Module 5: Authentication & Identity Management

Why is identity now the single most consequential security control in the stack?

The Arup deepfake fraud, the MGM ransomware, and the rolling wave of credential-stuffing breaches share a single root cause: identity controls that were not designed for the threats of 2026. This module is the executive view of authentication and identity management: what good looks like, what is provably broken, and how to read any identity vendor's claims against the underlying mechanics.

What you'll learn in this module

• The authentication factors (something you know, have, are, do) and which combinations are actually phishing-resistant
• MFA, passkeys, FIDO2, WebAuthn: what each delivers, what each leaves unsolved, and the rollout patterns that actually move risk
• Identity providers, single sign-on, and federation: what each is, where they sit in the architecture, and the failure modes of each
• Privileged access management and the workforce-versus-customer identity split that almost every organization gets wrong
• Identity threats in 2026: account takeover, MFA fatigue, session hijacking, AI-assisted social engineering, deepfake voice and video

The complete module gives executives the working model of identity that lets them prioritize the controls that actually move risk against the threats that actually matter.