Why authentication and identity security need a rethink

David Guest

Solution Architect & Technology Evangelist

Published: 19 March 2025

Authentication has come a long way, but so have attackers. Discover why it’s time to rethink identity security and the way we control access to resources.

Security experts have spent years pushing for stronger authentication measures, moving from passwords to multi-factor authentication (MFA) and, more recently, to phishing-resistant MFA.

Yet the threats keep evolving.

Attackers have found ways to bypass MFA, token theft is on the rise, and traditional access controls like VPNs come with their own risks.

It’s time to rethink secure authentication and take a smarter approach.

Why passwords remain a major cybersecurity risk

Despite efforts to move away from passwords, they remain one of the biggest cybersecurity vulnerabilities. Of the 600 million identity attacks Microsoft detects every day, 99% are password-based.

The reality is that weak, reused, or stolen credentials remain the easiest way for attackers to break in. And with upwards of 24 billion credentials available on the dark web, it’s rich pickings for cybercriminals with the ability to crack weak passwords in seconds.

“70% of weak passwords can be cracked in less than a second.” (JumpCloud)

Yes, we still live in a world where people use “password”, “123456”, or easily guessed personal details.

Easy to guess, simple to exploit.

Worse, the overwhelming number of passwords we manage every day creates password fatigue, leading many to reuse the same password across multiple accounts. If it’s compromised, then all linked accounts are suddenly at risk.

The good news is that awareness is growing. However, are people getting the right advice?

Changing passwords every 90 days is outdated thinking

Conventional wisdom has encouraged frequent password changes, but leading security agencies, including the National Cyber Security Centre (NCSC), Microsoft, the US Federal Trade Commission, and NIST, now advise against it.

Instead, they recommend:

  • Creating strong, unique passwords of at least 12 characters.
  • Only changing passwords when they are compromised.

But even with strong passwords, vulnerabilities remain, which is why we strongly advocate the move towards passwordless authentication and a more holistic approach to managing secure access.


Why MFA is good but fallible to modern identity threats

MFA is becoming increasingly commonplace within organisations. Indeed, Microsoft reported at Kocho’s recent Identity Roadshow that 41% of their enterprise customers have now adopted it fully.

That’s a positive step. But MFA isn’t a silver bullet solution.

Attackers are evolving. Advanced phishing techniques, such as token theft and adversary-in-the-middle (AiTM) attacks, are specifically designed to bypass MFA. These threats aren’t new, but they are becoming more sophisticated, automated, and alarmingly effective.

Take token theft, for example. Cybercriminals no longer need passwords; they hijack session tokens to bypass authentication entirely. AiTM phishing proxies go a step further, tricking users into handing over credentials and MFA codes in real time.

And the scale of these attacks is growing fast. In 2024, Microsoft recorded:

  • 39,000 token theft incidents daily
  • A 146% increase in AiTM phishing attacks

While authentication remains a critical security control, it needs to be part of a wider identity security strategy.

Putting identity at the heart of your cybersecurity initiatives

Modern identity security means addressing not just user authentication but also the broader attack surface, including applications, infrastructure, and authentication flows.

This requires:

  • Continuous monitoring to detect and respond to suspicious activity
  • Intelligent access controls that dynamically adjust risk based on real-time context
  • A shift towards passwordless authentication, such as passkeys, to further reduce exposure

By broadening the conversation beyond MFA and static authentication methods, organisations can build a more resilient security posture that adapts to new threats and changing environments.

Microsoft Entra’s unified framework for authentication, access, and protection

A modern approach to identity security requires a unified platform. Microsoft Entra provides a Zero Trust security framework that integrates authentication, access, and protection.

So, what does this look like?

Adaptive authentication and risk-based access controls

Attackers operate in real time, so authentication must adapt dynamically. Microsoft Entra ID enables organisations to implement intelligent authentication policies based on contextual risk signals, such as:

  • Is the login from a recognised device?
  • Is the login coming from an unusual location?
  • Is the behaviour typical for the user?
  • Is the network secure?

Using Conditional Access, organisations can fine-tune authentication requirements based on risk signals.

Conditional Access in action

With Conditional Access, organisations can apply adaptive security measures:

  • A login from a trusted device may allow seamless access.
  • An attempt from an unusual location may require additional verification.
  • A high-risk sign-in can be blocked entirely.

Risk can be further reduced through applying least privilege access, ensuring users only receive the permissions they need to perform their tasks.

This limits lateral movement if an account is compromised.

Beyond VPN: Secure remote access with Global Secure Access

Traditional VPNs have long been the standard for remote access, but they present security and operational challenges:

  • A single compromised VPN credential can provide attackers with unrestricted network access.
  • VPNs create operational bottlenecks and lack visibility into user activity.

Identity-centric access: A modern alternative

Instead of network location-based access, a Zero Trust model prioritises identity-based remote access. Microsoft Entra’s Global Secure Access suite ensures:

  • Identity-aware, application-specific access
  • Verification of user identity and device trust before granting access
  • Reduced attack surface and limited lateral movement

It takes identity and access security beyond the outdated model of network perimeters, embracing the principles of Zero Trust and ensuring that remote access is secure, scalable, and designed for the way we work today.

Continuous identity protection and threat monitoring

It’s amazing how many organisations overlook the power of Microsoft Entra Identity Protection, the hidden gem within Entra that detects and mitigates identity-based threats before an attack escalates.

Cybercriminals often test stolen credentials over time, searching for gaps in security. Identity Protection mitigates this by:

  • Analysing login behaviours to identify anomalies.
  • Assigning risk scores to users and sign-in attempts.
  • Applying automated mitigations (e.g., requiring additional authentication).

It’s a vital function in your overall identity security posture.

A stolen credential by itself doesn’t raise an alarm unless there’s a system in place to detect unusual access behaviour.

Identity Protection helps security teams detect compromised accounts, apply additional authentication when necessary, and mitigate threats before they lead to a breach.

Security without friction: balancing protection and usability

Security shouldn’t slow users down.

One of the biggest challenges in authentication is balancing security with usability. If authentication processes are too complex, users find workarounds, leading to:

  • Increased IT support tickets.
  • Users storing passwords insecurely.
  • Risky behaviours that weaken security.

Apply friction only when necessary

Not every login requires the same level of scrutiny. Adaptive authentication ensures low-risk logins remain seamless while high-risk attempts trigger additional verification, striking the right balance between security and efficiency.

Rethinking authentication for a smarter, secure future

Authentication alone is no longer enough. To stay ahead of evolving threats, organisations must:

  • Move beyond passwords to phishing-resistant MFA.
  • Implement adaptive authentication and Conditional Access.
  • Transition from VPNs to more secure identity-based remote access.
  • Leverage Identity Protection for continuous monitoring and threat detection.

Of course, security shouldn’t (and needn’t) come at the cost of productivity.

By adopting an intelligent, holistic approach with Microsoft Entra, organisations can strengthen authentication while maintaining a seamless user experience.

The time has come to rethink authentication and build a more resilient security strategy designed around users and modern working, and equipped to push back against today’s threats.

Key takeaways

  • Passwords remain a top security risk due to weak, reused, and stolen credentials.

  • MFA helps but is increasingly bypassed by advanced attacks like token theft.

  • Passwordless authentication, like passkeys, reduces exposure and strengthens security.

  • Identity security must protect users, apps, infrastructure, and access flows.

  • Microsoft Entra enables adaptive, risk-based authentication to block high-risk sign-ins.

  • Identity-based access replaces outdated VPNs for safer, scalable remote access.

  • Microsoft Entra Identity Protection detects and mitigates compromised accounts early.

Author

David Guest

Solution Architect & Technology Evangelist

David is responsible for developing identity, Microsoft 365 security, and other cloud service solutions – and keeping our clients abreast of the latest technology trends.
