Credential Theft Rises: How Teams Should Fix Identity Checks

In 2025, credential theft surged by 160%, and it’s now linked to one in five data breaches as attackers increasingly lean on AI-driven methods to bypass traditional defenses. The uncomfortable shift for security teams is simple: verifying who someone is can’t just be a box-tick exercise anymore. It has to be secure enough to stop attackers—and smooth enough that legitimate users aren’t forced into constant friction.
The result is a new focus on modern identity verification and the resilience of access controls across networks. Weak onboarding processes, overreliance on static credentials, and inconsistent authentication policies are creating openings for attackers to exploit. In practice, the work isn’t only about adding more tools. It’s about tightening how identity is checked at every step—especially when the pressure is on.
One of the clearest starting points is multi-factor authentication, but the quality of it matters. Multi-factor authentication remains one of the most effective ways to strengthen identity verification and reduce account compromise risk. The basic idea is straightforward: users verify identity using two or more factors from different categories rather than leaning on a password alone.
Those categories include something a person knows—like a password or PIN; something they have—such as a smartphone, authenticator app, or hardware security key; and something they are—like a fingerprint or facial scan.
The NIST guidance cited here holds that MFA is strongest when it combines factors from separate categories. A password paired with a hardware token or authenticator app provides significantly stronger protection than relying on multiple knowledge-based factors such as passwords and security questions. Still, MFA is not immune to exploitation. Weaker implementations can be susceptible to attacks like prompt bombing and SIM swapping.
That’s why the guidance pushes organizations to move away from legacy SMS or email-based one-time passcodes (OTPs), which are more vulnerable to interception, phishing, and social engineering attacks. It also emphasizes phishing-resistant MFA methods, including FIDO2 security keys, passkeys, or certificate-based authentication. For authenticator apps, it calls out using apps that generate local OTPs rather than push-based approval prompts where appropriate.
The urgency behind this push is reflected in breach patterns. Verizon’s Data Breach Investigations Report found stolen credentials are involved in 44.7% of breaches.
But MFA alone doesn’t solve everything. Another pressure point sits where attackers have always found opportunity: the service desk.
Helpdesks remain a frequent target for social engineering attacks because they sit at the intersection of identity, access, and urgent user requests. Attackers impersonate employees to persuade support staff to grant them access to accounts, often by steering conversations toward reset requests.
What’s changing is the sophistication of the impersonation. Threat actors are using AI-enabled deepfake audio and publicly available information to make requests look legitimate. In several high-profile breaches—including Marks and Spencer (M&S) and Clorox—service desk compromise was described as the first step toward ransomware deployment or broader lateral movement.
In the case of M&S, the attack led to a five-day suspension of sales, averaging daily losses of £3.8 million.
The key issue isn’t usually the absence of security tools. It’s inconsistent identity verification during high-pressure support interactions. The fix being recommended is to embed secure identity verification directly into helpdesk workflows. Specialized solutions like Specops Secure Service Desk are described as requiring users to verify their identity through trusted authentication methods before password resets, MFA changes, or other sensitive actions can be completed. The goal is to give support teams a safer path to handle requests without letting attackers route around controls.
For especially high-risk actions at the service desk, the recommendation is to add further checks through Specops Verified ID, which is described as including government document scanning and biometric liveness detection.
Beyond credentials and helpdesk processes, the guidance argues that identity verification can’t rely on login details alone—because attackers have learned how to borrow sessions. Stolen session cookies and MFA tokens can break the authentication process, making it harder to tell whether the login belongs to a real user or a compromised account.
That’s where device trust comes in. More organizations are bringing device trust into authentication and access decisions, using it to verify not just who is attempting to log in, but what they’re logging in from.
The signals to evaluate include whether a device is corporate-managed or unmanaged; operating system version and patch status; presence of endpoint protection or EDR tools; device certificates or cryptographic identifiers; browser reputation and session integrity; and signs of compromise such as malware, rooting, or jailbreaking.
The intended effect is clear: a login from a recognized, compliant device on a corporate network may require minimal friction. The same credentials used from an unmanaged device or a suspicious IP range could trigger step-up authentication, restricted access, or a blocked session entirely.
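The access decision described above, as an added example (not code from the article or from any product it names): the same credentials are evaluated against device signals and mapped to allow, step-up, restricted or block. The network ranges, the OS baseline, the field names and the exact mapping from signals to outcomes are assumptions made for this sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy values (assumptions for this example, not from the article).
CORPORATE_NETS = [ip_network("10.20.0.0/16")]
SUSPICIOUS_NETS = [ip_network("203.0.113.0/24")]  # documentation range as a stand-in
MIN_OS_BUILD = 22631  # hypothetical patch baseline

@dataclass
class DeviceSignals:
    managed: bool       # enrolled in corporate device management
    os_build: int       # reported OS build number
    edr_running: bool   # endpoint protection / EDR agent present
    cert_valid: bool    # device certificate verified
    compromised: bool   # malware, rooting or jailbreak detected
    source_ip: str

def access_decision(d):
    """Return (decision, reasons): allow, step_up, restricted or block."""
    ip = ip_address(d.source_ip)
    suspicious = any(ip in net for net in SUSPICIOUS_NETS)
    findings = {
        "signs of compromise": d.compromised,
        "suspicious IP range": suspicious,
        "unmanaged device": not d.managed,
        "no valid device certificate": not d.cert_valid,
        "OS below patch baseline": d.os_build < MIN_OS_BUILD,
        "EDR not running": not d.edr_running,
        "off corporate network": not any(ip in net for net in CORPORATE_NETS),
    }
    reasons = [name for name, hit in findings.items() if hit]
    if d.compromised or (suspicious and not d.managed):
        return "block", reasons        # valid credentials are not enough here
    if not d.managed or not d.cert_valid:
        return "restricted", reasons   # device identity unproven: limit reach
    if reasons:
        return "step_up", reasons      # known device, weak posture or location
    return "allow", reasons            # compliant device on the corporate network

# Constructed sessions: the same credentials presented from four devices.
SESSIONS = {
    "office laptop": DeviceSignals(True, 22631, True, True, False, "10.20.5.9"),
    "laptop at home": DeviceSignals(True, 22631, True, True, False, "198.51.100.7"),
    "personal tablet": DeviceSignals(False, 22000, False, False, False, "198.51.100.7"),
    "unknown host": DeviceSignals(False, 22631, True, False, False, "203.0.113.44"),
}

if __name__ == "__main__":
    for name, signals in SESSIONS.items():
        print(name, *access_decision(signals))
```

Returning the reasons alongside the decision lets the same function feed both enforcement and the audit log.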
Passwords are still part of the story, but the direction is shifting. Passkeys are presented as one of the most widely adopted passwordless options. Built on FIDO2 and WebAuthn standards, passkeys use public-key cryptography to authenticate users without transmitting passwords across the network. The private key stays securely stored on the user’s device, making passkeys resistant to phishing, credential theft, and password reuse attacks.
Because there’s no password to remember or rotate, passkeys can also reduce friction for both employees and IT teams. The guidance also makes an important boundary explicit: passkeys aren’t a complete replacement for passwords yet. Passwords still remain necessary as fallback authentication methods, particularly during account recovery or when users switch devices. That’s why strong password policies and phishing-resistant MFA still matter wherever passwords remain in use.
For organizations turning to biometrics, the recommendation is to protect biometric data with a different urgency than passwords. Biometric authentication—through fingerprint scans, facial recognition, or voice verification—can strengthen identity verification when implemented properly. But unlike passwords, biometric data can’t simply be reset if it’s compromised.
The best practices outlined here include avoiding storing raw biometric data wherever possible. Instead, organizations should store encrypted biometric templates and perform authentication locally on trusted devices where feasible. It also points to privacy-preserving technologies increasingly used in high-security environments, such as homomorphic encryption, which is described as enabling biometric matching without exposing the underlying biometric data itself—reducing both security and privacy risks.
Taken together, the message isn’t just that identity verification needs to be stronger. It’s that the attack surface is now tied to every moment people try to access systems—during onboarding, through helpdesk workflows, at login time, and in how biometric data is handled.
As attackers continue to target credentials and exploit weaknesses in authentication workflows, reviewing and modernizing identity verification controls is being framed as a priority for security teams.
Specops positions its suite as a way to help strengthen identity verification workflows, saying it can be used by organizations looking to modernize their approach. The company invites readers to contact it or book a demo to see its solutions in action.
So basically hackers just steal your login again? Great.
160%?? That sounds made up but if it’s real then why aren’t companies doing MFA by default already. I swear every site still makes you use some dumb password reset loop.
I don’t get how identity checks fix anything if the help desk people can just reset stuff. Like if attackers get into an account, won’t they just pass whatever new check too? Also “AI-driven methods” sounds like they’re blaming the computer, not the fact people reuse passwords.
All these identity verification tips always sound like more hassle for normal folks. If they make MFA stricter then people will just complain and click through anyway. And how is “tightening at every step” not just more policies managers never enforce, you know? Also 1 in 5 data breaches linked to this… so like every other breach is credential theft? Seems sus.