Identity is the new perimeter

With infrastructure scattered across SaaS and cloud, the firewall no longer defines your boundary — identity does. The overwhelming majority of intrusions begin with a valid credential, not a clever exploit.

Not all MFA is equal

  1. SMS / email codes — better than nothing, but phishable and SIM-swappable.
  2. TOTP authenticator apps — solid, but still phishable via real-time relay.
  3. Push with number matching — defeats blind push-bombing.
  4. Phishing-resistant (FIDO2 / passkeys / hardware keys) — the goal. Cryptographically bound to the origin, so a fake login page gets nothing.

Push privileged accounts to phishing-resistant factors first.

Beyond the login

  • Session security. Short-lived sessions, re-auth for sensitive actions, and revocation on risk signals. A stolen session cookie bypasses MFA entirely.
  • Conditional access. Risk-based policies: block impossible-travel logins, step up auth from unmanaged devices.
  • Least privilege. Standing admin rights are a liability. Use just-in-time elevation that expires.

Kill the dead accounts

Dormant and orphaned accounts are pure attack surface with no business value. Run a monthly access review, disable accounts inactive for 30+ days, and deprovision on the same day someone leaves — not at the end of the quarter.

Hardening identity gives you more risk reduction per dollar than almost any other control.