Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Stolen credentials and breach patterns: what IAM teams need to change


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 12212
Topic starter  

TL;DR: Verizon’s 2023 DBIR analysis of 953,894 incidents found that stolen credentials remain the top breach entry method, accounting for 44.7% of breaches, while the human element appears in 74% of incidents. The real lesson is that identity programmes still over-rely on credential possession instead of stronger verification and access assurance.

NHIMG editorial — based on content published by 1Kosmos: analysis of Verizon DBIR breach patterns and credential risk

By the numbers:

Questions worth separating out

Q: How should security teams reduce breaches caused by stolen credentials?

A: They should make credential possession less decisive by adding stronger identity proofing, phishing-resistant authentication, tighter recovery controls, and narrower privilege scope.

Q: Why do stolen credentials remain such an effective attack path?

A: Stolen credentials work because many systems still treat a successful login as enough evidence of legitimacy.

Q: What do organisations get wrong about passwordless authentication?

A: They often assume removing passwords removes the identity problem.

Practitioner guidance

  • Separate assurance from possession in login design Require higher proofing for sensitive access paths, especially where a credential alone can unlock high-value systems.
  • Harden recovery and reset workflows Review password reset, account recovery, and help desk override processes for social engineering exposure.
  • Map the full human identity journey Assess enrolment, authentication, step-up checks, privilege approval, and offboarding as one continuous control chain.

What's in the full article

1Kosmos's full blog covers the operational detail this post intentionally leaves for the source:

  • Identity verification flow details for replacing credentials with verified identity across operating systems.
  • The ID+Selfie enrolment and access-request model used to bind authentication to a verified person.
  • Operational distinctions between passwordless authentication and identity verification in real deployments.
  • Vendor-specific implementation claims about IAL2 and AAL2 certification scope.

👉 Read 1Kosmos's analysis of Verizon DBIR breach patterns and credential risk →

Stolen credentials and breach patterns: what IAM teams need to change?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11787
 

Credential possession is not identity assurance: The article reinforces a basic governance failure in many IAM programmes, which is that a successful login is still treated as proof of the right actor. That assumption was designed for a world where credentials were hard to copy and easier to contain. It fails when attackers can steal, reuse, or socially engineer those credentials at scale. The implication is that access governance must treat possession and assurance as separate problems.

A few things that frame the scale:

A question worth separating out:

Q: Who is accountable when social engineering leads to credential compromise?

A: Accountability sits with the identity programme, the help desk, and the business process owners who define recovery and approval paths. Social engineering succeeds when identity controls are too easy to override, so governance has to cover the workflow, not just the authentication toolset.

👉 Read our full editorial: Credentials still drive most breaches, but verification is the real gap



   
ReplyQuote
Share: