Identity security moves to the centre as MFA comes under pressure

Latest News07 May 2026

Identity has become the most common entry point for cyber-attacks. Stolen credentials, session hijacking and token abuse are now used more often than traditional exploitation of software vulnerabilities.

Guidance from bodies such as the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology reflects that shift, with identity protection now treated as a core security priority.

Multi-factor authentication (MFA) still plays an important role. Adding a second factor significantly reduces the risk associated with compromised passwords and remains one of the most widely recommended controls. Many organisations have rolled it out across critical systems as a baseline requirement.

At the same time, attackers have adjusted their approach. Phishing kits increasingly replicate authentication flows in real time, allowing them to capture session tokens even when MFA is enabled. Social engineering techniques such as repeated push notifications are used to pressure users into approving login attempts. The European Union Agency for Cybersecurity has reported growing use of these methods, particularly in targeted campaigns.

This is pushing organisations to look beyond basic MFA deployment.

Stronger forms of authentication are gaining traction. Phishing-resistant options such as passkeys and hardware security keys remove reliance on one-time codes, which are more vulnerable to interception. Adaptive authentication is also becoming more common, applying additional checks when behaviour or context raises risk.

Identity security is also expanding in scope. Human users are only part of the picture. Service accounts, applications and machine identities now account for a large share of access within modern environments. These identities often operate with high privileges and are harder to monitor, making them an attractive target.

As a result, organisations are placing more emphasis on visibility and control across all identities. Continuous monitoring, tighter access policies and better management of credentials and tokens are becoming standard practice.

MFA remains a necessary layer, but it works best as part of a broader approach. Organisations that treat identity as an ongoing security concern, rather than a one-time authentication step, are better equipped to deal with how attacks are evolving in 2026.