By NHI Mgmt Group Editorial Team
Published 2025-08-05
Domain: Best Practices
Source: Beyond Identity

TL;DR: Identity and credential attacks still account for 50-80% of enterprise breaches, and stolen credentials remain among the most costly entry paths, according to Mandiant 2024 and Verizon DBIR 2024. The real shift is that phishing-resistant authentication can remove entire attack classes instead of only reducing their impact.


At a glance

What this is: This article argues that identity-based threats remain the dominant enterprise attack path because traditional authentication still depends on shared secrets and human fallibility.

Why it matters: IAM and NHI practitioners should treat authentication design as a prevention control, not just an access step, because compromise often begins before detection can help.



Context

Identity-based threats are attacks that exploit how users and systems prove who they are. In practice, the problem is not limited to passwords. It includes phishing, adversary-in-the-middle attacks, help desk fraud, and device compromise, all of which can turn valid access into an entry point. For IAM and NHI governance, that means authentication design and recovery workflows are part of the attack surface, not just the front door.

The core weakness is that many access models still rely on shared secrets and human judgment at the moment of login. That approach can reduce risk, but it cannot fully prevent credential theft or misuse once an attacker has influenced the user or the help desk. The article's position is atypical in its confidence that phishing-resistant controls can eliminate, not merely contain, identity-based compromise.


Key questions

Q: How should security teams reduce identity-based breach risk?

A: Security teams should move beyond controls that assume compromise and limit or recover from it afterwards, and toward authentication methods that make the common attacks technically infeasible. The practical priority is phishing-resistant MFA, device binding, and strict fallback controls, so that a stolen secret or a social engineering attempt cannot easily be turned into valid access.

Q: What is the difference between reducing identity risk and eliminating it?

A: Reducing identity risk assumes some attacks will succeed and focuses on limiting damage after compromise. Eliminating identity risk means removing the main attack paths before they work, for example by using device-bound cryptographic credentials instead of reusable secrets that can be phished or replayed.

Q: Why do fallback and help desk processes matter in IAM security?

A: Fallback and help desk processes matter because attackers often target the least technical path into an account. If recovery relies on weak verification, social engineering can bypass strong login controls and give the attacker legitimate access without needing malware or credential cracking.

Q: How can organisations tell whether authentication is actually phishing-resistant?

A: Authentication is phishing-resistant when neither a captured password or one-time code nor an adversary-in-the-middle proxy can satisfy the login flow. The credential should be bound to the device and to the legitimate verifier's origin, so that an assertion produced for a lookalike site is rejected by the real one; shared secrets should be out of the critical path; and fallback steps must not reintroduce phishable factors. A practical check is to run the login through a reverse-proxy phishing simulation: if the relayed ceremony still produces a valid session, the factor is not phishing-resistant, whatever the vendor calls it.


Technical breakdown

Why shared secrets fail in modern authentication flows

Shared secrets create a brittle trust model because the verifier and the user both depend on something that can be copied, phished, replayed, or socially engineered. Once a password, OTP, or recovery code is exposed, the attacker does not need to break cryptography to gain access. That is why identity-based attacks often scale faster than traditional perimeter defenses can respond. For NHI governance, the same pattern appears in long-lived tokens and API keys: if the secret can be reused, the control can be bypassed.

Practical implication: replace reusable secrets with device-bound or hardware-backed credentials wherever the business risk justifies it.

How phishing-resistant MFA changes the threat model

Phishing-resistant MFA changes the threat model by replacing the shared secret with an asymmetric key held on the device and by binding each authentication to the verifier's origin. The user still authenticates, but there is no secret to type into a fake site, and an assertion signed for a lookalike origin is rejected by the real verifier, so a proxy cannot replay it. Device binding on its own is not enough: a key that will sign any challenge regardless of where it came from can still be relayed, which is why push approvals and authenticator-app codes remain phishable even though they live on one device. That matters because many attacks succeed through the authentication ceremony itself, not through malware or exploitation. In NHI terms, this is the difference between a secret that can be stolen and an identity binding that is much harder to transplant.

Practical implication: evaluate authentication methods by whether they can be phished, not only by whether they satisfy MFA checkboxes.
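The following is an added, constructed example and not code from Beyond Identity or from the original article. It plays the adversary-in-the-middle relay described above against two factors at once: a shared-secret OTP, which the proxy simply forwards, and a simplified WebAuthn-style assertion in which the device signs the relying party's challenge together with the origin it is actually talking to. The hostnames, the six-digit OTP truncation and the challenge||origin message layout are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed example, not Beyond Identity's code. An AiTM proxy at a
// lookalike hostname sits between the user and the real relying party (RP).
// Both hostnames are hypothetical.
const (
	realOrigin  = "https://login.example.test"
	proxyOrigin = "https://login.example-c0m.test"
)

// --- Factor 1: shared-secret OTP (HMAC over a counter). The user's device and
// the RP hold the same secret; whoever learns the code can submit it.
func otpCode(secret []byte, counter uint64) string {
	mac := hmac.New(sha256.New, secret)
	fmt.Fprint(mac, counter)
	return hex.EncodeToString(mac.Sum(nil))[:6]
}

// The RP recomputes the code. Nothing in the code says where the user typed it.
func rpVerifyOTP(secret []byte, counter uint64, submitted string) bool {
	return hmac.Equal([]byte(otpCode(secret, counter)), []byte(submitted))
}

// --- Factor 2: origin-bound, device-held signing key (simplified WebAuthn).
// The device signs the RP's challenge together with the origin it is talking
// to; the RP only accepts assertions made over its own origin.
func assertionMsg(challenge []byte, origin string) []byte {
	h := sha256.New()
	h.Write(challenge)
	h.Write([]byte{0}) // separator so challenge||origin cannot be ambiguous
	h.Write([]byte(origin))
	return h.Sum(nil)
}

func deviceAssert(priv ed25519.PrivateKey, challenge []byte, origin string) []byte {
	return ed25519.Sign(priv, assertionMsg(challenge, origin))
}

func rpVerifyBound(pub ed25519.PublicKey, challenge, sig []byte) bool {
	return ed25519.Verify(pub, assertionMsg(challenge, realOrigin), sig)
}

// Outcome of three login attempts against the same RP.
type Outcome struct {
	OTPRelayed   bool // OTP typed into the proxy page and forwarded to the RP
	BoundRelayed bool // bound assertion produced on the proxy page and forwarded
	BoundDirect  bool // bound assertion produced on the genuine origin
}

// RunScenario enrols one user with both factors and plays the three attempts.
func RunScenario() (Outcome, error) {
	var out Outcome

	// Enrolment: a shared OTP secret, and a device key pair of which the RP
	// keeps only the public half.
	otpSecret := make([]byte, 20)
	if _, err := rand.Read(otpSecret); err != nil {
		return out, err
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}

	// Attempt 1: the proxy shows a copy of the login page, the user types the
	// current code, the proxy submits it to the real RP. It is accepted.
	const counter = 42
	captured := otpCode(otpSecret, counter)
	out.OTPRelayed = rpVerifyOTP(otpSecret, counter, captured)

	// Attempt 2: the proxy forwards the RP's genuine challenge, but the device
	// signs it for the origin it actually sees. The RP rejects it.
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return out, err
	}
	relayed := deviceAssert(priv, challenge, proxyOrigin)
	out.BoundRelayed = rpVerifyBound(pub, challenge, relayed)

	// Attempt 3: the same ceremony on the genuine origin succeeds.
	direct := deviceAssert(priv, challenge, realOrigin)
	out.BoundDirect = rpVerifyBound(pub, challenge, direct)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("OTP relayed through AiTM accepted:    %v\n", out.OTPRelayed)
	fmt.Printf("bound assertion relayed through AiTM: %v\n", out.BoundRelayed)
	fmt.Printf("bound assertion on genuine origin:    %v\n", out.BoundDirect)
}
```

The point to take from the second attempt is that the proxy did nothing wrong from the RP's perspective: it forwarded a fresh, genuine challenge. The relay fails only because the origin is part of what the device signs and the verifier insists on its own origin. A scheme that signs the bare challenge would pass attempt 2, which is the check to apply to any "device-bound" factor before calling it phishing-resistant.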

Why continuous validation matters after login

Authentication is not a one-time event. Device posture can drift after access is granted, and user context can change during the session. Continuous validation looks for that drift by re-checking risk signals over time and enforcing policy when the session no longer meets requirements. That design is relevant to NHI security because workloads, service accounts, and agents also operate in changing conditions, where initial trust can become stale long before access expires.

Practical implication: connect access decisions to ongoing risk signals so that trust can be withdrawn when posture changes.
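The following is an added, constructed example and not Beyond Identity's code or a description of its product. It shows the shape of a post-login re-evaluation: a session remembers the posture snapshot accepted at login, every later snapshot is compared against it and against policy, and the most severe finding decides whether the session is allowed, stepped up or revoked. The signal names (disk encryption, EDR status, a numeric OS patch level), the thresholds and the revoke-versus-step-up mapping are assumptions; a real deployment takes signals from the endpoint agent or MDM and maps them to its own risk tiers.

```go
package main

import (
	"fmt"
	"time"
)

// Constructed example, not Beyond Identity's code. Signal names, thresholds
// and the severity mapping are hypothetical.

// Decision is what the policy engine tells the enforcement point to do.
type Decision int

const (
	Allow  Decision = iota // session keeps its current access
	StepUp                 // keep the session but demand a fresh phishing-resistant factor
	Revoke                 // terminate the session now
)

func (d Decision) String() string {
	return [...]string{"allow", "step-up", "revoke"}[d]
}

// Posture is one snapshot reported by the endpoint agent.
type Posture struct {
	DeviceID      string
	DiskEncrypted bool
	EDRRunning    bool
	OSPatchLevel  int       // monotonic patch level on a hypothetical scale
	ReportedAt    time.Time // when the agent produced this snapshot
}

// Session is what was established at login.
type Session struct {
	User         string
	AuthedAt     time.Time
	LoginPosture Posture // snapshot accepted at login, used to detect drift
}

// Policy holds the thresholds the session must keep meeting.
type Policy struct {
	MinOSPatchLevel int
	MaxPostureAge   time.Duration // a snapshot older than this is not evidence
	MaxSessionAge   time.Duration // re-authenticate regardless of posture
}

// Evaluate re-checks a live session against the newest snapshot at time `at`.
// The most severe finding wins; every finding is returned so the decision
// can be logged and audited.
func (p Policy) Evaluate(s Session, cur Posture, at time.Time) (Decision, []string) {
	decision := Allow
	var reasons []string
	raise := func(d Decision, why string) {
		reasons = append(reasons, why)
		if d > decision {
			decision = d
		}
	}

	// Hard failures: the session is no longer tied to the thing we trusted.
	if cur.DeviceID != s.LoginPosture.DeviceID {
		raise(Revoke, "posture report comes from a different device than the session was bound to")
	}
	if !cur.EDRRunning {
		raise(Revoke, "endpoint protection stopped after login")
	}

	// Drift: conditions that held at login and no longer hold.
	if s.LoginPosture.DiskEncrypted && !cur.DiskEncrypted {
		raise(StepUp, "disk encryption was on at login and is now off")
	}
	if cur.OSPatchLevel < p.MinOSPatchLevel {
		raise(StepUp, fmt.Sprintf("OS patch level %d below policy minimum %d", cur.OSPatchLevel, p.MinOSPatchLevel))
	}

	// Staleness: trust that is not refreshed decays on its own.
	if at.Sub(cur.ReportedAt) > p.MaxPostureAge {
		raise(StepUp, "posture snapshot is older than policy allows")
	}
	if at.Sub(s.AuthedAt) > p.MaxSessionAge {
		raise(StepUp, "session exceeded maximum age; require re-authentication")
	}
	return decision, reasons
}

func main() {
	policy := Policy{MinOSPatchLevel: 10, MaxPostureAge: 5 * time.Minute, MaxSessionAge: 8 * time.Hour}
	t0 := time.Date(2025, 8, 5, 9, 0, 0, 0, time.UTC)
	login := Posture{DeviceID: "dev-1", DiskEncrypted: true, EDRRunning: true, OSPatchLevel: 12, ReportedAt: t0}
	sess := Session{User: "alice", AuthedAt: t0, LoginPosture: login}

	// Same device an hour later, but disk encryption has been switched off.
	later := login
	later.DiskEncrypted = false
	later.ReportedAt = t0.Add(time.Hour)
	d, why := policy.Evaluate(sess, later, t0.Add(time.Hour))
	fmt.Println(d, why)
}
```

Two design choices carry the argument of the section: drift is measured against the posture that was accepted at login, not against an abstract baseline, and a stale snapshot is treated as a finding in its own right, because an agent that has gone quiet is indistinguishable from a compromised one. The same evaluator shape applies to a workload or agent identity if the posture fields are replaced with the signals available there (image digest, attestation freshness, runtime policy state).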


Threat narrative

Attacker objective: The attacker aims to convert trusted identity access into durable internal access without triggering the kinds of controls that stop malware at the perimeter.

  1. Entry begins when an attacker tricks a user into revealing credentials through phishing or intercepts the authentication exchange with an adversary-in-the-middle proxy.
  2. Escalation follows when the attacker reuses the valid credentials or help desk recovery path to bypass stronger controls and obtain broader account access.
  3. Impact occurs when the attacker uses that legitimate access to move laterally, exfiltrate data, or establish persistence inside the environment.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Legacy identity control is a containment model, not an elimination model. The article's core claim is that reducing the impact of compromise is no longer the best available design point when stronger controls can prevent entire classes of attacks. That is an important shift for IAM and NHI governance because it moves the discussion from response maturity to architectural prevention. Practitioners should stop treating authentication as a tolerable loss boundary.

Ephemeral credentials do not solve trust unless the binding is non-phishable. Short-lived access reduces dwell time, but it does not automatically remove the trust assumptions built into how identities authenticate. This is the credential trust debt problem: if an ephemeral credential can still be replayed, relayed, or recovered through weak steps, the attack surface remains. Practitioners should evaluate whether access is merely temporary or actually bound to a trusted device and context.

Device state is part of identity assurance. The article correctly ties authentication to device security posture, which is where many identity programs stay too shallow. A user may be legitimate while the endpoint has drifted into an unsafe state, and the session should not keep full trust once that happens. For NHI programs, this is the same governance lesson that applies to workloads and agents: identity without continuous trust checks is incomplete.

Humans are still the control plane for many failures. Help desk recovery, fallback factors, and user confusion remain the places where strong authentication regresses into weak practice. The security architecture may be sound on paper, but operational exceptions reintroduce the attack path. Practitioners should design for the failure mode, not only for the ideal login flow.

From our research:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, which shows how quickly one failure can repeat across systems and teams.
  • For a broader breach pattern view, see the 52 NHI Breaches Analysis for the root causes that keep identity failures recurring.

What this signals

Identity programs are entering a stricter phase where authentication methods are being judged by whether they can actually stop the attack class, not merely reduce its impact. That changes the procurement and architecture conversation for IAM and NHI teams because shared secrets, fallback codes, and manual recovery now look like avoidable control debt rather than acceptable convenience.

The governance signal is clear: treat access recovery, device posture, and continuous validation as first-class identity controls. If those pieces are weak, the strongest login method in the world still collapses under operational exceptions and endpoint drift.

With 72% of organisations already reporting or suspecting an NHI breach according to The 2024 ESG Report: Managing Non-Human Identities, the broader lesson is that identity trust is already under pressure across both human and machine estates. Teams should use that pressure to harden trust boundaries now rather than wait for a second incident to justify change.


For practitioners

  • Audit all fallback authentication paths: Map password reset, help desk recovery, and account takeover procedures to find where weak verification still bypasses stronger authentication. Prioritise the flows attackers are most likely to target, especially those that rely on social engineering or manual exception handling.
  • Prioritise phishing-resistant factors for high-risk access: Require device-bound, phishing-resistant authentication for privileged users, administrators, and sensitive NHI control planes. Treat the ability to resist replay and proxy attacks as a baseline requirement for high-value access.
  • Tie access to real-time device posture: Use endpoint posture, encryption status, malware signals, and configuration drift as part of the access decision. When risk changes during a session, enforce step-up checks or revoke access instead of waiting for the next login.
  • Review secrets that behave like identity: Inventory API keys, service tokens, certificates, and long-lived credentials that function as standing trust. Replace them with hardware-backed or short-lived alternatives where the workflow can support it, and document exceptions where it cannot.

Key takeaways

  • Identity-based attacks remain dominant because many authentication stacks still depend on secrets that can be stolen, relayed, or socially engineered.
  • Phishing-resistant, device-bound authentication shifts the goal from reducing compromise impact to preventing the main compromise path altogether.
  • IAM and NHI teams should treat recovery flows, device posture, and continuous validation as security controls, not administrative details.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
OWASP Non-Human Identity Top 10 | NHI-03 | Covers credential rotation and secret exposure patterns tied to identity-based attacks.
NIST CSF 2.0 | PR.AA-03 (PR.AC-7 in CSF 1.1) | Authentication of users, services and hardware is central to resisting credential misuse.
NIST Zero Trust (SP 800-207) | 3.2 | Continuous verification aligns with zero trust access decisions and session re-evaluation.

Replace reusable secrets with bound credentials and review where fallback flows still expose shared trust.


Key terms

  • Phishing-resistant MFA: Phishing-resistant MFA is multi-factor authentication designed so a stolen password or one-time code cannot be replayed to gain access. It binds the authentication ceremony to a trusted device or verifier, which makes proxy-based phishing and credential capture far less effective in practice.
  • Device-bound credential: A device-bound credential is an identity artifact that can be used only from the approved device or secure hardware it was issued to. This reduces the value of theft because the credential is cryptographically tied to context, not just copied as a reusable secret.
  • Authentication fallback: Authentication fallback is any alternate path used when the primary login method fails, such as recovery codes, help desk resets, or secondary factors. It often becomes the weakest part of the identity stack because attackers target the human process rather than the cryptographic control.
  • Continuous validation: Continuous validation is the practice of re-checking user, device, or session risk after login instead of trusting access indefinitely. It recognizes that identity assurance can drift during a session, especially when endpoint state or user context changes after authentication.

Deepen your knowledge

Identity-based threats and phishing-resistant MFA are covered in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are redesigning authentication or recovery controls for human and non-human identities, it is a practical place to start.

This post draws on content published by Beyond Identity: How to Eliminate Identity-Based Threats. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-08-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org