Frontrow Technology

Phishing-resistant MFA migration plan — the 90-day Australian rollout

ASD Essential Eight ML2 expects phishing-resistant MFA on internet-facing systems and privileged accounts. We walk through the 90-day rollout we run for Australian midmarket — FIDO2 keys, Windows Hello for Business, Authenticator passkeys.

Daniel Brown · Last reviewed 10 May 2026 · 8 min read

Phishing-resistant MFA is the single most consequential identity uplift Australian organisations will run this year. The ASD's ACSC explicitly recommends it for privileged accounts and internet-facing systems; Essential Eight Maturity Level 2 expects it; APRA CPS 234 increasingly assumes it as part of controls 'commensurate with the threat profile'; and the operational reality is that SMS, voice-call and push-based MFA can be phished through an adversary-in-the-middle proxy, SIM-swapped or fatigued into an approval. FIDO2 security keys, Windows Hello for Business and Microsoft Authenticator passkeys resist those attacks because the credential is bound to the origin it was registered for: a proxy sitting on a lookalike domain never receives a valid assertion.

The migration is a 90-day project, not a tenant-setting change. Rushing it leaves users locked out at the worst moments and creates a backlash that delays the next security uplift by a year. The plan below is what Frontrow runs with Australian midmarket and enterprise tenants.

Days 1–10: scope and supply

List the populations: privileged accounts (Global Administrator, Security Administrator, Application Administrator, Exchange Administrator, User Administrator, Helpdesk Administrator), executive accounts, finance accounts that touch payment files, and remote-access accounts. These are tier 1, and phishing-resistant MFA is non-negotiable for them. Order FIDO2 hardware security keys for every tier 1 user (typically a YubiKey 5 NFC or equivalent, about AUD $90 per key), two per user so that each has a registered backup from day one rather than a helpdesk ticket the day the primary is lost.

Decide the tier 2 strategy: most Australian midmarket tenants land on Microsoft Authenticator passkeys for general staff (no hardware purchase, the app is pushed through Intune, and passkeys are enabled in the Entra authentication methods policy), with FIDO2 keys as an option for users who want them. Windows Hello for Business is the right choice for a fully managed Windows fleet, but it needs the devices Entra joined or hybrid joined and under management (Intune or Group Policy) before the Hello for Business policy can be pushed, so it cannot be the first thing you do.

Days 11–25: pilot the tier 1 cohort

Roll out FIDO2 to a small tier 1 pilot, typically the IT and security teams. Use the pilot to debug Conditional Access policy interactions, find gaps in the break-glass procedure, and validate the user-onboarding flow. Critical: have a documented break-glass (emergency access) account that is excluded from the new policy and from every other Conditional Access policy that could lock it out, with its credential (ideally its own FIDO2 key) stored physically secure, an alert raised on any sign-in, and a monthly test that it still works. We've seen one organisation lose access to their tenant for six hours because the rollout wasn't tested with a break-glass scenario.

Days 26–45: tier 1 full rollout

Hand FIDO2 keys to every privileged, executive, finance and remote-access user. Update Conditional Access so that the grant control for these roles and groups is the built-in 'Phishing-resistant MFA' authentication strength, not the generic 'Require multifactor authentication' control, which a push or an SMS code still satisfies. Communicate the change in advance with a named owner and a named support path. Run a daily ops check for the first two weeks: who is locked out, who is calling support, who is failing the MFA challenge in unusual ways. Adjust the comms and the policy before tier 2 starts.

Days 46–75: tier 2 rollout

Roll Authenticator passkeys (or Windows Hello for Business) to general knowledge workers. Entra has no built-in grace timer, so the mechanism is a Conditional Access policy that requires the phishing-resistant authentication strength for all cloud apps, created in report-only mode (or scoped to a rollout group that users join as they enrol) for a 30-day grace period. During that window Authenticator push or SMS keeps working, the report-only results in the sign-in logs show exactly who would have been blocked, and users are prompted to register the stronger method. After 30 days the policy is switched to enabled and only phishing-resistant MFA is accepted.
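As an added example (not Frontrow's tooling or a script from this page), this is how the break-glass exclusion, the tier 1 policy and the tier 2 rollout policy described above are created with the Microsoft Graph PowerShell SDK. The grant control is the built-in authentication strength resolved by display name rather than a hard-coded GUID, the break-glass group is excluded from both policies, and both start in report-only so the pilot and the grace period produce log evidence before anyone is blocked. The group object IDs and policy display names are placeholders to replace with your tenant's values.

```powershell
# Added example, not Frontrow's own tooling. Requires the Microsoft.Graph modules
# and a caller allowed to write Conditional Access policy. Group IDs are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'Application.Read.All', 'Directory.Read.All'

function New-PhishingResistantMfaPolicy {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string[]] $IncludeRoleNames = @(),    # directory roles, by display name
        [string[]] $IncludeGroupIds  = @(),    # object IDs of groups to cover
        [Parameter(Mandatory)] [string] $BreakGlassGroupId,
        [ValidateSet('enabled', 'enabledForReportingButNotEnforced', 'disabled')]
        [string] $State = 'enabledForReportingButNotEnforced'   # report-only by default
    )

    # Resolve the built-in strength by name instead of hard-coding its ID.
    $strength = Get-MgPolicyAuthenticationStrengthPolicy |
        Where-Object DisplayName -eq 'Phishing-resistant MFA'
    if (-not $strength) { throw "Built-in 'Phishing-resistant MFA' strength not found." }

    # Conditional Access targets roles by template ID; resolve the names the same way.
    $roleIds = @()
    if ($IncludeRoleNames.Count -gt 0) {
        $templates = Get-MgDirectoryRoleTemplate
        foreach ($name in $IncludeRoleNames) {
            $template = $templates | Where-Object DisplayName -eq $name
            if (-not $template) { throw "Directory role '$name' not found." }
            $roleIds += $template.Id
        }
    }
    if ($roleIds.Count -eq 0 -and $IncludeGroupIds.Count -eq 0) {
        throw 'Policy would target nobody; supply roles or groups.'
    }

    $body = @{
        displayName = $DisplayName
        state       = $State
        conditions  = @{
            users = @{
                includeRoles  = $roleIds
                includeGroups = $IncludeGroupIds
                excludeGroups = @($BreakGlassGroupId)   # never lock out the break-glass account
            }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{
            operator               = 'OR'
            authenticationStrength = @{ id = $strength.Id }   # not builtInControls 'mfa'
        }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# --- Tier 1: privileged roles plus the exec / finance / remote-access groups ---
$breakGlassGroupId = '<object id of the emergency-access group>'                  # placeholder
$tier1GroupIds     = @('<exec group id>', '<finance group id>', '<remote-access group id>')
$tier1Roles = 'Global Administrator', 'Security Administrator', 'Application Administrator',
              'Exchange Administrator', 'User Administrator', 'Helpdesk Administrator'

$tier1 = New-PhishingResistantMfaPolicy -DisplayName 'CA-T1-PhishingResistantMFA-Privileged' `
    -IncludeRoleNames $tier1Roles -IncludeGroupIds $tier1GroupIds `
    -BreakGlassGroupId $breakGlassGroupId        # report-only during the pilot

# --- Tier 2: general staff via a rollout group, report-only for the 30-day grace period ---
$tier2 = New-PhishingResistantMfaPolicy -DisplayName 'CA-T2-PhishingResistantMFA-Staff' `
    -IncludeGroupIds @('<tier 2 rollout group id>') -BreakGlassGroupId $breakGlassGroupId

# When the pilot is clean (tier 1) or the grace period closes (tier 2), flip to enforced.
function Set-PolicyEnforced([string] $PolicyId) {
    Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $PolicyId -State 'enabled'
}
# Set-PolicyEnforced -PolicyId $tier1.Id
# Set-PolicyEnforced -PolicyId $tier2.Id
```

The two calls deliberately share one function so the only difference between tiers is who is targeted; the grant control, the break-glass exclusion and the report-only start are identical. Flipping State to enabled is the single change that ends the grace period, which is why the review step below checks the State of every policy rather than trusting the project plan.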

Frontline workers on F-series licences need a different approach — typically shared-device profiles with simpler MFA. Don't force FIDO2 onto retail workers sharing a tablet; the friction will defeat the whole rollout.

Days 76–90: external accounts and review

External guest accounts (Entra B2B) need the same uplift. The resource tenant's Conditional Access policy can require the phishing-resistant authentication strength for guests, but the authentication itself happens in the partner's home tenant, so it only passes if your inbound cross-tenant access settings trust MFA from that tenant and the partner has actually deployed a phishing-resistant method. Coordinate with material partners; for partners that won't cooperate, evaluate whether the access risk justifies the relationship.

Final review: pull the Entra sign-in logs for the last 30 days (the full retention window on a P1/P2 tenant). For each policy, confirm it is enabled rather than report-only, and that sign-ins in its intended scope show it applied with a success result and a phishing-resistant method. Document the result for the board pack; this is a control uplift the board cares about. Add MFA strength as a standing item in the quarterly security review.
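The closing review as an added example (not Frontrow's tooling): a Graph PowerShell pass over the last 30 days of sign-ins that lists policies which cannot be enforcing anything, tallies every policy's result, shows which authentication methods satisfied the strong policies, and surfaces every break-glass sign-in. The policy display names and break-glass UPNs are placeholders; the property names are those of the Microsoft.Graph sign-in and Conditional Access policy objects.

```powershell
# Added example, not Frontrow's own tooling. Requires the Microsoft.Graph modules;
# policy names and break-glass UPNs below are placeholders for your tenant's values.
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'Policy.Read.All'

function Get-MfaRolloutReview {
    param(
        [string[]] $StrongPolicyNames = @('CA-T1-PhishingResistantMFA-Privileged',
                                          'CA-T2-PhishingResistantMFA-Staff'),
        [string[]] $BreakGlassUpns    = @('breakglass1@contoso.example',
                                          'breakglass2@contoso.example'),
        [int]      $Days = 30          # P1/P2 retain 30 days of sign-in logs
    )

    $since   = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyy-MM-ddTHH:mm:ssZ')
    $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All

    # 1. Policies that cannot be enforcing: report-only or disabled, plus policies still
    #    on the legacy 'mfa' grant control with no authentication strength attached.
    $policies     = Get-MgIdentityConditionalAccessPolicy -All
    $notEnforcing = $policies | Where-Object State -ne 'enabled' |
        Select-Object DisplayName, State
    $legacyMfa    = $policies | Where-Object {
        $_.GrantControls.BuiltInControls -contains 'mfa' -and
        -not $_.GrantControls.AuthenticationStrength.Id
    } | Select-Object DisplayName, State

    # 2. Tally each applied policy's result. A 'reportOnly*' or 'notApplied' result
    #    against a policy that is meant to be enforced is a scoping gap.
    $policyTally = @{}
    foreach ($s in $signIns) {
        foreach ($p in $s.AppliedConditionalAccessPolicies) {
            $key = "$($p.DisplayName) | $($p.Result)"
            $policyTally[$key] = [int]$policyTally[$key] + 1
        }
    }

    # 3. Which methods were used on sign-ins the strong policies enforced successfully.
    #    Expect the first factor plus FIDO2 / Hello for Business / passkey rows only;
    #    anything else on this list deserves a look.
    $methodTally = @{}
    foreach ($s in $signIns) {
        $covered = $s.AppliedConditionalAccessPolicies | Where-Object {
            $StrongPolicyNames -contains $_.DisplayName -and $_.Result -eq 'success'
        }
        if (-not $covered) { continue }
        foreach ($d in ($s.AuthenticationDetails | Where-Object Succeeded)) {
            $m = $d.AuthenticationMethod
            $methodTally[$m] = [int]$methodTally[$m] + 1
        }
    }

    # 4. Break-glass accounts: every sign-in is an event that needs an explanation.
    $breakGlassSignIns = $signIns |
        Where-Object { $BreakGlassUpns -contains $_.UserPrincipalName } |
        Select-Object CreatedDateTime, UserPrincipalName, IPAddress,
                      @{ n = 'ErrorCode'; e = { $_.Status.ErrorCode } }

    [pscustomobject]@{
        PoliciesNotEnforcing        = $notEnforcing
        LegacyMfaPolicies           = $legacyMfa
        PolicyResults               = $policyTally.GetEnumerator() | Sort-Object Name
        MethodsOnStrongPolicies     = $methodTally.GetEnumerator() | Sort-Object Value -Descending
        BreakGlassSignIns           = $breakGlassSignIns
    }
}

$review = Get-MfaRolloutReview
$review.PoliciesNotEnforcing | Format-Table
$review.PolicyResults        | Format-Table
$review.MethodsOnStrongPolicies | Format-Table
$review.BreakGlassSignIns    | Format-Table
```

The four sections map to the four questions the board pack has to answer: is the policy on, did it apply to the people it was written for, did a phishing-resistant method actually satisfy it, and has the emergency account been touched. Pulling sign-ins for a large tenant is slow, so run this once and keep the `$review` object for the rest of the write-up.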

What actually goes wrong

  • Break-glass account untested before rollout. Leads to lockouts that erode trust in the security team.
  • FIDO2 keys ordered without a backup. One lost key, one user locked out, one helpdesk fire.
  • Conditional Access scoping wrong. Policies are not ordered and nothing overrides anything; every policy that matches a sign-in must be satisfied. The real failure is a strong policy left in report-only, or with a group, app or platform excluded, so the only policy evaluated for that sign-in is an older one that still accepts push or SMS.
  • Rolling out to users who can't onboard (no smartphone, no managed device) without an alternative path such as a hardware key.
  • Skipping tier 2 because tier 1 was hard. Tier 1 alone doesn't reach Essential Eight ML2.

Want us to run this with your team?

30 minutes. No deck. We'll walk through your tenant, your priorities, and the next sensible move.