

31 Aug 2025
In 2025, it is safe to say that Multi-Factor Authentication (MFA) has become a standard for web-based authentication. Yet, even with widespread adoption, the security of MFA still varies depending on how it is implemented. Where SaaS and B2C services still rely on passwords, SMS codes and email links rather than passkeys and token protection, users remain exposed. These are the basics to consider in web-based authentication: Multi-Factor Authentication (MFA) and Single Sign-On (SSO).
MFA
MFA stands for Multi-Factor Authentication, which refers to using two or more categories of credentials to verify a user’s identity. These categories are:
Something you know – e.g. passwords or PINs
Something you have – e.g. your smartphone, laptop, or a hardware security key (like a FIDO key)
Something you are – e.g. your fingerprint or face (biometrics)
Traditional MFA is typically a combination of something you know (password) and either something you have or something you are. However, passwords remain the weakest link because they’re often reused, poorly constructed, and vulnerable to phishing or theft.
SSO
Once authenticated, users are granted a session token that keeps them signed in, so productivity is not hampered by constant reauthentication.
While "keep me signed in" is convenient, it also introduces risk, especially if the session token is stolen and reused by attackers.
It is possible to balance security and productivity through smarter conditional access for sensitive applications. For example:
Financial systems and cloud infrastructure administrator roles can demand more frequent reauthentication.
Less sensitive systems can allow longer or indefinite sessions.
Why passkeys and Token Protection are the future
Passkeys
Modern authentication methods are moving away from passwords in favour of passkeys. Passkeys eliminate the need for passwords altogether. A passkey is a form of authentication that falls into the "something you have" category: it is a cryptographic key pair whose private key is stored in a secure module on your device (like your phone or laptop). These secure modules are ideally protected by biometrics. This gives a two-factor setup built from the second and third categories: something you have (your device) and something you are (biometrics).
This combination is significantly more secure than traditional MFA because:
The private key never leaves your device.
Authentication cannot be phished or reused.
Physical access is needed to compromise the key, and even then, device protection (PIN, screen lock, encryption) remains a barrier.
For IT teams, this means planning for passkey adoption by implementing manual processes for secure device onboarding and registration. Over time, passkeys should completely replace passwords for user sign-in, with passwords used solely for recovery purposes.
Token Protection
Token protection is an emerging technology designed to tie session tokens to a specific device. This means if a token is stolen, it cannot be reused elsewhere.
Microsoft Entra has introduced token protection as part of its Conditional Access framework. However, as of 2025, its use and support are limited to Windows 10+, Windows Server 2019+, and a small number of applications, with implementations that are complex and not practical for most SMBs. That said, as token protection matures, expect broader support and adoption in the years ahead within the enterprise security space.
Why isn’t this the industry standard for SaaS providers already?
Despite the availability of modern authentication technologies like OAuth2, OpenID Connect, SSO, and passkeys, many Software-as-a-Service (SaaS) providers are lagging behind. While the technology is mature, business priorities often lean toward flashy features and marketing over fundamental security.
Most people would be surprised to hear that many businesses still don’t offer Single Sign-On (SSO) or proper MFA integration, especially in the B2C (business-to-consumer) space. Apple leads B2C identity management, while Microsoft leads in B2B (Business-to-Business). Unfortunately, many SaaS platforms have not yet caught up in either space.
Real-world impact
In early 2025, several Australian superannuation providers were targeted by attackers using stolen credentials. While many providers had MFA available, the breach highlighted key issues:
Customers who did not enable MFA put themselves at risk.
One provider, AusSuper, offered limited MFA support for users, and faced significant public backlash for failing to provide basic protections.
This illustrates the shared responsibility of security. Users must adopt the tools available, and businesses must provide them in the first place.
The road ahead
The future of authentication is simple, secure, and password-less. As more services adopt passkeys and token protection, users will benefit from:
Stronger security with less effort
Fewer phishing opportunities
Faster and more seamless sign-in experiences
Passwords that are never used cannot be phished, stolen, or guessed. If they exist solely for recovery (and even then require additional verification), we're well on our way to a safer digital world.
Things to remember
MFA is standard, but not all MFA is equally secure.
Passkeys offer strong, phishing-resistant authentication.
Token protection strengthens session security.
Businesses and users both play a role in adopting modern authentication.
The move to password-less is both inevitable and necessary.