By NHI Mgmt Group Editorial TeamPublished 2025-07-29Domain: Governance & RiskSource: Descope

TL;DR: Leaked-credential checks and IOC enrichment can now be built into login flows so teams can block or step up access before account takeover, using threat intelligence from dark web sources and breach data, according to Descope. The real shift is that authentication decisions become risk-aware, not just password-aware.


At a glance

What this is: This is a Descope analysis of how external threat intelligence can be wired into login flows to identify leaked credentials and suspicious infrastructure before access is granted.

Why it matters: It matters because IAM teams increasingly need to combine authentication with risk signals when identity compromise, credential reuse, and malicious infrastructure are part of the access decision.

By the numbers:

👉 Read Descope's analysis of threat intelligence at login and account takeover prevention


Context

Account takeover often succeeds because identity controls inspect the login attempt in isolation and ignore the wider threat environment. When leaked credentials, malware infrastructure, and actor infrastructure are visible elsewhere on the internet, a static authentication decision is no longer enough for customer identity programmes.

The governance gap is not authentication itself. It is the failure to bring external risk signals into the moment of access so IAM and security teams can distinguish a normal login from one that is already compromised or operating from known malicious infrastructure.


Key questions

Q: How should security teams use leaked-credential checks in login flows?

A: Security teams should run leaked-credential checks before access is established and use the result to decide whether to allow, challenge, or block the login. That keeps compromised identities from reaching the session layer and reduces reliance on post-login detection. The control works best when it is tied to policy, not handled as a separate investigation step.

Q: Why do external threat signals matter for account takeover prevention?

A: External threat signals matter because many account takeover attempts are not visible from the login form alone. If a credential has already appeared in breach data or the source infrastructure is tied to malware or criminal activity, the identity decision should change. Without that context, organisations are treating known exposure as if it were normal access.

Q: What do teams get wrong about MFA in high-risk login scenarios?

A: Teams often treat MFA as a universal answer when it is really a response mechanism. MFA can add a useful step, but it does not tell you whether the credential is already exposed or whether the login is coming from hostile infrastructure. The better pattern is to combine risk signals first, then decide whether MFA should be invoked.

Q: Who should own threat intelligence inside customer identity workflows?

A: Ownership should sit with the identity and security functions together, because the control affects both access policy and threat response. Identity teams need to define when a login is challenged or blocked, while security teams need to maintain the signals and escalation logic. That shared ownership prevents the connector from becoming a disconnected security add-on.


Technical breakdown

Leaked-credential checks inside login flows

Leaked-credential lookups add external breach intelligence to the authentication sequence. Instead of treating an email address or username as a neutral input, the flow checks whether that identity has appeared in exposed credential sets across a defined time window. That matters because account takeover usually depends on password reuse, not exotic exploitation. In practice, the control is a risk signal, not a guarantee. It can trigger step-up authentication, block access, or notify the user, but only if the identity system can make that decision before session creation completes.

Practical implication: wire exposure checks into the pre-authentication path so risk is evaluated before access is issued.

IOC enrichment for risky login infrastructure

IOC enrichment adds context around the IP, domain, or hash associated with a login attempt. The point is not simply to classify a source as suspicious, but to connect the identity event to known malware, threat actors, or criminal infrastructure already tracked in threat intelligence feeds. That creates a more durable control than location-only rules or static reputation scoring. For customer identity teams, the value is in changing the decision from who is trying to log in to what infrastructure the login is coming from and whether that infrastructure already carries hostile context.

Practical implication: enrich authentication events with threat intel so unfamiliar infrastructure can drive adaptive challenge or denial.

Adaptive MFA as a response layer, not the primary control

Adaptive MFA works best here as an enforcement response to risk, not as a standalone control. If leaked credentials or malicious infrastructure are detected, the flow can require a stronger factor or deny access entirely. That is different from deploying MFA broadly and hoping it absorbs all account takeover attempts. The architecture is important because it keeps trusted users moving while escalating friction only when the threat context justifies it. In other words, the intelligence feed determines whether the identity event deserves extra scrutiny.

Practical implication: use adaptive challenge logic as the decision layer after threat intel, not as a substitute for it.



NHI Mgmt Group analysis

Credential intelligence at login is becoming a baseline identity control, not a niche fraud tactic. Authentication flows that ignore breached credentials and malicious infrastructure are making decisions with incomplete context. Once that gap exists, the login page becomes the wrong place to treat identity as a closed system. Practitioners should treat external threat intel as part of the access decision, not an enrichment reserved for SOC workflows.

Threat-aware authentication narrows account takeover risk, but it also changes the governance boundary for customer identity. The control is no longer just password verification or MFA enforcement. It is a policy decision about whether the surrounding threat context is hostile enough to deny or challenge access. That shifts identity teams toward risk-based orchestration across IAM and security operations. Practitioners need to govern the decision path, not just the credential.

Identity programmes that do not ingest external intelligence are leaving exposure on the table. The article’s core lesson is that leaked credentials and suspicious infrastructure are already observable before a breach becomes visible internally. That makes delayed detection a structural problem, not merely an operational one. The implication for IAM leaders is clear: the access stack must be able to consume third-party threat signals where the login happens.

Risk-based login controls are converging with a broader identity blast-radius model. Identity blast radius: the amount of damage a stolen or reused identity can cause before containment. If a compromised credential can still reach production systems because the login path lacks external intelligence, the blast radius is being set at authentication time. Practitioners should view every uninspected login as a potential expansion point for compromise.

From our research:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to Ultimate Guide to NHIs.
  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, which shows how weak lifecycle governance remains.
  • If you are also mapping where identity risk begins, review Top 10 NHI Issues for the broader control patterns that let exposed credentials persist.

What this signals

Leaked-credential intelligence will become a standard input to identity decisions as customer identity stacks converge with security telemetry. The organisations that keep login policy isolated from threat intel will continue to over-trust credentials that have already been exposed elsewhere. That is a governance failure, not just a tooling gap.

With 96% of organisations storing secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, per Ultimate Guide to NHIs, the same exposure logic is now appearing in human and machine identity flows alike.

Identity blast radius: the practical limit of damage a compromised identity can cause before controls intervene. Teams should watch whether high-risk logins are being challenged early enough to keep that blast radius small.


For practitioners

  • Add breached-credential checks to the pre-authentication path Check email addresses, usernames, or domains against breach intelligence before the session is established so compromised identities can be challenged or blocked early. Keep the control inside the login flow, not as a post-authentication audit step.
  • Use IOC context to drive adaptive challenge decisions Enrich IPs, domains, and hashes associated with login attempts with threat intelligence and feed the result into step-up authentication, denial, or additional verification. This is most effective when the decision happens before access is granted.
  • Separate trusted-user convenience from high-risk access handling Keep the default login experience fast for low-risk users, but route exposed credentials, high-risk infrastructure, and anomalous patterns into stronger checks. This avoids forcing blanket friction across the population.
  • Extend identity governance to customer-facing authentication flows Treat consumer login decisions as part of identity risk management, not just fraud operations. Define ownership for threat intel inputs, escalation thresholds, and what happens when a login is linked to known malicious activity.

Key takeaways

  • Threat intelligence at login turns authentication into a risk decision, which is increasingly necessary when exposed credentials and hostile infrastructure are already known before access starts.
  • The scale of the problem is material, with over $15 billion in ATO fraud losses in 2024 and more than 80 percent of breaches involving detectable indicators of compromise.
  • IAM teams should push external signals into pre-authentication policy so compromise is handled before session creation, not after the damage begins.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-7Threat-aware login decisions support access enforcement based on context.
NIST Zero Trust (SP 800-207)SP 800-207Zero Trust requires continuous evaluation of identity and device context.
NIST SP 800-63Identity assurance decisions change when exposure and risk signals inform authentication.

Adjust authentication policy when breach exposure or suspicious context raises assurance requirements.


Key terms

  • Account takeover: Account takeover is the unauthorised use of a legitimate identity after an attacker obtains valid credentials or bypasses normal authentication. In identity programmes, it is a governance problem as much as a fraud problem because the attacker acts through an account that still appears authentic to the system.
  • Threat intelligence connector: A threat intelligence connector is an integration that brings external risk data into an operational workflow so decisions can use context beyond the local system. In identity systems, it can enrich logins with leaked-credential findings, malicious infrastructure indicators, or other signals that change access policy in real time.
  • Adaptive authentication: Adaptive authentication changes the access challenge based on risk signals rather than applying the same step to every login. It is most useful when combined with external intelligence, because the system can respond differently to normal users, exposed credentials, and suspicious infrastructure.
  • Identity blast radius: Identity blast radius is the amount of damage a compromised identity can cause before containment or revocation. In practice, it depends on privilege scope, detection speed, and whether the access decision already accounts for exposure signals at login time.

What's in the full article

Descope's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step examples of how the Bitsight connector is wired into Descope Flows
  • The exact flow logic for leaked-credential checks, step-up authentication, and access blocking
  • IOC enrichment examples for IPs, domains, and hashes inside the login sequence
  • How the connector pairs with other integrations such as Forter, Fingerprint, and Telesign

👉 Descope's full post shows the connector logic, login flow examples, and adaptive challenge paths.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2025-07-29.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org