Identity is the new perimeter
With infrastructure scattered across SaaS and cloud, the firewall no longer defines your boundary — identity does. The overwhelming majority of intrusions begin with a valid credential, not a clever exploit.
Not all MFA is equal
- SMS / email codes — better than nothing, but phishable and SIM-swappable.
- TOTP authenticator apps — solid, but still phishable via real-time relay.
- Push with number matching — defeats blind push-bombing.
- Phishing-resistant (FIDO2 / passkeys / hardware keys) — the goal. Cryptographically bound to the origin, so a fake login page gets nothing.
Push privileged accounts to phishing-resistant factors first.
Beyond the login
- Session security. Short-lived sessions, re-auth for sensitive actions, and revocation on risk signals. A stolen session cookie bypasses MFA entirely.
- Conditional access. Risk-based policies: block impossible-travel logins, step up auth from unmanaged devices.
- Least privilege. Standing admin rights are a liability. Use just-in-time elevation that expires.
Kill the dead accounts
Dormant and orphaned accounts are pure attack surface with no business value. Run a monthly access review, disable accounts inactive for 30+ days, and deprovision on the same day someone leaves — not at the end of the quarter.
Hardening identity gives you more risk reduction per dollar than almost any other control.