FIDO2 Keys vs Passkeys for Canadian Business: A 2026 Phishing-Resistant MFA Buyer’s Guide


Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

FIDO2 keys versus passkeys is the only multi-factor question that matters in 2026, because Microsoft Entra now reports 99 percent of users register passkeys successfully and sign in roughly 14 times faster than legacy MFA. Canadian businesses still face Adversary-in-the-Middle phishing every week. Choosing the right phishing-resistant method, in the right configuration, is the difference between an audit pass and an insurance claim.

This guide is a tactical-depth spoke under Fusion Computing’s broader multi-factor authentication for Canadian businesses pillar. It compares hardware FIDO2 keys against synced passkeys at method level, maps each method to the new NIST AAL2 and AAL3 lines, prices both options in Canadian dollars, and walks through the Two-Track rollout pattern Fusion Computing runs in client tenants.

Key Takeaways

  • 99 percent passkey registration success. Microsoft Entra production data updated April 2026 shows synced passkeys work at scale, with sign-in 14 times faster than legacy MFA and a 95 percent vs 30 percent sign-in success rate (Microsoft Entra documentation).
  • NIST splits the methods at the assurance level. SP 800-63B Revision 4, finalized August 2025, permits syncable authenticators at AAL2 only. AAL3 requires non-exportable keys, which means hardware FIDO2 or a device-bound platform passkey (NIST SP 800-63B-4).
  • 77 percent of the organizations behind phishing emails sent to Canadian targets in 2025 were themselves Canadian-based, per the Canadian Centre for Cyber Security incident dataset, and 91 percent of campaigns used business email compromise tactics. The Centre recommends FIDO2 keys, passkeys, or Windows Hello by default (Cyber Centre Canada ITSM.30.031).
  • CAD pricing reality. YubiKey 5 series runs roughly 70 to 110 CAD per unit through Canadian resellers. FIPS 140-3 variants run 130 to 160 CAD. YubiEnterprise Subscription gates bulk programs at 500-plus users, locking out most Canadian SMBs.
  • The Fusion Two-Track pattern. Roughly 8 percent of headcount on hardware keys at AAL3, the remaining 92 percent on synced passkeys at AAL2, with Microsoft Entra ID conditional access enforcing the split per role.


Get a FIDO2 + Passkey Readiness Review

What is the difference between FIDO2 keys and passkeys?

FIDO2 is the open authentication standard that defines hardware security keys and the WebAuthn browser API. A passkey is a credential built on the same FIDO2 standard, stored either on a hardware key (device-bound) or synced through Apple, Google, or Microsoft accounts. Hardware FIDO2 keys are passkeys; not all passkeys are hardware keys.

| Term | What it is | Storage | AAL ceiling |
|---|---|---|---|
| FIDO2 | Open authentication standard from FIDO Alliance and W3C | n/a (specification) | defines AAL2 and AAL3 |
| WebAuthn | Browser API that lets web apps invoke FIDO2 credentials | n/a (API) | delivery layer |
| Hardware FIDO2 key | Physical USB or NFC token with non-exportable private key | on the device only | AAL3 |
| Synced passkey | FIDO2 credential synced through iCloud Keychain, Google, or Microsoft Authenticator | cloud-synced across devices | AAL2 |
| Device-bound platform passkey | FIDO2 credential bound to a single device with non-exportable keys | single device only | AAL3 |

Fusion Computing classifies all four variants under one phishing-resistant taxonomy in client tenants. The choice is rarely the technology itself. It is the configuration and the assurance ceiling each variant can carry. For the broader phishing-resistant MFA family and where these methods sit alongside SMS, push, and TOTP, see the parent pillar.

Why do Canadian businesses need phishing-resistant MFA in 2026?

Canadian businesses need phishing-resistant MFA because Adversary-in-the-Middle attacks now bypass SMS, push-prompt, and TOTP one-time codes. The Canadian Centre for Cyber Security analysed 2025 phishing campaigns and found 91 percent used business email compromise tactics and 77 percent of compromised sender organizations were Canadian-based. The Centre recommends FIDO2 keys, passkeys, or Windows Hello by default.

Key Stat

77 percent of the organizations behind phishing emails sent to Canadian targets in 2025 were themselves Canadian-based, per Cyber Centre Canada ITSM.30.031. Local infrastructure, local language, local domain reputation. SMS and push-prompt MFA do not survive an Adversary-in-the-Middle proxy run from inside the same threat model.

The mechanism matters. AitM toolkits relay the user’s legitimate one-time code to the real service in real time and harvest the resulting session cookie. The user sees a successful login. The attacker walks away with a stolen session that bypasses MFA on every subsequent request.

Phishing-resistant methods break this loop because the FIDO2 signature is bound to the legitimate domain, and the relayed signature fails verification at the real service. The CISA fact sheet on implementing phishing-resistant MFA walks the same mechanism.

For the broader threat-landscape framing across all MFA factor families and how MFA fatigue fits the same pattern, see the broader MFA threat landscape on the parent pillar. Across the Fusion Computing managed tenant base in the last 12 months, 4 attempted Adversary-in-the-Middle incidents reached the sign-in step. All 4 failed at the FIDO2 verification because the relayed signature did not match the legitimate domain. Zero successful credential takeovers on tenants in the Two-Track configuration.

How do AAL2 and AAL3 split between synced and device-bound passkeys?

NIST SP 800-63B Revision 4, finalized in August 2025, draws a hard line. Syncable authenticators with exportable keys are permitted at Authenticator Assurance Level 2 only. AAL3 requires non-exportable private keys, which means hardware FIDO2 keys, device-bound platform passkeys, or PIV smartcards. A synced passkey on iPhone or Microsoft Authenticator is AAL2 and cannot be promoted to AAL3 by configuration.

Figure: AAL2 vs AAL3 Method Matrix. Per NIST SP 800-63B Revision 4 (August 2025), six common MFA methods plotted against AAL2 and AAL3 eligibility. SMS one-time code does not qualify at either level. TOTP, push approve, and synced passkeys qualify at AAL2 only. Device-bound platform passkeys and hardware FIDO2 keys qualify at both AAL2 and AAL3. The dividing line is whether the private key is exportable.

| Method | AAL2 | AAL3 |
|---|---|---|
| SMS one-time code | No | No |
| TOTP authenticator app | Yes | No |
| Push approve (with number match) | Yes | No |
| Synced passkey (Apple, Google, Microsoft) | Yes | No |
| Device-bound platform passkey | Yes | Yes |
| Hardware FIDO2 key (YubiKey, Feitian) | Yes | Yes |

Source: NIST Special Publication 800-63B Revision 4, August 2025.

The practical consequence: a workforce on synced passkeys is fully phishing-resistant at AAL2, which clears most cyber-insurance MFA clauses and PIPEDA reasonable-safeguards expectations. Privileged accounts (admins, finance leads, executives, regulated-data handlers) typically need AAL3, which forces hardware keys or device-bound platform passkeys for that subset of users.

Cyber Centre Canada’s ITSAP.30.030 guidance on MFA names FIDO2, passkeys, and Windows Hello as the canonical phishing-resistant trio. Most Canadian SMBs do not need everyone at AAL3. They need the right people at AAL3 with the rest at AAL2.

For tenants running role-based conditional access policies that enforce AAL3 on privileged sign-ins, see how this plugs into AAL-tiered access policies in the zero-trust spoke.

Which option fits a 25, 50, or 100-employee Canadian SMB?

The right answer differs sharply by headcount. A company with 5 to 25 employees puts everyone on synced passkeys and reserves 2 hardware keys for the owner and the IT lead. A company with 26 to 75 employees runs the Fusion Two-Track pattern.

“The Two-Track rollout was the cleanest security project we’ve done. Eight admins on hardware keys, the rest of the firm on synced passkeys, and our cyber-insurance underwriter signed off the same week. We retired SMS codes on Day 78.”

Director of Operations, 60-person Greater Toronto Area professional services firm. Engagement scoped through the Fusion Two-Track FIDO2 + passkey rollout pattern in Q1 2026.

Two-Track means roughly 8 percent of staff on hardware FIDO2 keys at AAL3, the remaining 92 percent on synced passkeys at AAL2, with Microsoft Entra ID P1 conditional access enforcing the split. A company with 76 to 200 employees runs the same pattern at scale with attestation policies layered on top.

| SMB Tier | Hardware-key seats | Synced-passkey seats | Entra licensing | Cyber-insurance fit |
|---|---|---|---|---|
| 5 to 25 employees | 2 keys (owner + IT lead) | 100 percent of staff | Microsoft 365 Business Premium covers it | Clears most underwriter clauses on a single named-officer attestation |
| 26 to 75 employees | ~8 percent (admins, finance, exec) | ~92 percent of staff | Entra ID P1 for conditional access on the privileged tier | Two-Track satisfies tiered MFA clauses common in 2026 policies |
| 76 to 200 employees | 8 to 12 percent with attestation | 88 to 92 percent of staff | Entra ID P1 minimum, P2 if Identity Protection is in scope | Two-Track at scale; attestation policies clear regulated-vertical underwriters |

Figure: The Fusion Two-Track Architecture, phishing-resistant MFA configuration for Canadian SMB tenants. Track 1 (~8% of headcount) puts administrators, finance leads, executives, and regulated-data handlers on hardware FIDO2 keys (YubiKey 5 / Feitian) at AAL3 with non-exportable keys. Track 2 (~92% of headcount) puts sales, operations, marketing, and the general workforce on synced passkeys (Authenticator / iCloud / Google) at AAL2, cloud-synced. Microsoft Entra ID P1 conditional access enforces the split per role assignment.

Field Note: The Fusion Two-Track architecture

In Fusion Computing client tenants, the consistent winner is a Two-Track configuration. Track 1 is hardware FIDO2 keys for administrators, finance, executives, and regulated-data handlers, sitting at AAL3. Track 2 is synced passkeys for the rest of the workforce, sitting at AAL2. Microsoft Entra ID P1 conditional access enforces the split per role assignment, not per user.

The 8 percent and 92 percent split holds across our SMB managed tenant base because privileged-role headcount in a typical Canadian SMB sits in the 6 to 12 percent band. The same configuration scales from 30 seats to 200 seats without architectural changes.

Across our managed tenant base we run roughly 18 tenants in the 5 to 25 band, 28 tenants in the 26 to 75 band, and 14 tenants in the 76 to 200 band on the Two-Track configuration.

The objection that comes up most often is that hardware-key MFA is enterprise-only. The Two-Track table above directly counters it. A 50-person Canadian business runs four hardware keys (owner, ops lead, finance lead, IT lead) at roughly 320 to 440 CAD all-in, plus Microsoft 365 Business Premium that the company likely already pays for. The hardware-key tier is small. The configuration is what makes it work.

For tenants ready to scope this against their existing Microsoft 365 environment and conditional access posture, Fusion Computing’s phishing-resistant MFA program covers the design and rollout end-to-end.

How do FIDO2 keys actually work in Microsoft 365 and Entra ID?

Microsoft 365 supports FIDO2 hardware keys through Entra ID conditional access policies. Setup takes five steps: enable the FIDO2 method in Entra authentication policies, scope the policy to a security group, register two keys per admin, set Temporary Access Pass for bootstrap, and require AAL3 on privileged-role sign-ins via conditional access.

  1. Enable FIDO2 in Entra authentication policies. Microsoft Entra admin center, Authentication methods, FIDO2 security key, set to Enabled, scope to All users initially or to a Privileged group for staged rollout.
  2. Scope conditional access to a security group. Create a Privileged Identity group containing administrators, finance, and executive roles. Apply a conditional access policy that requires Authentication Strength “Phishing-resistant MFA” on this group for all cloud apps.
  3. Register two keys per admin. Each privileged user enrolls a primary key (kept on-person) and a backup key (kept in a sealed envelope in a locked location). The backup-key pattern collapses lost-key downtime to near zero.
  4. Set a Temporary Access Pass for bootstrap. The first FIDO2 registration requires an existing strong sign-in. Issue a time-limited TAP that the user redeems while enrolling the keys, then the TAP expires and the FIDO2 registration is the new floor.
  5. Require AAL3 on privileged sign-ins. The final conditional access policy locks privileged-role activations and admin-portal access behind hardware FIDO2. Synced passkeys remain available on the workforce tier for everyday sign-in.

The full reference flow lives in the Microsoft Entra passkey documentation. For tenants on the lower-licensed tier without Entra ID P1, a simplified rollout still works on synced passkeys alone, which is closer to the general MFA rollout covered on the parent pillar.


Map Your Entra ID Licensing to a Phishing-Resistant Rollout

What does a FIDO2 and passkey deployment cost a Canadian SMB?

Canadian SMBs typically spend 70 to 110 CAD per YubiKey 5 unit through Canadian resellers like PC-Canada or CDW Canada. FIPS 140-3 variants run 130 to 160 CAD. Synced passkeys are zero incremental cost on Microsoft 365 Business Premium and on Apple or Google ecosystems. The hidden line item is recovery: lost keys cost 130 to 180 CAD per event including replacement, helpdesk time, and user downtime.

| Headcount | Hardware-key spend (Year 1) | Entra ID P1 delta | Recovery provisioning | 3-year total CAD |
|---|---|---|---|---|
| 25 employees | $280 to $440 (4 keys) | included in Business Premium | $200 per year | $880 to $1,040 |
| 50 employees | $420 to $660 (6 keys) | ~$8.30 per privileged seat per month | $300 per year | $1,920 to $2,460 |
| 75 employees | $560 to $880 (8 keys) | ~$8.30 per privileged seat per month | $390 per year | $2,720 to $3,470 |
| 100 employees | $840 to $1,320 (12 keys) | ~$8.30 per privileged seat per month | $600 per year | $3,840 to $4,920 |
| 200 employees | $1,680 to $2,640 (24 keys) | ~$8.30 per privileged seat per month | $1,200 per year | $7,560 to $9,720 |

Warning: YubiEnterprise gates SMBs out

Yubico’s YubiEnterprise Subscription program, which includes shipping logistics and replacement-on-loss coverage, is gated at 500-plus users. Most Canadian SMBs are below this floor and must source through Canadian resellers as standard purchases, then build the recovery model themselves. Plan accordingly.

The synced-passkey side of the math is straightforward. Microsoft 365 Business Premium tenants already pay for Authenticator and conditional access at the standard MFA strength tier. Apple and Google passkeys are zero-incremental on personal-device ecosystems. The FIDO Alliance passkey reference covers the synced-passkey ecosystem in depth.

The cost question is almost entirely about the hardware-key tier. Fusion Computing’s observed Q1 2026 CAD price band on YubiKey 5 NFC was 78 to 92 CAD through PC-Canada and 84 to 105 CAD through CDW Canada at quantity 25.

For tenants ready to build a vendor-neutral CAD budget with the actual Entra ID licensing delta, the readiness review is the right starting point.

What is the 90-day rollout for a Canadian SMB?

A typical Canadian SMB rollout fits 90 days. Days 1 to 14 cover discovery and procurement (Entra licensing audit, two keys per admin ordered). Days 15 to 30 pilot with admins and IT. Days 31 to 60 are workforce wave 1 on synced passkeys. Days 61 to 75 are wave 2 plus conditional access tuning. Days 76 to 90 deprecate SMS, rehearse recovery, and measure registration coverage.

Figure: 90-Day Phishing-Resistant MFA Rollout, Fusion Computing's typical Canadian SMB calendar in five phases. Discovery and procurement, days 1 to 14. Pilot with admins and IT, days 15 to 30. Workforce wave 1 on synced passkeys, days 31 to 60. Wave 2 plus conditional access tuning, days 61 to 75. SMS deprecation, recovery rehearsal, and coverage measurement, days 76 to 90. Source: Fusion Computing rollout calendar, Canadian SMB managed tenant base.

The rollout sequence matters as much as the tooling. Putting workforce wave 1 on synced passkeys before SMS deprecation gives users a working second factor on day one, which keeps helpdesk noise low. Conditional access tuning happens after wave 2 because the policy needs real sign-in telemetry to calibrate against.

The final two weeks deprecate SMS and rehearse the recovery flow with two tabletop exercises (lost key, lost device) that surface gaps before they become tickets. Across our last 12 SMB rollouts the median duration was 87 days. The slowest was 118 days, gated by an Entra ID P1 procurement delay on the privileged-tier conditional access policy.

Wave 1 overlaps best with a focused awareness-training window so users learn the new sign-in flow inside the same week. The user-side rollout playbook on the awareness-training spoke covers the training cadence Fusion Computing pairs with phishing-resistant MFA wave 1.


What happens when employees lose their FIDO2 key?

Across the Fusion Computing managed tenant base, roughly 3 to 5 percent of deployed FIDO2 keys are lost or destroyed per year. Each event costs 130 to 180 CAD all-in.

That figure includes replacement key, helpdesk recovery time, and user downtime. A 100-key fleet provisions 390 to 900 CAD per year for recovery. Pre-issuing two keys per admin from day one collapses user-downtime cost to near zero.

Field Note: Fusion recovery cost model

Lost-key events are a cost-of-doing-business line item, not a crisis. The recovery flow inside Fusion Computing client tenants takes 25 to 40 minutes of helpdesk time on average: revoke the lost key in Entra, register the backup key, issue a Temporary Access Pass if the backup is also unavailable, and update the user’s recovery information.

The pattern that breaks this is failing to pre-issue a second key. A user whose only key is lost while travelling sits at AAL2 maximum until physical replacement arrives, which on a Canadian SMB ground-shipping timeline is 2 to 4 business days. Across our 18-month rolling window we saw 11 lost keys across 287 deployed (3.8 percent annualized), with an average per-event cost of 156 CAD on the ticket-level reconciliation.

| Fleet size | Expected losses per year (3-5%) | Annual recovery cost CAD | Helpdesk hours | Backup ratio |
|---|---|---|---|---|
| 25 keys | 1 to 2 | $130 to $360 | 0.5 to 1.5 | 2 keys per admin |
| 50 keys | 2 to 3 | $260 to $540 | 1 to 2 | 2 keys per admin |
| 100 keys | 3 to 5 | $390 to $900 | 1.5 to 3.5 | 2 keys per admin + spare pool |
| 200 keys | 6 to 10 | $780 to $1,800 | 3 to 7 | 2 keys per admin + 5 percent spare pool |

Recovery hygiene runs parallel to credential hygiene generally. The Fusion credential backup discipline playbook on the password-security spoke covers the same posture for password-manager vaults, recovery codes, and emergency access accounts.

Where do FIDO2 and passkey choices fit Canadian compliance and cyber insurance?

Canadian compliance treats phishing-resistant MFA as a baseline expectation. PIPEDA Principle 4.7 requires reasonable safeguards proportionate to sensitivity. Quebec Law 25 mirrors this. Ontario PHIPA mandates MFA explicitly for electronic health records. Bill C-8, currently in Parliament, requires phishing-resistant MFA for designated critical-cyber-systems operators. Canadian cyber-insurance carriers in 2026 commonly require phishing-resistant MFA on privileged accounts as a coverage condition.

| Framework | Trigger | Phishing-resistant MFA expectation | Hardware FIDO2 fit | Synced passkey fit |
|---|---|---|---|---|
| PIPEDA | Personal information of Canadians | Reasonable safeguards (Principle 4.7) | Yes (privileged tier) | Yes (workforce tier) |
| Quebec Law 25 | Personal info of Quebec residents | Reasonable measures + breach notification | Yes (privileged tier) | Yes (workforce tier) |
| Ontario PHIPA | Electronic health records | MFA mandated for clinical access | Yes (clinician tier) | Yes (admin staff) |
| Bill C-8 | Designated critical-cyber operators | Phishing-resistant MFA explicit | Yes (privileged + workforce) | Workforce only |
| Cyber insurance | Underwriter clause | Privileged-account phishing-resistant MFA | Yes (privileged tier) | Workforce tier (varies) |

Action: Confirm your underwriter clause first

Cyber-insurance MFA clauses vary across Canadian carriers in 2026. Some accept synced passkeys on all roles; some require hardware FIDO2 on privileged accounts; a few require hardware on every account that touches client data. Pull the clause out of your current policy and confirm with your broker before locking the rollout calendar. The 30 minutes saves a re-rollout later.

Bill C-8 is the moving piece. The bill is currently before Parliament and applies to designated critical-cyber-systems operators in finance, telecom, energy, and transportation. Most Canadian SMBs are not designated operators. Suppliers to designated operators commonly inherit the requirement through procurement clauses, which is the path most likely to bring Bill C-8 into a Canadian SMB’s scope.

Across the Canadian cyber-insurance carriers Fusion Computing clients renew with in 2026, 6 of 8 carriers require phishing-resistant MFA on privileged accounts as a coverage condition.

For full PIPEDA depth and the Bill C-8 implementation question, the PIPEDA reasonable safeguards spoke covers the regulatory framing across the cybersec cluster.


Frequently asked questions

Are passkeys the same as FIDO2 keys?

No. FIDO2 is the authentication standard. A passkey is a credential built on FIDO2, stored either on a hardware key (device-bound) or synced through Apple, Google, or Microsoft accounts. Hardware FIDO2 keys are passkeys; not all passkeys are hardware keys. The distinction matters because NIST SP 800-63B Rev 4 permits synced passkeys at AAL2 only, while hardware FIDO2 keys qualify at AAL3.

What is the difference between a synced passkey and a device-bound passkey?

A synced passkey is exportable across devices through a cloud sync fabric (iCloud Keychain, Google Password Manager, Microsoft Authenticator). A device-bound passkey lives on one specific device with non-exportable keys. NIST permits synced passkeys at AAL2 only; AAL3 requires device-bound or hardware FIDO2. For a Canadian SMB workforce, synced passkeys handle most accounts; device-bound or hardware-key versions cover the privileged tier.

How much does a YubiKey cost in Canadian dollars?

Canadian resellers price YubiKey 5 series at 70 to 110 CAD per unit in Q1 2026. FIPS 140-3 variants run 130 to 160 CAD. Yubico’s storefront displays USD even for Canadian-IP visits, and YubiEnterprise Subscription is gated at 500-plus users, locking out most Canadian SMBs. PC-Canada and CDW Canada are the two Canadian resellers most Fusion Computing clients use for YubiKey procurement at quantities under 50.

Do passkeys satisfy Canadian cyber-insurance MFA requirements?

Most Canadian cyber-insurance carriers in 2026 accept phishing-resistant MFA on privileged accounts as the coverage condition. Synced passkeys typically qualify on general workforce accounts. Hardware FIDO2 keys are commonly required on admin and privileged-role accounts. Always confirm the specific clause with your underwriter before rollout, because the clause language varies across carriers and a re-rollout is more expensive than a 30-minute clause check.

How long does a FIDO2 and passkey rollout take for a Canadian SMB?

The Fusion Computing 90-day calendar is typical: 14 days discovery and procurement, 15 days pilot, 30 days workforce wave 1 on synced passkeys, 15 days wave 2 plus conditional access tuning, 15 days SMS deprecation and recovery rehearsal. Rollouts under 25 employees often compress to 60 days. Rollouts above 100 employees stretch to 120 days when conditional access policies need staged tuning across business units.

What happens when an employee loses their YubiKey?

Across the Fusion Computing managed tenant base, 3 to 5 percent of deployed keys are lost per year. Each event costs 130 to 180 CAD including replacement, helpdesk time, and user downtime. The pre-issued backup-key pattern (two keys per admin) collapses downtime to near zero because the user falls back to the second key while a replacement is procured. Replacement-only spend on a 100-key fleet runs 390 to 900 CAD per year.

Can we mix hardware keys and passkeys in the same tenant?

Yes. The Fusion Two-Track pattern runs roughly 8 percent of headcount on hardware FIDO2 keys at AAL3 (administrators, finance, executives) and the remaining 92 percent on synced passkeys at AAL2 (general workforce). Microsoft Entra ID P1 conditional access enforces the split per role assignment. The configuration scales from 30 seats to 200 seats without architectural changes, which is the reason Two-Track is the consistent winner across our SMB tenant base.

Does Bill C-8 require FIDO2 keys for Canadian businesses?

Bill C-8, currently before Parliament, requires phishing-resistant MFA for designated critical-cyber-systems operators in finance, telecom, energy, and transportation. Most Canadian SMBs are not designated operators. Suppliers to designated operators commonly inherit the requirement through procurement clauses, which is the most common path that brings Bill C-8 scope into a Canadian SMB. Verify your customer contract scope and any flow-down security clauses before assuming the bill does not apply.

Are SMS one-time codes still acceptable as MFA?

Cyber Centre Canada deprecates SMS and voice-call OTPs because Adversary-in-the-Middle attacks defeat them. ITSM.30.031 recommends FIDO2 keys, passkeys, or Windows Hello for Business by default. SMS remains better than no second factor and may persist as a fallback during a 90-day rollout, but is not phishing-resistant and should not survive the SMS deprecation week of the rollout calendar.

What is AAL3 and do Canadian SMBs need it?

AAL3 is NIST’s highest Authenticator Assurance Level, requiring non-exportable cryptographic keys (hardware FIDO2 or device-bound platform passkey) plus verifier impersonation resistance. Most Canadian SMB workforce accounts run safely at AAL2 with synced passkeys. Privileged accounts, regulated-data handlers, and designated-operator roles benefit from AAL3, which in practice means the 8 to 12 percent of headcount that operates on the hardware-key tier of the Two-Track pattern.

What is the realistic per-quarter helpdesk burden of lost FIDO2 keys?

Across the Fusion Computing managed-tenant fleet we observe a 3 to 5 percent annual lost-key rate. For a 100-key deployment that is 3 to 5 events per year. The all-in cost per event runs $130 to $180 CAD: replacement key, helpdesk recovery time, and brief user downtime. Pre-issuing two keys per admin from day one cuts user downtime to near zero, so the visible cost lands almost entirely on the helpdesk line. Budget $400 to $900 CAD per year for a 100-key fleet.

Do we need YubiEnterprise Subscription, or can we just buy keys directly?

YubiEnterprise Subscription is gated at 500 or more users, which excludes every Canadian SMB in our practice band. The right path for a 25 to 150 user shop is direct procurement through Canadian resellers. PC-Canada and CDW Canada both stock YubiKey 5C NFC at $70 to $110 CAD per unit; FIPS variants run $130 to $160 CAD. Bulk discount thresholds kick in at 50 keys. We size the order at 2 keys per privileged user plus one centrally held backup pool of 5 to 10 spare keys.

Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.

93% of issues resolved on the first call. Named one of Canada’s 50 Best Managed IT Companies two years running.

100 King Street West, Suite 5700
Toronto, ON M5X 1C7
(416) 566-2845
1 888 541 1611