TL;DR: Credential stuffing still succeeds because attackers reuse breached credentials at scale, with success rates of 0.1% to 4%, while AI agents are helping them bypass CAPTCHAs and mimic legitimate behaviour, according to Authsignal. The real defence is to move beyond static login flows toward adaptive authentication and passkeys, not to rely on rate limiting alone.
NHIMG editorial — based on content published by Authsignal: How to actually stop credential stuffing in 2025
By the numbers:
- Success rates hover between 0.1% to 4%.
- Passkey authentication takes an average of 8.5 seconds compared to 31.2 seconds with traditional MFA.
- Among major platforms that have deployed passkeys, 36% of accounts now have passkeys enrolled.
Questions worth separating out
Q: How should security teams reduce credential stuffing risk without making login unusable?
A: Use adaptive authentication, not blanket friction.
Q: Why do reused passwords still create such a large account takeover problem?
A: Because attackers do not need to guess passwords when they can replay credential pairs stolen elsewhere.
Q: How do teams know whether MFA is actually stopping credential stuffing?
A: Look beyond prompt volume and measure whether suspicious logins are challenged at the right time.
Practitioner guidance
- Replace fixed MFA with adaptive step-up policies Trigger additional verification only when signals change, such as a new device, unusual geography, abnormal login velocity, or repeated failures followed by success.
- Prioritise passkeys for high-reuse login journeys Move customer and workforce populations that generate the most reset traffic or account takeover exposure to passkeys first.
- Treat bot evasion as an identity control problem Combine device fingerprinting, behavioural signals, and login telemetry so that a single low-confidence attempt does not look the same as normal use.
What's in the full article
Authsignal's full article covers the operational detail this post intentionally leaves for the source:
- Step-by-step guidance for tuning adaptive MFA policies around risk signals such as device, location, and login frequency.
- Practical comparison points between push authentication, behavioural biometrics, and passkeys for different user journeys.
- Implementation detail on how passkeys affect account recovery, help desk load, and sign-in friction in production environments.
- Concrete deployment examples for teams moving from password-based login to phishing-resistant authentication.
👉 Read Authsignal's analysis of how to stop credential stuffing in 2025 →
Credential stuffing, adaptive MFA, and passkeys: what changes now?
Explore further
Password reuse is still the fuel source for credential stuffing. The article's core finding is not that attackers are clever, but that organisations continue to tolerate the same reusable-credential pattern across consumer and workforce login journeys. That makes credential stuffing a governance failure as much as an authentication failure, because the underlying identity policy still accepts shared secrets as normal. Practitioners should treat password reuse as a lifecycle and access-risk issue, not just a help desk nuisance.
A few things that frame the scale:
- 59.8% of organisations see value in a solution that simplifies non-human access management and introduces dynamic ephemeral credentials, according to the 2024 Non-Human Identity Security Report.
- Only 19.6% of security professionals express strong confidence in their organisation's ability to securely manage non-human workload identities, according to the 2024 Non-Human Identity Security Report.
A question worth separating out:
Q: What is the difference between adaptive MFA and passkeys for account protection?
A: Adaptive MFA changes the challenge based on risk, while passkeys remove the reusable password that stuffing depends on. Adaptive MFA limits abuse during sign-in, but passkeys reduce the attack surface itself. Most teams need both, with passkeys as the structural fix and adaptive MFA as the transition control.
👉 Read our full editorial: Credential stuffing in 2025: why passwords still fail