Beyond MFA: Passkeys & Phishing-Resistant Auth for Canadian Business 2026

When multi-factor authentication first rolled out across Canadian businesses, it was a step change. Add a second factor (a code from an app, a text message, a push notification) and the era of "password leaked, account stolen" was supposed to end. For a few years, it mostly did. Then the attackers caught up.

By mid-2026, the security model that defined the last decade, a password plus an SMS code or a push notification, is the model being actively exploited every week across Canadian businesses. MFA fatigue attacks bombard employees with push prompts until someone taps approve. Adversary-in-the-middle phishing kits relay legitimate MFA codes in real time. SIM swap fraud hijacks SMS codes before they reach the legitimate phone. Session token theft skips the login flow entirely. The 2026 Verizon Data Breach Investigations Report puts credential-based attacks at the top of the initial access vector list for the third year running, and the credentials being stolen now include the MFA codes themselves.

This article is the practical guide Canadian SMBs need in 2026. It explains what phishing-resistant authentication actually means, why passkeys have become the default answer for businesses serious about identity security, how the rollout works inside Microsoft 365 and Google Workspace environments most Canadian SMBs already run, and how this connects to cyber insurance requirements that explicitly call for phishing-resistant MFA at renewal.


Why Standard MFA Is No Longer Enough

Multi-factor authentication still beats a password alone. That has not changed. What has changed is the gap between the strongest form of MFA and the weakest, and the willingness of attackers to invest in tooling that defeats the weak forms at scale.

MFA fatigue and push bombing

The simplest modern attack does not defeat MFA technically; it defeats the human on the other end. The attacker, having obtained a valid username and password from a credential leak or a previous phish, triggers MFA push notifications repeatedly. Twenty pushes in five minutes. A hundred over an hour. The employee, distracted, half-asleep, or assuming it is a glitch, eventually taps approve to make it stop. The attacker is in.

MFA fatigue was the technique used in several high-profile 2022 and 2023 breaches of major North American organizations. By 2026, it is industrialized. The tooling is automated, the credential lists are abundant, and the click-through rate is high enough that the attack scales.

Adversary-in-the-middle phishing

This attack is more sophisticated, and harder to defend against without phishing-resistant factors. The attacker stands up a proxy site that looks identical to the real Microsoft 365 or Google login page. The employee enters credentials, which the proxy relays to the real site. The real site prompts for MFA. The proxy displays the MFA prompt to the employee, who completes it. The proxy captures the resulting session token and uses it to sign in as the employee, indefinitely, from anywhere.

This attack defeats SMS codes, app-generated codes, and push notifications. The session token is the prize, and once the attacker has it, MFA is no longer in the loop. Open-source kits like Evilginx and its commercial successors made this attack accessible to every level of threat actor years ago. In 2026 it is one of the most common methods used in business email compromise against Canadian SMBs.

SIM swap and SMS interception

SMS-based MFA has been considered weak since the U.S. National Institute of Standards and Technology flagged it in 2016. The attacks are well documented: an attacker convinces a mobile carrier to transfer the victim's phone number to a SIM card the attacker controls, then receives all incoming SMS codes. Canadian carriers have hardened their processes, but SIM swap fraud still happens, and SMS-based MFA still puts a critical security control on top of a consumer-grade infrastructure that was never designed for it.

Token theft and infostealer malware

The fastest-growing identity attack in 2026 is one that skips the login flow entirely. Infostealer malware running on a personal device, often a contractor's laptop or a BYOD phone, exfiltrates browser session tokens directly. The attacker imports those tokens into their own browser and is signed in as the victim, without ever seeing the password or MFA challenge. The defense against this attack is not better MFA; it is shorter session lifetimes, device compliance enforcement, and conditional access policies that re-evaluate trust continuously.


What Phishing-Resistant Authentication Actually Means

The term "phishing-resistant MFA" has become a marketing label, applied to products that range from genuinely strong to barely better than the SMS codes they claim to replace. To cut through that, here is what the term means in the standards that regulators and insurers actually point to.

The NIST and CISA definitions

The U.S. National Institute of Standards and Technology and the Cybersecurity and Infrastructure Security Agency define phishing-resistant authentication as authentication that cannot be defeated by relaying credentials to a fake site. In practice, that means the authentication factor is cryptographically bound to the legitimate site's domain, so a proxy or fake site simply cannot complete the authentication even if a user is fooled into trying.

Two technologies meet this bar today: FIDO2 security keys and passkeys. Both use the WebAuthn standard. Both work by having the authenticator sign a challenge with a private key that never leaves the device, and verifying the signature against the legitimate site's registered public key. A proxy site cannot reuse the signature because the browser includes the domain it is actually connected to in the data that gets signed, so the signature is bound to the domain, not just to the user.

What does not qualify

SMS codes do not qualify. App-generated one-time codes (TOTP) do not qualify, because a user can be phished into typing the code into a proxy site. Push notifications with simple approve/deny do not qualify, because they are vulnerable to MFA fatigue. Push notifications with number matching (where the user enters a number shown on the login screen into the app) are stronger but still fall short of cryptographic phishing resistance. They are the second-best option for organizations not ready for passkeys yet, but they are not the destination.

Passkeys vs. hardware security keys

Passkeys and FIDO2 hardware keys are the same underlying technology in different form factors. A hardware key is a physical device (a YubiKey, a Feitian, a Google Titan) that the user carries and plugs in or taps. A passkey is the same cryptographic credential, stored in a device the user already has: the secure enclave of a phone, the TPM of a laptop, or a password manager synced across the user's devices.

For most Canadian SMBs in 2026, passkeys are the practical answer. They deliver the same phishing resistance as hardware keys, they do not require buying and shipping physical tokens to every employee, and they recover gracefully when a device is lost because the passkey is synced through the user's Microsoft, Apple, Google, or password manager account. Hardware keys remain the right answer for a small set of high-privilege users (domain admins, executives, finance approvers) where the additional cost is worth the additional assurance.


Passkeys in Microsoft 365 and Google Workspace

Most Canadian SMBs run their identity stack on either Microsoft Entra ID (formerly Azure AD) inside Microsoft 365, or Google Cloud Identity inside Google Workspace. Both support passkeys as a primary authentication method in 2026, and both have made the rollout significantly easier than it was even a year ago.

Microsoft 365 with Entra ID

Microsoft Authenticator supports passkeys as a first-class authentication method. Users register a passkey from the Authenticator app on their phone, and that passkey becomes a phishing-resistant sign-in option across all Microsoft 365 services. Administrators can enforce phishing-resistant authentication through Conditional Access policies, requiring it for sensitive applications, high-risk sign-ins, or all access by specific user groups.

The Microsoft 365 rollout works in three phases for most SMBs:

  1. Phase 1: Enable passkey registration in the authentication methods policy and pilot with the IT team and a small group of willing early adopters. Two to four weeks to validate the user experience and identify any application that has not yet caught up with modern authentication.

  2. Phase 2: Open passkey registration to all employees, communicate the benefits, and pair the rollout with a session-policy review so session lifetimes are tightened in step with the stronger authentication. Four to eight weeks for the broad organization.

  3. Phase 3: Enforce phishing-resistant authentication through Conditional Access first for sensitive applications and admin accounts, then for all access where the technology and user-base maturity supports it. Ongoing.

Google Workspace

Google Workspace supports passkeys natively. Users can register a passkey from any device they sign in from, and administrators can require passkeys or hardware keys for sign-in through the advanced protection program or through context-aware access policies. For Google Workspace SMBs, the typical 2026 rollout pattern is similar: pilot, broad opt-in, then enforced policy.

The applications that still struggle

Not every business application supports passkeys in 2026, though the list is shrinking quickly. Legacy line-of-business applications, older accounting systems, and some industry-specific tools still rely on password-only or password-plus-SMS authentication. The right way to handle these in an SMB rollout is to put them behind an identity provider through SAML or OpenID Connect federation where possible, so the strong authentication at the identity provider applies to the application even if the application does not natively support passkeys. Where federation is not possible, the application becomes a known weak point that needs to be flagged in the risk register and tracked toward replacement.


The Business Case: Productivity, Security, and Insurance

Passkeys are usually evaluated on security grounds, but the business case extends further. For most Canadian SMBs, the rollout pays back in three measurable areas.

Help desk volume drops

Password resets and MFA-related lockouts are routinely among the top three help desk ticket categories in SMBs. Passkeys eliminate password resets on the user side of the equation, because there is no password to forget, and they reduce MFA-lockout tickets because the recovery path is built into the device rather than dependent on SMS or app re-enrollment. Organizations that have completed a passkey rollout typically report a noticeable drop in identity-related help desk volume within the first quarter, which translates directly into reduced IT cost or freed-up internal staff time.

Sign-in is faster, not slower

Contrary to the assumption that stronger authentication slows users down, passkeys are usually faster than the password-plus-MFA-code flow they replace. A face scan or a fingerprint touch is one action. The password-plus-code flow is three or four. Over the course of a year, the time difference is measurable, and the friction difference is more so. User satisfaction with passkeys is consistently higher than with traditional MFA in surveys we run with clients after rollouts complete.

Cyber insurance qualification and pricing

Cyber insurance underwriters in 2026 explicitly ask whether the organization has deployed phishing-resistant MFA, and whether it is enforced for administrative accounts at a minimum and ideally for all users. A "yes" with documentation, on this single question, can move a renewal from declined to bound, and in many cases significantly affects pricing. For SMBs, this is one of the highest-ROI security investments measured in pure insurance terms, before counting the actual risk reduction.


What a Passkey Rollout Looks Like for a Canadian SMB

Here is the rollout stepped through in concrete terms for a typical 50- to 150-employee Canadian SMB on Microsoft 365.

Week 1 to 2: discovery and design

Inventory the applications employees sign into. Identify which are federated through Entra ID, which use password-plus-MFA directly, and which are outside the identity perimeter entirely. Inventory the devices employees use, including BYOD phones. Decide on the authentication methods policy: which methods are permitted, which are required, and which are blocked. Decide on the device requirement: passkeys can be device-bound or synced, and synced is generally the right choice for SMBs because it survives device loss gracefully.

Week 3 to 4: pilot

Enable passkey registration for the IT team plus five to ten willing pilot users from different roles. Walk them through registration on the Authenticator app. Verify the sign-in experience across the applications they use daily. Document the questions that come up, since they will surface again in the broader rollout, and refine the user-facing instructions before they go to the whole company.

Week 5 to 8: broad rollout

Communicate the change to the company a week before it lands. Run a 30-minute live session walking through registration on screen, with time for questions. Make the registration self-service for employees who can, but offer a help desk slot for anyone who wants to register with someone watching the screen. Track registration completion daily, and follow up individually with employees who have not registered after a week. Most organizations reach 80 percent registration within two weeks and the long tail completes over the next month.

Week 9 onward: enforcement and admin hardening

Move sensitive applications and admin accounts behind a Conditional Access policy requiring phishing-resistant authentication. Disable SMS and voice call as authentication methods. Tighten session lifetimes, particularly for finance applications and remote access. Begin removing legacy authentication protocols still permitted in the tenant. The work continues beyond the initial rollout, because identity security is a posture, not a project.
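Phase 3 of the Microsoft 365 rollout and the Week 9 enforcement step both hinge on the same check: does each Conditional Access policy actually require phishing-resistant authentication, or only the built-in "mfa" control that SMS and simple push still satisfy? The following Node.js script is an added example (not GAM Tech's tooling or a Microsoft API) that audits exported policies in the Microsoft Graph conditionalAccessPolicy shape. The sample policies are constructed, the role template id is a placeholder, and the built-in strength id is assumed to match the tenant's own list.

```javascript
// Added example: audit exported Entra ID Conditional Access policies for
// phishing-resistant enforcement. Sample data below is constructed.

// Built-in "Phishing-resistant MFA" authentication strength id in Entra ID.
// Assumption for this demo: confirm it against the strength list in your own tenant.
const PHISHING_RESISTANT_STRENGTH_ID = '00000000-0000-0000-0000-000000000004';

// Classify what a single policy actually demands of the user at sign-in.
function classifyPolicy(policy) {
  if (policy.state !== 'enabled') return 'not-enforced';
  const grant = policy.grantControls || {};
  const strength = grant.authenticationStrength;
  if (strength && strength.id === PHISHING_RESISTANT_STRENGTH_ID) return 'phishing-resistant';
  if (strength) return 'custom-strength'; // review which method combinations it allows
  if ((grant.builtInControls || []).includes('mfa')) return 'legacy-mfa';
  return 'no-mfa';
}

// Summarise coverage: is phishing-resistant MFA enforced for admin roles, and for everyone?
function auditPolicies(policies) {
  const findings = policies.map((p) => {
    const users = (p.conditions && p.conditions.users) || {};
    return {
      name: p.displayName,
      verdict: classifyPolicy(p),
      coversAllUsers: (users.includeUsers || []).includes('All'),
      coversAdminRoles: (users.includeRoles || []).length > 0,
    };
  });
  const resistant = findings.filter((f) => f.verdict === 'phishing-resistant');
  return {
    findings,
    adminsCovered: resistant.some((f) => f.coversAdminRoles || f.coversAllUsers),
    everyoneCovered: resistant.some((f) => f.coversAllUsers),
    legacyOnly: findings.filter((f) => f.verdict === 'legacy-mfa').map((f) => f.name),
  };
}

// Constructed sample: the state many tenants are in just before the Week 9 enforcement step.
const SAMPLE_POLICIES = [
  {
    displayName: 'Require MFA for all users',
    state: 'enabled',
    conditions: { users: { includeUsers: ['All'] }, applications: { includeApplications: ['All'] } },
    grantControls: { operator: 'OR', builtInControls: ['mfa'] }, // weak: SMS/push satisfy this
  },
  {
    displayName: 'Admins: phishing-resistant MFA',
    state: 'enabled',
    conditions: { users: { includeRoles: ['ROLE-TEMPLATE-ID-PLACEHOLDER'] }, applications: { includeApplications: ['All'] } },
    grantControls: { operator: 'OR', authenticationStrength: { id: PHISHING_RESISTANT_STRENGTH_ID } },
  },
  {
    displayName: 'All users: phishing-resistant MFA (report-only)',
    state: 'enabledForReportingButNotEnforced',
    conditions: { users: { includeUsers: ['All'] }, applications: { includeApplications: ['All'] } },
    grantControls: { operator: 'OR', authenticationStrength: { id: PHISHING_RESISTANT_STRENGTH_ID } },
  },
];

function runAudit() {
  return auditPolicies(SAMPLE_POLICIES);
}

console.log(JSON.stringify(runAudit(), null, 2));
```

On the sample, admins are covered, all-user coverage is still report-only, and the legacy "mfa" policy is listed for follow-up, which is the checklist the enforcement step works through.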


Connecting This to Cyber Insurance and Compliance

Identity is where regulatory and insurance requirements increasingly meet, and passkeys sit at the intersection.

Cyber insurance

Carriers have moved beyond "do you have MFA" to specifying what kind. Phishing-resistant MFA for administrative accounts is now table stakes for many carriers. Phishing-resistant MFA for all users is the differentiator that affects pricing meaningfully. Number-matching push, while not fully phishing-resistant, is accepted by most carriers as a stepping stone, but the direction is clearly toward passkeys, and renewal language is starting to reflect that.

Canadian privacy law

The Office of the Privacy Commissioner of Canada and provincial privacy commissioners have published guidance treating credential-based breaches as foreseeable and preventable when standard authentication is in use. The reasonable safeguards obligation under PIPEDA and provincial privacy law is increasingly interpreted to include strong authentication for systems holding personal information. The bar is not yet "you must use passkeys," but it is heading toward "you must use authentication that cannot be defeated by phishing," and the practical expression of that is passkeys or hardware keys.

Industry-specific compliance

Organizations subject to HIPAA-equivalent provincial health legislation, PCI DSS, or supply-chain security expectations like CMMC for U.S. defense work are seeing the same convergence. Phishing-resistant authentication is the direction of every major standards body, and the implementation pattern is the same regardless of which framework you are tracking against. A passkey rollout done well satisfies all of them at once.


Common Objections — and the Honest Answers

"What happens if an employee loses their phone?"

Synced passkeys recover with the user's Microsoft, Apple, Google, or password manager account on the new device. Device-bound passkeys require re-registration, which is built into the standard recovery flow. The worst-case experience is similar to losing the device today: contact IT, verify identity through a backup method, re-register on the new device. The difference is that the attacker who briefly has the lost phone cannot use it to sign in, because the passkey requires biometric or PIN unlock that the attacker does not have.

"What about employees who do not have a smartphone?"

Two answers. First, for many roles in 2026, a smartphone is already an effective business tool requirement and the business should consider providing one. Second, for roles where that is not appropriate, a FIDO2 hardware security key is the alternative. The key plugs into a USB port or taps via NFC, costs in the range of forty to seventy Canadian dollars, and provides the same phishing resistance as a phone-based passkey.

"Will every application work?"

Most modern applications federated through Entra ID or Google Workspace will work natively. Legacy applications outside federation may not. The discovery phase identifies these, and the rollout plan handles them through federation where possible and replacement timelines where not.

"Is this going to slow us down?"

Almost always the opposite. Passkey sign-in is faster than password-plus-code. Help desk volume drops. Compromise risk drops. The transition itself takes a few weeks of attention; the steady state is better than what came before, in every measurable dimension.


Why Canadian Businesses Choose GAM Tech for Identity Modernization

GAM Tech has been the managed IT partner for Canadian small and mid-sized businesses since 2012. SOC2 certified, B-Corp certified, and operating from eight offices across Calgary, Edmonton, Red Deer, Vancouver, Victoria, Toronto, Ottawa, and Montréal, we deliver national coverage with local presence.

On identity modernization specifically, our work with clients in 2026 covers four areas:

  • Designing and rolling out passkey authentication across Microsoft 365, Google Workspace, and federated business applications.

  • Hardening Conditional Access policies, tightening session lifetimes, and removing legacy authentication protocols that still permit weaker sign-in.

  • Mapping the identity posture to cyber insurance application questions so renewals go smoothly and pricing reflects the controls actually in place.

  • Building identity work into the project packs included in our managed services agreement — no separate scoping exercise required.

24/7 internal staff, never outsourced. A 5-minute response guarantee. The certifications and experience to do the work right the first time.


Frequently Asked Questions

What is phishing-resistant MFA?

Phishing-resistant MFA is authentication that cannot be defeated by relaying credentials to a fake or proxy site, because the authentication factor is cryptographically bound to the legitimate site's domain. The two technologies that meet this bar are FIDO2 hardware security keys and passkeys, both based on the WebAuthn standard. SMS codes, app-generated one-time codes, and simple push notifications do not qualify as phishing-resistant.

What is a passkey?

A passkey is a cryptographic credential stored on a device the user already has (a phone, a laptop, or a synced password manager) that replaces the password for sign-in. The passkey is unlocked with the device's biometric or PIN, signs a challenge from the legitimate site, and the signature is verified against a previously registered public key. Passkeys are phishing-resistant because the cryptographic binding to the site's domain means a fake site cannot complete the authentication.

Are passkeys safe for business use in Canada?

Yes. Passkeys are based on open standards, supported natively by Microsoft 365, Google Workspace, and most modern business applications, and recognized by Canadian privacy regulators and cyber insurance carriers as a strong form of authentication. The technology is deployed in production by major Canadian banks, governments, and enterprises in 2026.

Will passkeys work with Microsoft 365 for small business?

Yes. Microsoft Entra ID supports passkeys through Microsoft Authenticator as a first-class authentication method across all Microsoft 365 plans that include modern authentication. Administrators can enable passkey registration in the authentication methods policy and enforce phishing-resistant authentication through Conditional Access for sensitive applications and admin accounts.

What is the difference between a passkey and a hardware security key?

Both use the same underlying technology. A hardware security key is a physical device, like a YubiKey, that the user plugs in or taps. A passkey is the same cryptographic credential stored on a phone, laptop, or password manager. Passkeys are typically more practical for general business users because they do not require shipping and managing physical tokens. Hardware keys are still the right choice for a small number of high-privilege users like domain administrators and executives, where the additional assurance is worth the additional cost and process.

Does cyber insurance require phishing-resistant MFA?

Increasingly yes. Cyber insurance applications in 2026 explicitly ask whether phishing-resistant MFA is deployed and whether it is enforced for administrative accounts. Phishing-resistant MFA for admin accounts is now table stakes for most carriers. Phishing-resistant MFA for all users is the differentiator that affects qualification and pricing. Some carriers are beginning to write language requiring it at renewal, particularly for organizations in higher-risk industries or with previous claims.

What is an MFA fatigue attack?

An MFA fatigue attack is one in which the attacker, having obtained a valid username and password, triggers MFA push notifications repeatedly until the legitimate user taps approve to make the prompts stop. The attack does not defeat MFA technically; it defeats the human behind it. Number-matching push reduces the risk because the user must enter a specific number from the login screen, but passkeys eliminate the attack vector entirely because there is no push prompt that can be spammed.

How long does a passkey rollout take for a small business?

For a typical 50- to 150-employee Canadian SMB on Microsoft 365 or Google Workspace, a complete passkey rollout takes eight to twelve weeks from discovery to enforced policy. Discovery and design take one to two weeks, the pilot takes two weeks, broad rollout takes four to eight weeks depending on user-base maturity, and enforcement and admin hardening continue from there. Smaller organizations can complete the rollout faster.

What happens to my passkey if I lose my phone?

Synced passkeys recover with the user's Microsoft, Apple, Google, or password manager account on a new device, the same way other synced data is restored. Device-bound passkeys require re-registration through the standard identity recovery process. The lost phone cannot be used to sign in without the biometric or PIN that unlocks the passkey, so a brief delay in recovery does not translate into account compromise.

Can I keep my password as a backup?

Yes during the transition, no over the long term. Passkey rollouts typically run alongside password sign-in for the first several weeks while users register and verify. Over time, password sign-in should be disabled for users who have passkeys registered, and eventually for the organization as a whole. Keeping passwords as a permanent fallback defeats the security gains of the passkey rollout because the password remains a phishable factor.


Ready to Move Beyond MFA?

If your business is still relying on passwords plus SMS or app codes, the gap between your authentication posture and the threats facing your business in 2026 has widened. Passkeys are the answer, and the rollout is more practical than most SMB leaders expect.

GAM Tech helps Canadian SMBs design, deploy, and enforce phishing-resistant authentication across Microsoft 365 and Google Workspace, with the surrounding Conditional Access, session, and federation work that makes the rollout stick. Eight offices across Canada, 24/7 internal staff (never outsourced), a 5-minute response guarantee, SOC2 and B-Corp certified, in business since 2012.

Book a 30-minute identity posture review at gamtech.ca, or call your closest GAM Tech office to get started.