Hacker News
by tialaramex 1357 days ago
Unfortunately, unless this changed too recently for me to know about it, that feature is default off and labelled "Experimental" or something.

So it's difficult (ask me how I know) for someone who knows way too much about this stuff and has implemented it themselves, to explain to "leadership" why they should change that default.


I don't know the details except that we've been using it since early this year. The docs don't make it seem like there's anything particularly complicated with enabling it[0][1].

[0]: https://learn.microsoft.com/en-us/azure/active-directory/aut...
[1]: https://learn.microsoft.com/en-us/azure/active-directory/aut...

It isn't complicated, it's just one push button - but it isn't the default and so you're going to need to persuade somebody they should turn it on.

I'm not sure I really follow. In an enterprise setting, giving people the option to opt into FIDO is fine and good, but it isn't going to meaningfully help lower the risk of phishing for the organization as a whole. To address phishing, organizations need to mandate FIDO and disable all the weaker forms of authn. That means you're still going to have to convince your leadership to buy into the change anyway. You'll also need a decent-sized communication and training campaign to move everyone over to the FIDO auth flow.

The technology is the easy part for rolling out FIDO in the enterprise. The hard part is all the people stuff. (Although this too is getting easier, since a lot of orgs can now roll out FIDO with existing hardware via platform authenticators.)