In the rapidly evolving world of cyber threats, identity has become the new security perimeter. The Microsoft Digital Defense Report 2025 highlights a stark reality: attackers are relentlessly targeting identities, and UK organisations are at the forefront of this battle.
As we look ahead to 2026, adopting an identity-first security strategy is not just a best practice – it’s a business imperative.
First off, what is MFA in cyber security?
Multi-factor authentication (MFA) is a security mechanism that requires users to provide two or more verification factors to access a resource, such as a password plus a biometric or a security token.
By adding layers of verification, MFA makes it significantly harder for attackers to compromise accounts, even if they have stolen credentials.
The case for Identity-First Security.
Identity-first security means making identity the foundation of your cyber defence strategy. This approach prioritises strong identity controls—such as Microsoft Entra ID, phishing-resistant multi-factor authentication (MFA), token protection, and passkeys—to block attackers at the source.
Key Statistics:
- Microsoft reports that enabling MFA can block over 99% of account compromise attacks.
- In 2025, over 80% of successful cyberattacks involved compromised identities or weak authentication controls (Microsoft Digital Defense Report 2025).
Why identity matters.
The UK remains a prime target for ransomware, extortion, and nation-state campaigns. According to the National Cyber Security Centre (NCSC), the country has seen record numbers of nationally significant incidents, many of which began with compromised credentials.
The Microsoft Digital Defense Report 2025 reinforces this, noting that identity compromise is the leading attack vector for modern cybercriminals.
Attackers are leveraging AI to scale their campaigns and make them more sophisticated, making traditional perimeter defences increasingly obsolete. Instead, they exploit weak authentication and use phishing and token and credential theft to gain access and move laterally within organisations.
The result? A single compromised identity can lead to widespread disruption, financial and data loss, as well as reputational damage.

4 Practical steps to strengthen identity security.
1. Enforce phishing-resistant MFA for all users
Phishing-resistant MFA is no longer optional. By requiring strong, adaptive authentication for every user, organisations can dramatically reduce the risk of credential theft and account takeover.
2. Deploy token protection and passkeys for privileged accounts
Privileged accounts are prime targets for attackers. Implementing token protection and passkeys makes it significantly harder for adversaries to hijack sessions or escalate privileges.
3. Regularly audit and remove unused identities and credentials
Stale accounts and unused credentials expand your attack surface. Regular audits ensure that only the right people have access to the right resources.
4. Integrate with Microsoft Entra ID
Leverage Microsoft Entra ID for unified identity management, enabling seamless enforcement of security policies across your digital estate.
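One way to automate the audit described in step 3, as an added example that is not from this article or from Microsoft. The inventory format, its field names, the account names and the 90-day and 14-day thresholds are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)        # assumed policy threshold
NEW_ACCOUNT_GRACE = timedelta(days=14)  # assumed grace period for new accounts
NOW = datetime(2025, 12, 1, tzinfo=timezone.utc)  # fixed so the sample is reproducible

# Constructed inventory export; the field names are hypothetical, not an Entra ID schema.
INVENTORY = [
    {"id": "alice", "enabled": True, "privileged": False, "created": "2023-01-10",
     "last_sign_in": "2025-11-28", "credentials": []},
    {"id": "bob", "enabled": True, "privileged": False, "created": "2022-05-02",
     "last_sign_in": "2025-06-01", "credentials": []},
    {"id": "admin-old", "enabled": True, "privileged": True, "created": "2021-03-15",
     "last_sign_in": "2025-05-01",
     "credentials": [{"name": "api-key-1", "expires": "2026-06-01", "last_used": "2025-04-15"}]},
    {"id": "svc-report", "enabled": True, "privileged": False, "created": "2025-01-01",
     "last_sign_in": None,
     "credentials": [{"name": "secret-a", "expires": "2025-09-30", "last_used": None}]},
    {"id": "new-hire", "enabled": True, "privileged": False, "created": "2025-11-25",
     "last_sign_in": None, "credentials": []},
    {"id": "leaver", "enabled": False, "privileged": False, "created": "2020-07-01",
     "last_sign_in": "2025-03-01",
     "credentials": [{"name": "token-x", "expires": None, "last_used": None}]},
]

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc) if value else None

def audit(inventory, now=NOW):
    """Return (account id, finding) pairs for stale identities and credentials."""
    findings = []
    for acct in inventory:
        last, created = _ts(acct["last_sign_in"]), _ts(acct["created"])
        if acct["enabled"]:
            if last is None and now - created > NEW_ACCOUNT_GRACE:
                findings.append((acct["id"], "never-signed-in"))
            elif last is not None and now - last > STALE_AFTER:
                findings.append((acct["id"], "stale-privileged" if acct["privileged"] else "stale"))
        # Credentials are checked even on disabled accounts: a key can outlive its owner.
        for cred in acct["credentials"]:
            expires, used = _ts(cred["expires"]), _ts(cred["last_used"])
            if expires is not None and expires < now:
                findings.append((acct["id"], "expired-credential:" + cred["name"]))
            elif used is None or now - used > STALE_AFTER:
                findings.append((acct["id"], "unused-credential:" + cred["name"]))
    return findings
```

The findings are a review queue rather than a deletion list: each flagged identity or credential still needs an owner to confirm it can be disabled or removed.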
How Identity-First Security stops attackers.
Identity compromise is a leading attack vector because it enables phishing, account takeover, and lateral movement. By enforcing robust authentication and minimising credential theft, organisations can block these attacks before they escalate.
Example:
According to the Microsoft Digital Defense Report 2025, 97% of identity attacks were password spray attacks, making phishing-resistant MFA and continuous verification essential for reducing risk.
Recommendations for UK organisations.
- Use Zero Trust principles: verify explicitly, use least privilege and assume breach.
- Make identity security a board-level priority.
- Mandate phishing-resistant MFA for all users, not just admins.
- Deploy token protection and passkeys for all privileged accounts.
- Automate identity and credential audits.
- Educate users on the importance of identity security and how to spot phishing attempts.
Attackers are moving fast – are you ready?
Let ANS, Microsoft’s UK Partner of the Year 2025, help you take control with identity-first security. Find out more about our Managed Security Services.
