TL;DR: Prove’s State of Identity Report argues that point-in-time verification no longer matches modern user journeys, where trust drifts across sessions, devices, and channels, and fraud often appears after login, according to Prove Identity. The security shift is from checking identity once to maintaining it continuously as context changes.
NHIMG editorial — based on content published by Prove Identity: Prove’s State of Identity Report Highlights the New Rules of Digital Trust
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes , and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should organisations reduce fraud when sessions remain trusted for too long?
A: Organisations should move high-risk actions out of the default trust path and require fresh assurance when context changes.
Q: Why do authenticated sessions still create fraud risk after login?
A: Authenticated sessions still create fraud risk because authentication only proves entry, not continued legitimacy.
Q: What do security teams get wrong about point-in-time identity?
A: They often treat verification as a durable trust decision instead of a moment in a longer relationship.
Practitioner guidance
- Map trust decay points across the user journey Identify where sessions persist beyond the initial check, then document where account recovery, payout changes, support handoffs, and profile edits become the real control gaps.
- Add continuous signals to high-risk flows Use device continuity, behavioural consistency, and possession signals to trigger step-up checks only when risk changes materially.
- Separate authentication success from ongoing legitimacy Review your policies so a valid session token does not equal unrestricted trust.
What's in the full report
Prove Identity's full blog covers the operational detail this post intentionally leaves for the source:
- The report’s journey-by-journey explanation of where trust erodes after onboarding and login.
- The continuous identity model described in practical terms, including the signals used to maintain trust.
- The article’s examples of how fraud, UX, and security priorities change when identity becomes lifecycle-aware.
👉 Read Prove Identity’s report on why digital trust is moving beyond point-in-time verification →
Persistent identity and continuous trust: what changes for IAM teams?
Explore further
Point-in-time identity is a control designed for stable user behaviour, not for continuous trust drift. The article makes clear that modern users move across devices, channels, and time in ways that static verification cannot follow. That assumption fails when attackers and fraud workflows operate after login, because the original trust event no longer reflects current risk. The implication is that identity programmes must stop treating authentication as a durable state of legitimacy.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
A question worth separating out:
Q: Who is accountable when post-login fraud occurs in a customer journey?
A: Accountability usually spans identity, fraud, product, and customer support teams because the failure sits in the lifecycle, not just at authentication. The best governance model assigns ownership to the flows where trust decays, especially recovery, payout, and high-value change actions.
👉 Read our full editorial: Persistent digital identity is replacing point-in-time verification