FIDO2 and passkeys are redefining identity security by moving beyond vulnerable shared secrets. In this episode, Nathan Taylor of Sourcepass MCOE and Dom Kirby of Pax8 explain why traditional MFA methods like SMS and TOTP are failing against modern adversary-in-the-middle attacks. They touch upon hardware-backed cryptography and provide a roadmap for IT leaders to deploy phishing-resistant authentication across their organizations without overwhelming users.
Nathan Taylor from Sourcepass MCOE and Dom Kirby from Pax8 dive into the evolution of identity security, moving from simple passwords to advanced phishing-resistant authentication. As you know, traditional multi-factor authentication like SMS and six-digit codes is increasingly vulnerable to sophisticated token-stealing and adversary-in-the-middle (AITM) attacks.
Dom explains how the FIDO2 standard uses public-key cryptography to ensure mutual authentication, effectively neutralizing these common threats by verifying the domain before any exchange occurs.
The discussion addresses the practicalities of a corporate rollout. They compare the high-security benefits of physical YubiKeys against the emerging ease of use provided by device-bound passkeys in the Microsoft Authenticator app. For IT leaders, the focus is on risk management and staging deployments through user tranches rather than a one-size-fits-all approach. By leveraging existing tools like Windows Hello for Business and Microsoft Entra ID, organizations can significantly harden their security posture against today's most prevalent digital threats.
What You’ll Learn:
- Why traditional MFA, like SMS and TOTP, is no longer sufficient against AITM attacks
- How FIDO2 uses mutual authentication to prevent domain-spoofing and token theft
- The difference between physical security keys and mobile-based passkeys
- How to leverage Windows Hello for Business as a phishing-resistant authenticator
- Strategic ways to stage a FIDO2 rollout using user tranches
- Solutions for scaling hardware-backed security in MSP and service desk environments
About the Guest:
Dom Kirby is the Senior Director of Professional Services at Pax8, where he leads a team supporting MSP partners worldwide. His work is grounded in a simple belief: technology only matters when it creates meaningful outcomes for people and businesses. By aligning strategy, people, and process, Dom helps partners grow, gain efficiencies, and strengthen cyber resilience.
About the Host:
Nathan Taylor is the Senior Vice President and Global Microsoft Practice Leader at Sourcepass, where he leads the Sourcepass Center of Excellence for Microsoft. His work is grounded in a simple idea: Microsoft should not be complicated. By removing complexity, confusion, and frustration from the Microsoft ecosystem, Nathan helps organizations focus on outcomes while getting the most from their Microsoft investment.
Episode Highlights:
[00:03:00] The Vulnerability of Modern MFA
SMS and TOTP were major improvements over passwords, but they no longer suffice against modern session-stealing techniques. Dom highlights how actors exploit these mediums, making phishing-resistant methods a necessity rather than an option for modern businesses.
[00:05:00] Anatomy of an Adversary-in-the-Middle Attack
These attacks work by placing a reverse proxy between the user and the legitimate service to steal session tokens. Once an attacker has this token, they can bypass MFA entirely because the service believes the user has already authenticated.
[00:11:00] The Core Logic of FIDO2
FIDO2 replaces shared secrets with proof of possession and mutual authentication to ensure both parties are who they claim to be. This open standard, backed by industry giants, ensures that authentication only happens with the legitimate domain.
[00:15:00] Moving Toward Approachable Passkeys
Passkeys simplify the FIDO2 experience by using biometrics on mobile devices instead of requiring separate physical hardware. This shift makes a high-level security approachable for the average user while maintaining the same underlying cryptographic protections.
[00:24:00] Staging Your Security Rollout
Deploying phishing-resistant MFA should be phased in, starting with high-privilege administrators and executive teams. This risk-based approach allows IT teams to identify edge cases and legacy applications that might not yet support modern authentication.
[00:26:00] Scaling FIDO2 for Service Providers Scaling hardware-backed security across multiple client tenants presents unique hurdles for technicians who traditionally used shared accounts. Nathan and Dom discuss using GDAP and PIM/PAM as better alternatives to maintain security without the risk of "golden tickets" leaving with former employees.
Episode Resources:
If you are ready to move your organization toward a phishing-resistant future and want to discuss your strategy with one of our Microsoft problem solvers, reach out to us here: https://sourcepassmcoe.com/demystifying-microsoft-contact
Quotes
- "Basically, what we're saying is we no longer need a secret to be told to the recipient or the authorizer. That's not what we do anymore. We're simply saying we need proof of possession in the cryptography world or proof that you know a secret without telling me the secret."
- "That YubiKey knows that credential for Microsoft is for microsoft.com. If badguy.com asks for that token, it doesn't have a token for that. It has nothing to do. The authentication can never finish because the two parties have an established trust."
- "Windows Hello for Business has two models. In the cloud model, it's the FIDO key, and they're using the TPM on your computer. It turns the entire laptop or device into a security key. It is two factor authentication because I have physical possession of the device, and I can unlock it with my face or my PIN."
- "Password, they never will, but passwords have to go. There will always be a password somewhere. Your network router is gonna have a password. But passwords are bad. They are not a good measure anymore."
- "Go to your Google accounts. Don't have a passkey. Go to your Apple does it. Microsoft personal accounts. Ironically, you can do it everywhere except for your bank. You could probably enroll a passkey, and they'll catch up someday."