Your Entra ID OTP tokens are still phishable. Hardware-bound FIDO2 keys aren't.
YOUR EVALUATION KIT
2 × FIDO2 Security Keys
Free to evaluate
Passkeys are the direction. Where your credential lives decides how strong it is.
OTP token vs. hardware-bound FIDO2 key
Both work with Entra ID. Only one removes what attackers target.
| Property | OTP token | FIDO2 key |
|---|---|---|
| Resists real-time relay (adversary-in-the-middle) phishing | ||
| No code for a person to read, type, or mistype | ||
| No shared secret stored on a verification server | ||
| Credential cannot be copied or exported from the device | ||
| Recognized as phishing-resistant by CISA and NIST | ||
| Meets NIST's highest assurance level (AAL3) | ||
| Works natively with Microsoft Entra ID |
If you already issue OTP tokens, you are most of the way there.
Your users already carry an authenticator and have the routine of using it. Switching to FIDO2 keys keeps the habit and removes the phishable code. A small team can roll it out in phases.
Sample and test
Provision
Roll out by risk
Retire the fallback
The Provisioning Tool
KeyProvision for Entra ID: enroll the users who can't enroll themselves
Self-registration works for technical staff. It leaves gaps for shared-workstation, deskless, and less-technical users. KeyProvision lets your admins pre-provision FIDO2 keys directly to Entra ID accounts, so a labeled key reaches each person ready to use, with no help-desk ticket and no exposed setup step.
Pre-register keys to accounts from one console
Enforce phishing-resistant MFA with FIDO2
Built for Microsoft Entra ID, no identity platform to replace
KeyProvision · Entra ID
Why teams choose FEITIAN
Request your 2 free FIDO2 sample keys.
Tell us a little about your environment and we'll ship two keys to evaluate with Entra ID. No cost, no obligation.
FAQs
How many keys can we get, and what does it cost?
The evaluation is two keys at no cost. For rollouts, we recommend two keys per user (a primary and a backup). Planning 100 or more? Our team will share volume pricing and deployment support.
Which form factors are available?
USB-A, USB-C, and NFC, plus biometric options. You can mix models across roles, and NFC keys work well with tap-based sign-in on shared devices.
What about users who cannot register a key themselves?
That is exactly what KeyProvision handles. Admins pre-provision keys to Entra ID accounts, so shared-workstation, deskless, and less-technical staff receive a key that is ready to use.
How are hardware keys different from synced passkeys?
Synced passkeys live on a phone or laptop and sync through a personal account. Hardware-bound keys keep the credential on the device where it cannot be synced or copied, which is why they meet AAL3 and suit privileged and shared roles. Most organizations use both.

