Multi-factor authentication is the floor, not the ceiling. Over the last three years, UK SMEs have strengthened MFA across email, Microsoft 365 and remote access. As a result, Cyber Essentials, insurance questionnaires and high-profile breaches have pushed MFA higher up the priority list.That was the right step. In 2026 it is no longer enough on its own.

Phishing-resistant identity is the next layer. Attackers in 2026 are routinely bypassing standard MFA through attacker-in-the-middle phishing kits, MFA fatigue, session token theft and SIM swap. Each of these defeats the six-digit code or authenticator push notification that most UK SMEs now rely on.The best defence replaces bypassable factors with cryptographic factors that attackers cannot phish or relay.

Below: what phishing-resistant identity means in practice, the three controls UK SMEs are landing this year, where this sits alongside Cyber Essentials and cyber insurance, and how to roll it out without breaking the working week.

Why MFA alone is no longer enough in 2026

MFA reduces the chance of a successful credential phish from very high to very low. It does not reduce it to zero, and attackers have adapted to the gap.

Three specific bypass techniques are now common:

  • Attacker-in-the-middle phishing. The attacker hosts a convincing login page that relays credentials and the MFA token to the real Microsoft 365 in real time, capturing a valid session. The user thinks they have logged in. They have, and so has the attacker.
  • MFA fatigue. Attackers often flood users with MFA prompts. As a result, a tired or confused user may tap Approve just to stop the alert.
  • Session token theft. Malware on the device steals the authenticated session cookie. No MFA prompt is needed. The attacker reuses the cookie.

Each technique works against SMS codes, authenticator push notifications and one-time codes. A strong defence uses a factor that attackers cannot relay, even when they trick the user into trying to authenticate on a fake page.The NCSC recommended types of MFA guidance is now explicit on this point: only FIDO2-based methods (passkeys, hardware security keys, Windows Hello for Business) genuinely resist this class of attack. Everything else can be bypassed under the right conditions.

Our phishing attacks in 2026 post covers the attack side in more detail. This piece is about what comes after MFA.

What phishing-resistant identity looks like

The defining property is binding. Phishing-resistant factors are cryptographically tied to the legitimate website. First, the factor checks the domain when the user tries to authenticate. Then, the system compares it with the registered factor. If the domain does not match, the system silently blocks authentication before the user can make a mistake.

That single property defeats all three attack classes above. The attacker can build a convincing phishing site. They cannot make the user’s passkey or security key agree to authenticate against it.

The three identity controls beyond MFA

These are the three controls UK SMEs are landing in 2026, in roughly the order most businesses can adopt them.

1. Passkeys for everyday users

Passkeys are the consumer-grade version of FIDO2. They live on the user’s phone (Face ID, fingerprint) or computer (Windows Hello) and replace passwords entirely for supported sites, which now includes Microsoft 365, Google and most major SaaS. The FIDO Alliance passkeys overview covers the underlying standard.

For everyday SME staff, passkeys are the lowest-friction phishing-resistant option. Microsoft now supports passkeys for Microsoft 365 sign-in. The rollout is largely a settings change rather than a hardware purchase.

The trade-off: passkeys are tied to specific devices. Finally, plan your recovery process before you roll out phishing-resistant MFA. For example, if a user loses their phone, a well-designed recovery process will restore access quickly without compromising security.

2. FIDO2 hardware keys for admin and high-risk accounts

For example, you can protect accounts with administrative privileges, finance authorisation or access to sensitive data by using a physical FIDO2 security key, such as a YubiKey or Feitian key. This remains the gold standard for phishing-resistant authentication.

The user inserts or taps the key to authenticate. The key cannot be cloned, intercepted or socially engineered.

Recommended use: every admin account, every finance approver, anyone with access to client data above a defined sensitivity threshold. Hardware cost is modest, in the region of £30 to £50 per key, and the protection is the strongest commercially available.

3. Conditional access tied to device posture

Conditional access is included in Microsoft 365 Business Premium. The control most SMEs do not configure is device posture, allowing sign-in only from devices enrolled in Intune, patched, and running endpoint protection. As a result, this rules out an attacker who has the password and MFA code but is trying to sign in from a personal laptop.

Combined with passkeys or hardware keys, conditional access closes the bypass routes that pure password-plus-MFA leaves open.

Where this fits with Cyber Essentials and cyber insurance

Cyber Essentials v3.3 already requires MFA across all cloud services. The standard is moving toward expecting phishing-resistant methods for administrative accounts in the next revision. Cyber insurers are asking, on renewal questionnaires in 2026, whether the business has deployed phishing-resistant MFA for admins.

Implementing phishing-resistant identity now positions the business ahead of where the standard and the insurance market are heading. It also addresses one of the biggest causes of high-cost cyber claims in 2025 and 2026: credential phishing that bypasses standard MFA. Our identity threat detection (ITDR) piece covers the detection side of the same problem.

How UK SMEs are rolling this out without disrupting the team

The honest concern with new identity controls is disruption. Staff have got used to MFA. They will resist anything that feels like more friction. The pattern that works at SME scale is staged, not big-bang.

A typical 90-day rollout:

  1. Days 1 to 30: admins first. Every admin account gets a FIDO2 hardware key. Highest-value, lowest-disruption move. Prioritise the people most likely to be attacked. They represent the smallest group and are usually the most willing to adopt stronger security.
  2. Days 31 to 60: finance and approvers. Anyone authorising payments or accessing finance systems. Hardware key issued, trained on use, conditional access updated.
  3. Days 61 to 90: general staff to passkeys. Microsoft 365 sign-in moves from password-plus-MFA to passkey-where-possible. During the transition, the old method remains in place as a fallback.

After 90 days the business has phishing-resistant identity across the highest-risk accounts and a working transition path for everyone else.

Where to start

However, if your business already uses MFA across the board but has not yet adopted phishing-resistant methods, you should review your identity posture first. What MFA methods are in use today, by which users, for which systems. From there, the highest-value first step is hardware keys for the admin accounts, followed by passkeys for general staff.

If you would like us to review your current identity posture and produce a 90-day rollout plan tailored to your business, book a Unite identity uplift review and we will produce a one-page posture map plus a sequenced fix list within two weeks.