If you already enabled Multi-Factor Authentication (MFA), congratulations—you’ve moved from “front door wide open” to “front door locked.”
Unfortunately, attackers noticed… and now they’re ringing the doorbell a lot.
Modern phishing campaigns don’t just steal passwords—they try to bypass or abuse MFA with tricks like:
- MFA prompt spam (“push bombing”): repeated approval requests, usually after the password has already been phished, in the hope that someone hits Approve just to make the buzzing stop
- Adversary-in-the-middle (AiTM) phishing kits that proxy the real login page in real time, so the user completes MFA for the attacker and the kit walks off with the resulting session cookie
- SIM swaps and SMS interception, because SMS is basically “security by postcard”
The next step for many businesses is phishing-resistant MFA and passkeys.
What “Phishing-Resistant MFA” Actually Means
Phishing-resistant MFA binds the credential to the real site and to a one-time challenge. The browser only lets the authenticator sign for the domain the credential was registered to, and the signed response includes the page origin the user is actually on, so a lookalike site can’t obtain a response the real site will accept. Because every login signs a fresh server challenge, a captured response can’t be replayed later either. Even if a user is tricked into visiting a fake login page, the attacker ends up with nothing worth forwarding.
The best-known options include:
- FIDO2 / WebAuthn security keys (USB/NFC keys)
- Platform authenticators (Windows Hello, Touch ID, etc.) using passkey-style credentials
Think of it like this:
- SMS codes: “Tell me the secret number I texted you.”
- Push approvals: “Tap the button if you meant to sign in.”
- Passkeys / FIDO: “Prove you have the right key for this exact website.”
Attackers hate that last one. (And we love to see it.)
Passkeys: The “No More Passwords” Upgrade (Without the Chaos)
Passkeys are a modern sign-in method built on public‑key cryptography. In plain English:
- There’s no password to steal: the website stores only a public key, which is useless to an attacker on its own.
- The private key stays on your device (or, for synced passkeys, in your platform’s encrypted credential store) and is only ever used to sign a challenge for the site it was created for.
- Logging in usually looks like Face ID / fingerprint / PIN. That unlocks the key locally; the biometric never leaves the device.
If your users can unlock their phones, they can use passkeys.
Yes, that means Karen from Accounting can be more secure than a 12‑character password with three exclamation points.
Why MSP Customers Should Care (Right Now)
Because identity is still the easiest entry point.
When a threat actor gets access to email or a cloud identity, the playbook is depressingly predictable:
- Invoices and payment redirects (BEC)
- Mailbox rules and data theft
- Lateral movement into SharePoint / Teams / file sync
- “Just one admin account” turning into a very bad week
Phishing-resistant MFA and passkeys raise the cost for attackers dramatically—often enough that they move on to someone easier.
A Practical Rollout Plan That Won’t Cause a Ticket Avalanche
Here’s the “do it like an MSP” approach—secure first, then scale.
1) Start with admins and high-risk accounts
- Global admins, billing admins, anyone with VPN/RMM access
- Require phishing-resistant methods first (FIDO2 security keys, Windows Hello for Business, or other passkey-capable flows). In Microsoft 365 / Entra ID, a Conditional Access policy with the phishing-resistant authentication strength can enforce this for exactly these groups without touching everyone else.
2) Reduce the “Approve” button problem
If you use push MFA today, tighten it up:
- Turn on number matching (Microsoft Authenticator now enforces it by default; confirm the same for any other push app you use)
- Shorten or disable long “remember this device” / “stay signed in” windows for privileged and remote-access accounts. A stolen session token is exactly what the real-time proxy phishing kits are after, so also make sure you can revoke sessions when you suspect one.
- Educate users: If you didn’t start the login, don’t approve it.
(MFA prompts should be treated like unexpected “Are you awake?” texts at 2am.)
3) Introduce passkeys in phases
- Pilot with a small group (IT + a few power users)
- Validate device readiness (Windows Hello, managed mobile devices, supported browsers)
- Document a simple “how to enroll” flow and include it in onboarding
4) Get account recovery right (seriously)
Passkeys are great—until someone loses a phone and their patience.
- Confirm recovery options for each user (backup methods, helpdesk verification steps)
- Use strong identity proofing for resets: a callback to a known number, an in-person or video check, or a time-limited one-time credential such as Entra’s Temporary Access Pass. Don’t let the reset path fall back to SMS or email, or you’ve quietly reintroduced the weak link you just removed.
- Log and alert on recovery events, and treat a reset request for an admin account as a security event until proven otherwise
5) Measure and improve
Track:
- MFA challenges by method
- “Denied push” events
- Account lockouts and recovery requests
- Any accounts still using SMS (these are your “please phish me” accounts)
The Bottom Line
Traditional MFA is still far better than passwords alone—but phishing-resistant MFA and passkeys are where identity security is heading.
At Collett Systems, we help MSP customers:
- choose the right authentication methods,
- roll them out without breaking workflows,
- and reduce the real-world risk of account takeover.
If you want a plan tailored to your environment (Microsoft 365, line-of-business apps, VPN/RMM, and compliance needs), contact us.