I'm working at a small company with fewer than 15 employees, utilizing Microsoft 365 Business Premium, Intune, and Apple Business Manager. We're committed to keeping our security measures up-to-date, but I've noticed that the fixes we need often go beyond what our current package includes. Unfortunately, our budget is tight, and it's unlikely we'll get to upgrade to the E5 licensing level anytime soon. I've communicated the risks of not being up to date, and while my team acknowledges this, they're also acutely aware of the cost implications.
Given the recent security breaches affecting companies like M&S and Coop, I'm considering whether adopting FIDO2 authentication for all employees could be a more budget-friendly solution than seeking complex package upgrades. In my thinking, this could help mitigate risks like token theft and man-in-the-middle attacks, since an attacker would need a physical key to get past the 2FA. I also assume that if an account is intercepted, the enforcement measures for FIDO2 would halt any unauthorized access, as long as employees don't approve suspicious logins.
If an employee loses their key, I believe I can remove their MFA settings and rely on the phone app MFA as a backup. We're still new to this technology, so I'd love to hear if this idea holds water or if there are critical flaws I might be overlooking. Also, when I mention 'packages', I'm referring to add-ons to our M365 Business Premium account, like Entra ID P2.
3 Answers
I’m still unclear on what you mean by 'packages'. Are you talking about differences between E3 and E5 licensing? Your initial license type might change your options significantly.
Can you clarify what you mean by 'packages'? When you say M365 BP, you’re talking about your full package deal, right? We need to understand that to give you better advice.
Have you considered the E5 security add-on for just $12? It might actually give you a lot of the protections you’re looking for, and it integrates well with your current Business Premium setup.