TL;DR: Credential stuffing can account for up to 44% of all login attempts in a single day for some organisations, according to the Verizon 2025 Data Breach Investigations Report, and Descope says adding Arkose Bot Manager signals into authentication flows helps block automated attacks before session creation. Traditional sign-in controls fail when the attacker presents valid credentials but abnormal behaviour.
At a glance
What this is: This is Descope’s analysis of integrating Arkose Bot Manager into sign-in flows to detect and block credential stuffing, account takeover, and low-and-slow automation before a session is created.
Why it matters: It matters because IAM teams need controls that evaluate behavioural risk at login, not just credential validity, across human identity, fraud-adjacent abuse, and downstream access paths.
By the numbers:
- Credential stuffing accounted for up to 44% of all login attempts in a single day for certain organizations.
- 80% of identity breaches involved compromised non-human identities such as service accounts and API keys.
- Only 5.7% of organisations have full visibility into their service accounts.
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
👉 Read Descope's analysis of Arkose Bot Manager connectors for sign-in security
Context
Credential stuffing and automated login abuse exploit a basic sign-in weakness: many authentication systems still trust valid credentials too much and behavioural context too little. When attackers reuse stolen passwords, rotate infrastructure, and spread attempts across time, traditional rate limits and WAF rules often miss the pattern.
For IAM teams, the issue is not just account takeover. Once automated access gets through the login layer, it can become the entry point for fraud, data exposure, and broader access governance problems across user sessions, downstream applications, and related non-human workflows.
Key questions
Q: How should security teams stop credential stuffing without blocking legitimate users?
A: Security teams should combine behavioural risk scoring with adaptive enforcement at the authentication layer. That means evaluating device reputation, interaction patterns, and network context before session creation, then using step-up MFA or block decisions only when the risk is high enough to justify friction. Static rate limits alone are not enough against distributed automation.
Q: Why do valid credentials still lead to account takeover risk?
A: Valid credentials can still be dangerous because they prove only that a username and password match, not that the person or script using them is authorised. Attackers reuse breached passwords, rotate infrastructure, and mimic normal login behaviour. Once a session is created, downstream applications often trust it as legitimate.
Q: What do security teams get wrong about low-and-slow login attacks?
A: Teams often focus on IP frequency and request volume, but low-and-slow attacks are designed to stay below those thresholds. The more reliable signal is infrastructure reuse across time, accounts, and network changes. Device fingerprinting and behavioural consistency matter more than raw login velocity in these cases.
Q: How do account takeover controls differ from fraud detection at sign-in?
A: Account takeover controls focus on preventing unauthorised access to a user session, while fraud detection often looks for broader abuse patterns after access is obtained. At sign-in, both need to converge on the same decision point, because a successful automated login can be the first step in fraud, data theft, or lateral misuse.
Technical breakdown
Behavioural risk scoring at authentication time
Behavioural risk scoring evaluates device signals, interaction patterns, network reputation, and historical fraud indicators during the login attempt itself. The point is not to identify a perfect human, but to separate normal user behaviour from scripts, emulators, browser automation, and bot networks. When the login layer has access to both client-side telemetry and server-side analysis, it can make a decision before the session is established. That matters because credential stuffing often succeeds with valid usernames and passwords, which makes credential quality a weak signal on its own.
Practical implication: move beyond password validation and require a risk signal that can challenge or block automated sign-in attempts in real time.
Device fingerprinting and attack infrastructure reuse
Device fingerprinting gives security teams a way to recognise the same automation infrastructure across different IP addresses, accounts, and time windows. Unlike IP reputation alone, device identity can expose low-and-slow attacks that intentionally distribute activity to stay below rate thresholds. In practice, this means the attacker’s tooling becomes the anchor point for detection, not the individual login attempt. A persistent device profile can also reveal cross-account abuse patterns that would otherwise look like unrelated failed logins.
Practical implication: correlate login events by device identity so distributed attacks do not disappear when attackers rotate IPs.
Adaptive authentication flows and enforcement
Adaptive authentication combines risk scoring with policy enforcement, so the response can shift between allow, challenge, and block. This is different from static MFA because the control decision is based on current context rather than a fixed rule applied to every user. In the article’s flow model, the authentication system evaluates credentials and bot signals in parallel, then applies step-up checks or enforcement only when the risk score justifies it. That keeps legitimate users moving while increasing friction for automation.
Practical implication: wire behavioural signals into policy decisions so authentication can respond proportionally instead of treating all logins the same.
Threat narrative
Attacker objective: The attacker aims to turn stolen or tested credentials into authenticated sessions that can be used for account takeover, fraud, and downstream compromise.
- Entry occurs when attackers submit stolen username and password pairs into the authentication flow, often at scale across many accounts and services.
- Credential access is abused when the platform accepts the credentials as valid even though the behavioural context shows automation, proxy rotation, or emulator use.
- Impact follows when the attacker gains account access for takeover, fraud, or lateral abuse across downstream services that trust the authenticated session.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- IOS app secrets leakage report — iOS apps leaking hardcoded secrets and credentials endangering user privacy.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Behavioural validation is becoming a core identity control, not a fraud add-on. Authentication no longer starts and ends with password correctness. When attackers can industrialise login abuse with valid credentials, the decisive control becomes the ability to evaluate device, network, and interaction context before a session is issued. Practitioners should treat behavioural analysis as part of access decisioning, not an optional overlay.
Identity blast radius starts at the sign-in layer. A successful automated login is not a contained event. It can create downstream access that bypasses app-level controls, pollute fraud telemetry, and weaken trust in every session created from the same credential set. The more systems accept a login as proof of legitimacy, the more one compromised credential pair can fan out across the environment. IAM teams need to think in terms of session consequence, not just authentication success.
Bot networks expose a control gap that static thresholds cannot close. Rate limiting, IP blocking, and WAF rules were designed for noisy abuse patterns, not distributed human-like automation. Arkose-style telemetry shows why the attacker’s true unit of reuse is often the device fingerprint or automation environment, not the source IP. Practitioners should recognise that infrastructure-aware detection changes the economics of abuse far more than threshold tuning alone.
Account takeover and credential stuffing are converging at the same trust boundary. The same sign-in flow now has to answer two questions at once: is this a legitimate user, and is this access attempt part of an automated abuse campaign? Those questions require different evidence, but they meet at the same policy point. IAM programmes that separate authentication from abuse detection are leaving the trust boundary too wide.
Human login controls are increasingly being asked to govern machine behaviour. The article’s problem is not human misuse alone. It is the use of automation that mimics human sign-in patterns closely enough to pass legacy controls. That means identity teams need governance models that recognise behavioural impersonation as a first-class risk. Practitioners should reframe sign-in security around proof of intent, not just proof of possession.
From our research:
- 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
- Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs shows why lifecycle control has to match identity type, not just access volume.
What this signals
Behavioural authentication is becoming a governance issue, not just an anti-bot feature. Once login decisions depend on device reputation and interaction context, IAM teams need a clearer policy boundary between identity verification and abuse detection. That boundary should be explicit in control design, logging, and incident response so a successful login does not become an invisible trust grant.
Credential abuse is now a session-level risk rather than a perimeter event. The practical effect is that teams must watch for access paths that assume a valid session is safe by default. That assumption weakens quickly in modern applications where one authenticated session can unlock multiple services, APIs, and privileged workflows.
For organisations already struggling with NHI governance, the lesson is structural. If 71% of NHIs are not rotated within recommended time frames, according to the Ultimate Guide to NHIs, then trust at sign-in is only one part of a larger lifecycle problem. Identity programmes need to treat access creation, access reuse, and access retirement as connected controls, not isolated tasks.
For practitioners
- Add behavioural signals to sign-in policy Feed device reputation, interaction telemetry, and network context into login decisions so the authentication layer can distinguish real users from automation before session creation.
- Correlate attempts by device, not only IP Track repeated login activity across IP rotation, user-agent changes, and account targets so low-and-slow campaigns remain visible even when infrastructure is distributed.
- Use step-up controls selectively Challenge suspicious sessions with MFA or bot enforcement only when risk signals justify it, so legitimate users are not forced into blanket friction.
- Review downstream access assumptions Map which applications trust the authenticated session without additional checks, then tighten those paths where a successful automated login would create disproportionate impact.
Key takeaways
- Automated login abuse succeeds when authentication trusts credentials without enough behavioural context.
- Device fingerprinting and adaptive enforcement shift detection from static thresholds to reusable attacker infrastructure.
- IAM teams should treat sign-in as a policy decision point that can block account takeover before session creation.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Login decisions rely on authentication evidence and context. |
| NIST Zero Trust (SP 800-207) | PR.AC-7 | Continuous verification aligns with adaptive authentication at sign-in. |
| NIST SP 800-63 | Digital identity assurance is central to distinguishing legitimate users from automated abuse. |
Apply assurance-based sign-in controls that distinguish proof of possession from proof of legitimacy.
Key terms
- Behavioural risk scoring: Behavioural risk scoring evaluates login context such as device reputation, network signals, and interaction patterns to estimate whether an access attempt is legitimate. In identity programmes, it adds evidence that passwords alone cannot provide, especially when automated abuse reuses valid credentials at scale.
- Device fingerprinting: Device fingerprinting is the practice of recognising a device or automation environment using technical and behavioural characteristics that persist across sessions. For IAM teams, it helps connect repeated abuse across changing IPs, usernames, and time windows, making distributed attacks easier to detect.
- Adaptive authentication: Adaptive authentication changes the access decision based on risk, rather than applying the same control to every login. It can allow, challenge, or block a session using live signals, which makes it more suitable for environments where legitimate users and automated attackers may look similar at first glance.
- Credential stuffing: Credential stuffing is an attack in which stolen username and password combinations are tested against other services to find reused credentials. It works because authentication systems often cannot tell whether a valid credential pair is being used by the rightful user or by an automated attacker.
What's in the full article
Descope's full blog post covers the operational detail this post intentionally leaves for the source:
- Step-by-step Descope flow logic for evaluating credentials, Arkose signals, and enforcement decisions in parallel
- Connector configuration detail for device fingerprinting, bot detection, and adaptive authentication policies
- Practical examples of how to tune allow, challenge, and block outcomes for suspicious login traffic
- Use case walkthroughs for credential stuffing, account takeover, low-and-slow attacks, and automation reconnaissance
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2026-01-27.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org