDO certification level. This is how you enforce policies like "only passkeys created on FIPS 140-3 compliant authenticators can access sensitive resources."

Here's something that doesn't get talked about enough: Microsoft Authenticator is the ONLY major authenticator app that supports device-bound passkeys.

Let me repeat that, because it's important.

Google Authenticator? TOTP only -- not even a passkey manager. Google Password Manager? Synced passkeys only. 1Password? Synced. Bitwarden? Synced. Apple Keychain? Hardware-generated but synced.

Microsoft Authenticator? DEVICE-BOUND ONLY.

This is a deliberate design choice for organizations with strict security requirements. Your passkey credentials cannot be synced, shared, exported, or recovered. They live and die with the device. For regulated industries -- finance, government, healthcare -- this is exactly what compliance teams have been asking for and why I personally swear by the MS Authenticator app!

And before you ask: yes, Microsoft Entra ID (the identity platform) supports _both_ types. You can use device-bound passkeys through Microsoft Authenticator AND allow synced passkeys through third-party providers. Best of both worlds, depending on your risk appetite.

Now that you understand Microsoft Authenticator's technical advantages, let's address the deployment challenge no documentation covers: getting users to actually install it on their personal devices.

As an IT admin, you're about to face the most common deployment roadblock: employee resistance to using personal devices for work authentication. When companies don't provide corporate phones, this conversation becomes inevitable.

Here are the objections your users will raise:

These concerns stem from psychology, not facts. Your job is to communicate the technical reality clearly and compassionately. Here's some ammunition you need for those conversations.

Arm yourself with these facts when addressing privacy concerns. Microsoft Authenticator does NOT give IT departments access to:

Be transparent with users about what limited data your organization receives for work/school accounts only when they authenticate and tell them these facts:

"That's it dear Employee. Your employer cannot remote-wipe your personal photos. They cannot read your WhatsApp messages. They cannot see that you've been doom-scrolling social media during meetings. (They might suspect it, but Authenticator won't tell them.)"

Here's your strongest argument when users push back: passkeys on their personal phone actually provide MORE PRIVACY than traditional authentication. Help them understand this counter-intuitive truth:

With password-based authentication, your organization's servers log every detail of the sign-in: password hash verification, device fingerprint, network information, behavioral patterns. The authentication happens on _organizational_ servers.

With passkeys, the cryptographic verification happens locally on _the user's_ device. Your servers only receive a signed challenge -- they never see the user's biometric, PIN, or private key. The device proves identity without revealing _how_ it knows the user is legitimate.

Once you've addressed these privacy concerns with users, the deployment itself is remarkably straightforward thanks to self-enrollment capabilities.

One of the most underappreciated aspects of passkeys in Microsoft Authenticator is the self-enrollment capability. Your users can set up passkeys 100% ON THEIR OWN SMARTPHONE, without any IT intervention whatsoever -- literally, they can do the whole process just on the phone without even having access to a normal desktop.

Requirements are simple: iOS 17+ or Android 14+ (15 recommended), Microsoft Authenticator installed, and you must have enabled "Allow self-service set up" for Passkey (FIDO2) in Entra ID.

The process takes about two minutes: (https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-authenticator?tabs=iOS)

Done. No IT tickets. No "please come to the office so we can set up your security key." No shipping hardware tokens internationally. Just a person, their phone, and two minutes of their time.

For organizations struggling with MFA adoption, this is the unlock.

Of course I have simplified this a bit and there are many complex technicalities to unravel due to the combination of policies one can have in a Microsoft Tenant. But if you are an Admin trying to test this, here are some quick steps (Make sure you have migrated to the new Authentication Methods Policy) (https://msendpointmgr.com/2023/03/06/migrating-to-authentication-methods/):

The process is incredibly simple and quick! If any Conditional Access settings block it, you'll need to address those. Also, note that the test user doesn't need to have Authenticator authentication method policy enabled even though we're using the Authenticator app to mint a Passkey. That applies only to Push message MFA and Passwordless (PSI)!

Since I like sharing my learnings: Here is how my tenant authentication methods policies blade looks. So it is possible just to have Passkeys as the only authentication and still be productive.

It depends on your security requirements. For most workforce users in non-regulated environments, synced passkeys offer a good balance of security and usability (no lockout on device loss). For privileged accounts, regulated industries, or scenarios requiring attestation, device-bound passkeys in Microsoft Authenticator are the way to go.

Yes! Microsoft Entra ID supports both. You can configure policies that require device-bound passkeys for admins while allowing synced passkeys for general users (Requires opt-in to the Public Preview at this time).

The passkey is gone. This is why you need backup authentication methods or Self-Service Account Recovery (SSAR) (https://msendpointmgr.com/2025/12/30/self-service-account-recovery-ssar/) configured. Or someone with access has to help you on-board a new key.

It's better than nothing, but Microsoft has deprecated SMS and voice calls as recommended methods due to SIM-swapping vulnerabilities among other crazy hacks (https://youtu.be/wVyu7NB7W6Y?t=798)... Move to app-based authentication or passkeys when possible.

Hardware security keys (like YubiKeys) or the newer, less talked about QR Code login (https://learn.microsoft.com/en-us/entra/identity/authentication/concept-authentication-qr-code), are your answer. They provide Passwordless auth without requiring a smartphone. Budget for them (Or use the free QR code thingy if possible).

Document the business requirement, provide alternatives (hardware security keys for those who qualify), and escalate persistent refusals to management. This should be a business policy decision, not an IT decision. Your role is to implement the technical solution and provide education -- not to negotiate individual exceptions. I would love to hear their excuses/fears in the comments section, so we can help each other with persuasive arguments.

Yes, WINDOWS HELLO FOR BUSINESS (WHFB) is absolutely a passkey provider and has been since Windows 11, version 22H2. While Microsoft's authentication portfolio can be complex to navigate, WHfB represents a mature, enterprise-ready implementation.

According to Microsoft's documentation (https://learn.microsoft.com/en-us/windows/security/identity-protection/passkeys/), Windows Hello offers native passkey support that's DEVICE-BOUND and protected by TPM (Trusted Platform Module) hardware. When you create a passkey with Windows Hello, it's stored locally on your Windows device and protected by the same biometrics or PIN you use to unlock your PC. These credentials never leave your Windows device -- that's about as device-bound as it gets!

PLATFORM SPECIFICITY: Windows Hello for Business is an excellent passkey implementation with enterprise-grade security features, but it's exclusively for Windows devices. For organizations with heterogeneous environments, this limitation matters.

Since this article aims to help a wider audience understand passkeys across multiple platforms (iOS, Android, macOS, Linux, and yes, even those weirdos still running ChromeOS), we're focusing on cross-platform solutions like Microsoft Authenticator, 1Password, and other providers that work regardless of your OS.

HOWEVER, if your organization is Windows-centric and you want the ultimate in device-bound passkey security, Windows Hello for Business deserves serious consideration. Microsoft reports that "nearly a million passkeys are registered every day" through Windows Hello, indicating significant enterprise adoption among Windows-centric organizations and sign-ins are "eight times faster and nearly three times more successful" compared to passwords.

BOTTOM LINE: WHfB is solid if you're all-in on Windows. For everyone else juggling multiple platforms, stick with the cross-platform options we've covered in this article.

When I wrote the original MFA article in 2023, passkeys were promising but not quite ready for enterprise primetime. Now they are -- and now, with Microsoft's mandatory MFA enforcement already in effect for most admin portals, you no longer have the luxury of doing Conditional Access excludes. Passkeys offer the smoothest path to compliance that actually improves security rather than just checking a box.

The personal phone resistance is real, but it's based on fear rather than facts. Part of your job as an IT architect is to communicate these facts clearly and compassionately to both management and end users. Position Authenticator not as surveillance software, but as a privacy-enhancing security tool that happens to reside on users' personal devices.

_Originally published on MSEndpointMgr.com (https://msendpointmgr.com/2026/01/10/passkeys-personal-phone-mfa-update/)_