Identity security has quietly become the most important part of modern cybersecurity. The majority of breaches now start with a compromised account — not a missing patch, not an unprotected server, but someone logging in who shouldn't be there.
That shift has forced businesses to rethink everything they thought they knew about passwords, MFA, and user access. The old rules no longer apply, and sticking to them leaves your business exposed.
Passwords Alone Don't Protect Anyone Anymore
For years, the advice was simple: use long, complex passwords and change them frequently. Today, that approach is outdated — and in many cases, it creates more risk than it prevents. The NCSC's latest password guidance now actively advises against forced regular resets.
- People reuse passwords across personal and business accounts
- Frequent resets lead to predictable patterns
- Passwords are easily phished or stolen
- Attackers buy leaked credentials rather than guessing them
The problem isn't that passwords are too short — it's that passwords are no longer fit for purpose as the primary layer of identity protection.
MFA Is Essential — But the Type Matters
By now, most organisations have MFA enabled somewhere, but not necessarily in the right way. Traditional MFA such as SMS codes and simple push approvals is vulnerable to SIM swaps, MFA fatigue attacks, social engineering, and phishing.
Microsoft's guidance is clear: move away from weak MFA and towards phishing-resistant authentication. That means:
- Authenticator apps instead of SMS
- Number matching instead of simple approvals
- Conditional access policies guiding where and when MFA is needed
But the biggest modern upgrade goes beyond MFA entirely.
What MFA Fatigue Attacks Look Like
There's a darker side to MFA that many organisations aren't aware of: attackers don't try to crack MFA codes, they simply trigger so many push prompts that someone eventually gets tired and approves one by mistake. MFA fatigue attacks work because they're annoying enough to wear down people's decision-making, and attackers know that someone in your team will eventually hit approve without thinking.
Here's how it typically plays out: an attacker has valid login credentials (purchased from a dark web marketplace or leaked in a breach), so they attempt to sign in. Your MFA system sends a prompt to the legitimate user's device. Then it sends another. And another. Within minutes, dozens of prompts flood in — on someone's phone, laptop, or authenticator app. Eventually, someone who's trying to finish a task or just frustrated by the noise gives up and approves one to make it stop. That's the moment the attacker gets in.
This is why number matching was introduced as a standard: instead of a simple "approve or deny" prompt, the sign-in screen shows a number and the user must type that number into their authenticator app to approve. It cuts through the fatigue because someone who didn't start the sign-in never sees the number (it appears only on the attacker's sign-in screen), so a frustrated tap can't complete the approval. If your team starts receiving unexpected MFA prompts, the message is simple: never approve one you didn't initiate, ignore the noise, and report it to your IT team or security contact immediately. Most importantly, don't assume it's a system glitch or just approve it to make it stop.
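As an added illustration (not from the original article), here is a defender-side check that flags the pattern described above in sign-in logs: a burst of push prompts to one user within a few minutes, and whether an approval landed while the burst was still active. The log line format and outcome names are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA events (not real data). Each line: UTC time, user, outcome.
# The line format and outcome names are assumptions for this example, not a vendor schema.
SAMPLE_LOG = """\
2025-03-10T08:01:05Z alice@example.com push_sent
2025-03-10T08:01:35Z alice@example.com push_denied
2025-03-10T08:01:50Z alice@example.com push_sent
2025-03-10T08:02:20Z alice@example.com push_timeout
2025-03-10T08:02:30Z bob@example.com push_sent
2025-03-10T08:02:31Z bob@example.com push_approved
2025-03-10T08:02:40Z alice@example.com push_sent
2025-03-10T08:03:10Z alice@example.com push_denied
2025-03-10T08:03:25Z alice@example.com push_sent
2025-03-10T08:03:30Z alice@example.com push_sent
2025-03-10T08:03:45Z alice@example.com push_approved
"""

WINDOW = timedelta(minutes=5)  # look-back window per user
THRESHOLD = 4                  # prompts inside the window that count as a burst; tune to your baseline

def parse(log_text):
    # Returns (timestamp, user, outcome) tuples, oldest first.
    events = []
    for line in log_text.splitlines():
        ts, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, outcome))
    return sorted(events)

def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: {"prompts": n, "approved_during_burst": bool}} for users who got at least
    `threshold` prompts inside `window`; an approval during the burst needs an immediate response."""
    recent = defaultdict(deque)  # user -> timestamps of push prompts still inside the window
    alerts = {}
    for ts, user, outcome in events:
        q = recent[user]
        while q and ts - q[0] > window:  # drop prompts that have aged out of the window
            q.popleft()
        if outcome == "push_sent":
            q.append(ts)
            if len(q) >= threshold:
                info = alerts.setdefault(user, {"prompts": 0, "approved_during_burst": False})
                info["prompts"] = max(info["prompts"], len(q))
        elif outcome == "push_approved" and len(q) >= threshold:
            alerts[user]["approved_during_burst"] = True  # user is already in alerts here
    return alerts

if __name__ == "__main__":
    for user, info in detect_mfa_fatigue(parse(SAMPLE_LOG)).items():
        print(f"{user}: {info['prompts']} prompts in {WINDOW}, approved during burst: {info['approved_during_burst']}")
```

On the sample data alice is flagged with five prompts in the window and an approval during the burst, while bob's single prompt-and-approve is normal behaviour.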
Passkeys: The Future of Logging In
Passkeys are one of the biggest steps forward in identity security in decades, and in 2025 they're no longer experimental — they're becoming the new default.
A passkey replaces your password with a cryptographic key stored securely on your device. No typing. No remembering. No phishing. No stolen credentials. The technology is backed by the FIDO Alliance, with support from Microsoft, Apple, and Google.
- They can't be phished
- They can't be reused across accounts
- Only a public key is stored server-side, so a breached database yields nothing an attacker can log in with
- They reduce friction for users
For SMEs, enabling passkeys in Microsoft 365 and key business apps is now a highly recommended step — and one that dramatically cuts the risk of account compromise.
Identity Is Now the New Perimeter
With teams working from anywhere, using multiple devices, and relying on cloud apps daily, the old firewall-first model doesn't work anymore. Security now follows the user — not the network.
The most secure SMEs in 2025 do three things exceptionally well:
- Verify the user — are they who they claim to be? How risky is this login attempt?
- Verify the device — is it trusted? Is it compliant with your security standards?
- Verify the context — is the sign-in unusual? Is the location suspicious?
Access is granted or restricted dynamically, based on real risk — not guesswork.
Conditional Access: The Most Overlooked Upgrade
If there's one configuration that delivers the biggest security improvement with the least disruption, it's conditional access. With the right policies, you can:
- Block risky sign-ins automatically
- Require MFA only when needed
- Enforce passkeys on compliant devices
- Prevent unknown or unmanaged devices from accessing data
- Stop attackers using stolen credentials
It's smarter, more adaptive security — not more effort.
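An added worked example, not from the original article, that models the policy list above (together with the user, device and context checks from the previous section) as ordered rules and evaluates constructed sign-ins against them: any matching block rule wins, and otherwise the strongest required MFA method must already have been completed. The rule set and sign-in fields are assumptions for this illustration, not Microsoft's conditional access schema.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class SignIn:
    user: str
    user_risk: str                # "low", "medium" or "high", as rated by the identity provider
    device_compliant: bool        # managed and meeting your device standards
    trusted_location: bool        # e.g. office network; False for unknown networks
    legacy_auth: bool             # protocol that cannot perform MFA at all
    mfa_completed: Optional[str]  # None, "sms", "push" or "passkey"

# Ranking used to decide whether a completed MFA method satisfies a required control.
STRENGTH = {None: 0, "sms": 1, "push": 2, "passkey": 3}

# Policies modelled on the bullet list above: (name, applies_to, control).
# This is an assumed, simplified model of conditional access, not Microsoft's engine.
POLICIES = [
    ("Block legacy authentication", lambda s: s.legacy_auth, "block"),
    ("Block high-risk sign-ins", lambda s: s.user_risk == "high", "block"),
    ("Require compliant device", lambda s: not s.device_compliant, "block"),
    ("Require MFA for medium-risk sign-ins", lambda s: s.user_risk == "medium", "push"),
    ("Require passkeys from unknown locations", lambda s: not s.trusted_location, "passkey"),
]

def evaluate(sign_in, policies=POLICIES):
    # Returns (decision, reasons): a block rule wins outright; otherwise the strongest
    # MFA control that applies must already have been completed for the sign-in to pass.
    reasons, required = [], 0
    for name, applies, control in policies:
        if not applies(sign_in):
            continue
        if control == "block":
            return "block", [name]
        reasons.append(name)
        required = max(required, STRENGTH[control])
    if STRENGTH[sign_in.mfa_completed] >= required:
        return "allow", reasons   # no prompt at all when nothing required it
    return "mfa_required", reasons

SAMPLE_SIGN_INS = [  # constructed sign-ins, not real data
    SignIn("alice", "low", True, True, False, None),        # office, managed laptop
    SignIn("alice", "low", True, False, False, "push"),     # hotel wifi, push only
    SignIn("bob", "medium", True, True, False, "push"),     # flagged risk, push completed
    SignIn("bob", "low", False, False, False, "passkey"),   # unmanaged personal device
    SignIn("carol", "low", True, True, True, None),         # basic-auth mail client
    SignIn("dave", "high", True, True, False, "passkey"),   # leaked credentials, high risk
]

if __name__ == "__main__":
    for s in SAMPLE_SIGN_INS:
        print(s.user, evaluate(s))
```

Note that the last sign-in is blocked even though a passkey was completed: once the provider rates the sign-in high risk, a block rule fires before any grant control is considered.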
Your 2025 Identity Security Checklist
For a modern, resilient identity setup:
- Enable MFA everywhere using authenticator apps
- Replace SMS codes entirely
- Turn on number matching
- Implement conditional access
- Enforce trusted, compliant devices
- Reduce reliance on password rotation
- Phase in passkeys for high-risk accounts first
- Educate users on phishing and MFA fatigue
- Regularly review admin roles and permissions
- Disable legacy authentication
This is no longer a big-business strategy — SMEs can adopt all of it with the tools already included in Microsoft 365 Business Premium.
Final Thoughts
Identity is now the front door to your business, and attackers know it. But with the right combination of passkeys, strong MFA, and intelligent access policies, it becomes one of the easiest parts of your security to strengthen. For a broader view of the threat landscape and why this matters, see our article on why your business needs strong cybersecurity in 2025.
The critical thing to remember is that identity security isn't a one-time setup — it's an ongoing practice. Your threat landscape changes, new risks emerge, and authentication methods that were secure last year may have vulnerabilities exposed this year. That means regular reviews of your admin accounts and who has access to what, periodic checks of your conditional access policies to make sure they're still effective, and a keen eye on any authentication methods you've deprecated that might still be lingering in older applications or integrations. The checklist above is a starting point, not a finish line.
If you'd like help implementing passkeys, reviewing your identity setup, or upgrading your MFA and conditional access strategy, our team can guide you through exactly what's needed — without disrupting your day-to-day operations.