MFA & Identity Hardening

Identity is the new perimeter — most breaches start with a stolen or phished credential. Here's how to make accounts genuinely hard to take over, not just "MFA-enabled."

Updated June 2026 · ~7 min read
What's inside
  1. Why identity is the target
  2. Not all MFA is equal
  3. Phishing-resistant MFA
  4. Conditional access
  5. Least privilege & RBAC
  6. Non-human identities
  7. Rollout checklist

1. Why identity is the target

Attackers don't break in anymore — they log in. Phished passwords, credential stuffing, session-token theft and MFA-fatigue attacks all aim at one thing: a valid identity. Once they have it, they look legitimate to most defenses. Hardening identity is therefore the highest-leverage security investment most organizations can make.

2. Not all MFA is equal

"We have MFA" can mean anything from genuinely strong to trivially bypassable. Ranked from strongest to weakest:

Method                           | Strength  | Notes
FIDO2 / passkeys / hardware keys | Strongest | Phishing-resistant by design: the credential is bound to the origin it was registered on
Authenticator app (TOTP)         | Good      | Solid, but codes can be phished and relayed in real time
Push approval                    | Good*     | Strong with number-matching; weak to MFA-fatigue (prompt bombing) without it
SMS / email codes                | Weak      | SIM-swap and interception; avoid for anything sensitive
The takeaway. Push past "MFA enabled" to phishing-resistant MFA on your crown-jewel accounts — admins, email, VPN, identity provider. SMS is better than nothing but shouldn't guard anything that matters.

3. Go phishing-resistant where it counts

  • Passkeys / FIDO2 hardware keys for administrators and anyone with access to production or customer data.
  • Number-matching on push so a user can't reflexively approve an attacker's prompt.
  • Kill SMS fallback for privileged accounts — a fallback is only as strong as its weakest method.
  • Protect the recovery path. Account-recovery flows are a favorite bypass — secure them as carefully as login.
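The difference between "phishable" and "phishing-resistant" in the table above comes down to what the server can actually check. The following is an added example written for this guide (it is not code from the page or from the Kaimz platform) that puts the two side by side: an RFC 6238 TOTP verifier, which has no way to know who submitted a code or from where, and the origin and RP-ID checks from the WebAuthn assertion procedure, which fail the moment the browser was on a look-alike origin. The hostnames, secret, challenge and authenticator data are constructed, and public-key signature verification is deliberately left out so the binding logic is the only thing on screen.

```python
"""Added example: why a TOTP code is phishable while a FIDO2 assertion is not.

All inputs are constructed for illustration; the hostnames, secret and
challenge are not from any real deployment.
"""
import base64
import hashlib
import hmac
import json
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix_time // step."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Server-side TOTP check allowing +/- `window` time steps of clock skew.

    Nothing about the submitter is an input: the server cannot tell a code
    typed by the user from one captured on a look-alike page and relayed
    seconds later by an attacker-in-the-middle.
    """
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + k), code)
               for k in range(-window, window + 1))


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def check_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                            expected_origin: str, rp_id: str,
                            expected_challenge: bytes) -> tuple[bool, str]:
    """The origin / RP-ID checks from the WebAuthn assertion verification steps.

    The browser, not the user, fills clientDataJSON.origin, and the
    authenticator's signature covers SHA-256(clientDataJSON) together with
    authenticatorData, whose first 32 bytes are SHA-256(rpId). A page at any
    other origin therefore cannot obtain an assertion that passes these checks,
    however fast it relays. Public-key signature verification is omitted here;
    in a real verifier it follows these checks and is mandatory.
    """
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "type"
    if not hmac.compare_digest(_b64url_decode(cd.get("challenge", "")), expected_challenge):
        return False, "challenge"
    if cd.get("origin") != expected_origin:
        return False, "origin"
    if not hmac.compare_digest(authenticator_data[:32], hashlib.sha256(rp_id.encode()).digest()):
        return False, "rpIdHash"
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        return False, "user presence"
    return True, "ok"


def demo() -> dict:
    # Constructed inputs: the RFC 6238 test secret, a fixed timestamp, a fixed challenge.
    secret = b"12345678901234567890"
    now = 1_700_000_000
    code = totp(secret, now)
    # Attacker captures the code on a look-alike site and submits it 10 s later.
    relayed_totp_accepted = verify_totp(secret, code, now + 10)

    rp_id, origin = "login.example.com", "https://login.example.com"
    challenge = hashlib.sha256(b"per-login random challenge").digest()
    # authenticatorData = rpIdHash (32) + flags (1, UP set) + signCount (4)
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (0).to_bytes(4, "big")

    def client_data(origin_seen_by_browser: str) -> bytes:
        chal = base64.urlsafe_b64encode(challenge).rstrip(b"=").decode()
        return json.dumps({"type": "webauthn.get", "challenge": chal,
                           "origin": origin_seen_by_browser}).encode()

    legit = check_assertion_binding(client_data(origin), auth_data, origin, rp_id, challenge)
    # Same authenticator, same challenge, but the user was on a look-alike origin.
    phished = check_assertion_binding(client_data("https://login-example.com"),
                                      auth_data, origin, rp_id, challenge)
    return {"relayed_totp_accepted": relayed_totp_accepted, "legit": legit, "phished": phished}


if __name__ == "__main__":
    print(demo())
```

Running it shows the relayed TOTP code accepted (it even lands in the next 30-second step and is still inside the skew window), the genuine assertion passing, and the assertion from the look-alike origin rejected at the `origin` check before any signature is looked at. That rejection is what "bound to the origin" means in practice, and it is why number-matching or a shorter TOTP window can only narrow the relay window rather than close it.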

4. Add conditional access

MFA at login is a one-time gate. Conditional access makes trust continuous — evaluating context on every sensitive action:

  • Device posture — is the device managed, encrypted and healthy before it gets access?
  • Risk-based step-up — prompt for re-auth on new locations, impossible travel, or sensitive operations.
  • Endpoint step-up. Require a fresh prompt at the endpoint for RDP, sensitive processes or mapped drives — not just at the cloud-app boundary.
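To make the three bullets concrete, here is an added example (written for this guide, not taken from the page or from any vendor's product) of a small conditional-access evaluator: it replays login events per user, computes the great-circle distance and implied speed between consecutive logins, and returns allow, step-up or deny together with the reason. The 900 km/h travel threshold, the field names and the sample events are all constructed assumptions; a production policy engine would add more signals, but the evaluation order (device posture first, then risk, then sensitivity) is the point.

```python
"""Added example: a small conditional-access evaluator over login events."""
import math
from dataclasses import dataclass
from datetime import datetime

# Assumption, not a standard: anything faster than this between two logins is "impossible travel".
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: str            # ISO-8601, UTC
    lat: float
    lon: float
    managed_device: bool
    sensitive: bool    # admin console, RDP, production data, etc.


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def _epoch(ts: str) -> float:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def decide(prev: "LoginEvent | None", cur: LoginEvent) -> tuple[str, str]:
    """Return ('allow' | 'step_up' | 'deny', reason). Checks run in order of severity."""
    if not cur.managed_device:                      # device posture gate
        return "deny", "unmanaged device"
    if prev is not None:                            # risk signal: impossible travel
        hours = (_epoch(cur.ts) - _epoch(prev.ts)) / 3600
        km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
        if km > 0 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            return "step_up", f"impossible travel: {km:.0f} km in {hours * 60:.0f} min"
    if cur.sensitive:                               # sensitive operation always re-prompts
        return "step_up", "sensitive operation"
    return "allow", "baseline"


def evaluate(events) -> list:
    """Replay events in time order, keeping the last non-denied login per user as the baseline."""
    last = {}
    out = []
    for e in sorted(events, key=lambda e: _epoch(e.ts)):
        verdict, reason = decide(last.get(e.user), e)
        out.append((e.user, e.ts, verdict, reason))
        if verdict != "deny":
            last[e.user] = e
    return out


# Constructed sample events; users and locations are illustrative only.
SAMPLE_EVENTS = [
    LoginEvent("alice", "2026-06-01T08:00:00Z", 51.5074, -0.1278, True, False),   # London
    LoginEvent("alice", "2026-06-01T08:05:00Z", 51.5074, -0.1278, True, True),    # London, admin console
    LoginEvent("alice", "2026-06-01T08:40:00Z", 40.7128, -74.0060, True, False),  # New York, 35 min later
    LoginEvent("bob",   "2026-06-01T09:00:00Z", 52.5200, 13.4050, False, False),  # Berlin, unmanaged laptop
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_EVENTS):
        print(*row)
```

Two design choices worth copying: a denied login never becomes the new baseline (otherwise an attacker's failed attempt would reset the travel reference), and the sensitive-operation rule fires on every matching event regardless of risk score, which is the continuous-trust behaviour the section describes rather than a single gate at sign-in.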

5. Least privilege & RBAC

Strong authentication still hurts if every account can do everything. Limit the blast radius:

  • Separate privileged accounts from daily-use accounts; no email/web browsing on admin identities.
  • Role-based access mapped to job function — grant the minimum, review quarterly.
  • Just-in-time elevation for admin tasks instead of standing privilege.
  • Fast offboarding. Deprovision access the day someone leaves — orphaned accounts are an easy way in.

6. Don't forget non-human identities

For every human user an organization typically has many non-human identities (NHIs): service accounts, API keys, OAuth tokens, certificates and other secrets. They rarely have MFA, often carry broad standing permissions, and are prime fuel for lateral movement.

  • Inventory them. You can't govern keys and service accounts you can't see — including ones sitting on endpoints.
  • Rotate and scope secrets; kill long-lived, over-privileged keys.
  • Watch for exposure — secrets in code, config, and logs are a constant leak source.
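The "watch for exposure" bullet is the one that most often gets automated, so here is an added example (written for this guide, not the page's or the Kaimz platform's code) of the two rule types such a scanner combines: format patterns for well-known token shapes, and a fallback entropy rule for `key=value` assignments whose key looks secret-ish. The sample config and log lines are constructed (the AWS key is the placeholder from AWS's own documentation); the entropy threshold is an assumption you would tune.

```python
"""Added example: scan text for exposed non-human-identity secrets."""
import math
import re
from collections import Counter

# Well-known token shapes. Anything not matched here falls through to the entropy rule.
FORMAT_PATTERNS = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github_pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")),
    ("private_key", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----")),
]
# key=value or key: value where the key looks secret-ish and the value is at least 16 chars.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|token|api[_-]?key)\w*\s*[=:]\s*['\"]?([^\s'\"]{16,})")
MIN_ENTROPY_BITS = 3.0     # assumption: tuned for hex/base64-style machine-generated secrets


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Never write the secret itself into a finding or a log."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_lines(lines) -> list:
    """Return (line_no, kind, redacted_value) for each finding."""
    findings = []
    for no, line in enumerate(lines, start=1):
        matched = False
        for kind, pat in FORMAT_PATTERNS:
            for m in pat.finditer(line):
                findings.append((no, kind, redact(m.group(0))))
                matched = True
        if matched:                 # a format hit already explains the line
            continue
        m = GENERIC_ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= MIN_ENTROPY_BITS:
            findings.append((no, "high_entropy_secret", redact(m.group(1))))
    return findings


# Constructed sample: a .env file plus one log line. None of these values are live credentials.
SAMPLE_LINES = [
    "# service config committed by mistake",
    "LOG_LEVEL=info",
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "DB_PASSWORD=summer2024",
    "API_KEY=a3f0c71e9b5d82466e2b1f7a9c5d3048",
    "GITHUB_TOKEN=ghp_" + "Ab1" * 12,
    '2026-06-01T10:00:00Z INFO headers={"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJl"}',
    "-----BEGIN RSA PRIVATE KEY-----",
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LINES):
        print(finding)
```

Note the miss on line 4: `DB_PASSWORD=summer2024` is a real leak but too short and too low-entropy for the generic rule, which is why scanners of this kind are a detective control on top of inventory and rotation, not a substitute for them. Also note that the JWT on line 7 came from a log, not from code: request headers written to logs are one of the leak sources the bullet names.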

7. Rollout checklist

  • Phishing-resistant MFA on all admin, email, VPN and IdP accounts.
  • Number-matching enabled; SMS fallback removed for privileged users.
  • Conditional access tied to device posture + risk signals.
  • Separate privileged accounts; RBAC mapped and reviewed quarterly.
  • Offboarding deprovisions access same-day.
  • Non-human identities inventoried, scoped and rotated.
  • Alerting on identity anomalies — impossible travel, new admin, brute force.
How Kaimz helps. Identity is built into the platform — TOTP MFA, conditional access, granular RBAC, endpoint step-up MFA (prompt at the host for RDP/sensitive processes), and a non-human-identity inventory that surfaces keys, tokens and service accounts straight from the endpoint.