Commit 08885c6

Update 3-design-for-azure-active-directory.md
1 parent 54cc5f1 commit 08885c6

1 file changed

Lines changed: 1 addition & 1 deletion

learn-pr/wwl-azure/design-authentication-authorization-solutions/includes/3-design-for-azure-active-directory.md

@@ -30,7 +30,7 @@ Tailwind Traders plans to use Microsoft Entra ID in its identity management solu
3030

3131
- **Consider limiting account synchronization**. Don't synchronize accounts to Active Directory that have high privileges in your existing Microsoft Entra Tailwind Traders instance. By default, Microsoft Entra Connect filters out these high privileged accounts. This configuration mitigates the risk of adversaries pivoting from cloud to on-premises assets (which could result in a major incident).
3232

33-
- **Consider password hash synchronization**. Enable [password hash synchronization](/azure/active-directory/hybrid/whatis-phs) to sync user password hashes from on-premises to a cloud-based Microsoft Entra instance. This sync helps to protect Tailwind Traders against leaked credentials being replayed from previous sign-ins.
33+
- **Consider phishing-resistant authentication methods**. Microsoft recommends designing passwordless phishing-resistant credentials, like security keys and passkeys. These methods use origin-bound public-key cryptography and satisfy MFA in a single step.
3434

3535
- **Consider single sign-on (SSO)**. Enable SSO to reduce the need for multiple passwords. Multiple passwords increase the likelihood of users reusing passwords or using weak passwords. With SSO, users provide their primary work or school account for their domain-joined devices and company resources. Their application access can be automatically provisioned (or deprovisioned) based on their Tailwind Traders organization group memberships and their status as an employee.
3636
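Review bot: The new bullet at line 33 drops the only documentation link in this list (the removed line linked [password hash synchronization](/azure/active-directory/hybrid/whatis-phs)); give the phishing-resistant bullet a link to the corresponding passkey and security key documentation so readers have the same path to detail. The change also replaces the password hash synchronization guidance instead of adding the new bullet beside it, so the list loses the leaked-credential protection rationale for the hybrid setup the neighbouring bullets describe (Microsoft Entra Connect account filtering at line 31), and the commit message "Update 3-design-for-azure-active-directory.md" gives no reason for the removal; either keep both bullets or state in the commit message why hash synchronization is no longer recommended here.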
