TL;DR: SANS data shows 35% of organisations cite credential phishing or stolen credentials in identity attacks, 24% report brute force or credential stuffing, and 47% still rely on on-premises Active Directory or legacy applications for critical identities, according to Enzoic. The login workflow is now a control surface, not just a checkpoint, because compromised credentials can satisfy authentication while already being unsafe.
NHIMG editorial — based on content published by Enzoic: Pre-Authentication Risk Is Reshaping the Login Workflow
By the numbers:
- 35% of organizations cited credential phishing or stolen credentials as a contributing factor in identity-related cyberattacks.
- 24% reported brute force or credential stuffing activity.
- 55% of organizations experienced at least one identity-related attack leading to unauthorized access.
Questions worth separating out
Q: How should security teams reduce pre-authentication risk in login workflows?
A: Start by checking whether the credential is already exposed before the session is accepted.
Q: Why do exposed credentials make MFA less effective on its own?
A: MFA still matters, but it does not remove the fact that the first factor may already belong to an attacker.
Q: What do organisations get wrong about credential stuffing?
A: They often treat it as a brute-force problem instead of a credential provenance problem.
Practitioner guidance
- Screen credentials before authentication succeeds Integrate exposure checking into sign-in, password reset, and account recovery workflows so compromised credentials are flagged before a session is created.
- Map the accounts most exposed to credential stuffing Identify internet-facing login paths, high-reuse customer accounts, and any workforce identities protected only by password plus MFA.
- Treat Active Directory as a pre-authentication risk domain Review which critical identities still rely on on-premises Active Directory or legacy apps, then determine whether those paths can accept exposed credentials without a separate safety check.
What's in the full article
Enzoic's full post covers the operational detail this analysis intentionally leaves at the strategy level:
- Workflow-level options for checking whether a password or credential has already been exposed before authentication succeeds
- Operational trade-offs between manual breach-data investigation and real-time exposure screening across login paths
- How organisations can layer password safety checks into reset, recovery, and sign-in journeys without adding blanket friction
- Why legacy Active Directory and hybrid identity estates make pre-authentication controls harder to enforce consistently
👉 Read Enzoic's analysis of pre-authentication risk in the login workflow →
Pre-authentication risk and login workflow controls: are yours keeping up?
Explore further
Pre-authentication risk is an identity governance problem, not just a login problem. The article correctly shows that the security decision is increasingly made before the authentication event is visible to session monitoring or ITDR. That means governance must account for credential provenance, not just successful authentication. Teams that measure identity risk only after login are already behind the failure point.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared with nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when compromised credentials are accepted as legitimate logins?
A: Accountability sits with the identity and security owners who control authentication policy, exposure monitoring, and account recovery. If those processes do not screen for known compromised credentials, the organisation is effectively accepting pre-authentication compromise as normal login behaviour.
👉 Read our full editorial: Pre-authentication risk is reshaping identity login controls