Demystifying Microsoft
Why Hackers Hate Passkeys: Microsoft FIDO2 Explained with Dom Kirby
June 30, 2026
FIDO2 and passkeys are redefining identity security by moving beyond vulnerable shared secrets. In this episode, Nathan Taylor of Sourcepass MCOE and Dom Kirby of Pax8 explain why traditional MFA methods like SMS and TOTP are failing against modern adversary-in-the-middle attacks. They touch upon hardware-backed cryptography and provide a roadmap for IT leaders to deploy phishing-resistant authentication across their organizations without overwhelming users.
Nathan Taylor from Sourcepass MCOE and Dom Kirby from Pax8 dive into the evolution of identity security, moving from simple passwords to advanced phishing-resistant authentication. As you know, traditional multi-factor authentication like SMS and six-digit codes is increasingly vulnerable to sophisticated token-stealing and adversary-in-the-middle (AITM) attacks. 

Dom explains how the FIDO2 standard uses public-key cryptography to ensure mutual authentication, effectively neutralizing these common threats by verifying the domain before any exchange occurs.

The discussion addresses the practicalities of a corporate rollout. They compare the high-security benefits of physical YubiKeys against the emerging ease of use provided by device-bound passkeys in the Microsoft Authenticator app. For IT leaders, the focus is on risk management and staging deployments through user tranches rather than a one-size-fits-all approach. By leveraging existing tools like Windows Hello for Business and Microsoft Entra ID, organizations can significantly harden their security posture against today's most prevalent digital threats.

What You’ll Learn:
About the Guest:
Dom Kirby is the Senior Director of Professional Services at Pax8, where he leads a team supporting MSP partners worldwide. His work is grounded in a simple belief: technology only matters when it creates meaningful outcomes for people and businesses. By aligning strategy, people, and process, Dom helps partners grow, gain efficiencies, and strengthen cyber resilience.

About the Host:
Nathan Taylor is the Senior Vice President and Global Microsoft Practice Leader at Sourcepass, where he leads the Sourcepass Center of Excellence for Microsoft. His work is grounded in a simple idea: Microsoft should not be complicated. By removing complexity, confusion, and frustration from the Microsoft ecosystem, Nathan helps organizations focus on outcomes while getting the most from their Microsoft investment.

Episode Highlights:
[00:03:00] The Vulnerability of Modern MFA 
SMS and TOTP were major improvements over passwords, but they no longer suffice against modern session-stealing techniques. Dom highlights how actors exploit these mediums, making phishing-resistant methods a necessity rather than an option for modern businesses.

[00:05:00] Anatomy of an Adversary-in-the-Middle Attack 
These attacks work by placing a reverse proxy between the user and the legitimate service to steal session tokens. Once an attacker has this token, they can bypass MFA entirely because the service believes the user has already authenticated.

[00:11:00] The Core Logic of FIDO2
 
FIDO2 replaces shared secrets with proof of possession and mutual authentication to ensure both parties are who they claim to be. This open standard, backed by industry giants, ensures that authentication only happens with the legitimate domain.

[00:15:00] Moving Toward Approachable Passkeys 
Passkeys simplify the FIDO2 experience by using biometrics on mobile devices instead of requiring separate physical hardware. This shift makes a high-level security approachable for the average user while maintaining the same underlying cryptographic protections.

[00:24:00] Staging Your Security Rollout 
Deploying phishing-resistant MFA should be phased in, starting with high-privilege administrators and executive teams. This risk-based approach allows IT teams to identify edge cases and legacy applications that might not yet support modern authentication.

[00:26:00] Scaling FIDO2 for Service Providers Scaling hardware-backed security across multiple client tenants presents unique hurdles for technicians who traditionally used shared accounts. Nathan and Dom discuss using GDAP and PIM/PAM as better alternatives to maintain security without the risk of "golden tickets" leaving with former employees.

Episode Resources:
If you are ready to move your organization toward a phishing-resistant future and want to discuss your strategy with one of our Microsoft problem solvers, reach out to us here: https://sourcepassmcoe.com/demystifying-microsoft-contact 

Dominic Kirby on LinkedIn 
Nathan Taylor on LinkedIn

Quotes

Demystifying Microsoft is handcrafted by our friends over at: fame.so