BIPI

FIDO2 Keys Are the Cheapest MFA Upgrade Most Companies Aren't Doing

Cybersecurity

YubiKeys cost $50. Phishing-resistant MFA blocks credential stuffing, AiTM, and most account takeover paths. The hard part is operational: distribution, lost-key recovery, and IDP integration. Here's the rollout pattern that works.

By Arjun Raghavan, Security & Systems Lead, BIPI · January 22, 2024 · 7 min read

#fido2 #passkeys #mfa #identity

Microsoft published research in 2023 showing that adversary-in-the-middle phishing kits had bypassed app-based MFA in roughly 11,000 organizations they tracked. Push-fatigue attacks against Microsoft Authenticator and Duo were a regular feature of intrusions throughout the year. SMS OTP has been broken since the SS7 disclosures in 2017 but is still the most common second factor in enterprise.

FIDO2 hardware keys fix this. They produce phishing-resistant authentication using public-key cryptography bound to the origin. A FIDO2 key cannot be tricked into authenticating to a lookalike domain because the browser refuses to send the assertion to a domain that doesn't match the registered origin. There is no code to type, nothing to forward, nothing to push-bomb.

Which Key to Buy

Yubico's YubiKey 5 series ($50-75) and Google's Titan ($30-50) are the two reasonable options for enterprise. Buy in lots of 100+ from authorized resellers. The YubiKey 5C NFC works on USB-C laptops and on Android phones over NFC; the YubiKey 5 NFC is USB-A plus NFC. Most enterprises issue two keys per employee: one primary plus one backup stored somewhere safe.

Avoid sketchy Amazon-marketplace alternatives. Several brands have shipped keys with weak attestation, broken firmware update mechanisms, or no NFC. The $20 you save per key is not worth the integration headaches.

IDP Integration

Both Okta and Entra ID (formerly Azure AD) support FIDO2 as an MFA factor. Configuration is straightforward but has gotchas.

  • Okta: enable FIDO2 (WebAuthn) in the authenticator settings, set up an authentication policy that requires it for high-risk apps, and configure the user enrollment flow
  • Entra ID: enable FIDO2 security keys in the Authentication methods policy, and configure key restrictions by AAGUID if you want to limit enrollment to specific vendors
  • Both: configure attestation requirements. Direct attestation gives you the AAGUID for vendor enforcement; "none" allows any key but loses vendor enforcement
  • Both: make sure the legacy auth protocols (basic auth, IMAP, SMTP) are disabled before enforcing; otherwise users bypass MFA

The AAGUID restriction matters. Without it, users can register a software authenticator (Windows Hello, macOS Touch ID, browser-based passkey) that doesn't have the same anti-phishing properties as a hardware key. Sometimes you want that flexibility, sometimes you don't. Pick a policy and document it.
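As an added example (not from the original post, and not Okta's or Entra ID's code), this is the check an identity provider performs when it enforces an AAGUID restriction at registration: parse the WebAuthn authenticatorData, confirm the rpIdHash is bound to our own relying party ID, and accept only allowlisted authenticator models. The AAGUIDs and the relying party ID `corp.example` are constructed placeholders, not real vendor values.

```python
import hashlib
import struct
import uuid

# Constructed allowlist: placeholder AAGUIDs standing in for approved hardware-key models.
# A real deployment takes these from the vendor's published metadata, not from here.
ALLOWED_AAGUIDS = {
    uuid.UUID("00000000-0000-4000-8000-00000000aaaa"),  # placeholder: approved key model A
    uuid.UUID("00000000-0000-4000-8000-00000000bbbb"),  # placeholder: approved key model B
}
FLAG_AT = 0x40  # authenticatorData flag: attested credential data present

def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split registration authenticatorData into rpIdHash, flags, signCount,
    AAGUID and credential ID (the COSE public key that follows is not needed here)."""
    if len(auth_data) < 55:
        raise ValueError("authenticatorData too short for attested credential data")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: this is an assertion, not a registration")
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    (cred_id_len,) = struct.unpack(">H", auth_data[53:55])
    cred_id = auth_data[55:55 + cred_id_len]
    if len(cred_id) != cred_id_len:
        raise ValueError("truncated credential ID")
    return {"rp_id_hash": auth_data[:32], "flags": flags, "sign_count": sign_count,
            "aaguid": uuid.UUID(bytes=auth_data[37:53]), "credential_id": cred_id}

def registration_allowed(auth_data: bytes, expected_rp_id: str) -> tuple:
    """Accept a registration only if it is bound to our RP ID and comes from an allowlisted model."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match our relying party ID"
    if parsed["aaguid"] not in ALLOWED_AAGUIDS:
        return False, f"AAGUID {parsed['aaguid']} is not an approved hardware key"
    return True, "ok"

def build_auth_data(rp_id: str, aaguid: str, cred_id: bytes = b"\x01\x02\x03\x04") -> bytes:
    """Construct minimal registration authenticatorData as test input (constructed, not captured)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([FLAG_AT | 0x01])
            + struct.pack(">I", 0) + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id)

if __name__ == "__main__":
    good = build_auth_data("corp.example", "00000000-0000-4000-8000-00000000aaaa")
    soft = build_auth_data("corp.example", "00000000-0000-4000-8000-00000000cccc")
    other = build_auth_data("corp-example.lookalike", "00000000-0000-4000-8000-00000000aaaa")
    print(registration_allowed(good, "corp.example"))   # (True, 'ok')
    print(registration_allowed(soft, "corp.example"))   # rejected: AAGUID not allowlisted
    print(registration_allowed(other, "corp.example"))  # rejected: rpIdHash mismatch
```

The third case is the origin binding described earlier: a credential created for a lookalike domain carries a different rpIdHash and is rejected before the AAGUID is even considered.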

Distribution

Mailing keys is the worst part of this project. We've seen three approaches work:

  1. Centralized: ship keys to a central location; employees pick them up in person and self-enroll on a help-desk-supervised station. Good security, slow rollout.
  2. Mailed with PIN: ship keys, and send the enrollment PIN over a separate communication channel. Okay for hybrid workforces, but adds operational burden.
  3. Procurement-bundled: ship keys with the laptop at hire, with enrollment as part of onboarding. Clean process, but it only covers new hires unless you pair it with a hardware refresh cycle.

Most mid-size enterprises end up combining all three. Bundle with new hires going forward, run waves of in-person enrollment events for existing staff, mail keys with PIN to remote employees.

Lost Key Process

This is where most FIDO2 deployments fail. If a key is lost on a Friday at 6pm, what does the employee do? Calling the help desk for a temporary access pass is the right answer, but the help desk needs a documented verification process that doesn't fall back to "answer the same security questions a phishing operator could answer".

The pattern that works: backup key requirement (everyone has two enrolled keys at all times), temporary access passes via Entra ID that are time-bound and single-use, and a manager-attestation flow for users who lost both keys. Manager attestation requires the manager to confirm the user's identity in a recorded video call before help desk issues a TAP. Slow but defeats phishing.

Measuring the Win

Track three metrics monthly: percentage of users with at least one FIDO2 key enrolled, percentage of authentications using FIDO2 vs other factors, and number of MFA-related help desk tickets. The first should climb to 80%+ over six months. The second should climb to 60%+ once you require phishing-resistant MFA for high-risk apps. The third should drop. We've seen 40-60% reductions in MFA tickets after FIDO2 rollouts because hardware keys don't get push-bombed, don't have SIM swap issues, and don't run out of battery.
