TL;DR: Identity systems built around static credentials and centralized stores are proving vulnerable to deepfakes, social engineering, and credential theft, according to 1Kosmos. The governance problem is not just stronger authentication, but a model that still assumes identity can be safely anchored in places attackers now target first.
At a glance
What this is: This is 1Kosmos's argument that legacy identity models built on passwords, centralized credential stores, and static verification are too exposed to modern impersonation and credential abuse.
Why it matters: It matters because IAM, PAM, and identity lifecycle teams need controls that reduce reliance on recoverable secrets and make verification resilient against impersonation, fraud, and social engineering.
By the numbers:
- Enterprises using 1Kosmos have reduced fraud losses by 90%.
- 1Kosmos closed a $57 million Series B funding round.
👉 Read 1Kosmos's analysis of identity modernization, deepfakes, and credential theft
Context
Identity security is under pressure because the oldest assumptions in IAM still depend on secrets, help desks, and centralized records. Deepfakes, credential harvesting, and impersonation attacks now exploit those assumptions directly, which makes legacy identity processes a target rather than a safeguard.
For IAM, PAM, and identity lifecycle programmes, the problem is not only authentication strength. It is the wider trust model: how identity is proofed, how credentials are stored, how recovery works, and how much sensitive data the enterprise keeps in one place.
Key questions
Q: Where should security teams start?
A: Security teams should first identify the identity journeys that still depend on reusable secrets, call-back verification, or manual recovery. Then they should replace those steps with stronger proofing, device binding, and phishing-resistant authentication where the business risk justifies it. The goal is not only fewer resets, but fewer opportunities for impersonation to become access.
Q: Why do centralized identity stores create more risk in impersonation attacks?
A: Centralized stores create more risk because they combine credentials, recovery data, and authoritative identity records into one target. If attackers compromise that store or the processes that depend on it, they can use the same trust source to impersonate users, reset access, or extend their reach across connected systems.
Q: What do organisations get wrong about digital wallet identity models?
A: They often treat the wallet as a privacy feature only, when it is also a governance change. Moving credentials to the user device reduces some central exposure, but it creates new dependence on device assurance, revocation, and recovery design. Without those controls, the risk shifts instead of disappearing.
Q: How do I know whether identity modernisation is actually reducing fraud risk?
A: Look for evidence that high-risk identity events are using stronger verification paths, that manual recovery is shrinking, and that fraud outcomes are falling without increasing user friction. A good programme reduces both stored-secret exposure and the number of places an attacker can impersonate a legitimate user.
Technical breakdown
Why centralized identity stores concentrate risk
Traditional identity architectures place credentials and profile data into centrally managed systems so applications can validate access quickly. That concentration simplifies administration, but it also creates a high-value failure domain. When an attacker breaches the store, the blast radius can include authentication data, recovery paths, and downstream systems that trust the directory. In a fraud or impersonation scenario, the identity layer becomes both the target and the enabler. Centralisation also makes recovery processes attractive to social engineers because help desks often rely on the same identity records they are trying to protect.
Practical implication: reduce dependence on a single credential repository and treat recovery workflows as attack surface, not back-office plumbing.
How digital wallets change credential custody
A digital wallet model moves verified credentials to the user device and shifts verification to presentation of proof rather than storage of raw identity data. The enterprise validates authenticity without holding the underlying sensitive record in the same way a central database would. That changes the trust chain: the organisation is no longer asking a directory to be the long-term custodian of everything, only to validate that a credential or biometric factor is genuine at the point of use. The architectural benefit is lower mass-exposure risk if a backend system is compromised.
Practical implication: evaluate where your programme can replace stored identity data with user-held proofs and shorter-lived verification.
Why AI-driven impersonation outpaces static controls
AI has changed the speed and realism of identity fraud by making synthetic voices, faces, and written interactions cheap to generate at runtime. Static controls such as knowledge-based checks, reusable secrets, and human recognition cues do not scale against this pattern because the attacker can adapt each attempt. The result is a mismatch between a dynamic adversary and an identity process that still expects fixed answers. In practice, this affects onboarding, recovery, and high-risk approval flows most severely because those steps still assume a person can be reliably recognised through weak signals.
Practical implication: move sensitive identity decisions away from human-recognition cues and toward stronger proofing and phishing-resistant verification.
Threat narrative
Attacker objective: The attacker aims to convert identity trust into access, fraud, or downstream breach impact by making the enterprise validate the wrong subject.
- Entry begins when attackers use deepfakes, social engineering, or harvested credentials to impersonate a trusted person or service and reach identity workflows.
- Escalation follows when they exploit static credentials, weak recovery steps, or centralized identity data to obtain broader access or fraudulent approval.
- Impact lands as account takeover, fraudulent transactions, large-scale data exposure, or identity-driven breach propagation across connected systems.
Breaches seen in the wild
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
- Shai Hulud npm malware campaign — Shai Hulud campaign: npm malware exposed secrets on GitHub.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Centralized identity is now a concentration risk, not just an administration model. When usernames, passwords, and recovery data live in a shared store, the enterprise has built a single failure domain for both access and fraud. That design made sense when threats were slower and more local. It is weaker now because attackers target the store, the recovery flow, and the human process around it in one chain. Practitioners should treat identity repositories as high-value compromise targets, not neutral infrastructure.
Identity proofing must be designed for adversarial impersonation, not just enrolment efficiency. Deepfakes and synthetic voice attacks change the trust problem from confirming identity once to resisting continuous deception across channels. That means proofing models that depend on memory, recognition, or call-back procedures no longer map cleanly to the threat environment. The implication is that identity assurance needs to be stronger at the first decision point and less dependent on reversible secrets later in the lifecycle.
Decentralised credential custody reduces mass exposure, but it also shifts governance to device trust and recovery design. Moving verified credentials into a wallet changes where breach consequences sit, not whether governance is needed. The new control question becomes who can recover the wallet, how device binding is proven, and what happens when a device is lost or replaced. Organisations should recognise that decentralisation removes one class of central breach while introducing tighter dependency on endpoint assurance and lifecycle controls.
Fraud and identity security are converging into the same control problem. The article shows that impersonation attacks, credential theft, and account abuse are no longer separate domains. They are different expressions of the same failure to verify the right actor at the right time with enough confidence. Identity programmes that still split fraud prevention from IAM will keep missing the combined risk pattern. Practitioners should align identity, fraud, and PAM teams around one assurance model.
Privacy-first identity only works when lifecycle governance is as strong as the proofing layer. If credentials are user-held but recovery, revocation, and exception handling remain weak, the organisation has only moved the risk boundary. The field needs to stop treating user control as a finish line and start treating it as a governance model that depends on tightly managed issuance, revocation, and device recovery. Practitioners should evaluate lifecycle controls with the same scrutiny as authentication controls.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, with 46% confirmed and 26% suspected.
- That pattern reinforces why practitioners should also review Ultimate Guide to NHIs for lifecycle, visibility, and rotation controls that complement identity-proofing work.
What this signals
Identity assurance is becoming a fraud-control discipline as much as an IAM discipline. The practical shift for programmes is to treat proofing, recovery, and privileged workflows as a single assurance chain rather than separate teams' responsibilities. The enterprises that do this best will cut the number of places where a synthetic identity or social engineer can convert deception into access.
Static secret models create an identity sprawl problem that hidden recovery paths only make worse. As more services, users, and identity proofs accumulate, the real issue becomes not whether an account exists, but whether the organisation can still explain who can recover it, who can revoke it, and who can attest to it. That is where programme maturity will increasingly be measured, not by login convenience alone.
With 72% of organisations having experienced or suspecting an NHI breach, per our 2024 ESG report on non-human identities, identity teams should expect attackers to keep exploiting trust workflows rather than just stealing passwords. The next control boundary is the interface between proofing, recovery, and device trust, not only the authentication prompt.
For practitioners
- Map every recovery path as an attack path: Review help-desk resets, identity proofing exceptions, and escalation rules to identify where a social engineer can substitute for a legitimate user. Replace knowledge-based checks and informal approvals with stronger, auditable verification steps.
- Reduce stored identity data wherever verification can be presented instead: Identify which credentials, attestations, and proofing artefacts can be moved out of centralized repositories and into user-held or device-bound forms. Prioritise the highest-value identity attributes first, especially those that are reused across multiple applications.
- Harden high-risk identity events with phishing-resistant verification: Apply stronger controls to onboarding, recovery, and privileged access requests, where impersonation risk is highest. Use device binding, cryptographic verification, and step-up checks that do not depend on voice recognition or reusable secrets.
- Align fraud, IAM, and PAM around one assurance model: Create one operating view of identity risk so fraud loss, account takeover, and privilege misuse are investigated together. Shared telemetry makes it easier to spot when the same impersonation pattern is moving from customer identity into enterprise access.
Key takeaways
- Legacy identity design still depends too heavily on centralized secrets, and that concentration now magnifies fraud and breach exposure.
- The evidence points to a shifting risk model where impersonation, help-desk abuse, and recovery weaknesses matter as much as password theft.
- Modern identity programmes should reduce stored sensitive data, strengthen proofing, and align fraud and IAM controls around the same assurance model.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity proofing and access decisions rely on validating the right actor. |
| NIST SP 800-63 | | Phishing-resistant authentication and federation are relevant to stronger identity assurance. |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Zero trust requires stronger verification when identity is a primary attack surface. |
Use digital identity guidance to replace weak recovery and reusable secrets with stronger verification.
Key terms
- Digital Wallet: A digital wallet is a user-held container for verified identity credentials that can be presented to an organisation without the enterprise storing the raw credential in a central database. In identity programmes, it changes custody, verification, and recovery responsibilities rather than removing governance needs.
- Identity Proofing: Identity proofing is the process of establishing that a person is who they claim to be before granting access or issuing credentials. Strong proofing uses multiple evidence sources and controlled workflows, while weak proofing can be undermined by deepfakes, impersonation, and social engineering.
- Recovery Workflow: A recovery workflow is the set of steps used to restore access when a user loses a factor, device, or credential. These workflows are often high-risk because attackers target them when they cannot break primary authentication, so they must be treated as part of the security control plane.
- Centralized Credential Store: A centralized credential store is a system that holds identity data, authentication material, or recovery information for many users in one place. It simplifies administration but creates concentration risk because a single compromise can expose many identities, reset paths, or downstream trust relationships.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by 1Kosmos: Identity has become one of the most vulnerable parts of the digital world. Read the original.
Published by the NHIMG editorial team on 2025-08-21.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org