Attackers don't usually break the lock — they get the key. Stolen passwords, fake login pages, and old accounts that nobody removed when someone left the company. We tighten up how your team signs in, make those logins phishing-proof, and shut down access the same day someone walks out the door.
All of these technically count as 'MFA' for an auditor. They are not equivalent in the field.
| Property | SMS code | TOTP app | Push approval | Passkey (FIDO2) | Hardware token |
|---|---|---|---|---|---|
| Phishing-resistant | No | No | No | Yes | Yes |
| MFA-fatigue resistant | N/A | Yes | No | Yes | Yes |
| SIM-swap resistant | No | Yes | Yes | Yes | Yes |
| User experience cost | Low | Medium | Low | Low (after setup) | Medium |
| Recovery / lost-factor cost | Low | Medium | Medium | Medium | High |
| Regulatory acceptance | Yes (declining) | Yes | Yes | Yes (preferred) | Yes |
Tenant configuration, app integration plan, conditional access policy set tuned to your industry's risk profile.
Risk-based, location-aware, device-aware. Compliant mobile + managed device required for sensitive apps. Block-by-default with exceptions you can audit.
No-disruption pilot, then broaden. Passkeys first for admins, then privileged users, then everyone — over 90 days, not 90 minutes.
Most environments have 800 groups and 12 that are actually used. We rebuild the model around your real org chart.
Termination in your HRIS triggers access revocation within 15 minutes — across every SSO-connected app and most of the SaaS that isn't.
Documented, drilled emergency accounts that work when Entra ID itself is down. Auditors check for this; most firms don't have it.
MFA rollouts go wrong when they move fast. We measure twice.
Inventory every account, every app, every authentication path. Find the service accounts still authenticating over NTLM that nobody remembers creating.
Two weeks with a hand-picked group. Document every confusion, every recovery scenario. Update training before the broad rollout.
Policies enforce nothing yet — they just log what they would have blocked. Two weeks of report-only mode catches edge cases.
Move from log-only to enforce in tranches. Admins get passkey-mandated first. Standard users next.
Every group, every privileged role, every external collaborator gets re-justified by an owner. Stale access decays by default.
Identity is the highest-density control area in every framework. The same program checks every box.
Goal: every admin uses a sign-in method that can't be tricked, like a passkey.
From the moment HR marks someone as terminated, all their access is gone.
Accounts no one has signed into for 90+ days. We chase them down.
What share of your staff have admin powers. Most firms have too many.
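As an added illustration (not part of this page's service offering or any vendor's tooling), here is how the report-only pass, the 90-day stale-account check and the admin-share metric above can be computed from a sign-in export. The users, methods and timestamps are constructed sample data, and the field names are assumptions about what an identity provider's export contains.

```python
from datetime import datetime, timedelta

# Methods the comparison table rates as phishing-resistant.
PHISHING_RESISTANT = {"passkey", "hardware_token"}

# Constructed sample sign-in export (hypothetical users, not tenant data):
# one row per sign-in, with the user's role and the MFA method that completed it.
SIGNINS = [
    {"user": "alice", "admin": True,  "method": "passkey",        "at": "2026-03-01T09:00:00"},
    {"user": "bob",   "admin": True,  "method": "push",           "at": "2026-03-02T10:15:00"},
    {"user": "carol", "admin": False, "method": "totp",           "at": "2026-02-28T08:30:00"},
    {"user": "dave",  "admin": False, "method": "sms",            "at": "2025-10-01T12:00:00"},
    {"user": "erin",  "admin": True,  "method": "sms",            "at": "2026-03-03T07:45:00"},
    {"user": "bob",   "admin": True,  "method": "hardware_token", "at": "2026-03-03T16:00:00"},
]
NOW = datetime(2026, 3, 4)  # constructed "current" time for the stale check

def report_only_admin_policy(signins):
    """Report-only pass of the policy 'admins must use a phishing-resistant method'.
    Nothing is blocked; each sign-in is tagged with what enforcement would have done."""
    decisions = []
    for s in signins:
        if s["admin"] and s["method"] not in PHISHING_RESISTANT:
            decisions.append((s["user"], s["method"], "would_block"))
        else:
            decisions.append((s["user"], s["method"], "allow"))
    return decisions

def stale_accounts(signins, now, days=90):
    """Users whose most recent sign-in is older than `days` (the 90-day bar above)."""
    last_seen = {}
    for s in signins:
        t = datetime.fromisoformat(s["at"])
        last_seen[s["user"]] = max(t, last_seen.get(s["user"], t))
    cutoff = now - timedelta(days=days)
    return sorted(u for u, t in last_seen.items() if t < cutoff)

def admin_share(signins):
    """Fraction of distinct users holding an admin role."""
    roles = {s["user"]: s["admin"] for s in signins}
    return sum(roles.values()) / len(roles)

if __name__ == "__main__":
    for user, method, verdict in report_only_admin_policy(SIGNINS):
        print(f"{user:6} {method:15} {verdict}")
    print("stale accounts:", stale_accounts(SIGNINS, NOW))
    print(f"admin share: {admin_share(SIGNINS):.0%}")
```

Run against a real export, the `would_block` rows are the list to work through before flipping the policy to enforce.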
It depends on the factor. SMS MFA and push approvals are routinely bypassed in 2026 — by SIM-swap, by fatigue, by adversary-in-the-middle proxies. Phishing-resistant MFA (passkeys, FIDO2) is the only factor class that resists modern phishing kits.
A passkey is a FIDO2 credential bound to a device (or a hardware key). It can't be phished because the user never sees a secret to type, and the credential is bound to the site's origin, so a look-alike login page gets nothing it can replay. It's the most significant authentication improvement in a decade and works on every modern platform and browser.
With us: termination in your HRIS triggers automated revocation in Entra/Okta within 15 minutes. Every SSO-connected app instantly. Non-SSO apps via SCIM where supported, runbook where not.
Yes. Most clients run hybrid — on-prem AD synchronized to Entra ID via Entra Connect. We harden both sides and add conditional access on top.
Log-only conditional access first. We watch what would have broken for two weeks, fix it, then enforce. Pilot groups before broad rollout. We've done this enough times to know what surprises happen.
Bring us your Entra/Okta tenant for read-only review and we'll map your current state against phishing-resistance, account hygiene, and conditional-access maturity.