By NHI Mgmt Group Editorial TeamPublished 2026-03-06Domain: Governance & RiskSource: Descope

TL;DR: Device and behavioral signals can help distinguish legitimate users from account takeover, fake account creation, and distributed automation, according to Descope’s connector overview and its cited Cifas Fraudscape 2025 finding that account takeover cases jumped 76% in 2024. The governance problem is that authentication alone cannot resolve identity trust when fraud tools make attackers look valid.


At a glance

What this is: This is Descope’s analysis of how device and behavioral risk signals can be embedded into authentication flows to reduce account takeover, fake account creation, and automated abuse.

Why it matters: It matters because IAM and customer identity teams need controls that work after credentials look valid, not just at the point of login.

By the numbers:

👉 Read Descope's analysis of account fraud controls with device and behavior intelligence


Context

Account takeover and fake account creation remain governance problems as much as fraud problems. When credentials, browser sessions, and device signals are all treated as trustworthy by default, attackers can look legitimate long enough to get through the front door. This article is about adding device intelligence and behavioral scoring into authentication flows so identity controls can make a better decision before access is granted.

For IAM, CIAM, and fraud teams, the practical question is where to place trust decisions when the user journey is being attacked by automation, proxies, and spoofed devices. The source argues that step-up verification and adaptive blocking work better when authentication is informed by session-level risk rather than credentials alone.


Key questions

Q: How should security teams use device intelligence in account takeover prevention?

A: Security teams should use device intelligence as an authentication input, not a post-login forensic signal. The goal is to evaluate whether the browser, environment, and session behave like a legitimate user before access is granted. When device reuse, spoofing, or emulation appears, the flow should add verification or block the attempt.

Q: Why do credential checks fail against fake account creation and fraud rings?

A: Credential checks fail because fraud rings can use valid-looking data, proxies, and scripted journeys to pass the first gate. The deeper problem is that identity quality is being evaluated too late and with too little context. Behavioral and device signals reveal whether a signup is part of a coordinated abuse pattern.

Q: What do security teams get wrong about adaptive authentication?

A: Teams often treat adaptive authentication as a user experience feature rather than a control plane for trust decisions. If the score is not tied to a clear action, it becomes telemetry without enforcement. Effective programmes define when to allow, challenge, or block based on live journey risk.

Q: How can IAM and fraud teams reduce friction without weakening controls?

A: They should target friction only at sessions that show abnormal behavior, device anomalies, or repeated infrastructure reuse. Trusted users should move with minimal interruption, while suspicious activity gets stepped-up verification or denial. That preserves usability while shifting control effort toward real abuse.


Technical breakdown

How behavioral risk scoring changes authentication decisions

Behavioral risk scoring evaluates interaction patterns such as typing cadence, navigation consistency, velocity, and whether the journey looks scripted or human-driven. In practice, this is not about replacing authentication. It is about adding a second decision layer that compares current-session behavior with expected user patterns, then combines that signal with other context to estimate fraud risk. That matters because valid credentials can still belong to an attacker, and a legitimate account can still be used through automation. When the score is high, the flow can require more verification or stop the request altogether.

Practical implication: feed behavioral telemetry into authentication so suspicious sessions can be challenged before account creation or login completes.

Why device profiling catches repeat fraud infrastructure

Device profiling looks for signals that survive credential changes and IP rotation, such as browser tampering, emulation, virtual environments, device reuse, and spoofing artifacts. A durable device profile helps teams connect multiple sessions or accounts to the same fraud tooling, even when attackers try to fragment activity across time. That makes device intelligence valuable for spotting synthetic identity abuse and account takeover rings that would otherwise look unrelated. The important distinction is persistence: device signals can remain visible after the attacker changes accounts, but they must be evaluated at runtime to be useful.

Practical implication: pair device profiling with journey controls so repeat infrastructure can be blocked even when sessions appear fresh.

Adaptive authentication for fraud prevention and user journeys

Adaptive authentication adjusts the user journey based on risk rather than applying the same checks to every login or signup. That can mean allowing low-risk users to proceed, requesting step-up MFA, or blocking and recording a suspicious attempt. The technical value is not in the challenge itself, but in the sequencing: the risk engine evaluates signals while the flow is still active, so the decision can shape the next step immediately. This works best when behavioral and device intelligence are available at the same point in the journey, not after the session has already been accepted.

Practical implication: map risk scores to explicit journey actions so authentication becomes a live control, not just a static gate.


Threat narrative

Attacker objective: The objective is to convert valid-looking identity activity into fraud outcomes while avoiding detection by conventional authentication controls.

  1. Entry begins when attackers use stolen credentials, automated tooling, or fake registrations to enter user journeys that look legitimate at the authentication layer.
  2. Escalation occurs when they add proxy networks, device spoofing, emulation, and account reuse to hide automation and increase the success rate of repeated attempts.
  3. Impact follows when attackers reach account takeover, promotion abuse, fraudulent transactions, or persistent fake-account infrastructure that is hard to distinguish from real users.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Authentication is no longer a sufficient trust boundary when fraud tooling can mimic legitimate identity behavior. The article shows why credentials alone do not prove user legitimacy, especially when attackers combine stolen logins, proxy networks, and device spoofing. That shifts the governance problem from password strength to trust evaluation across the entire user journey. Practitioners should treat authentication as one signal inside a broader identity decision model.

Device intelligence is a governance control, not just a fraud feature. Persistent device correlation helps teams detect repeat abuse across accounts, which is exactly where simple login defenses fail. The important shift is that device reuse and spoofing are identity patterns, not only security anomalies. For IAM and CIAM programmes, this makes device telemetry part of lifecycle and risk governance, not a bolt-on checkout rule.

Adaptive authentication works only when risk decisions are made before the journey closes. If scoring happens after the account is created or the transaction is complete, the control is already behind the attacker. The article reinforces a broader NHI and IAM lesson: runtime trust decisions must be tied to the moment of action, not to a static entry checkpoint. The practitioner implication is to design flows that can still interrupt abuse while the session is live.

Account takeover and fake account creation reveal an identity blast radius problem. Once fraud actors establish trusted-looking identities, the damage spreads across onboarding, login, promotions, and transactions. This is not a single control failure. It is a chain of trust failures across the customer journey, which means governance has to follow the full path of identity use rather than a single authentication event.

Behavioral and device signals create a named concept we should track: journey-level identity trust. That means trust is evaluated at each material step in signup or sign-in, not assumed at the edge of authentication. The article shows why this matters for modern identity programmes: the more fraud adapts, the more identity decisions need to be contextual, continuous, and tied to observed behavior.

From our research:

  • Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation, according to AI Agents: The New Attack Surface report.
  • 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems, inappropriately sharing sensitive data, and revealing access credentials.
  • That pattern makes OWASP Agentic Applications Top 10 a useful next reference when identity decisions move from static login checks to runtime behavior analysis.

What this signals

The market signal here is that identity and fraud teams are moving toward journey-aware controls because static authentication no longer tells the full story. When device reuse and behavioral anomalies can be observed at the point of action, trust can be evaluated continuously instead of assumed once at the edge. That makes contextual identity controls part of the core programme, not an optional enhancement.

Journey-level identity trust: the useful pattern is to treat signup, login, and transaction steps as separate trust decisions rather than one authentication event. That matters because fraud often enters through a valid credential or a believable registration, then expands into account abuse later. Teams that cannot distinguish those stages will keep over-focusing on the login screen.

The broader implication is that fraud prevention and identity governance are converging. The more organizations instrument device integrity and behavioral telemetry, the more they can connect abuse patterns across accounts and sessions, which is especially relevant where customer journeys are high-volume and attacker economics favor automation.


For practitioners

  • Embed device signals into authentication flows Send browser, session, and device integrity data into the login or signup flow so the system can evaluate risk before access is granted. Use the result to route users to allow, step-up verification, or block decisions.
  • Correlate repeat device patterns across accounts Look for device reuse, spoofing, emulation, and other persistent markers that connect apparently separate registrations or logins to the same fraud infrastructure.
  • Map risk scores to explicit journey outcomes Define which thresholds trigger extra verification, which trigger deny, and which trigger record-only handling so adaptive authentication behaves consistently under attack.
  • Separate legitimate friction from fraud friction Tune controls so trusted users on known devices experience minimal interruption while suspicious sessions receive additional checks, especially at signup and high-risk transactions.

Key takeaways

  • Valid credentials are not enough to prove legitimacy when attackers can combine automation, proxy networks, and spoofed devices.
  • The cited 76% rise in account takeover cases shows that fraud pressure is already high enough to justify stronger journey-level controls.
  • Teams should tie device and behavioral signals directly to allow, challenge, or block decisions so identity controls can stop abuse while the session is still live.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Authentication decisions must account for fraud signals beyond credentials.
NIST CSF 2.0DE.AE-2Behavioral anomalies and device reuse are detection signals for abuse.
NIST Zero Trust (SP 800-207)3.2Continuous verification fits the article's context-driven authentication model.

Use contextual signals to continuously re-evaluate trust during the session, not only at sign-in.


Key terms

  • Behavioral Risk Scoring: Behavioral risk scoring is the process of evaluating how a user or session behaves during a journey and translating that into a trust decision. It looks at signals such as navigation patterns, typing cadence, velocity, and scripted interaction to detect fraud or automation.
  • Device Profiling: Device profiling is the creation of a persistent identity for the browser or endpoint used in a session. It helps teams recognize spoofing, emulation, reuse, and tampering across logins or registrations, even when the attacker changes credentials or IP address.
  • Adaptive Authentication: Adaptive authentication is a control model that changes the user journey based on observed risk. Instead of using one fixed challenge for every session, it can allow access, require step-up verification, or block the attempt when signals suggest fraud or compromise.
  • Journey-Level Identity Trust: Journey-level identity trust is the practice of treating signup, login, and transaction stages as separate trust decisions. It recognizes that identity risk can change during the session, so controls must evaluate behavior and context continuously rather than assuming trust from the first successful authentication.

What's in the full article

Descope's full blog post covers the operational detail this post intentionally leaves for the source:

  • Flow-level examples showing how device checks and behavioral scoring are inserted into signup and login journeys.
  • The connector data path between Descope Flows and Darwinium risk signals for adaptive decisions.
  • Specific risk signals such as proxy usage, browser spoofing, device reuse, and low-and-slow automation.
  • The practical split between allow, challenge, and block outcomes inside the authentication flow.

👉 The full Descope post shows how the connector behaves across signup, login, and high-risk journey steps.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-03-06.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org