The perimeter is gone — and everyone knows it. What many organizations are still catching up to is what replaced it. Identity is now the primary attack surface, and attackers are exploiting it with increasing precision. Instead of smashing through firewalls, they steal refresh tokens, abuse OAuth consent, hijack sessions, and quietly persist as legitimate users. Recent industry reporting shows that 67% of organizations have seen an increase in identity-based incidents, with third-party access and stolen credentials dominating breach investigations. For blue teams and IAM operators, this changes the job. Preventive controls alone are no longer enough. You need Identity Threat Detection and Response (ITDR) that can spot subtle abuse inside trusted identity systems like Okta and Microsoft Entra, and respond fast enough to contain blast radius. This playbook focuses on the threats defenders are actually seeing — and how to detect, respond, and measure success in the real world. Why Identity Attacks Are Harder to Catch Identity attacks don’t look like traditional intrusions. There’s no malware beaconing, no port scans, no obvious lateral movement. Everything happens through legitimate APIs, tokens, and sessions. Once an attacker steals a refresh token or compromises an OAuth app, they don’t need to reauthenticate. They can mint fresh access tokens, move between services, and blend into normal user behavior for days or weeks. Session hijacking compounds the problem by allowing attackers to inherit device trust, MFA state, and conditional access context. This is why identity incidents are often detected late — and why blast radius matters as much as detection. Detecting Refresh Token Theft in Okta and Entra Refresh tokens are high-value targets because they outlive access tokens and often bypass MFA once issued. Detection hinges on spotting behavior that breaks normal patterns, not just failed logins. In Entra, one of the strongest signals is token usage from unexpected locations or device contexts, especially when the access token claims indicate a different sign-in posture than the original authentication event. When refresh tokens are replayed from infrastructure or geographies never associated with the user, defenders should treat it as probable compromise, not a false positive. Okta environments show similar patterns. Watch for sudden spikes in token refresh events, particularly outside business hours or immediately following OAuth app consent. A single refresh token generating access tokens across multiple resources in rapid succession is another common indicator. The key mistake teams make is treating these as “interesting logs” instead of actionable alerts. Token misuse is rarely benign. Rogue OAuth Apps and Consent Abuse OAuth consent is one of the quietest persistence mechanisms attackers have. By tricking a user into approving a malicious or over-privileged app, attackers gain durable API access without needing to maintain a live session. The app continues working even after the user logs out or resets their password. Detection starts with visibility. Teams need to baseline which apps normally request consent, what permissions they ask for, and who approves them. In both Okta and Entra, high-risk signals include newly registered apps requesting broad scopes like offline access, mail read/write, directory access, or files permissions — especially when consent comes from non-admin users or outside expected workflows. Another overlooked signal is unused but still-authorized apps. OAuth grants that remain active without corresponding user activity are often persistence artifacts. Effective ITDR treats OAuth apps as identities in their own right, subject to the same scrutiny as users and service accounts. Session Hijacking: When MFA Is Already Bypassed Session hijacking is particularly dangerous because it often defeats MFA and conditional access entirely. If an attacker steals a session cookie, they inherit the trust state of the original login. In Entra, defenders should watch for session reuse across IP addresses or devices that would normally trigger reauthentication. Sudden changes in user agent strings, browser fingerprints, or access patterns mid-session are strong indicators. Okta logs can reveal similar anomalies, especially when a session continues long after expected expiration or survives events that should invalidate it, such as password resets or device posture changes. The defensive challenge here isn’t detection alone — it’s speed. Session hijacking demands fast containment before the attacker pivots deeper into SaaS or cloud resources. Response Automations That Actually Work Detection without response is just telemetry. For token theft, immediate revocation is non-negotiable. That means invalidating refresh tokens, terminating active sessions, and forcing reauthentication with MFA. In both Okta and Entra, this should be automated for high-confidence detections rather than left to manual workflows. OAuth abuse requires a slightly different approach. The response should disable or delete the offending app, revoke its grants tenant-wide, and notify affected users. Crucially, security teams should also audit what data the app accessed while active — something many incident responses skip entirely. For session hijacking, the response window is narrow. Automated session termination combined with conditional access tightening is often the only way to cut off attacker momentum. The most mature teams pre-wire these actions into SOAR or native automation, reducing response time from hours to minutes. Measuring ITDR Effectiveness: KPIs That Matter ITDR success isn’t measured by alert volume. It’s measured by outcomes. Mean time to detect identity misuse is a critical metric, but mean time to contain is even more important. Teams should also track how often identity incidents are detected before data access occurs, and how frequently compromised identities lead to secondary incidents. Another overlooked KPI is blast radius per incident. How many apps, datasets, or sessions were reachable from a single compromised identity? Reducing that number is as important as improving detection fidelity. This is where ITDR intersects with identity architecture. Reducing Blast Radius While ITDR Fights the Fire ITDR focuses on detecting and responding to active threats. But even the fastest response can’t undo overexposed data. This is where Ensto, as a control plane in the Keywix ecosystem, fits into the story. By minimizing standing access, reducing unnecessary data exposure, and enforcing tighter identity-to-data boundaries, Ensto limits how far an attacker can move even after identity compromise.
Passwords have been the weakest link in enterprise security for decades, yet they’ve survived because every alternative either hurt usability or shifted complexity to users. Passkeys change that equation for the first time. What’s different now isn’t just the technology — it’s adoption. Industry reporting from the FIDO Alliance and identity-focused publications shows passkeys achieving around 93% sign-in success rates, with billions already in active use across consumer platforms. Enterprises are no longer experimenting in isolation; they’re building on patterns users already trust in their daily lives. For platform security leaders, the question is no longer if passkeys belong in the enterprise, but how to roll them out without breaking workflows, overwhelming the help desk, or creating recovery nightmares. This guide outlines a realistic 90-day rollout plan that balances security, usability, and operational reality — and shows how passkeys naturally support a user-controlled identity model that strengthens authentication without expanding stored personal data. Why Enterprises Are Moving Now Three pressures are converging. First, users are ready. Employees already unlock laptops and phones with biometrics dozens of times a day. Passkeys feel familiar, not foreign, which removes the biggest historical barrier to MFA adoption. Second, the security upside is immediate. Passkeys are phishing-resistant by design. There is no shared secret to steal, no password database to leak, and no push notification to fatigue into approval. For organizations battling credential-based attacks, this is a structural fix, not another patch. Third, operational costs are forcing the issue. Password resets and MFA failures remain among the top drivers of help-desk tickets. Passkeys directly reduce those events instead of trying to manage them more efficiently. The result is a rare win-win: stronger security that users actually prefer. Device-Bound vs Synced Passkeys: Choosing the Right Trust Model One of the earliest decisions enterprises must make is where passkeys live. Device-bound passkeys are stored in hardware-backed secure elements such as TPMs or secure enclaves. They offer the strongest security guarantees and are well suited for administrators, privileged roles, regulated environments, and shared workstations. The trade-off is recovery: when a device is lost or replaced, organizations need clearly defined fallback paths. Synced passkeys, on the other hand, are backed up and synchronized across a user’s devices through platform ecosystems like Apple, Google, or Microsoft. They dramatically improve usability and reduce lockouts, especially for knowledge workers who move between devices. The trust boundary is wider, but for many roles, the UX benefits outweigh the risk. In practice, most mature deployments use both. Risk-based segmentation — not ideological purity — is what makes passkeys work at enterprise scale. Days 0–30: Laying the Groundwork The first month should focus on decisions, not enforcement. Security teams need a clear picture of who will use passkeys and where. Workforce users, contractors, administrators, and partners all have different risk profiles. Access paths matter just as much: SaaS applications, internal portals, VPNs, RDP, and legacy systems all behave differently under modern authentication. This is also the moment to define recovery and break-glass policies. Passkeys reduce lockouts, but they don’t eliminate device loss or human error. Enterprises that succeed treat recovery as a first-class security flow, not an afterthought, with time-bound break-glass access and auditable recovery events. Equally important is deciding what identity data no longer needs to be stored. Passkeys allow strong authentication without passwords, knowledge-based questions, or excessive profile data. This aligns directly with Keywix’s user-controlled identity philosophy: authenticate users cryptographically while minimizing retained PII and reducing breach impact. Days 31–60: Pilot and Enrollment Experience The second phase is where theory meets reality. A small pilot group should be chosen deliberately — users on modern devices who authenticate frequently and are willing to give feedback. Their experience will expose friction early, before it becomes an enterprise-wide problem. Enrollment should feel almost boring. The most successful deployments introduce passkeys immediately after a successful login, explain the value in plain language, and complete enrollment in a single flow using existing biometrics. If users have to read documentation, adoption will stall. During this phase, passwords should remain available as a fallback. The goal is not to prove passkeys can replace everything instantly, but to validate real-world scenarios such as new device provisioning, remote access, VPN connectivity, and device replacement. Metrics matter here. Sign-in success rates, authentication time, and help-desk tickets will tell you far more than theoretical threat models. Days 61–90: Scale and Enforce with Confidence By the third month, passkeys should move from optional to expected. New users can be enrolled by default, while existing users are prompted progressively rather than forced all at once. High-risk access — administrative consoles, finance systems, external entry points — is the right place to enforce phishing-resistant authentication first. As confidence grows, legacy password flows can be retired selectively. Every removed password reduces attack surface, operational overhead, and compliance exposure. At this stage, leadership-level metrics become powerful. Organizations typically see fewer authentication failures, fewer MFA complaints, and a noticeable drop in password-related support tickets — often within weeks. The Reality of VPNs, RDP, and Legacy Systems Skepticism around passkeys often centers on enterprise edge cases, and not without reason. Modern VPNs that support SAML or OIDC integrate cleanly with passkeys, while older appliances may require phased coexistence. Windows environments benefit significantly from device-bound passkeys combined with Windows Hello for Business, particularly for RDP and administrative access. Legacy applications rarely block progress outright, but they do reinforce the need for federation layers rather than direct authentication rewrites. Passkeys don’t instantly modernize legacy infrastructure — but they make the cost of not modernizing far more visible. Help Desk Impact: Fewer Tickets, Better Outcomes One of the most consistent outcomes of passkey adoption is a shift in support load. Password resets and MFA push issues drop sharply. What replaces them are fewer, more meaningful interactions around device lifecycle and recovery. Over time, even those decrease as users become familiar with the model. The net effect is not just lower volume, but better quality support work.
Compare SAML and OIDC in 2026 and follow a pragmatic, low-risk migration path for modern identity and federation architectures. Keep SAML Where It Shines, Move Where It Hurts In 2026, the question is no longer whether OIDC is “better” than SAML. Most identity leaders already know the textbook answer. The real question is far more practical: where does SAML still make sense, where does it actively slow you down, and how do you migrate without breaking enterprise trust or uptime? Despite years of predictions about its demise, SAML is still deeply embedded in enterprise identity ecosystems. At the same time, OIDC has become the default choice for mobile apps, APIs, consumer identity, and modern SaaS platforms. This creates tension for IdP owners and SaaS product managers who need to support both worlds without doubling complexity or risk. This article lays out a realistic, non-dogmatic approach to protocol strategy in 2026: keep SAML where it works, move to OIDC where it hurts, and use deliberate bridging patterns to survive the transition. Why This Debate Still Matters in 2026 SAML is old, but it isn’t obsolete. Its endurance comes from network effects. Enterprises have thousands of existing SAML integrations with HR systems, VPNs, legacy SaaS tools, and internal applications. Replacing those integrations isn’t just a technical exercise — it involves procurement cycles, vendor negotiations, audits, and retraining IT teams. OIDC, on the other hand, was built for a different world. It aligns naturally with REST APIs, JSON, mobile apps, SPAs, and cloud-native architectures. It supports incremental consent, token-based authorization, and modern security controls in a way SAML never really evolved to handle. The result is a split reality. Most organizations aren’t choosing either SAML or OIDC. They’re running both, often without a clear strategy for how long or why. Where SAML Still Shines In workforce identity, SAML remains deeply practical. Corporate desktops, internal web applications, and long-lived enterprise SaaS integrations often rely on SAML for good reasons. It is stable, widely supported, and well understood by enterprise IAM teams. Many mature governance, provisioning, and compliance workflows are already built around it. SAML also excels in scenarios where sessions are browser-based, users authenticate infrequently, and the application surface is relatively static. In these environments, the XML-heavy nature of SAML is more annoying than dangerous, and its maturity becomes an advantage rather than a liability. For IdP owners, the biggest strength of SAML is predictability. Once a SAML integration is live, it tends to stay live for years. Where SAML Actively Hurts The pain starts when SAML is forced into modern product contexts it was never designed for. Mobile applications struggle with SAML’s browser-centric flows. APIs don’t naturally align with SAML assertions. Token refresh, fine-grained authorization, and delegated access become awkward or impossible. Operational risk is another growing concern. SAML depends heavily on X.509 certificates, and certificate rotation remains a common source of outages. Miss a rotation window, and entire customer environments can lose access. For SaaS PMs, this turns identity into a reliability risk rather than a solved problem. Finally, SAML’s verbosity and rigidity make it harder to evolve user experiences. CIAM use cases such as passwordless login, step-up authentication, and cross-device continuity are far more natural in OIDC-based designs. Why OIDC Fits Modern Identity Better OIDC was designed with APIs, mobile apps, and distributed systems in mind. Its JSON-based tokens, standardized scopes, and tight alignment with OAuth make it easier to secure modern application architectures without awkward workarounds. For CIAM and SaaS platforms, OIDC enables smoother onboarding, better developer experience, and more flexible authorization models. It integrates cleanly with modern security patterns like PKCE, token rotation, and short-lived access tokens. From a product perspective, OIDC also lowers friction. Developers understand it, SDKs are mature, and it fits naturally into cloud-native environments. That’s why most new identity platforms default to OIDC even when they continue to support SAML for enterprise compatibility. The Reality: Dual-Stack Is the New Normal For most organizations in 2026, the answer isn’t an immediate cutover. It’s a dual-stack strategy. In this model, SAML continues to serve workforce and legacy enterprise integrations, while OIDC becomes the primary protocol for mobile apps, APIs, and new customer-facing experiences. The key is intentional separation. Teams that treat dual-stack as a temporary accident often end up with duplicated logic, inconsistent policies, and higher operational risk. Successful dual-stack environments centralize identity policy while allowing protocol-specific edges. Authentication rules, risk signals, and user lifecycle management stay consistent, even though the federation protocol differs. This approach allows gradual migration without forcing enterprise customers into rushed changes they’re not ready to make. Certificate Rotation, Downtime, and Hidden Risk One of the most underestimated differences between SAML and OIDC is operational risk. SAML certificate rotation is still a leading cause of identity-related outages. It requires coordination across vendors, customers, and environments — and failures are often discovered only when users are locked out. OIDC reduces this risk by relying on dynamic key discovery and rotation through well-known endpoints. Keys can rotate transparently without breaking integrations, dramatically reducing downtime risk for SaaS providers. For platform owners, this difference alone often justifies prioritizing OIDC for new integrations, even when SAML support remains mandatory for enterprise adoption. The Keywix View: Reducing Risk Beyond the Protocol Whether you use SAML or OIDC, one truth remains constant: the biggest breaches often happen after federation succeeds. Tokens are issued, identity attributes are passed, and applications store far more sensitive data than they actually need. Keywix approaches this problem from a protocol-agnostic angle. Through tokenization and unintelligible data techniques, sensitive identity attributes can be protected regardless of whether they arrive via SAML assertions or OIDC tokens. This means applications don’t need to persist raw identity data at rest. Even if a downstream system is compromised, the exposed data is meaningless without proper context and access. For enterprises running mixed SAML and OIDC environments, this dramatically reduces blast radius and compliance exposure. In other words, while teams debate federation
If you’re an IAM or application security architect in 2026, OAuth 2.1 is no longer something you can safely “keep an eye on.” It’s already shaping how identity platforms behave, how security teams audit applications, and how modern apps are expected to authenticate users and services. OAuth 2.1 doesn’t introduce a brand-new protocol. Instead, it consolidates more than a decade of hard security lessons into a simpler, stricter core. Flows that were repeatedly abused are removed. Protections that used to be optional are now mandatory. Ambiguity is intentionally stripped away. For architects searching “OAuth 2.1 changes” or “migrate implicit flow,” the real question isn’t what changed, but how quickly you can move without breaking production systems or developer workflows. Why OAuth 2.1 Exists OAuth 2.0, published in 2012, was designed to be flexible. That flexibility helped it scale across web apps, mobile apps, SPAs, APIs, and even CLIs. Unfortunately, it also led to insecure interpretations that became widespread before the ecosystem fully understood the risks. Over time, the IETF released multiple documents to patch these issues: PKCE, Security Best Current Practice, browser-based app guidance, and stricter redirect URI handling. The problem was fragmentation. Architects had to read several RFCs just to understand what “secure OAuth” meant in practice. OAuth 2.1 solves this by folding those documents into a single, opinionated baseline. Instead of “you may” or “you should consider,” the spec now says “this is required” or “this is no longer allowed.” That shift alone is why OAuth 2.1 matters. What OAuth 2.1 Removes — and Why It Matters The most visible change is the complete removal of the Implicit flow. Originally intended for browser-only applications, Implicit was a workaround for a world that didn’t yet have PKCE. Tokens were returned directly via the browser, which exposed them to history logs, referrer headers, JavaScript injection, and malicious extensions. In real environments, this became an easy target. OAuth 2.1 formally eliminates Implicit flow. Any application still using response_type=token is now relying on a pattern the standards community considers fundamentally unsafe. The modern replacement is Authorization Code flow with PKCE, even for SPAs. Resource Owner Password Credentials (ROPC) is also gone. While it was meant for highly trusted first-party apps, in practice it encouraged applications to collect usernames and passwords directly. That expanded credential attack surfaces, weakened MFA adoption, and made phishing resistance nearly impossible. OAuth 2.1 removes ROPC to draw a clear line: if your app handles passwords, OAuth is no longer the right abstraction. These removals are not theoretical cleanups. They directly reflect how OAuth has been attacked in the real world. What OAuth 2.1 Makes Mandatory The most important requirement in OAuth 2.1 is PKCE. Proof Key for Code Exchange is no longer optional or “recommended.” It is required for all public clients, including SPAs and mobile apps. PKCE prevents authorization code interception by binding the code exchange to a cryptographically random verifier generated by the client. Even if an attacker steals the authorization code, they can’t redeem it without that verifier. This single requirement eliminates a large class of OAuth attacks that were previously considered edge cases. Redirect URI handling is also much stricter. OAuth 2.1 disallows wildcard redirects, partial matching, and dynamically supplied redirect URIs. Redirects must be explicitly registered and matched exactly. This change shuts down many token leakage attacks that exploit open redirects or URI confusion. The spec also aligns more clearly with modern browser realities. Browser-based apps are expected to use Authorization Code with PKCE, avoid long-lived tokens in the browser, and treat token storage as a high-risk activity. OAuth 2.1 no longer pretends that SPAs can be secured the same way as confidential server-side clients. Why Architects Should Act Now Although OAuth 2.1 is still an active draft on datatracker.ietf.org, the ecosystem has already moved. Major identity providers increasingly disable Implicit flow by default, mark ROPC as legacy, and enforce PKCE automatically. Security assessments routinely flag wildcard redirect URIs and browser-stored tokens as critical findings. Waiting for OAuth 2.1 to reach final RFC status is risky. By then, deprecated flows will already be operational liabilities, not just compliance gaps. From a security architecture perspective, OAuth 2.1 represents the new baseline, not an experimental future. A Practical 30 / 60 / 90-Day Migration Plan In the first 30 days, the priority is visibility. Architects should inventory OAuth clients across environments and identify where Implicit flow, ROPC, missing PKCE, or loose redirect URI rules are still in use. Logging and usage analysis often reveal forgotten admin tools, internal dashboards, or legacy mobile apps that quietly depend on deprecated patterns. Communication with development teams is critical at this stage, but production behavior should remain unchanged. Days 31 to 60 are about reducing real risk. SPAs should migrate from Implicit to Authorization Code with PKCE, which in most modern frameworks is largely a configuration change. Applications using ROPC require deeper redesign, often moving to redirect-based authentication or service-to-service flows for backend jobs. Redirect URIs should be locked down, and token lifetimes reviewed with refresh token rotation enabled where supported. By days 61 to 90, enforcement becomes realistic. Deprecated flows can be disabled, PKCE can be required globally, and wildcard redirect URIs can be rejected outright. At this stage, OAuth becomes predictable again, which is exactly what security teams want. The Keywix Perspective: Reducing Risk After OAuth OAuth 2.1 significantly improves how authorization is performed, but many breaches still occur after tokens are issued. Applications frequently store identity attributes, user profiles, and session data long after they are needed. This is where Ensto by Keywix offers a complementary approach. Instead of encouraging apps to persist identity data post-OAuth, Ensto minimizes what applications ever store. Identity context is fetched only when required, scoped tightly, and not duplicated across services. For architects, this means a smaller breach blast radius, fewer compliance concerns, and less sensitive data sitting at rest inside applications. OAuth 2.1 hardens the front door, while Ensto reduces what’s worth stealing inside.
SaaS has changed how we work. You sign up in minutes, log in from anywhere, and collaborate in real-time. But while SaaS innovation moves at lightning speed, security often lags. We are still dragging old assumptions into a new world. Today, companies face a tough balancing act: Protect sensitive data or keep the user experience fast. If you have too much security, users complain and find workarounds. If you have too little, you risk data leaks and broken trust. The good news? You don’t have to choose. You just need to rethink how SaaS security works. The SaaS Security Balancing Act Growth outpaced security SaaS exploded because it removed friction. No installs, no VPNs, no long setups. Security, however, stayed stuck in an “on-premise” mindset. It was built for closed networks and static users. The result is security controls that feel bolted on, rather than built-in. The false trade-off Many teams believe they must choose between strong security and great UX. So, they compromise. And compromise is where risk sneaks in. Modern security doesn’t have to interrupt users. It just has to be designed differently. Why Traditional Models Fall Short The perimeter is gone Old firewalls worked when apps lived in one place. In SaaS, the “perimeter” is everywhere. Once users log in, most traditional defences step aside. “Log in = Trust” is dangerous Authentication is vital, but it isn’t a safety net. Once inside, users—or attackers with stolen credentials—often see far more data than they should. This isn’t just a hacking problem. It is a design problem. SaaS breaches are often quiet Not every breach involves sophisticated malware. Many happen simply because of: Over-permissioned users. Misused admin access. Data exposed exactly as designed. The Real Risk: PII Everywhere SaaS loves duplication CRMs, HR tools, and support desks all store their own versions of user data. The same PII lives in multiple systems, creating multiple risks. The more copies that exist, the harder they are to protect. Readable PII in internal tools Internal dashboards often display raw PII by default. Support agents and analysts get full visibility, even if they don’t need it. This is how accidental leaks happen. Attackers target identity first Passwords change. Tokens expire. Identity data sticks. PII fuels phishing and fraud, which is why attackers target it first. The Myth: Security Must Be Painful Bad UX weakens security Constant MFA prompts and session timeouts create “security fatigue”. Users click “approve” without thinking, or they find risky shortcuts like sharing passwords. Security should be invisible The best SaaS security feels like good design. If users notice it constantly, something is wrong. A Better Approach: Privacy by Design Minimise exposure, don’t break features Most workflows don’t require raw PII. Masked data, tokens, or abstract identifiers often work just as well. Protect specific fields, not just systems Instead of locking down entire apps, modern security focuses on: Specific data fields. Specific contexts. Specific use cases. Unintelligible by design Unreadable doesn’t mean unusable. Data can appear as tokens or masked values. Users can still complete their tasks, but if an attacker steals the data, they get nothing useful. IAM Isn’t Enough Where IAM stops short Identity and Access Management (IAM) answers: Who are you? and Can you log in? But once access is granted, IAM steps aside. It doesn’t control what data is displayed or whether it remains readable. Data-centric controls Modern security combines IAM with data-level protection. IAM decides who enters; data security decides what they can actually see and use. Compliance Without Complexity Smaller scope, fewer headaches Regulations like GDPR and DPDP demand data minimisation. When systems store less readable PII, compliance audits shrink. There is simply less data to review and worry about. Resilience beats prevention Perfect prevention is a myth. Breaches will happen. The goal is to limit the “blast radius”. If exposed data is unreadable, the damage stays contained. The Future of SaaS Security The future isn’t about locking down apps. It is about protecting data wherever it flows. Strong PII protection doesn’t have to be loud or slow. It works quietly in the background, preserving trust and letting users focus on their work. By rethinking how PII is exposed, SaaS platforms can finally stop choosing between security and experience. The future belongs to the products that get both right.
