MFA vs passkeys vs SSO — what’s right for your business?
Multi-factor authentication, passkeys and single sign-on solve three different problems. Mixing them up is how Australian SMBs end up with weak controls, frustrated users and a failed Essential Eight audit. Here’s a plain-English guide to choosing the right combination in 2026.
Key takeaways
- MFA is a property, not a product. It means “more than one factor” — what you know, what you have, what you are. SMS codes and passkeys are both MFA; one is phishing-resistant, the other is not.
- Passkeys are the modern form of phishing-resistant MFA. The ACSC now expects them (or equivalent FIDO2 credentials) at Essential Eight Maturity Level 2 and above.
- SSO is an architecture decision, not an authentication method. It lets one identity provider front dozens of apps, so you can enforce MFA or passkeys in one place instead of dozens.
- You almost certainly need all three. The question is which order to roll them out — and for most Sydney SMBs on Microsoft 365 Business Premium, the answer is SSO first, then phishing-resistant MFA, then passkey migration.
Why this matters right now
The OAIC’s latest Notifiable Data Breaches report shows credential compromise and phishing are still the leading causes of reported incidents — around 20% of breaches in recent periods trace back to stolen credentials. The January to June 2025 period alone saw 532 notifications, with malicious or criminal attacks responsible for 59% of them. Attackers are no longer guessing passwords; they are running adversary-in-the-middle (AiTM) phishing kits that defeat SMS codes and push-prompt MFA in real time.
At the same time, the ACSC tightened the Essential Eight in 2025: Maturity Level 1 now requires “something you have” in addition to “something you know”, and Maturity Levels 2 and 3 require phishing-resistant MFA for workstations and online services. That regulatory shift is forcing a conversation that many Australian SMBs had been deferring: what does a modern, defensible authentication stack actually look like?
What each term actually means
Multi-factor authentication (MFA)
MFA is the principle that a user must present at least two different categories of evidence to prove who they are. The categories are:
- Something you know — a password or PIN.
- Something you have — a phone, a security key, a smart card.
- Something you are — a fingerprint or face scan.
MFA can be implemented well or badly. SMS one-time codes and push prompts count as MFA, but both can be phished. An authenticator app with number matching is stronger. FIDO2 security keys and passkeys are the strongest end of the spectrum because the credential is bound to an origin and cannot be replayed on a lookalike site.
Passkeys
A passkey is a FIDO2/WebAuthn credential that replaces the password entirely. It consists of a public-private key pair; the private key never leaves the user’s device and is unlocked by a local biometric or PIN. Because passkeys cannot be typed, copied, or re-used on a phishing domain, they defeat the dominant credential theft patterns we see in Australian breaches.
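To make the origin binding concrete, here is an added Go model of the WebAuthn assertion check (example code written for this guide, not taken from it or from any vendor’s implementation). It keeps only the parts that matter for phishing resistance: the browser writes the real origin into clientDataJSON, the authenticator signs over it, and the relying party refuses anything signed on a different origin or for a stale challenge. Assumptions: the rpID, origins and challenge are constructed names, Ed25519 stands in for the usual P-256 credential, and CBOR/COSE parsing, user-presence flag and counter checks are omitted.

```go
package main
import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// assertion is a cut-down WebAuthn assertion; the signature covers authenticatorData || SHA-256(clientDataJSON).
type assertion struct{ ClientDataJSON, AuthData, Sig []byte }
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), cdh[:]...)
}
// sign models the browser plus authenticator on a device currently at origin. The browser,
// not the page's JavaScript, writes origin into clientDataJSON, so a lookalike cannot lie.
func sign(priv ed25519.PrivateKey, rpID, origin, challenge string) assertion {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01, 0, 0, 0, 1) // flags (user present) + counter, constructed
	return assertion{cd, authData, ed25519.Sign(priv, signedMessage(authData, cd))}
}
// verify models the relying party: origin and rpIdHash must match what it registered, the
// challenge must be the one it just issued, and only then is the signature checked.
func verify(pub ed25519.PublicKey, rpID, origin, challenge string, a assertion) error {
	var cd map[string]string
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil { return err }
	rpHash := sha256.Sum256([]byte(rpID))
	switch {
	case cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return errors.New("wrong ceremony or stale challenge")
	case cd["origin"] != origin:
		return errors.New("origin mismatch: signed on " + cd["origin"])
	case len(a.AuthData) < 37 || string(a.AuthData[:32]) != string(rpHash[:]):
		return errors.New("rpIdHash mismatch")
	case !ed25519.Verify(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Sig):
		return errors.New("bad signature")
	}
	return nil
}
// demo returns the relying party's verdicts for a genuine sign-in and for an AiTM proxy relaying the same challenge from a lookalike origin (constructed names).
func demo() (genuine, phished error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	const rpID, origin, challenge = "login.example.com.au", "https://login.example.com.au", "c0ffee"
	genuine = verify(pub, rpID, origin, challenge, sign(priv, rpID, origin, challenge))
	phished = verify(pub, rpID, origin, challenge, sign(priv, rpID, "https://login-example.com.au", challenge))
	return
}
func main() { fmt.Println(demo()) }
```

The same private key produces a valid signature in both runs; the lookalike attempt fails only because the signed origin is not the one the relying party registered, which is exactly what an SMS or push code cannot offer.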
Microsoft, Google, Apple and the FIDO Alliance have aligned passkeys to a common standard, so the same credential flow works across Windows, macOS, iOS and Android. For Windows-first Australian SMBs, Windows Hello for Business is effectively a device-bound passkey that ships with every Microsoft 365 Business Premium seat.
Single sign-on (SSO)
SSO is an architecture where one identity provider — typically Microsoft Entra ID, Google Workspace, Okta or JumpCloud — handles authentication for many downstream applications. The user signs in once; the identity provider issues short-lived tokens (SAML or OIDC) that the apps trust.
SSO is not an authentication method. You still need a credential to sign in to the identity provider — and that credential is where MFA or passkeys belong. SSO’s value is control: you enforce one policy, you see one sign-in log, and when someone leaves you disable one account and access disappears everywhere.
How they fit together
| Method | Category | Phishing-resistant? | Meets Essential Eight ML1? | Meets Essential Eight ML2/3? | Typical SMB use |
|---|---|---|---|---|---|
| Password only | Single factor | No | No | No | Retire. Not compliant with anything. |
| Password + SMS code | MFA (weak) | No | Yes | No | Acceptable as a short-term bridge only. |
| Password + authenticator app (push or TOTP) | MFA (moderate) | Partial — number matching helps | Yes | No | Common today, but MFA fatigue is a real attack vector. |
| Windows Hello for Business | Device-bound passkey | Yes | Yes | Yes | Default for M365 Business Premium workstations. |
| FIDO2 security key (YubiKey, Feitian) | Hardware-backed passkey | Yes | Yes | Yes | Admins, shared devices, break-glass accounts. |
| Platform passkey (iOS, Android, macOS) | Synced passkey | Yes | Yes | Yes (with attestation) | Mobile-heavy teams, BYO-device contractors. |
| SSO (Entra ID, Okta, Google Workspace) | Architecture | Depends on the credential | N/A — SSO is not MFA | N/A | Paired with MFA or passkeys at the identity provider. |
Choosing the right combination
If you’re a 10 to 50 seat business on Microsoft 365 Business Premium
You already own Entra ID P1 (the SSO and conditional access engine) and Windows Hello for Business. The fastest path to a defensible posture is:
- Consolidate on Entra ID as your identity provider. Federate your line-of-business SaaS apps (Xero, HubSpot, Slack, etc.) to Entra so one account controls everything.
- Enforce MFA via Conditional Access. Require authenticator-app MFA as your minimum, with number matching turned on.
- Start a passkey pilot. Enable Windows Hello for Business for a volunteer group — typically the leadership team and finance — and give admins FIDO2 hardware keys.
- Ramp to passkey-preferred over 6 months. Move staff group by group. Retire SMS as a fallback once coverage is above 90%.
If you’re a 50 to 200 seat business in a regulated sector
APRA-regulated entities, hospitals, aged-care providers and NDIS registered providers are in the cross-hairs of the tightened Essential Eight and Privacy Act reforms. You should be operating at Maturity Level 2 as a minimum, which means phishing-resistant MFA is not optional.
Plan for:
- Passkeys or FIDO2 security keys on every workstation and admin account.
- SSO via Entra ID or Okta, with all SaaS apps federated and deprovisioning automated through SCIM.
- Conditional Access policies that block legacy authentication protocols, enforce compliant devices, and restrict sign-ins to Australian geographies unless explicitly approved.
- Break-glass accounts in a sealed envelope, protected by a FIDO2 key held off-site.
If you’re on Google Workspace instead of Microsoft 365
Google Workspace supports passkeys natively for both administrator and user accounts. The same principles apply: enforce passkeys, federate SaaS apps through Google as your identity provider (or pair it with JumpCloud if you also need device and directory management), and retire SMS as soon as passkey coverage is high enough.
Common rollout mistakes we see
- Treating passkeys as “just another MFA option”. Passkeys replace the password; they are not added on top. Leaving the password enabled as a fallback undermines the whole control.
- Rolling out SSO without tightening the identity provider first. If Entra ID is protected by a weak password and SMS, federating 30 apps behind it concentrates your risk instead of reducing it.
- Forgetting shared and kiosk devices. Reception PCs, warehouse scanners and clinical workstations need FIDO2 keys on lanyards or smart cards, not personal biometrics.
- No break-glass plan. When the identity provider has an outage — and they all do, occasionally — you need a documented, tested way to recover admin access without emailing the CEO’s phone.
- Skipping the contractor and BYO-device scenario. External users often can’t receive a Windows Hello enrolment. Platform passkeys on personal devices, gated by Conditional Access, are usually the right answer.
What to do this week
If you do nothing else after reading this, do three things. First, audit which staff still sign in with a password and SMS only — that cohort is the highest exposure on your tenancy. Second, check whether Windows Hello for Business is enabled in your Entra tenant; if it isn’t, you’re paying for a control you aren’t using. Third, order a pair of FIDO2 security keys for every administrator and put them on key rings, not in drawers.
Passkeys, MFA and SSO aren’t competing technologies. They are three layers of the same defence — and in 2026, Australian SMBs that fail to stack them the right way are the ones showing up in the OAIC’s next breach report.
Frequently asked questions
Do passkeys replace multi-factor authentication?
A passkey is itself a form of phishing-resistant MFA. Because it binds the credential to a device and requires a biometric or PIN to unlock, it satisfies the “something you have” plus “something you are or know” test in a single step. You do not need a separate SMS or authenticator code on top. The ACSC recognises FIDO2/WebAuthn passkeys as phishing-resistant MFA suitable for Essential Eight Maturity Level 2 and above.
Is SMS-based MFA still acceptable under the Essential Eight?
SMS and voice-call one-time codes still meet the minimum bar for Essential Eight Maturity Level 1, which now requires “something you have” in addition to “something you know”. However, they are not phishing-resistant and will not satisfy Maturity Level 2 or 3. If you are aiming for ML2, plan the move away from SMS well in advance — most Australian SMBs we work with retire SMS over 6 to 12 months.
Does single sign-on reduce or increase security risk?
Well-configured SSO reduces risk because it consolidates authentication behind one strongly protected identity provider, lets you enforce MFA or passkeys uniformly, and kills access everywhere the moment a staff member leaves. Poorly configured SSO concentrates risk — if the identity provider is breached and MFA is weak, every downstream app is exposed. SSO and phishing-resistant MFA are complements, not alternatives.
What does passkey rollout actually cost for a 50-seat Australian business?
If you already run Microsoft 365 Business Premium, you have Entra ID P1 and Windows Hello for Business included — the marginal licence cost of passkeys is zero. Budget for change management, a pilot group, documentation, and optional FIDO2 hardware keys for admins and shared-device users (roughly $60 to $120 per key). A typical 50-seat rollout lands at $3,000 to $8,000 all-in when done through an MSP, including admin-account hardening and break-glass procedures.
Authoritative resources & Australian compliance guidance
- ACSC — Implementing Multi-Factor Authentication. The current Australian government guidance on MFA factors, ranked by strength.
- ACSC — Essential Eight Maturity Model. Defines what MFA is required at ML1, ML2 and ML3 and the phishing-resistance requirements at each level.
- ACSC — Essential Eight Maturity Model changes. Explains the 2025 uplift including the “something you have” requirement at ML1 and phishing-resistant MFA at ML2.
- OAIC — Notifiable Data Breaches publications. Half-yearly statistics showing credential compromise and phishing as leading breach causes in Australia.
- Microsoft Learn — Passkeys (FIDO2) in Microsoft Entra ID. Reference implementation for passkey rollout on Microsoft 365 tenancies.
- FIDO Alliance — Passkeys overview. The cross-vendor standard that underpins Windows Hello, Apple, Google and third-party passkey implementations.
Next steps
If you are planning a passkey rollout, an SSO consolidation, or an Essential Eight uplift, All IT Services can help you scope the work and sequence it without disrupting day-to-day operations. Read our related guides below or get in touch for a no-pressure conversation.
- SMB1001 vs Essential 8 — when to use each in Australia
- Managed IT cost in Australia — what you actually pay for
- Essential Eight ML1 checklist for Australian SMBs (publishing soon)
- Glossary: Multi-factor authentication
- Glossary: Single sign-on
- All IT Services — Cybersecurity services
- Customer case studies