MSPs can no longer treat identity security as a box to tick as phishing-resistant identity, detection and faster triage are becoming integral to growth strategy.
The traditional network perimeter has shifted, and identity is now the main battleground. Microsoft reported that identity-based attacks rose by 32% in the first half of 2025, with over 97% of those attacks being password-based.
Most organizations still rely heavily on multifactor authentication (MFA) to mitigate these threats, but despite being a key component in any security stack, it’s no longer sufficient on its own as adversaries diversify and scale their attacks with the help of AI.
Why the MFA checkbox era is over
According to Matt Caulfield, Vice President of Identity Products at Cisco, attackers have found clever ways to get around MFA by targeting different parts of the user account life cycle. “They might target the enrollment process or help desk calls,” he said. “Or the attacker is actually on the device installing malware allowing them to hijack sessions and steal tokens out of memory. Advanced phishing techniques are also on the rise.”
This increasingly advanced threat landscape means MSPs see limited efficacy from conventional MFA measures such as SMS messages and other push-based methods. MSPs often view identity security as a simple MFA deployment.
However, in 2026, this approach is insufficient. To provide true value, MSPs must shift their focus from “deploying MFA” to “building identity resilience.” This means moving beyond a single line-item sale and adopting a comprehensive strategy that covers the entire identity life cycle.
From authentication to identity resilience
As both human and nonhuman identities proliferate, security-first identity becomes essential for MSPs and the organizations they manage. After all, identities are now the primary control point for access, as opposed to network perimeters that have eroded in the era of decentralized work, SaaS app proliferation and the rise of machine identities. Of course, that’s been the case for a while now, but it’s even more important as AI, agentic automation and machine identities become embedded in almost every organization.
Organizations need both preventive and reactive controls, because even the strongest proactive controls can’t stop everything. MFA might protect the front door, but identity resilience covers the whole building or, in this case, onboarding, access rules, session behavior and detection once someone is inside. As such, post-login visibility matters more than ever.
- Preventive controls: Phishing-resistant authentication, device-bound identity and adaptive policies.
- Reactive controls: Identity threat detection and response (ITDR) to detect suspicious behavior after login.
Caulfield also stressed the importance of applying this model across legacy apps and shared devices. “It’s hard to get MFA everywhere, and getting to true phishing resistance across the board requires a thoughtful and phased approach. It’s not just a one-and-done concern. You need an identity provider that can extend to those dark corners of the organization you’re trying to protect. In this case, it’s really important that MSPs have a variety of tools in their stacks to help protect these types of accounts.”
In other words, security-first identity must extend beyond modern single sign-on environments and into the harder-to-protect parts of the business, such as legacy applications, shared systems and the underlying protocols that many organizations still rely on.
Reaching comprehensive phishing resistance requires broad protocol coverage and phased modernization. Cisco Duo, for instance, gives MSPs a way to extend identity controls into legacy applications, shared systems and older access methods that might otherwise stand in the way of full phishing resistance.
How MSPs can turn identity security into recurring value
When it comes to security products MSPs offer, MFA is really just an entry point, but it needn’t — and shouldn’t — be the full offer. By bundling identity around broader tooling and strategy, such as continuous protection, advanced threat detection, policy adherence support and auditing, MSPs can deliver greater value while reducing risk to both themselves and their clients.
“MFA is often seen as a checkbox activity, but there’s actually a lot more that MSPs can layer around it,” Caulfield said. “They can offer tiering in their packages, for example, starting with basic MFA and advanced phishing resistance and, at higher tiers, things like managed ITDR and threat detection and response. That way, MSPs can align their services with the needs and maturity levels of those clients.”
What makes identity security a real driver of value is that it’s directly tied to client trust and operational continuity. Moreover, with standardization, automation, dashboards and clear service expectations, MSPs can get to a solution that’s repeatable and low-cost for them to operate on behalf of the client.
From the client’s view, the story then changes from the technical framing of “we deployed MFA” to the operational risk framing of “we continuously manage identity risk.”
With this approach, that value is easier to measure, too. “MSPs can look at things like the number of accounts under management, MFA adoption rates, time to respond, support-ticket volumes and how customer satisfaction improves over time,” Caulfield said. “With Cisco Duo and Secure MSP Center, MSPs have a centralized dashboard and automation capabilities that greatly reduce manual effort.”
Using AI to scale identity services
The time it takes for cybercriminals to move laterally from an initially compromised host to other systems within a network has shrunk to just 29 minutes. For the most part, this is down to adversaries using AI to scale and adapt their attacks in less time.
The shift from one-time deployment to continuous identity risk management also helps explain why AI is also becoming a force multiplier for MSPs.
“MSPs are highly suited to implementing AI tools to improve their scalability and the time it takes for them to resolve issues. That way, they can deliver enhanced client experiences and security outcomes, and grow their margins,” Caulfield said.
Whether through built-in assistants or broader, API-driven automation, AI can reduce manual effort while helping service teams triage login issues faster and investigate and remediate suspicious activity more efficiently and effectively.
In this sense, AI becomes an accelerator of security-first identity by helping to further position MSPs to protect their clients and grow revenue in the process.
For a complete overview of what identity security is and how it protects organizations, see Cisco Duo’s guide to identity security. If you want to take the next step, see how Cisco's Secure MSP Center helps MSPs deliver scalable security to their clients.
