If you are a UK director, IT lead or compliance owner reviewing authentication in 2026, here is the central reality: phishing-resistant MFA for UK business is no longer a future-state ambition, it is the baseline expectation set by the National Cyber Security Centre (NCSC), the Cyber Essentials Plus assessor pool, your cyber insurer and increasingly the procurement teams of your largest customers. Adversary-in-the-middle (AiTM) phishing kits like EvilProxy, Tycoon 2FA, Mamba 2FA and NakedPages have spent the last 24 months turning SMS one-time codes, Microsoft Authenticator push prompts and TOTP into authentication theatre — defeated routinely by attackers paying less than £200 a month for kit-as-a-service. Microsoft Entra’s 2025 Digital Defense Report and Google’s 2025 Threat Horizons telemetry both pinned the same blunt finding: phishing-resistant accounts repel essentially 100% of credential-replay attacks, while push-only and TOTP accounts continue to be compromised at meaningful rates.
This guide is the deep-dive answer to what UK business leaders actually need to do about it. We’ll define what “phishing-resistant” means in cryptographic terms, walk through how AiTM kits bypass legacy factors, map the available authenticators (FIDO2 hardware keys, synced passkeys, device-bound passkeys, certificate-based authentication, smart cards), price out a real UK SME rollout in pounds and pence, compare the Microsoft, Google and Okta passkey ecosystems, score where most UK estates currently sit, and walk through the 90-day rollout that hardens admin accounts first. We’ll also cover the Cyber Essentials Plus assessor view in 2026, the NCSC’s sharpened guidance, the ICO/GDPR exposure when MFA fails, and the awkward but unavoidable conversations about service accounts, BYOD and break-glass keys. By the end you will have a concrete, dated rollout plan and a procurement vocabulary that survives a tender, an audit and a board challenge.
Across this article we lean on UK-specific frameworks and reference data: NCSC’s “Multi-factor authentication for online services” refresh, Cyber Essentials Montpellier (in force through 2026), the FIDO Alliance enterprise passkey deployment guidance, W3C WebAuthn Level 3, the ICO’s enforcement record on access-control failures, the DSIT Cyber Security Breaches Survey, and the Microsoft Entra and Google Workspace 2025–2026 product documentation. Every figure is dated, sourced and UK-anchored. We will also be honest where the picture is messier than vendors claim — particularly on synced passkey attestation, on legacy authentication for service accounts, and on the gap between “passkey support” and “phishing-resistant for admin accounts” in your tenant settings.
What is phishing-resistant MFA? Definition and context
Phishing-resistant multi-factor authentication, in the precise sense the NCSC and CISA now use, refers to authenticators where the user’s credential is cryptographically bound to the legitimate website’s origin, so a user cannot be tricked into authenticating against an attacker-controlled lookalike. The key property is verifier impersonation resistance: even if the user types something into a fake login page, the authenticator refuses to produce a valid signature because the origin (the actual domain in the browser address bar) does not match the relying-party identifier the credential was registered against. SMS codes, TOTP codes from an authenticator app, push notifications and even number-matching push do not have this property — they are typed, tapped or approved by a human who can be deceived by a lookalike domain or a real-time AiTM proxy.
The authenticators that do meet the bar in 2026 are FIDO2/WebAuthn credentials (security keys and platform authenticators), passkeys (a marketing term for discoverable WebAuthn credentials, synced or device-bound), smart cards/PIV, and Entra Certificate-Based Authentication (CBA) when properly configured. The umbrella technical standards are W3C WebAuthn Level 3 (March 2024), FIDO2 CTAP 2.1, and the FIDO Alliance enterprise attestation profiles. The shared property is that the private key never leaves the authenticator, every challenge is signed against the legitimate origin, and the response cannot be replayed against a different domain.
This matters for UK business because the NCSC’s 2025 update to its MFA guidance moved phishing-resistant authenticators from “recommended” to “preferred for high-impact accounts,” and the Cyber Essentials assessor pool has begun flagging push-only MFA on admin accounts as a finding under the Montpellier requirement set. The shift is not subtle. Where 2022 advice was “turn MFA on,” 2026 advice is “turn the right kind of MFA on, in the right scope, in the right enforcement mode, with break-glass procedures and a recovery flow that does not weaken posture.” That is what this article is about.
It is worth noting what phishing-resistant MFA does not solve: it does not stop session-token theft from compromised endpoints, it does not block consent phishing for OAuth applications, it does not prevent BEC where the attacker has internal access already, and it does not eliminate the need for Conditional Access, EDR, email security and user awareness training. It does, however, decisively close the most common UK SME compromise vector of 2024–2025 — an AiTM page harvesting valid sessions from staff who believed they were on the genuine Microsoft sign-in screen.
In a UK policy document, write “phishing-resistant authenticators” rather than “passwordless,” because passwordless includes magic-link sign-in, which is not phishing-resistant. Reserve “passkey” for discoverable WebAuthn credentials and qualify whether they are synced or device-bound. The NCSC and Cyber Essentials assessors use this language consistently — mirroring it makes audits faster.
Phishing-resistant MFA for UK business by the numbers — 2026 reality check
The most useful framing is the bypass-rate-by-method comparison, because it removes the abstract debate and exposes the operational gap between factors most UK SMEs already use and what they should be using for high-impact accounts. The chart below combines 2024–2025 telemetry from Microsoft Entra, Google Workspace, Cisco Duo Trusted Access, Okta Identity Threat Reports and academic AiTM research (Imperial College London 2024, Ruhr University Bochum 2025). Bypass here means the attacker successfully completed an authentication and obtained either a valid session cookie or a token, given a credible AiTM kit and a user who clicked the phishing link.
The chart is uncomfortable. Push with number-matching, often sold as the “upgrade” from plain push, still falls to roughly four in ten serious AiTM attempts in 2025 telemetry. Synced passkeys are dramatically better but not zero — the residual risk lies in cross-device flows where the relying party falls back to a method that is not phishing-resistant, and in malicious browser extensions that exfiltrate session cookies after a successful sign-in. Hardware keys are the asymptote: Google’s public statement that no employee account on a security key has been successfully phished since rollout in 2017 still holds in 2026.
The corollary for UK SMEs is straightforward. If you are still operating a tenant where SMS or app-based push is the highest factor on admin accounts, every credible threat report you read is telling you the same thing: that account class is one targeted phishing campaign away from compromise. The shift to phishing-resistant authenticators on privileged accounts is therefore not optional spending, it is overdue spending. We will price the work in the next few sections.
The NCSC’s Active Cyber Defence reporting for 2024–2025 attributes the largest year-on-year drop in successful phishing compromises to organisations that adopted phishing-resistant MFA on admin tiers, even where end-users remained on push. Privileged-account hardening is the highest-leverage move you can make in 2026.
How attackers bypass SMS, push and TOTP today
Understanding the attack patterns matters because procurement and policy decisions are easier to defend when the threat is concrete. Four patterns dominate UK incident reports in 2025–2026:
Adversary-in-the-middle (AiTM) phishing. The attacker hosts a reverse-proxy site that forwards every request to the real Microsoft or Google login. The user sees a perfect copy of the genuine sign-in (because it is the genuine sign-in, just relayed). They type their password, the password is forwarded, the legitimate MFA challenge appears, the user satisfies it — and the attacker captures the resulting session cookie. The session is then replayed from the attacker’s machine, completely bypassing MFA. EvilProxy, Tycoon 2FA, Mamba 2FA, NakedPages and Sneaky 2FA are the prominent UK-targeted kits in 2025 telemetry, all sold as a service for under £200/month. They include modules to defeat number-matching push, to forge geolocation hints, and to maintain the session against Conditional Access risk signals for hours.
Push fatigue (MFA bombing). The attacker, having stolen or guessed the password, repeatedly triggers MFA prompts late at night, hoping the user eventually approves. Number-matching push reduced the success rate but not to zero — users still misread or accidentally approve, especially on small-screen lock-screen prompts. The Lapsus$ campaigns of 2022 made this technique infamous; in 2025 it is part of the standard toolkit for groups like Octo Tempest.
SIM swap. The attacker convinces the victim’s mobile carrier to port the number to a new SIM, then receives all SMS one-time codes. UK carriers have hardened the porting process since 2022, but social-engineering of high-street retail staff and insider abuse continue to produce successful swaps, especially for high-net-worth and high-profile targets. SMS as a primary factor for any privileged account is indefensible in 2026.
Session-cookie theft from infostealers. Even where MFA is correctly satisfied, an infostealer (Lumma, Redline, StealC, Vidar) on the user’s endpoint can exfiltrate the post-authentication session cookie, which is then replayed from the attacker’s infrastructure. This bypass works against every authenticator, including hardware keys, because the attacker is reusing the post-authentication session. The defence is a combination of EDR, browser hardening, token-binding (where the relying party supports it), and short Conditional Access session lifetimes — not a different MFA factor. Phishing-resistant MFA is necessary but not sufficient; we will return to this in the FAQ.
For an SME, the practical implication is simple: the attacker community has industrialised the bypass of every legacy factor on the menu. Anyone reasoning “we have MFA, we’re fine” is reasoning from 2019 evidence. For deeper context on the foundational factor model, see our guide to multi-factor authentication for business and our primer on protecting against business email compromise, both of which sit alongside this piece in the Cloudswitched cyber-security collection.
Which authenticators qualify as phishing-resistant
The official NCSC/CISA list is short and worth memorising, because the marketing language used by some vendors blurs it. Phishing-resistant authenticators in 2026 are:
FIDO2/WebAuthn security keys. Hardware authenticators that perform the cryptographic challenge inside a tamper-resistant chip, with a user gesture (touch, PIN, fingerprint) to authorise. The leading UK SKUs are YubiKey 5 NFC and YubiKey 5C NFC, Token2 PIN+ and Token2 Release2, Feitian ePass FIDO2, and Google Titan Security Key. All implement the FIDO2 CTAP 2.1 specification and present as platform-agnostic external authenticators.
Platform passkeys (device-bound). WebAuthn credentials stored in the device’s secure enclave (Apple Secure Enclave, Android StrongBox, Windows Hello TPM) and never synced. These are functionally equivalent to a security key built into the device, and Microsoft Entra accepts them as phishing-resistant when registered with attestation that confirms the credential is hardware-bound.
Synced passkeys. WebAuthn credentials synced through a passkey provider (iCloud Keychain, Google Password Manager, Microsoft Authenticator, 1Password, Bitwarden, Dashlane) so the user can authenticate from any of their devices. The cryptographic property is preserved within each device, and the sync channel is end-to-end encrypted. Synced passkeys are phishing-resistant against AiTM by design, but enterprise admins should be aware that they cannot enforce attestation on the underlying hardware (the credential might be on a phone, a laptop or a cloud-hosted browser session), and recovery flows can be a weak link if not designed carefully.
Smart cards / PIV. Public Key Infrastructure smart cards, common in UK central government and regulated finance. Long-established as phishing-resistant. Less common in SME, but worth knowing if you are integrating with public-sector tenants.
Certificate-based authentication (CBA). Microsoft Entra CBA accepts a user certificate issued by your PKI as a primary factor and is treated as phishing-resistant. Useful where you already operate a smart-card or device-certificate estate and want to fold privileged sign-in into the same trust anchor.
What does not qualify in 2026: SMS, voice call, email one-time code, TOTP authenticator apps, push notification (with or without number-matching), security questions, and any “magic link” sign-in. These remain useful for low-risk or recovery scenarios, but should not be the highest-strength factor on a privileged account. The Cyber Essentials Plus assessor pool is now actively flagging push-only MFA as a finding when admin accounts are scoped in — see the dedicated guide to Cyber Essentials Plus MFA requirements for the full assessor view.
If a vendor sells you something they call “phishing-resistant MFA,” ask: does it implement WebAuthn or CTAP? If the answer is no — if it’s a clever push variant, a magic link, or a chat-based approval — it is not phishing-resistant in the NCSC sense, regardless of what the datasheet says. WebAuthn or CTAP is the line.
Passkeys for UK business — what changes versus hardware keys
For most UK SMEs, the practical question is not “passkeys or security keys” but “which credential goes where, and how do I enforce it.” The decision pivots on three axes: who the user is, what the threat model is, and how recovery works.
Synced passkeys (consumer-grade convenience, business-grade security for non-privileged users). Synced passkeys live in iCloud Keychain, Google Password Manager, Microsoft Authenticator, 1Password, Bitwarden or Dashlane. They sync end-to-end encrypted across the user’s devices. The user enrols once on a phone or laptop and can sign in everywhere. For typical end-user accounts (sales, marketing, ops, customer-facing roles) this is the right default in 2026 because adoption is friction-free, lockouts are rare, and the AiTM bypass rate is functionally near zero. For deep practical guidance on the rollout mechanics, see our passwordless authentication implementation guide.
Device-bound passkeys (built-in hardware-grade authenticator). Same WebAuthn protocol, but the private key never leaves the device’s secure enclave. Useful when you need attestation that the credential is on managed hardware, particularly for executive devices and corporate-managed laptops. Windows Hello for Business, Apple Platform Single Sign-On and Android device-bound passkeys all fit this category.
FIDO2 hardware keys (privileged-account, break-glass and high-risk roles). External hardware authenticators, USB-C or NFC. The right default for Global Administrators, Privileged Identity Management eligible roles, the finance team handling supplier payments, the legal team handling sensitive matters, and any administrative account that touches Entra ID, on-premises AD, the firewall console or the cloud control plane. Two keys per privileged user is the well-established pattern: one in the user’s control, one in a sealed envelope in the safe as a break-glass. The cost is £35–£75 per key in UK retail, totalling £70–£150 per privileged user across both keys. Replace every five to seven years.
Cross-platform recovery. The honest truth: passkey recovery is the operationally hardest part of the rollout. If a user loses their phone and is locked out of the account that holds their synced passkeys, you need a recovery path that is not itself a phishing target. Best practice in 2026 is: register at least two authenticators per user (a synced passkey plus a hardware key, or two hardware keys, or a managed device platform passkey plus a synced fallback). Do not allow SMS as a recovery factor for any account that has a phishing-resistant primary factor — otherwise an attacker simply triggers recovery and the posture collapses.
Enterprise concerns and attestation. Synced passkeys do not, today, support enterprise attestation in a way that lets you prove the credential is on hardware you trust. If your compliance regime requires hardware-backed credentials (FCA-regulated firms, certain DORA scopes, defence supply chain), you will need device-bound passkeys or hardware keys for those user classes and accept that synced passkeys are inappropriate for those roles. Microsoft Entra exposes “authentication strength” policies that let you require specifically hardware-backed FIDO2 for admin sign-ins, which is the cleanest enforcement primitive available in 2026.
Joiner-mover-leaver. Whatever credential class you pick, your JML process needs to register, transfer and revoke authenticators reliably. New starters should receive their hardware key on day one (or be enrolled in a managed device passkey before first sign-in). Internal movers may need a credential reset if scope changes. Leavers must have every credential revoked within the same hour as their account disable — lingering passkeys on personal devices have caused real UK incidents in 2025.
FIDO2 authentication for UK SMEs — cost breakdown and pricing tiers
The total cost of a phishing-resistant MFA programme breaks into hardware, licensing, configuration, training and helpdesk delta. The table below is calibrated to UK 2026 prices and assumes a 50-user SME with five privileged accounts (typical IT lead, two admins, finance director, MD), plus an executive layer that gets hardware keys, plus a general workforce that gets synced passkeys. Prices are excluding VAT.
| Component | UK 2026 price | Scope & notes |
|---|---|---|
| YubiKey 5 NFC | £55–£65 each | USB-A + NFC. Most common SKU for UK SME admin keys. Two per privileged user. |
| YubiKey 5C NFC | £65–£75 each | USB-C + NFC. Required if your admin estate is MacBook-led or USB-C-only. |
| Token2 PIN+ Release2 | £35–£45 each | Lower-cost UK-supplied alternative, FIDO2 CTAP 2.1 certified. Functionally equivalent for most M365 use cases. |
| Feitian ePass FIDO2 | £30–£40 each | Budget tier. Suitable for lower-tier admin if procurement insists on a price point. |
| Synced passkey (M365) | £0 marginal | Bundled with Microsoft Entra ID Free / P1. No per-user surcharge. Included by default in 2026 M365 tenants. |
| Microsoft Entra ID P1 | £5.20 / user / month | Required for Conditional Access policies that gate phishing-resistant MFA enforcement. Most M365 Business Premium tenants already have this. |
| Microsoft Entra ID P2 | £7.50 / user / month | Adds Identity Protection risk-based policies and Privileged Identity Management. Recommended for the privileged account class. |
| Microsoft Intune (MDM) | £3.50–£6.50 / user / month | Required to enforce device compliance as a Conditional Access prerequisite. Bundled in Business Premium. |
| Helpdesk delta — month 1 | +10–15% ticket volume | Lockouts, lost keys, recovery questions. Normalises by month 3 with proper training. |
| Helpdesk delta — month 6 | −5–10% ticket volume | Net reduction once password reset tickets disappear. The phishing-resistant tenant is materially less work to run. |
| Initial configuration & training | £3,000–£8,000 one-off | Conditional Access design, authentication strength policies, JML changes, end-user training, executive enrolment. |
| Annual review & fire-drill | £1,500–£3,000 / year | Lost-device drill, break-glass test, attestation audit, policy refresh. |
For the same 50-user SME above, expect a first-year all-in cost of roughly £6,500–£12,500 above the existing M365 baseline (assuming Business Premium licensing is already in place), and ongoing annual cost of around £1,500–£3,500. Compared with the average UK breach cost of £3.4M in 2025, the case writes itself — phishing-resistant MFA is one of the highest-ROI controls a UK SME can buy in 2026. For a side-by-side view of Microsoft 365 enforcement options, see the Conditional Access policies in Microsoft 365 deep-dive.
Most UK MSPs and resellers will quote you on hardware keys. Insist on getting them in pairs, with a single SKU across the estate (mixing YubiKey 5 NFC and 5C NFC is fine, but don’t mix vendors unless you have a clear reason). Insist on the genuine FIDO Alliance certification number being on the invoice — counterfeit keys are a real problem in 2025–2026.
How phishing-resistant MFA compares with alternatives
Vendors will offer a range of options when you ask for “stronger MFA.” The two-card comparison below sets out the realistic UK SME choices in 2026, with the recommended default highlighted.
[Comparison cards: Phishing-resistant MFA (recommended) versus Push-with-number-matching MFA (legacy default); card contents not reproduced in this text]
The recommendation for UK SMEs in 2026 is unambiguous: phishing-resistant MFA on every privileged account, synced passkeys for the general workforce, and push-with-number-matching only as a fallback for legacy applications that cannot accept WebAuthn (a shrinking list). Push-only or TOTP-only on admin accounts is, in 2026, a finding waiting to happen at your next Cyber Essentials Plus audit, and a contestable risk position on your cyber insurance renewal.
Phishing-resistant MFA readiness scoring — where most UK estates sit
The score grid below summarises the typical UK SME picture in early 2026 across three dimensions of phishing-resistant MFA maturity. It is calibrated against the Cloudswitched assessment data set from the last 18 months of UK SME engagements (200+ tenants, 28–240 user range).
The pattern is consistent: even where MFA is broadly enabled, the privileged account class is rarely on phishing-resistant authenticators, recovery design is fragile, and authentication strength policies (the Entra primitive that enforces “hardware FIDO2 only” for admins) are deployed in roughly one in ten tenants. The 90-day rollout in the next section is designed to flip these scores in the right order — admin accounts first, recovery design before workforce rollout, removal of legacy fallbacks last.
The 90-day phishing-resistant MFA rollout timeline
The rollout is phased by risk. Admins go first, executives and finance second, the broader workforce third, legacy methods are removed last, and the whole programme is anchored to a fire-drill at the end. The pattern below has been used by Cloudswitched across UK SME engagements throughout 2024–2025 with consistent success.
Three rules govern the rollout. First, never enforce a Conditional Access strength policy without a successful report-only run — locking out a Global Administrator at midnight will cost more than the entire programme. Second, never deploy without break-glass — two hardware keys per admin, one in the safe, plus a pre-registered break-glass account that is excluded from CA policies and monitored for any sign-in. Third, never declare the programme done before the fire-drill — the only test that matters is “does the recovery flow work when a real user is genuinely locked out at the worst possible moment.”
Phishing-resistant MFA benchmarks and KPIs
Programme health is best measured on adoption, enforcement and posture metrics rather than on activity metrics like “keys distributed.” The four KPIs below are the ones we track in the Cloudswitched managed Cyber Essentials service for every UK SME we run.
[Chart: Phishing-resistant MFA programme KPIs (target ranges by month 6)]
The single most informative chart, however, is the share of administrative sign-ins that occur with a phishing-resistant authenticator. In a healthy UK SME tenant in 2026 this should be 100%. The donut below shows the proportion of UK SMEs that achieve this in their first 90 days of a phishing-resistant MFA programme — the figure is encouraging but not universal.
The other 25% almost always trip on the same things: a forgotten service account that still uses a TOTP secret embedded in a script, a board observer with their own personal Microsoft account that was never properly federated, or a legacy line-of-business application that demands legacy auth and is exempted “temporarily” for 18 months. Each of those is solvable, but they need someone with budget, authority and a deadline — which is one of the reasons UK SMEs increasingly bring in a managed cyber-security partner for the rollout rather than spread the work across an internal team.
Decision framework — when to push beyond TOTP
The decision framework is a single test: does this account, if compromised, give the attacker the keys to the kingdom or to a restricted tier? If the former, it should be on hardware-backed phishing-resistant MFA today. If the latter, synced passkeys are an acceptable middle ground until you can reach phishing-resistance everywhere. The gauge below summarises the median UK SME readiness score for phishing-resistant MFA in early 2026.
A 41/100 is uncomfortable but representative. The five dimensions are: privileged-account coverage (are admins on phishing-resistant authenticators today?), workforce coverage (synced passkey adoption rate), recovery design (does the recovery flow itself meet the bar?), enforcement primitives (Conditional Access authentication strength, legacy auth blocked), and operational discipline (JML, fire-drill cadence, break-glass tested). UK SMEs typically score 80–90 on workforce push-MFA enablement, but 10–30 on every other dimension — which is precisely the picture an AiTM attacker is hoping for.
The decision rule that keeps boards on side: any account that can read or write money, that can change identity policy, or that can deploy code or infrastructure must be on phishing-resistant MFA from a hardware-backed authenticator. Everything else is the workforce tier and can move at a more deliberate pace. That single rule will direct 80% of the value of your programme into the first 14 days of work.
The 12-point phishing-resistant MFA checklist
This checklist is the operational version of every framework above — what an internal IT lead or a Cloudswitched delivery team would actually walk through to ship a programme. Treat it as a Gantt chart and a definition-of-done in one document.
- Inventory every authenticator across every cloud app and on-premises service. Microsoft Entra, Google Workspace, Okta, on-premises AD, the firewall, the cloud control plane (Azure, AWS, GCP), the line-of-business apps, the password manager, the file-sharing tools. List every authenticator type currently registered for every account.
- Build the privileged account list and tier it. Tier 0 (Global Admins, Domain Admins, root accounts), Tier 1 (server admins, identity admins, security admins), Tier 2 (workstation admins, helpdesk). Each tier maps to a specific authenticator class.
- Choose the hardware key SKU and order in pairs. YubiKey 5 NFC, Token2 PIN+, Feitian ePass — pick one, order two per privileged user plus 10% spares, plus dedicated keys for break-glass.
- Configure Conditional Access policies in report-only mode first. Authentication strength “Phishing-resistant MFA” for admins. Block legacy auth. Require compliant device. Run for two weeks before enforcement.
- Design and test the break-glass procedure. Two break-glass accounts, two hardware keys each, in two separate physical safes, monitored for any sign-in. Excluded from Conditional Access. Documented in the IT runbook with named on-call escalation.
- Pilot with admins and IT engineers first. Two hardware keys each, training session, written acknowledgement of the recovery procedure. Authentication strength enforced for the admin group only.
- Roll out to executives and finance second. Hardware keys plus synced passkey on personal devices for resilience. Update supplier payment runbook to require hardware key step-up for any change of bank details.
- Workforce passkey enrolment. Schedule drop-in clinics. Provide a clear written guide covering iCloud Keychain, Google Password Manager, Microsoft Authenticator passkey, 1Password and Bitwarden so users can choose their provider.
- Block legacy authentication and remove SMS. Block basic auth at the IdP. Remove SMS as an authentication method tenant-wide. Remove TOTP as an admin factor. Keep TOTP as a workforce fallback only if necessary.
- Update the joiner-mover-leaver process. Day-one provisioning of authenticators. Mover events trigger a credential review. Leaver process revokes every authenticator within one hour of account disable.
- Train the helpdesk on phishing-resistant recovery flows. Lost key, lost phone, broken biometric, replaced device — each scenario has a written runbook the helpdesk follows, none of which weakens posture by reverting to SMS or push.
- Run the fire-drill and document lessons learned. Lost-key tabletop. Compromised passkey tabletop. Break-glass invocation. Quarterly thereafter, scaled down to a 30-minute review.
This 12-point checklist is the spine of a defensible Cyber Essentials Plus submission in 2026. Print it, get the IT lead to sign each step as complete, and keep it in your evidence folder. Auditors love a dated, signed, sequenced rollout document.
Common phishing-resistant MFA mistakes UK SMEs make
The failure modes are remarkably consistent across UK SME rollouts. Avoiding the eight below will close most of the gap between “deployed” and “effective.”
- Only one hardware key per privileged user. If the user loses it on a Friday afternoon and your only recovery path is SMS to the same user, your phishing-resistant programme has a soft underbelly. Always two keys, always one in a safe.
- Leaving SMS as a recovery factor. Recovery is the AiTM attacker’s favourite back door. If recovery is SMS, the entire programme is only as strong as the SIM-swap defences of your mobile carrier — which is to say, weaker than you want.
- Exempting executives. Boards and CEOs are the highest-value compromise targets in any UK SME. Exempting them is the most damaging political concession an IT lead can make. Make the executive enrolment the first photo-op of the programme, not the last.
- Forgetting service accounts and shared mailboxes. Service accounts that authenticate to APIs cannot use a hardware key — they need certificate-based auth, managed identity or workload identity federation. Plan this in week 1, not month 6.
- No Conditional Access enforcement. Enrolling phishing-resistant authenticators without a Conditional Access authentication strength policy means users can still choose to sign in with their old TOTP at the moment of attack. Enforcement is what makes the programme real.
- Mixing Cyber Essentials Plus scope tenants. If you have multiple tenants, the assessor will check the in-scope one. Make sure that is the one with the rollout. Do not let an out-of-scope tenant become the soft underbelly that compromises an in-scope user.
- Over-relying on synced passkeys for admins. Synced passkeys are excellent for the workforce. For Tier 0 administrators they should be a secondary, not the primary — the cryptographic quality is fine, but enterprise attestation and revocation are weaker than a hardware key.
- No fire-drill. Programmes that have never simulated a lost key fail under the first real lost key. The fire-drill is not a nice-to-have, it is the validation that the rollout actually works.
UK mobile number porting is harder than it was, but social-engineered carrier staff and insider abuse continue to produce successful SIM swaps in 2025–2026. If your recovery flow contains an SMS step, your defence in depth ends at the doorway of a mobile retail store. Remove SMS from the recovery flow before declaring the programme done.
Real-world example — UK SME case study
A 38-person consultancy in Manchester, regulated by the Solicitors Regulation Authority, contacted Cloudswitched in late 2024 after a near-miss. The finance manager had clicked a phishing link that appeared to come from a long-standing supplier, signed in to a perfect AiTM clone of the Microsoft 365 sign-in page, satisfied a number-matching push prompt and continued with their day. Forty-eight hours later, an inbox rule was created that auto-forwarded any email containing “invoice” to an external address, and a request to change supplier bank details was drafted as a reply to a real customer thread. The fraud was caught only because the customer rang the consultancy to verify the new bank details — an entirely manual, entirely human control that happened to work that day.
The post-incident programme rolled out hardware keys to all four admins, the MD, the CFO and the four-person finance team in week one. Synced passkeys went out across the remaining workforce in weeks two and three. Conditional Access was hardened with authentication strength “Phishing-resistant MFA” for the admin group, legacy authentication was blocked tenant-wide, SMS was removed as an authentication method, and a break-glass procedure with two YubiKey 5 NFC keys in a sealed envelope in the partner’s office safe replaced the previous “text the IT lead at home” recovery flow.
Six weeks later, telemetry showed two further AiTM attempts against finance-team mailboxes, both blocked at the authentication layer because the AiTM kit could not relay a phishing-resistant credential. The Cyber Essentials Plus audit in March 2025 passed without findings on authentication. The cyber insurance renewal in June 2025 attracted a 12% premium reduction. The MD’s assessment, captured in the post-engagement debrief:
“The honest summary is that we thought we had MFA and that meant we were safe. The near-miss told us we didn’t and we weren’t. The hardware key rollout was less disruptive than we feared — the partners actually like the physical certainty of it — and the programme paid for itself before the end of year one between the avoided fraud and the insurance discount. Phishing-resistant MFA was the cheapest serious upgrade we’ve made to our cyber posture in five years.”
Three structural lessons came out of the engagement. First, the human-in-the-loop control that caught the fraud (the customer ringing to verify) was a coincidence, not a system — do not rely on it. Second, the friction cost of hardware keys is consistently overstated by IT leads relative to what users actually report after two weeks of use. Third, removing SMS from the recovery flow was the single most impactful policy change — not the addition of phishing-resistant authenticators, but the removal of the fallback that defeated them.
NCSC MFA guidance 2026 and Cyber Essentials Plus MFA requirements
The compliance and regulatory picture in 2026 has tightened in ways that matter for procurement and audit. The four reference points to know:
NCSC MFA guidance 2026. The NCSC’s “Multi-factor authentication for online services” guidance moved phishing-resistant authenticators to the “preferred” tier for any account considered high-impact. The NCSC defines high-impact loosely as “an account whose compromise would lead to material loss, regulatory exposure, or service disruption” — in plain English, every privileged account, every account that handles money, every account that holds personal data on a meaningful number of data subjects.
Cyber Essentials Plus MFA requirements. Under Cyber Essentials Montpellier, MFA is required on all administrative accounts and on cloud services that hold organisational or personal data. The 2026 assessor pool is increasingly applying the “phishing-resistant” lens when evaluating administrative accounts — push-only is being recorded as a minor finding in some audits, and as a major finding when paired with a weak recovery flow. The deeper guide to the assessor view sits at Cyber Essentials Plus MFA requirements, with adjacent compliance ground covered in our 2026 Cyber Essentials Plus requirements deep-dive.
ICO and GDPR exposure. Where an MFA failure leads to BEC, supplier fraud or personal data exfiltration, the ICO assesses whether the control framework was “appropriate” under Article 32 GDPR. In 2025–2026 enforcement actions, the ICO has begun citing the absence of phishing-resistant MFA on admin accounts as a contributing factor in penalty calculations. This is not yet a strict liability position but the trajectory is clear.
DORA and NIS2. For UK firms in scope of DORA (financial services with EU exposure) or NIS2 (operators of essential services and important entities), phishing-resistant MFA on privileged accounts is treated as a fundamental hygiene control. Auditors will expect to see it deployed and evidenced.
Cyber insurance. UK cyber insurance underwriters have moved to a position where push-only MFA on admin accounts is either excluded from cover or attracts an explicit premium loading. Phishing-resistant MFA, by contrast, attracts a premium reduction in most 2026 renewals, typically 5–15% on the premium component related to social engineering and BEC.
The compliance argument therefore aligns precisely with the security argument: phishing-resistant MFA is what regulators, auditors and insurers expect, and what attackers cannot easily defeat. Both forces are pulling in the same direction, which is the easiest political environment in years for getting a programme funded.
How Cloudswitched delivers phishing-resistant MFA
Cloudswitched delivers phishing-resistant MFA as a defined component of the managed Cyber Essentials and Microsoft 365 hardening service. The engagement model is consistent: a two-week design and inventory phase, an admin-tier hardware key rollout in weeks three and four, a workforce passkey enrolment programme through weeks five to ten, legacy authentication and SMS removal in week eleven, and a fire-drill, audit and lessons-learned session in week twelve. We bring the hardware procurement, the Conditional Access policy templates, the joiner-mover-leaver (JML) runbook, the fire-drill scripts and the helpdesk training, and we hand you a documented programme that survives both your next Cyber Essentials Plus audit and your next cyber insurance renewal. The work is calibrated for UK SMEs in the 10–250 user range, with a typical first-year cost in the band laid out in the cost breakdown above.
Get expert help rolling out phishing-resistant MFA
Talk to the Cloudswitched team about a phishing-resistant MFA programme tailored to your UK SME — covering admin hardware keys, workforce passkeys, Conditional Access, recovery design and a Cyber Essentials Plus-ready evidence pack.
FAQ
What is phishing-resistant MFA, and how is it different from regular MFA?
Phishing-resistant MFA describes authenticators where the user’s credential is cryptographically bound to the legitimate website’s origin, so an adversary-in-the-middle (AiTM) phishing site cannot harvest a usable session. The qualifying authenticators are FIDO2/WebAuthn security keys, passkeys (synced or device-bound), smart cards/PIV and certificate-based authentication. Regular MFA — SMS, TOTP, push (with or without number-matching) — relies on a code or approval the user types or taps, which can be relayed by an AiTM proxy in real time. In the UK in 2026, NCSC guidance and Cyber Essentials Plus assessors increasingly expect phishing-resistant MFA on administrative accounts, and cyber insurance underwriters are pricing the difference into premiums.
Are passkeys phishing-resistant?
Yes. Passkeys are simply discoverable WebAuthn credentials, and WebAuthn is the W3C standard that defines phishing-resistant authentication. A passkey will refuse to authenticate against any origin other than the one it was registered against, so a phishing site — even one running a real-time AiTM proxy — cannot trick a user’s device into producing a valid signature for the attacker’s domain. There are two flavours: synced passkeys (kept in iCloud Keychain, Google Password Manager, Microsoft Authenticator, 1Password, Bitwarden or Dashlane and shared across the user’s devices via end-to-end encrypted sync) and device-bound passkeys (locked to a single device’s secure enclave). Both are phishing-resistant. For Tier 0 admin accounts the conservative choice is hardware keys or device-bound passkeys with hardware attestation; for the workforce, synced passkeys are an excellent default in 2026.
Does Cyber Essentials Plus require phishing-resistant MFA in 2026?
Cyber Essentials Plus under the Montpellier requirement set requires MFA on all administrative accounts and on cloud services that hold organisational or personal data. The 2026 assessor pool is increasingly applying the “phishing-resistant” lens to administrative accounts in particular — push-only MFA on admins is being recorded as a minor finding in some audits, and as a major finding when paired with a weak recovery flow. While “phishing-resistant” is not yet a strict pass/fail criterion in the published Cyber Essentials documentation, the practical reality for UK SMEs in 2026 is that pursuing Cyber Essentials Plus while leaving admin accounts on push-only is a measurable audit risk. Phishing-resistant MFA on admins is the defensible posture.
Do I need hardware security keys, or are device-bound passkeys enough for a UK SME?
For Tier 0 administrators (Global Admins, Domain Admins, root accounts), hardware security keys remain the gold standard because two keys per user gives you a clean break-glass story and because hardware attestation is mature. For Tier 1 and Tier 2 admins, device-bound passkeys backed by Windows Hello for Business, Apple Platform SSO or Android StrongBox are an entirely reasonable choice. For the general workforce, synced passkeys are the right default. Most UK SMEs end up with a hybrid: 5–15% of users on hardware keys, the rest on synced passkeys, with Conditional Access authentication strength policies enforcing the right credential class for each role.
How much does phishing-resistant MFA cost per user in the UK?
Hardware keys cost £35–£75 each in UK retail, and you should plan for two per privileged user, totalling £70–£150 across the pair. Synced passkeys are bundled with most Microsoft 365 and Google Workspace tenants at no marginal cost. Microsoft Entra ID P1 (£5.20/user/month) is required for Conditional Access enforcement, and Entra ID P2 (£7.50/user/month) is recommended for Privileged Identity Management on the admin tier. A typical 50-user UK SME programme costs £6,500–£12,500 in year one above the existing Microsoft 365 baseline, dropping to £1,500–£3,500 ongoing. Compared with the £3.4M average UK breach cost in 2025, the return on investment is straightforward.
What happens if a user loses their hardware key or device?
If you have followed the two-keys-per-privileged-user pattern, the user simply uses their second key while a replacement is shipped. For workforce users who have lost a phone holding their synced passkeys, the recovery flow uses their cloud account’s recovery procedure (Apple, Google, Microsoft) plus a second passkey on a different device. The critical design rule is that recovery must not weaken posture — specifically, do not allow SMS as a recovery factor for any account whose primary factor is phishing-resistant, otherwise an attacker simply triggers recovery and the entire programme is hollowed out. The right pattern is two phishing-resistant authenticators per user from day one, plus a documented helpdesk runbook for each loss scenario.
Will my cyber insurance premium go down if I roll out phishing-resistant MFA?
In most UK 2026 renewals, yes. Underwriters are pricing phishing-resistant MFA on admin accounts as a meaningful control reduction, typically 5–15% off the premium component related to social engineering and BEC. Some underwriters now treat push-only MFA on admins as either an explicit exclusion or a premium loading. The insurance angle alone has tipped the cost-benefit case in favour of the rollout for many UK SMEs in 2026, even before you consider the security uplift. Bring your insurance broker into the conversation early — they will often write the business case for you.
Does Microsoft 365 / Entra ID support phishing-resistant MFA out of the box?
Yes, comprehensively. Microsoft Entra ID supports FIDO2 security keys, Windows Hello for Business, Microsoft Authenticator passkeys (GA April 2024), and Entra Certificate-Based Authentication. The enforcement primitive is the “authentication strength” policy, which allows you to specify (for example) “phishing-resistant MFA only” for the Global Administrator role group while permitting other authenticators for the workforce. You will need Entra ID P1 for Conditional Access, and Entra ID P2 is recommended for Identity Protection and Privileged Identity Management on admin accounts. Out of the box: yes. Configured correctly: that is the rollout.
How do I handle BYOD when rolling out passkeys for business UK?
BYOD splits into two patterns. For users who can install a managed browser profile or a managed app (Microsoft Edge with Intune profile, Outlook mobile with Intune App Protection), enrol synced passkeys through the user’s personal cloud account and apply Conditional Access App Control to constrain session capabilities. For users who need a higher bar — finance, HR, legal — do not allow BYOD into those tenants at all; issue a managed laptop or require sign-in only from compliant managed devices. The middle path (some BYOD, some managed) is workable but requires a clear written policy and a Conditional Access design that distinguishes the two populations cleanly.
Can attackers still steal session cookies after I move to phishing-resistant MFA?
Yes — and this is the single most important caveat. Phishing-resistant MFA stops the attacker from completing the authentication. It does not stop an infostealer (Lumma, Redline, StealC, Vidar) on the user’s endpoint from exfiltrating the post-authentication session cookie and replaying it from the attacker’s machine. The defences are EDR (Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne), browser hardening, token-binding where supported, short Conditional Access session lifetimes, and continuous access evaluation. Phishing-resistant MFA is necessary but not sufficient — pair it with endpoint hardening and Conditional Access risk-based controls for a complete posture.
Do I need to remove SMS as a recovery method, or can I keep it as a fallback?
Remove it. The recovery flow is the AiTM attacker’s favourite back door, and a programme with a phishing-resistant primary factor plus SMS recovery is only as strong as the SIM-swap defences of your mobile carrier. UK mobile porting has hardened since 2022 but remains a viable attack vector through social-engineered carrier staff and insider abuse. The right recovery pattern is two phishing-resistant authenticators per user (a hardware key plus a synced passkey, or two hardware keys, or a managed device platform passkey plus a synced fallback), plus a documented helpdesk runbook for each loss scenario. SMS belongs nowhere in a 2026 phishing-resistant programme.
How do I handle service accounts and shared mailboxes?
Service accounts that authenticate to APIs cannot use a hardware key. The right patterns are: managed identities (Azure), workload identity federation (cross-cloud), certificate-based authentication for Entra service principals, and OAuth client credentials with tightly scoped tokens. Shared mailboxes in Microsoft 365 should be configured as actual shared mailboxes (no licence, no sign-in) rather than as a real account that everyone signs into — the latter is a phishing-resistance black hole. Plan service accounts and shared mailboxes in week one of the rollout, not month six, because they are the most common “remaining 25%” that holds back full programme completion.
Related reading
- Multi-Factor Authentication for Business: A UK Guide — the foundational MFA primer that this article extends.
- How to Implement Passwordless Authentication for Business — the rollout-mechanics companion to the passkey sections above.
- MFA and Cyber Essentials Plus Requirements — the assessor-view companion piece on compliance overlap.
- Conditional Access Policies in Microsoft 365 — the enforcement primitive that makes phishing-resistant MFA real.
- How to Protect Against Business Email Compromise — the broader BEC defence stack that phishing-resistant MFA fits into.
