
MFA and IAM in Practice: Key Takeaways from the Cybersecurity NIS2 Business Breakfast

December 17, 2025
At the Cybersecurity NIS2 Business Breakfast, held on November 5th in Zagreb, ASEE focused on identity security as a core requirement for regulatory compliance and practical cyber defense.

Through two complementary presentations, Maja Šporčić and Dubravko Kovačić, Product Managers at ASEE, addressed authentication and identity management from both a security and a governance perspective.

Maja’s session focused on modern MFA technologies, while Dubravko broadened the topic to Identity and Access Management (IAM) and Identity Governance and Administration (IGA) as the foundations of long-term control and compliance.

Modern MFA as a Foundation of Identity Security

In her presentation, Maja Šporčić focused on the role of multi-factor authentication in preventing identity-based attacks. As phishing and credential theft remain dominant attack vectors, relying solely on passwords is no longer sufficient. MFA has therefore become a mandatory control rather than an optional security enhancement.

Maja presented the evolution of authentication methods and explained how FIDO-based hardware and software authenticators address the weaknesses of traditional authentication. Hardware security keys offer the strongest protection because the credential is a cryptographic key pair bound to the origin of the relying party: a lookalike site cannot obtain a usable assertion, and the user never types a secret that could be phished or replayed. They are particularly suitable for privileged users and high-risk roles where the impact of account compromise is significant.

At the same time, Maja emphasized the importance of software-based authenticators as a scalable and user-friendly option. FIDO platform authenticators built into phones and laptops keep the same origin binding as a hardware key while avoiding the logistical complexity of distributing physical devices, which makes them well suited for organizations seeking wider adoption without giving up phishing resistance; one-time-code apps, by contrast, still hand the user a secret that a phishing page can relay. Together, hardware and software authenticators let organizations align authentication strength with risk.
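To make the origin binding concrete, the following is an added example of the checks a relying party performs on a FIDO/WebAuthn assertion; it is not ASEE's code or any product's. The RP ID, the origins and the user names are assumptions, and the authenticator's ECDSA signature is replaced by an HMAC over the same message so the example runs on the Python standard library alone. The origin, rpIdHash, challenge and signature-counter checks are the real WebAuthn rules, and the demo shows why a lookalike site, a cross-RP forgery and a replay all fail.

```python
import base64
import hashlib
import hmac
import json
import os
import struct
from urllib.parse import urlparse

# Added example, not ASEE's code. RP_ID and the origins are hypothetical. The
# authenticator's ECDSA signature is replaced by an HMAC over the same message
# (authenticatorData || SHA-256(clientDataJSON)) so this runs on the standard library.

RP_ID = "bank.example"
ALLOWED_ORIGINS = {"https://bank.example"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class FakeAuthenticator:
    """Stand-in for a security key; credentials are scoped to one RP ID, as FIDO requires."""

    def __init__(self):
        self.credentials = {}  # rp_id -> [key, signature counter]

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)   # stand-in for the per-credential private key
        self.credentials[rp_id] = [key, 0]
        return key             # what the RP stores as the credential's public key

    def get_assertion(self, rp_id: str, client_data: bytes):
        if rp_id not in self.credentials:
            return None        # no credential scoped to this RP: nothing to sign
        cred = self.credentials[rp_id]
        cred[1] += 1
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([0x01])                 # flags: user present
                     + struct.pack(">I", cred[1]))   # signature counter
        msg = auth_data + hashlib.sha256(client_data).digest()
        return {"clientDataJSON": client_data, "authenticatorData": auth_data,
                "signature": hmac.new(cred[0], msg, hashlib.sha256).digest()}

def browser_get(authenticator, page_origin: str, challenge: bytes):
    """The browser, not the page, writes the origin and derives the RP ID from it."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}, separators=(",", ":")).encode()
    return authenticator.get_assertion(urlparse(page_origin).hostname, client_data)

def verify_assertion(assertion, expected_challenge: bytes, credential_key: bytes,
                     last_counter: int):
    """Relying-party checks, roughly in the order the WebAuthn spec lists them."""
    client = json.loads(assertion["clientDataJSON"])
    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(b64url_decode(client["challenge"]), expected_challenge):
        return False, "challenge mismatch (replay?)"
    if client.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {client.get('origin')!r} not allowed"
    auth = assertion["authenticatorData"]
    if auth[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth[32] & 0x01:
        return False, "user presence not asserted"
    counter = struct.unpack(">I", auth[33:37])[0]
    if counter <= last_counter:
        return False, "signature counter did not increase (cloned authenticator?)"
    msg = auth + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected_sig = hmac.new(credential_key, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, assertion["signature"]):
        return False, "bad signature"
    return True, counter

def demo():
    authn = FakeAuthenticator()
    bank_key = authn.register(RP_ID)
    challenge = os.urandom(32)
    results = {}
    # 1. Legitimate login on the real origin.
    legit = browser_get(authn, "https://bank.example", challenge)
    results["legit"] = verify_assertion(legit, challenge, bank_key, 0)
    # 2. Lookalike site relaying the bank's challenge: the authenticator holds no
    #    credential for bank-example.com, so the attacker receives nothing.
    results["lookalike"] = browser_get(authn, "https://bank-example.com", challenge)
    # 3. Attacker's own site got the user to register there, takes an assertion for
    #    evil.example and rewrites the origin field before forwarding it to the bank.
    authn.register("evil.example")
    stolen = browser_get(authn, "https://evil.example", challenge)
    forged = dict(stolen, clientDataJSON=stolen["clientDataJSON"].replace(
        b"https://evil.example", b"https://bank.example"))
    results["cross_rp"] = verify_assertion(forged, challenge, bank_key, 0)
    # 4. Patching rpIdHash as well leaves a signature made with the wrong key.
    forged["authenticatorData"] = hashlib.sha256(RP_ID.encode()).digest() + stolen["authenticatorData"][32:]
    results["forged"] = verify_assertion(forged, challenge, bank_key, 0)
    # 5. Replaying the genuine assertion against a fresh challenge fails too.
    results["replay"] = verify_assertion(legit, os.urandom(32), bank_key, 0)
    return results
```

The order of the checks matters in practice: the challenge and origin are validated before any cryptography, and the signature covers both clientDataJSON and authenticatorData, so neither field can be edited after the fact.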


Identity Challenges That MFA Alone Cannot Solve

While strong MFA significantly reduces the risk of unauthorized access, the session made it clear that authentication alone does not solve broader identity challenges. Organizations often struggle with fragmented identity environments, unclear access rights, excessive privileges, manual access assignment, and inactive or duplicated accounts.

These issues directly affect security, auditability, and compliance with regulatory frameworks such as NIS2 and GDPR, reinforcing the need for structured identity management.

From Authentication to Control: The Role of IAM

Building on the authentication topic, Dubravko Kovačić presented how Identity and Access Management (IAM) provides the necessary structure and governance across the entire identity lifecycle. IAM ensures that access is not only secure at login, but also appropriate throughout a user’s time within the organization.

Dubravko explained how centralized user and role management, combined with Single Sign-On and fine-grained access policies, helps organizations regain visibility and control. Lifecycle management, from onboarding to offboarding, ensures that access rights are aligned with business roles and removed promptly when no longer needed. This reduces both operational overhead and security risk.

In addition to core IAM capabilities, the presentation covered advanced authentication methods, adaptive authentication based on risk scoring, and action-based authorization tailored to specific business processes. Support for network authentication through Remote Authentication Dial-In User Service (RADIUS) further extends centralized control across infrastructure and applications.


IAM and IGA: Governance, Visibility, and Compliance

A key part of Dubravko’s presentation was the distinction between IAM and Identity Governance and Administration (IGA). While IAM focuses on enabling access, IGA introduces oversight, accountability, and compliance.

IGA adds structured access reviews, certification processes, segregation of duties controls, and policy management. These capabilities allow organizations to clearly demonstrate who has access to which systems and why, supported by audit-ready reporting. Role mining and intelligent role management further help reduce excessive privileges and support the principle of least privilege.

Together, IAM and IGA ensure that access decisions are both technically enforced and business-justified.

Automation and Continuous Control

Automation was highlighted as a critical best practice for effective identity management. By triggering identity changes through HR events, organizations can automate onboarding, role changes, and offboarding. Policy- or role-based provisioning, combined with integration into systems such as SAP or Salesforce, ensures consistent access management across the IT landscape.
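The two mechanisms described above, role-based provisioning triggered by HR events and the segregation-of-duties checks from the IGA part of Dubravko's talk, fit together in one reconciliation loop. The following is an added example, not ASEE's code or any product's; the role names, entitlement names, target systems and HR event format are assumptions. It shows a joiner, a mover whose new role combination violates an SoD rule and is blocked, a manual out-of-band grant that the next reconciliation removes, and a leaver whose access is revoked in full.

```python
from dataclasses import dataclass, field

# Added example, not ASEE's code. Roles, entitlements, systems and the HR event
# shape are hypothetical. Pattern: HR events set desired roles, roles map to
# entitlements, SoD rules are checked before anything is granted, and every
# grant or revoke lands in an audit trail.

ROLE_ENTITLEMENTS = {
    "accounts_payable": {"sap:AP_INVOICE_POST", "salesforce:READ_ONLY"},
    "purchasing":       {"sap:PO_CREATE", "salesforce:READ_ONLY"},
    "sales":            {"salesforce:OPPORTUNITY_EDIT"},
}

# Toxic combination: nobody should both create a purchase order and post its invoice.
SOD_RULES = [("sap:PO_CREATE", "sap:AP_INVOICE_POST")]


@dataclass
class Identity:
    roles: set = field(default_factory=set)
    entitlements: set = field(default_factory=set)
    active: bool = True


def desired_entitlements(roles):
    target = set()
    for role in roles:
        target |= ROLE_ENTITLEMENTS[role]   # unknown role raises KeyError, on purpose
    return target


def sod_violations(entitlements):
    return [(a, b) for a, b in SOD_RULES if a in entitlements and b in entitlements]


class Provisioner:
    def __init__(self):
        self.identities = {}
        self.audit = []   # (user, action, detail): what an access review is built from

    def handle_hr_event(self, event):
        """Joiner/mover/leaver. Returns the SoD conflicts that blocked the change, if any."""
        user, kind = event["user"], event["type"]
        ident = self.identities.setdefault(user, Identity())
        if kind in ("join", "move"):
            new_roles, active = set(event["roles"]), True
        elif kind == "leave":
            new_roles, active = set(), False
        else:
            raise ValueError(f"unknown HR event type {kind!r}")
        conflicts = sod_violations(desired_entitlements(new_roles))
        if conflicts:
            # Nothing changes; the request goes to the access-review queue instead.
            self.audit.append((user, "sod_blocked", conflicts))
            return conflicts
        ident.roles, ident.active = new_roles, active
        self._reconcile(user, ident)
        return []

    def reconcile_all(self):
        """Periodic run that removes drift, e.g. entitlements granted by hand."""
        for user, ident in self.identities.items():
            self._reconcile(user, ident)

    def _reconcile(self, user, ident):
        target = desired_entitlements(ident.roles)
        for ent in sorted(target - ident.entitlements):
            self.audit.append((user, "grant", ent))
        for ent in sorted(ident.entitlements - target):
            self.audit.append((user, "revoke", ent))
        ident.entitlements = target


def demo():
    p = Provisioner()
    p.handle_hr_event({"type": "join", "user": "ana", "roles": ["accounts_payable"]})
    p.identities["ana"].entitlements.add("sap:SE16")   # out-of-band manual grant (drift)
    p.reconcile_all()                                   # drift is revoked
    # Mover event that would combine two conflicting roles: blocked, nothing granted.
    conflicts = p.handle_hr_event({"type": "move", "user": "ana",
                                   "roles": ["accounts_payable", "purchasing"]})
    p.handle_hr_event({"type": "move", "user": "ana", "roles": ["purchasing"]})
    p.handle_hr_event({"type": "leave", "user": "ana"})
    return p, conflicts
```

Two design points carry over to real deployments: the desired state is always recomputed from roles rather than patched incrementally, so a mover loses the old role's access automatically, and the SoD check runs on the target state before any connector is called, so a blocked request leaves no half-granted access behind.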

Continuous monitoring, detailed audit trails, and anomaly detection help organizations identify unusual behavior, privilege escalation, and unmanaged access. The presentation also addressed managing privileged accounts through privileged access management (PAM), applying just-in-time access for critical systems so that standing administrative rights become the exception rather than the rule, and detecting and addressing shadow IT.

The Role of AI in Identity Management

The session concluded with an overview of how AI can support IAM and IGA processes. AI-based capabilities enable the consolidation of duplicate user accounts through entity recognition, analysis of access usage to identify unnecessary entitlements, and generation of recommendations for access optimization. AI also improves auditability by tracking identity changes and supporting compliance with NIS2 and GDPR requirements.

Conclusion

The Cybersecurity NIS2 Business Breakfast made the case that effective identity security requires both strong authentication and structured identity management. MFA, particularly when based on FIDO standards, protects access at the point of authentication. IAM and IGA ensure that access is appropriate, governed, and auditable throughout the identity lifecycle.

Together, these components help organizations mitigate identity-related risks, comply with regulatory obligations, and establish a sustainable approach to cybersecurity.
