Identity & Authentication

User authentication and identity protection controls

7 controls
2 critical
2 auto-remediable
ID-01 | Critical | Level 1

User MFA Registration

MFA blocks over 99.9% of account compromise attacks. Even with a Conditional Access (CA) policy requiring MFA, users must actually register MFA methods to be protected. Low registration rates leave users vulnerable.

ID-02 | High | Level 1 | Auto-fix

Block Legacy Authentication

Legacy protocols like IMAP and POP3 cannot enforce MFA. Attackers specifically target these protocols to bypass your MFA policies. Blocking them closes a major attack vector.

ID-03 | Medium | Level 1

Enable Self-Service Password Reset

SSPR allows users to securely reset passwords without helpdesk intervention. It reduces password reset tickets by up to 70% while maintaining security through MFA verification during reset.

ID-05 | High | Level 1

Configure Smart Lockout Protection

Password spray attacks try common passwords across many accounts. Smart lockout detects these patterns and blocks attackers while allowing legitimate users to authenticate. Weak settings leave you vulnerable.

ID-06 | High | Level 1

Complete Authentication Methods Policy Migration

The legacy per-user MFA system cannot be centrally managed or monitored. Migrating to the unified Authentication Methods policy enables centralized control over passkeys, FIDO2, and all MFA methods.

ID-07 | Medium | Level 2

Passkey Adoption Coverage

Passkeys provide phishing-resistant authentication for all users. High adoption rates reduce organizational vulnerability to credential theft attacks. Microsoft and industry standards increasingly recommend passkeys as the primary authentication method.

ID-04 | Critical | Level 3 | Auto-fix

Require Phishing-Resistant MFA for All Users

Phishing attacks can bypass traditional MFA. At Level 3, the entire organization uses authentication methods that cryptographically prove user presence, eliminating MFA bypass attacks entirely.

TrueConfig continuously monitors your Microsoft 365 tenant and helps you maintain compliance with these security controls.