Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Bot-driven login attacks: are your sign-in controls keeping up?


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 164
Topic starter  

TL;DR: Credential stuffing can account for up to 44% of all login attempts in a single day for some organisations, according to the Verizon 2025 Data Breach Investigations Report, and Descope says adding Arkose Bot Manager signals into authentication flows helps block automated attacks before session creation. Traditional sign-in controls fail when the attacker presents valid credentials but abnormal behaviour.

NHIMG editorial — based on content published by Descope: Strengthen Sign-In Security With Descope and Arkose Bot Manager Connectors

By the numbers:

Questions worth separating out

Q: How should security teams stop credential stuffing without blocking legitimate users?

A: Security teams should combine behavioural risk scoring with adaptive enforcement at the authentication layer.

Q: Why do valid credentials still lead to account takeover risk?

A: Valid credentials can still be dangerous because they prove only that a username and password match, not that the person or script using them is authorised.

Q: What do security teams get wrong about low-and-slow login attacks?

A: Teams often focus on IP frequency and request volume, but low-and-slow attacks are designed to stay below those thresholds.

Practitioner guidance

  • Add behavioural signals to sign-in policy Feed device reputation, interaction telemetry, and network context into login decisions so the authentication layer can distinguish real users from automation before session creation.
  • Correlate attempts by device, not only IP Track repeated login activity across IP rotation, user-agent changes, and account targets so low-and-slow campaigns remain visible even when infrastructure is distributed.
  • Use step-up controls selectively Challenge suspicious sessions with MFA or bot enforcement only when risk signals justify it, so legitimate users are not forced into blanket friction.

What's in the full article

Descope's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step Descope flow logic for evaluating credentials, Arkose signals, and enforcement decisions in parallel
  • Connector configuration detail for device fingerprinting, bot detection, and adaptive authentication policies
  • Practical examples of how to tune allow, challenge, and block outcomes for suspicious login traffic
  • Use case walkthroughs for credential stuffing, account takeover, low-and-slow attacks, and automation reconnaissance

👉 Read Descope's analysis of Arkose Bot Manager connectors for sign-in security →

Bot-driven login attacks: are your sign-in controls keeping up?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Behavioural validation is becoming a core identity control, not a fraud add-on. Authentication no longer starts and ends with password correctness. When attackers can industrialise login abuse with valid credentials, the decisive control becomes the ability to evaluate device, network, and interaction context before a session is issued. Practitioners should treat behavioural analysis as part of access decisioning, not an optional overlay.

A few things that frame the scale:

  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.

A question worth separating out:

Q: How do account takeover controls differ from fraud detection at sign-in?

A: Account takeover controls focus on preventing unauthorised access to a user session, while fraud detection often looks for broader abuse patterns after access is obtained. At sign-in, both need to converge on the same decision point, because a successful automated login can be the first step in fraud, data theft, or lateral misuse.

👉 Read our full editorial: Behavioral bot controls are closing gaps in sign-in security



   
ReplyQuote
Share: