People may read this article and think Smartcard, FIDO or Windows Hello are the only ways to guard against channel jacking or real-time phishing.
However, using Azure Conditional Access with any one of these configurations will also successfully prevent both channel jacking and real-time phishing:
1) Intune enrollment
2) IP fencing
3) Hybrid Domain Join
4) Certificate Based Auth with MCAS
Each of these is coercion-proof as well. Just wanted to make sure that anyone new to this understands those mentioned in the article are not the only options.
Also, for a large enterprise rollout, I wouldn't advocate Smartcards because they are only compatible with ADFS, and we are trying to move people to Azure AD.
FIDO is a great future option for many orgs, but as of today (I just checked this) you can't sign into Office 365 with a security key as your default authenticator (yet).
What I mean by that is if you go to myprofile.microsoft.com and select your default authenticator, you can only select "Authenticator App OR hardware token." You currently cannot select "hardware token only" as your 2nd factor. This is significant because in the scenario where you had to *guarantee* against channel jacking and real-time phishing, you couldn't do that today (yet) with a FIDO2 token, because the attacker has the option of signing in with the OTP, which is hackable through coercion.

The only coercion-proof methods were not mentioned in this article, because they aren't authenticators in the academic sense; instead, they rely on Azure Conditional Access to check for one of the four methods I cited above (Intune Compliance, IP Fencing, Hybrid Domain Join or CBA via MCAS).

Hope this helps bring clarity for those who are trying to find practical ways to guard against these attacks. My advice is to find a Microsoft Partner who can help you find the best solution to fit your business, technical, and security goals and objectives.
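As an added illustration (not part of the comment above), this is a Microsoft Graph `conditionalAccessPolicy` request body that expresses three of the four configurations the commenter lists in one policy: it applies to every sign-in from outside the tenant's trusted named locations (IP fencing) and grants access only if the device is Intune-compliant or hybrid Azure AD joined, so a session token replayed from an attacker's unmanaged machine is refused. The `displayName` and the excluded break-glass account are placeholders; CBA via MCAS is a separate session control and is not modeled here.

```json
{
  "displayName": "Require managed device outside trusted IPs (example)",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "clientAppTypes": ["all"],
    "applications": { "includeApplications": ["All"] },
    "users": {
      "includeUsers": ["All"],
      "excludeUsers": ["<break-glass-account-object-id>"]
    },
    "locations": {
      "includeLocations": ["All"],
      "excludeLocations": ["AllTrusted"]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": ["compliantDevice", "domainJoinedDevice"]
  }
}
```

POST this to `https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies`; the report-only state lets you review the sign-in log impact before switching `state` to `enabled`.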