What are the Best Phishing-Resistant MFA Solutions for Internal Environments?

We shifted to FIDO2 security keys and Windows Hello for Business in our hybrid AD setup, which massively improved our phishing resistance. FIDO2 keys like YubiKeys are specifically designed to be phishing-resistant, as they won't authenticate on fake pages due to domain binding. For the broader user base, we pushed Windows Hello, which integrates well with Azure AD and limits password exposure. The biggest hurdle was user adoption and logistics—explaining the need to switch from traditional apps was time-consuming, and managing hardware key distribution was a challenge. Just make sure you have a solid recovery process in place before a wide rollout.

We’re using a mix of Windows Hello and Microsoft Authenticator Passkeys with device attestation. It offers a good balance of convenience and security for our environment.

If you're looking to enforce MFA at the network level too, consider using Global Secure Access. It’s a solid solution to complement your MFA strategy.

FIDO2/WebAuthn hardware keys, like YubiKey and Google Titan, are the best choice for phishing resistance. They won't authenticate on a lookalike domain because they sign an origin-bound challenge. Microsoft Entra also supports FIDO2 natively, making it a great fit for conditional access requirements on VPN and modern internal apps. For anything legacy that can't use FIDO2, Windows Hello for Business is a fantastic alternative since it binds the authentication to the device, removing the risk of replay attacks. A pro tip: provide the initial users with two keys each to avoid momentum-killing delays caused by lost or broken keys.

Our setup is built on YubiKeys and Windows Hello for Business, integrating smart card certs for admin accounts and FIDO2 for cloud-only accounts, plus Windows Hello for synced users. It’s really streamlined our access without compromising security.