User Security

Every identity verified, every login logged, every access decision enforced.

Phishing-resistant MFA, federated identity, single sign-on, cloud access security, and complete authentication logging — applied to every user across your distributed environment. No risk-based exceptions. No gaps. No dependence on a single vendor.

40,000+ users under management
400+ financial services environments
30+ years serving financial services

The MFA Reality

Not all MFA is created equal — and the wrong kind creates a false sense of security.

Most firms believe they are protected because they "have MFA." But MFA is not a single technology — it is a spectrum, and most of what firms deploy today is vulnerable to the exact attacks regulators are warning about. The difference between standard MFA and phishing-resistant MFA is the difference between a lock that can be picked and one that cannot.

The Push Notification Problem

Standard MFA sends a push notification to the user's phone. The user taps "Approve" and they're in. In an MFA fatigue attack, an attacker who already has stolen credentials floods the user with repeated push notifications — at 2 AM, during meetings, nonstop. The user, just wanting it to stop, taps "Approve." This caused the Uber breach (2022) and attacks on Cisco, Okta, and others.

What Phishing-Resistant Looks Like

Number matching: the user types a number from the login screen into the authenticator. Biometric re-authentication confirms the person. Two extra seconds. Stops the entire category of fatigue attacks — the user cannot approve what they cannot see.

The Core Vulnerability

Standard push-notification MFA lets a user approve an authentication request they did not initiate. The user does not need to see the attacker's screen, verify any context, or take any deliberate action beyond tapping a button. One tap of "Approve" — whether intentional or out of fatigue — grants full access.

CISA — the Cybersecurity and Infrastructure Security Agency — does not consider push notifications, SMS codes, or standard one-time passwords to be phishing-resistant. In its Zero Trust guidance (OMB M-22-09), CISA mandates phishing-resistant authentication and identifies FIDO2/WebAuthn as the standard. Phishing-resistant MFA requires a cryptographic handshake between the user's device and the specific service being accessed — it cannot be intercepted, socially engineered, or replayed.

"Enabling MFA is not the same as enforcing phishing-resistant MFA. One gives you a checkbox. The other gives you actual protection. CISA does not consider push notifications, SMS, or standard OTP codes to be phishing-resistant — and neither should your firm."

Authentication Independence

When your authenticator is made by the same company as the system being attacked, you have a single point of failure.

Most firms use Microsoft Authenticator to protect Microsoft 365. From a security architecture perspective, this creates a dangerous concentration of risk. If Microsoft's authentication infrastructure is compromised, the tool you depend on to verify identity is compromised at the same time.

31% of M365 breaches from token theft (2025)
146% rise in AiTM attacks (2024)
50%+ AiTM campaign success rate (Proofpoint 2025)

In an Adversary-in-the-Middle (AiTM) attack, the attacker sets up a phishing page that proxies the real Microsoft login. The user completes MFA normally — through Microsoft Authenticator — and the login succeeds. But the attacker captures the session token and accesses Outlook, OneDrive, Teams, and SharePoint without triggering another MFA prompt.

In December 2024, Oasis Security disclosed "AuthQuake" — a critical vulnerability in Microsoft's MFA implementation that allowed unlimited brute-force attempts with no rate limiting and no user notification. An attacker could bypass MFA in under 70 minutes. The vulnerability affected every Microsoft account protected by authenticator-app-based MFA — more than 400 million paid Office 365 seats.

Microsoft Authenticator: Concentrated Risk

The credentials, the MFA verification, the session tokens, and the authentication logs all flow through Microsoft's infrastructure. When attackers target Microsoft — through AiTM phishing, OAuth abuse, or token theft — they are attacking the same ecosystem that is supposed to be verifying identity. A breach of one layer exposes every layer.

Independent Authenticator: Separated by Design

FCI uses an authentication provider that operates outside the Microsoft ecosystem. The MFA challenge is issued, verified, and logged by a different provider. Even if an attacker compromises Microsoft's token infrastructure, the authenticator's security boundary is untouched. The entity verifying security should never be the same entity being verified.

"Microsoft is the most targeted identity platform in the world. Using Microsoft Authenticator to protect Microsoft 365 means the lock and the key are both made by the company under attack. FCI separates them — by design, not by accident."

The Problem

Most firms cannot prove who accessed what, when, or how.

Financial services firms operate in an environment where every user is both a productivity asset and an attack surface. Regulators require that firms control who has access, verify that users are who they claim to be, and log every authentication event. Most firms believe they have this covered because they turned on MFA. The reality is different. MFA is often risk-based rather than enforced, federation and single sign-on are confused or misconfigured, and authentication logs are incomplete — or simply not captured at all.

The result is an identity layer that looks secure on paper but fails under scrutiny. When an examiner asks for proof of who logged into what system, when, and from where — or when a breach investigation needs to trace lateral movement — the gaps become visible.

MFA That Isn't Enforced

Most firms enable MFA but configure it as risk-based — meaning Microsoft decides when to challenge the user. If the login looks "normal," MFA is skipped. The firm believes every login is verified. It isn't. And there's no log showing when MFA was bypassed because the system decided it wasn't needed.

Federation, SSO, and MFA Conflated

These are three different technologies that serve three different purposes. Federation syncs usernames. Single sign-on eliminates repeated authentication. MFA verifies the person. Most firms — and even many IT providers — conflate them. The result is misconfigured identity infrastructure where gaps exist that no one recognizes.

Incomplete Authentication Logging

Microsoft's native logs capture basic events but miss critical context. Risk level, device location, authentication method, login source country — this information exists but is not captured by default. Without extended logging, a firm cannot answer the questions regulators and forensic investigators will ask.

No Lifecycle Visibility

Users are added when they join. But who tracks inactive accounts? Who detects anomalous behavior? Who ensures that when someone leaves, every access point is actually closed? Most firms have no systematic process for user lifecycle management. Orphaned accounts accumulate, and each one is a door that should have been locked.

Can you prove — for every user, every login, every application — who accessed it, when, how they were authenticated, and whether the access was appropriate?

Identity & Access Management

Six capabilities — applied to every user, enforced continuously.

Every capability below is part of FCI's Identity and Access Management practice — the discipline that governs who a user is, how they prove it, what they can reach, and how that access is reviewed and logged over time. FCI implements IAM end to end, across every user and every application.

FCI does not rely on Microsoft's default authentication behavior or trust that MFA is "probably" being enforced. FCI builds a complete authentication ecosystem — federation, single sign-on, CASB, and advanced MFA working together — so that every access decision is verified, logged, and provable.

01. Phishing-Resistant MFA

Advanced MFA enforced on every login — not risk-based, not optional. FCI implements CISA-recommended phishing-resistant MFA as a mandatory control using an independent authenticator outside the Microsoft ecosystem. Number matching requires the user to type a code from the login screen into the authenticator, followed by biometric re-authentication. Every login is verified. Every time.

02. Federation & Identity Sync

Federation syncs user identities across systems so that credentials are managed centrally. When Salesforce, Sophos, or any integrated application lets a user "log in with Microsoft," that's federation — the identity has been synced so the user doesn't need separate credentials for every system. FCI configures and manages federation across all integrated applications.

03. Single Sign-On (SSO)

SSO is a different technology from federation — it eliminates repeated authentication across integrated systems within a session. Once a user has been verified, they move between applications without re-authenticating. FCI implements SSO alongside federation so that security and usability work together, not against each other.

04. Cloud Access Security Broker (CASB)

CASB controls verify the user, the device, and the network before granting access to cloud applications. A valid login is not enough — the device must be trusted, the network must be known, and the user's risk profile must be acceptable. FCI implements CASB policies that enforce these conditions on every access attempt, creating a Zero Trust verification chain.

05. Extended Authentication Logging

FCI extends authentication logging beyond Microsoft's native capabilities to capture the full context of every login event. Every authentication event is ported to centralized logs and stored. This is the evidence that regulators and forensic investigators need — and that Microsoft does not provide by default.

Captured fields: Login Time, Result, User, Application, Risk Level, Device Location, Auth Method, Source Country.

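The value of those extended fields is that a defender can query them. The following is an added example, not FCI's code or tooling: it reads constructed sign-in records laid out with the fields above (pipe-separated, one record per line) and runs three checks drawn from this page, namely successful logins where MFA never ran because only a password was recorded (the risk-based gap described under "MFA That Isn't Enforced"), the push-fatigue pattern described under "The Push Notification Problem" (a burst of rejected or ignored push prompts followed by an approval), and records whose context fields are empty and so cannot answer who, how and from where. The record format, the method labels ("push", "password", "fido2") and every sample line are assumptions constructed for the example.

```python
"""Detection logic over extended sign-in records.

Added example, not FCI's code or tooling. The record layout follows the fields
named on the page (login time, result, user, application, risk level, device
location, auth method, source country); the pipe-separated format, the method
labels ("push", "password", "fido2") and every sample line are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a push-fatigue burst against alice that ends in an
# approval, two password-only logins (MFA skipped), and one record with the
# extended context fields left empty.
SAMPLE_LOG = [
    "2025-03-04T02:01:10Z|denied|alice@example.com|Outlook|medium|Austin, US|push|US",
    "2025-03-04T02:02:30Z|denied|alice@example.com|Outlook|medium|Austin, US|push|US",
    "2025-03-04T02:03:45Z|timeout|alice@example.com|Outlook|medium|Austin, US|push|US",
    "2025-03-04T02:05:02Z|denied|alice@example.com|Outlook|medium|Austin, US|push|US",
    "2025-03-04T02:06:20Z|denied|alice@example.com|Outlook|medium|Austin, US|push|US",
    "2025-03-04T02:07:55Z|success|alice@example.com|Outlook|medium|Austin, US|push|US",
    "2025-03-04T09:15:00Z|success|bob@example.com|SharePoint|low|Chicago, US|password|US",
    "2025-03-04T09:20:00Z|success|carol@example.com|Teams|low|Denver, US|fido2|US",
    "2025-03-04T11:42:00Z|success|dave@example.com|OneDrive|||password|",
]

FIELDS = ("time", "result", "user", "application", "risk", "location", "method", "country")
CONTEXT_FIELDS = ("risk", "location", "method", "country")  # the "extended" context


def parse_record(line):
    """Parse one pipe-separated record into a dict; the timestamp becomes a datetime."""
    parts = line.strip().split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    record = dict(zip(FIELDS, parts))
    record["time"] = datetime.strptime(record["time"], "%Y-%m-%dT%H:%M:%SZ")
    return record


def find_mfa_skipped(records):
    """Successful logins where only a password was recorded, i.e. MFA never ran."""
    return [r for r in records if r["result"] == "success" and r["method"] == "password"]


def find_push_bursts(records, window=timedelta(minutes=10), threshold=5):
    """Flag users who rejected or ignored `threshold` push prompts inside `window`,
    and note whether an approval followed the burst (the fatigue pattern)."""
    by_user = defaultdict(list)
    for r in records:
        if r["method"] == "push":
            by_user[r["user"]].append(r)
    findings = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["time"])
        rejected = [e for e in events if e["result"] in ("denied", "timeout")]
        for i, start in enumerate(rejected):
            in_window = [e for e in rejected[i:] if e["time"] - start["time"] <= window]
            if len(in_window) < threshold:
                continue
            deadline = start["time"] + window
            approved = any(
                e["result"] == "success" and in_window[-1]["time"] <= e["time"] <= deadline
                for e in events
            )
            findings.append({"user": user, "start": start["time"],
                             "count": len(in_window), "approved_after_burst": approved})
            break  # one finding per user is enough for triage
    return findings


def find_missing_context(records):
    """Records that cannot answer "how, from where, at what risk": empty context fields."""
    out = []
    for r in records:
        missing = [f for f in CONTEXT_FIELDS if not r[f]]
        if missing:
            out.append((r["user"], missing))
    return out


def report(lines):
    records = [parse_record(line) for line in lines]
    return {
        "mfa_skipped": [r["user"] for r in find_mfa_skipped(records)],
        "push_bursts": find_push_bursts(records),
        "missing_context": find_missing_context(records),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(key, value)
```

Run against the constructed sample, the report names bob and dave as password-only successes, flags alice for five rejected push prompts in ten minutes with an approval afterwards, and lists dave's record as missing risk, location and country. The point of the third check is the one the page makes about native logs: a record that carries no context is not evidence, and a firm will not find those gaps unless something counts them.
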
06. User Lifecycle Management

FCI manages the full user lifecycle — from CISO-approved onboarding through active monitoring to decommissioning. Inactive users are detected and flagged for cost reduction and risk mitigation. User anomalies are identified through behavioral monitoring. A complete user inventory is maintained, and every change is logged. When a user leaves, every access point is closed — not just email.

Mobile Devices

Securing mobile access without invasive MDM.

Traditional Mobile Device Management has significant problems in a BYOD environment. Users report battery drain, restricted functionality, and a surveillance-like experience on their personal device. MDM platforms are costly to license and complex to administer. For most financial services field offices, the tradeoff isn't worth it.

The Problem with Traditional MDM

Solutions like Microsoft Intune work well with company-owned devices. But in a BYOD environment — the reality for most financial services field offices — traditional MDM creates friction firms cannot afford. Users report storage and battery drain, a surveillance-like experience, and discomfort having a management tool with visibility into personal photos, messages, and private data. It is their phone, with their personal life on it.

FCI's Approach

User-Remediated Cyber Settings & OS Updates Enforced at Conditional Access

Instead of installing a management agent on every personal device, FCI enforces security at the point of access. Before a smartphone or tablet can reach the firm's cloud environment — email, files, applications — the device must meet defined conditions: OS current, screen lock enabled, no jailbreak detected. If the device doesn't comply, the user is told exactly what to fix and access is blocked until they do. The user remediates on their own device, on their own terms. No agent. No surveillance. No corporate control over personal data. The firm gets the security posture it needs, and the user keeps the privacy they expect.
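The CASB conditions above (user verified, device trusted, network known) and the mobile device conditions here (OS current, screen lock enabled, no jailbreak) are the same kind of decision: evaluate signals at the point of access and either allow or tell the user exactly what to fix. The following is an added example, not FCI's code and not any CASB or conditional access product's API, that implements such a decision as a single function. The minimum OS versions, the authentication method labels, the VPN egress range (a documentation-only address block) and the sample requests are all constructed assumptions; it also assumes the device signals are already available at sign-in, as the page describes, rather than collected by an installed agent.

```python
"""Zero Trust access decision at the point of access.

Added example, not FCI's code or a CASB/conditional access product's API. It
evaluates the three signals the page names (user verified, device trusted,
network known) plus the device conditions listed for mobile devices (OS current,
screen lock on, not jailbroken) and returns either "allow" or the exact list of
fixes the user must make. The policy values, method labels, networks and sample
requests are all constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy. Method labels are assumptions, not product identifiers.
PHISHING_RESISTANT_METHODS = {"fido2", "number_matching_biometric"}
MIN_OS = {"ios": (17, 4), "android": (14, 0)}          # minimum acceptable version per platform
KNOWN_NETWORKS = [ip_network("203.0.113.0/24")]        # assumed always-on VPN egress range


@dataclass
class AccessRequest:
    user: str
    auth_method: str    # how the user was verified at sign-in
    platform: str       # "ios" or "android"
    os_version: str     # dotted version string reported by the device
    screen_lock: bool
    jailbroken: bool
    source_ip: str      # egress address seen by the cloud service


@dataclass
class Decision:
    allow: bool
    remediation: list   # empty when allowed; otherwise what the user must fix


def parse_version(text):
    """'17.3.1' -> (17, 3, 1); tuples compare element by element, so 17.3.1 < 17.4."""
    return tuple(int(part) for part in text.split("."))


def evaluate(req, min_os=MIN_OS, known_networks=KNOWN_NETWORKS):
    problems = []
    # 1. User verified: the method must be phishing-resistant, not a bare push approval.
    if req.auth_method not in PHISHING_RESISTANT_METHODS:
        problems.append("Sign in with the firm's authenticator (number matching plus biometric) or a FIDO2 key.")
    # 2. Device trusted: current OS, screen lock enabled, no jailbreak.
    minimum = min_os.get(req.platform)
    if minimum is None:
        problems.append(f"Platform {req.platform!r} is not permitted.")
    elif parse_version(req.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        problems.append(f"Update {req.platform} to {wanted} or later (currently {req.os_version}).")
    if not req.screen_lock:
        problems.append("Enable a screen lock (PIN, face or fingerprint).")
    if req.jailbroken:
        problems.append("Device is jailbroken or rooted; restore a stock OS before access is allowed.")
    # 3. Network known: the request must arrive from the firm's VPN egress.
    if not any(ip_address(req.source_ip) in net for net in known_networks):
        problems.append("Connect through the firm's always-on VPN before opening firm applications.")
    return Decision(allow=not problems, remediation=problems)


if __name__ == "__main__":
    sample = AccessRequest("bob@example.com", "push", "android", "13.0", False, False, "198.51.100.7")
    decision = evaluate(sample)
    print("ALLOW" if decision.allow else "BLOCK")
    for fix in decision.remediation:
        print(" -", fix)
```

Every failed condition produces its own remediation line rather than a generic "access denied", which is what lets the user fix the device without an administrator touching it. A request that satisfies all three signal groups returns an empty remediation list; one that fails several returns all of them at once, so the user is not sent around the loop one condition at a time.
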

How FCI Is Different

Four reasons the same tools produce different results.

Every managed service provider can turn on MFA. The difference between FCI and everyone else is not the tools — it is mastery of the authentication ecosystem, automation that replaces manual identity management, consistency across every user and every access point, and persistent proof that every login is verified and logged.

Enabling MFA is not identity security. Configuring federation is not enforcement. FCI delivers both.

Expert Mastery

FCI has deployed federation, CASB, and advanced MFA across hundreds of financial services environments. That exposure means FCI knows the difference between federation and SSO, knows why risk-based MFA creates gaps, and knows which CASB policies actually matter for regulatory compliance.

Automated Procedures

Manual identity management fails because humans forget to disable accounts, skip federation configuration for new applications, and cannot keep up with the pace of Microsoft's authentication changes. FCI automates user provisioning, deprovisioning, and policy enforcement through templates.

Consistent Controls

Protecting some users is not protection. FCI covers every user, every application, every login — no gaps, no exceptions. Contractors, employees, BYOD users — all under the same authentication standard.

Persistent Proof

It is easy to show an auditor that MFA is enabled today. FCI produces evidence that every login was verified, every day, with full context — risk level, source country, device location, and method used. Point-in-time compliance is a byproduct of persistent enforcement, not a scramble.

"FCI does not trust that Microsoft's risk-based decisions are protecting the firm. Every login is verified. Every authentication event is logged with full context. The firm can prove who accessed what, when, and how — not because someone checked a box, but because the controls enforce it automatically."

Interconnection

User security does not stand alone — it gates access to everything else.

A verified identity is not just a login event. It is the access decision that determines whether a user reaches the endpoint, the network, the data, and the cloud applications. Every domain protects every other domain — and user security is the gatekeeper that makes the rest enforceable.

The Principle

No single domain failure defeats the system. A compromised credential is stopped by the endpoint check. A compromised endpoint is contained by the network. Every layer reinforces every other layer.

Endpoint Security

A trusted device becomes a factor in user authentication. The authentication chain verifies not just who the user is, but whether they're on a known, managed endpoint before granting access.

Network Security

Always-on VPN ensures the user connects from a known IP. User authentication and network verification work together — a valid identity from an unknown network triggers additional scrutiny.

Cloud App Security

CASB policies tie directly to user identity. Access to M365 and other cloud applications is gated by the authentication ecosystem — user verified, device trusted, network known.

Data Security

User permissions determine who can access, modify, and export data. Without verified identity, data classification and DLP controls have no anchor — they don't know who is accessing the data.

Firm Security

Every authentication event feeds the FCI Portal. The security officer has visibility into login patterns, anomalies, and user lifecycle changes across the entire environment.

What You Can Prove

Evidence that builds itself — every day, not just on audit day.

Regulators, home offices, and cyber insurance carriers all ask the same question: can you prove who has access and how they were authenticated? FCI produces continuous evidence as a byproduct of how it operates. There is no scramble before an exam. The proof already exists.

Authentication Verified

Proof that every login across every application was verified by phishing-resistant MFA — not risk-based, not optional. Evidence of method used, device context, and login source.

Access Controlled

Proof that CASB policies enforced Zero Trust conditions on every access attempt — user verified, device trusted, network known. Evidence of denied access when conditions were not met.

Lifecycle Managed

Proof that user accounts are provisioned with CISO approval, monitored for inactivity and anomalies, and decommissioned when no longer needed. Complete user inventory with full history.

Compliance Documented

Extended authentication logs that answer every question a regulator will ask: who, what, when, where, how, and whether the access was appropriate. Stored centrally, retained beyond Microsoft's native limits.

Independence Proven

Authenticator operates outside the Microsoft ecosystem — separate verification, separate logs, separate security boundary. No single point of failure in the identity chain.

FCI Portal Visibility

The security officer can access user evidence at any time — login patterns, anomalies, lifecycle changes, and the ability to go back to any point in time.

For FINRA, the SEC, the NAIC, state regulators, cyber insurance carriers, and home office compliance: exactly who has access, how every login was verified, which authentication method was used, and whether the controls are enforced continuously — not just on the day you knew they were coming.

Ready to close the identity gaps your firm can't see?

FCI works with broker-dealers and branch offices, insurance carriers and agencies, and RIAs. Start with a gap analysis — it is free, takes 30 minutes, and commits you to nothing.