
Microsoft: Phishing-Resistant MFA Stops 99%+ of Identity Attacks

Research · Microsoft · Oct 2025

Microsoft's Digital Defense Report confirms that phishing-resistant MFA (FIDO2/passkeys) stops over 99% of identity attacks. 97% of identity attacks are password spray.

Key Finding

Over 90% of 15.9B account creation requests in H1 2025 were bots. Lumma Stealer is the most prevalent infostealer.

Microsoft's Digital Defense Report 2025 provides telemetry-scale data on the identity threat landscape. With visibility across billions of daily authentication events, their findings carry significant weight.

The headline number: phishing-resistant MFA, specifically FIDO2 security keys and passkeys, stops over 99% of identity attacks. This is not a theoretical projection. It is measured effectiveness against real attacks observed across Microsoft's authentication infrastructure.

The attack landscape data is equally informative:

- 97% of identity attacks were password spray attacks
- Identity-based attacks surged 32% in H1 2025
- Over 90% of 15.9 billion account creation requests in H1 2025 were from bots
- Lumma Stealer was the most prevalent infostealer from October 2024 to October 2025

The 99%+ effectiveness of phishing-resistant MFA presents a clear architectural direction. While no single control is perfect, FIDO2/passkeys represent the most impactful identity security control available today. The challenge is deployment. Most organizations still rely on SMS, push notifications, or OTP-based MFA that can be bypassed through social engineering, SIM swapping, or MFA fatigue attacks.

For identity architects, Microsoft's data provides an evidence-based case for prioritizing phishing-resistant MFA deployment. CISA's guidance aligns: FIDO/WebAuthn is the only widely available phishing-resistant authentication standard. The data is clear. The solution exists. The remaining challenge is architectural will and implementation discipline.
