Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Credential stuffing, adaptive MFA, and passkeys: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: Credential stuffing still succeeds because attackers reuse breached credentials at scale, with success rates of 0.1% to 4%, while AI agents are helping them bypass CAPTCHAs and mimic legitimate behaviour, according to Authsignal. The real defence is to move beyond static login flows toward adaptive authentication and passkeys, not to rely on rate limiting alone.

NHIMG editorial — based on content published by Authsignal: How to actually stop credential stuffing in 2025

By the numbers:

Questions worth separating out

Q: How should security teams reduce credential stuffing risk without making login unusable?

A: Use adaptive authentication, not blanket friction.

Q: Why do reused passwords still create such a large account takeover problem?

A: Because attackers do not need to guess passwords when they can replay credential pairs stolen elsewhere.

Q: How do teams know whether MFA is actually stopping credential stuffing?

A: Look beyond prompt volume and measure whether suspicious logins are challenged at the right time.

Practitioner guidance

  • Replace fixed MFA with adaptive step-up policies Trigger additional verification only when signals change, such as a new device, unusual geography, abnormal login velocity, or repeated failures followed by success.
  • Prioritise passkeys for high-reuse login journeys Move customer and workforce populations that generate the most reset traffic or account takeover exposure to passkeys first.
  • Treat bot evasion as an identity control problem Combine device fingerprinting, behavioural signals, and login telemetry so that a single low-confidence attempt does not look the same as normal use.

What's in the full article

Authsignal's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step guidance for tuning adaptive MFA policies around risk signals such as device, location, and login frequency.
  • Practical comparison points between push authentication, behavioural biometrics, and passkeys for different user journeys.
  • Implementation detail on how passkeys affect account recovery, help desk load, and sign-in friction in production environments.
  • Concrete deployment examples for teams moving from password-based login to phishing-resistant authentication.

👉 Read Authsignal's analysis of how to stop credential stuffing in 2025 →

Credential stuffing, adaptive MFA, and passkeys: what changes now?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Password reuse is still the fuel source for credential stuffing. The article's core finding is not that attackers are clever, but that organisations continue to tolerate the same reusable-credential pattern across consumer and workforce login journeys. That makes credential stuffing a governance failure as much as an authentication failure, because the underlying identity policy still accepts shared secrets as normal. Practitioners should treat password reuse as a lifecycle and access-risk issue, not just a help desk nuisance.

A few things that frame the scale:

A question worth separating out:

Q: What is the difference between adaptive MFA and passkeys for account protection?

A: Adaptive MFA changes the challenge based on risk, while passkeys remove the reusable password that stuffing depends on. Adaptive MFA limits abuse during sign-in, but passkeys reduce the attack surface itself. Most teams need both, with passkeys as the structural fix and adaptive MFA as the transition control.

👉 Read our full editorial: Credential stuffing in 2025: why passwords still fail



   
ReplyQuote
Share: