Credential Theft Spurs Demand for Secure Identity Verification

Credential theft surged by 160% in 2025 and contributed to one in five data breaches, as attackers employed AI-driven techniques to bypass traditional defenses.

Why multi-factor authentication must be fatigue-resistant

MFA remains a cornerstone of modern identity verification: the source notes it is “one of the most effective ways to strengthen identity verification and reduce the risk of account compromise.” It stresses combining factors from separate categories — something you know, something you have, something you are — and cites NIST guidance that a password paired with a hardware token or authenticator app is far stronger than stacking knowledge-based factors like passwords and security questions.

But MFA is not invulnerable. The source warns of prompt bombing and SIM swapping as active exploitation vectors and recommends moving away from legacy SMS or email-based one‑time passcodes because they are “more vulnerable to interception, phishing, and social engineering attacks.” It urges prioritizing phishing‑resistant methods — FIDO2 security keys, passkeys, or certificate‑based authentication — and, where appropriate, using authenticator apps that generate OTPs locally on the device rather than push‑based approval prompts. Verizon’s Data Breach Investigations Report is cited: stolen credentials are involved in 44.7% of breaches.

Hardening the service desk against social engineering

The helpdesk is repeatedly described as a frequent and effective target for attackers. Service desks “sit at the intersection of identity, access, and urgent user requests,” and attackers impersonate employees to convince support staff to perform resets or other privileged actions. The source says AI‑enabled deepfake audio and publicly available information are making these impersonations more convincing.

It draws lessons from named incidents: in breaches that included Marks and Spencer (M&S) and Clorox, service‑desk compromise was the first step toward ransomware or lateral movement. The M&S incident is noted to have caused a five‑day suspension of sales, with average daily losses of £3.8 million. The source argues the failure is rarely a lack of tools but inconsistent identity verification during high‑pressure interactions, and highlights specialized solutions such as Specops Secure Service Desk to embed verification into helpdesk workflows and Specops Verified ID for government document scanning and biometric liveness checks on especially high‑risk actions.

Device trust and the limits of credentials alone

The report emphasizes that valid credentials do not guarantee a legitimate user: attackers also steal session cookies and MFA tokens. To reduce false positives and stop account takeover, organizations are advised to bring device trust into access decisions. Device signals listed include whether a device is corporate‑managed, its OS version and patch status, presence of endpoint protection or EDR, device certificates or cryptographic identifiers, browser reputation and session integrity, and signs of compromise such as malware or rooting/jailbreaking.

Those signals, the source says, allow adaptive responses — low friction for recognized compliant devices, step‑up authentication or restricted access for unmanaged or suspicious devices, and outright blocking when appropriate.
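The adaptive response described above, written out as a small policy in Go. This is an added example, not code from the article or from any vendor it cites; the signal field names, the four response levels and the thresholds that map one to the other are assumptions chosen for illustration.

```go
package main

import "fmt"

// DeviceSignals carries the device-trust inputs the article lists; the field
// names and the thresholds in Decide are this example's own assumptions.
type DeviceSignals struct {
	Managed       bool // enrolled in corporate device management
	OSPatched     bool // OS version at the required patch level
	EDRPresent    bool // endpoint protection / EDR agent reporting in
	HasDeviceCert bool // device certificate or other cryptographic identifier
	SessionIntact bool // browser reputation and session-integrity checks pass
	Compromised   bool // malware, rooting or jailbreaking detected
}

// Decision is the adaptive response to the access request.
type Decision string
const (
	Allow    Decision = "allow"    // low friction: recognised, compliant device
	StepUp   Decision = "step-up"  // require phishing-resistant MFA first
	Restrict Decision = "restrict" // limited access, e.g. no admin actions
	Block    Decision = "block"
)

// Decide maps signals to a response: compromise wins outright, unmanaged or
// unidentifiable devices get step-up, non-compliant managed devices are restricted.
func Decide(s DeviceSignals) Decision {
	switch {
	case s.Compromised:
		return Block
	case !s.Managed || !s.HasDeviceCert:
		return StepUp
	case !s.OSPatched || !s.EDRPresent || !s.SessionIntact:
		return Restrict
	}
	return Allow
}

func main() {
	// Constructed sample devices, not real telemetry.
	samples := map[string]DeviceSignals{
		"compliant laptop": {Managed: true, OSPatched: true, EDRPresent: true, HasDeviceCert: true, SessionIntact: true},
		"unmanaged phone":  {OSPatched: true, SessionIntact: true},
		"unpatched laptop": {Managed: true, HasDeviceCert: true, EDRPresent: true, SessionIntact: true},
		"rooted phone":     {Managed: true, HasDeviceCert: true, Compromised: true},
	}
	for name, s := range samples {
		fmt.Printf("%-17s -> %s\n", name, Decide(s))
	}
}
```

In a real deployment the signals would come from the MDM, EDR and identity provider, and the Decide function would be one input to the conditional-access engine rather than the whole policy.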

Passkeys, passwords, and practical fallbacks

Passkeys are presented as a widely adopted passwordless option built on FIDO2 and WebAuthn standards. The source explains passkeys use public‑key cryptography so the private key stays on the user’s device, making them resistant to phishing, credential theft, and password reuse attacks, and reducing friction because there is no password to remember or rotate.

At the same time, the piece cautions that passkeys are not yet a complete replacement: organizations still rely on passwords for account recovery or when users switch devices. Consequently, the source insists strong password policies and phishing‑resistant MFA remain necessary wherever passwords persist. A promotional line in the material also claims benefits for Active Directory—blocking “4+ billion compromised passwords” among other gains—underscoring how vendors position these controls as part of broader identity hygiene.
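To show why a passkey's challenge-response is phishing-resistant, here is a simplified WebAuthn-style assertion in Go using Ed25519. It is an added example, not code from the article or from any product it mentions: the signed message layout (SHA-256 of the rpID followed by SHA-256 of the client data), the rpID, origin and challenge strings, and the look-alike domain are all assumptions for illustration, and real WebAuthn also signs authenticator flags and counters.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// clientData mirrors WebAuthn client data: the relying party's challenge plus
// the origin the browser itself observed (the user cannot override this field).
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// signedPayload is the simplified message: SHA-256(rpID) || SHA-256(clientDataJSON).
func signedPayload(rpID string, cdJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(cdJSON)
	return append(rpHash[:], cdHash[:]...)
}

// Sign is the authenticator side; priv stays on the device and only a signature leaves it.
func Sign(priv ed25519.PrivateKey, rpID string, cd clientData) (cdJSON, sig []byte) {
	cdJSON, _ = json.Marshal(cd)
	return cdJSON, ed25519.Sign(priv, signedPayload(rpID, cdJSON))
}

// Verify is the relying party side: the challenge must be the one it issued, the
// origin must be its own, and the signature must bind both to its rpID.
func Verify(pub ed25519.PublicKey, rpID, origin, challenge string, cdJSON, sig []byte) bool {
	var cd clientData
	if json.Unmarshal(cdJSON, &cd) != nil || cd.Challenge != challenge || cd.Origin != origin {
		return false
	}
	return ed25519.Verify(pub, signedPayload(rpID, cdJSON), sig)
}

// Demo runs one genuine login and one relayed through a look-alike origin.
func Demo() (genuineOK, lookalikeOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	const rpID, origin, challenge = "example.com", "https://example.com", "constructed-challenge-1"
	cdJSON, sig := Sign(priv, rpID, clientData{Challenge: challenge, Origin: origin})
	genuineOK = Verify(pub, rpID, origin, challenge, cdJSON, sig)
	// A look-alike site relays the same challenge, but the browser records the
	// origin it really loaded, so the relying party's origin check fails.
	cdJSON, sig = Sign(priv, rpID, clientData{Challenge: challenge, Origin: "https://examp1e.com"})
	lookalikeOK = Verify(pub, rpID, origin, challenge, cdJSON, sig)
	return genuineOK, lookalikeOK
}
```

In a real browser the credential would not even be offered to the look-alike page, because the rpID must match the page's domain; the origin check shown here is the relying party's own backstop.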

Protecting biometric data and privacy‑preserving techniques

Biometrics strengthen verification, but the source flags a critical distinction: unlike passwords, biometric identifiers cannot be reset. It recommends avoiding storage of raw biometric data, preferring encrypted biometric templates and local authentication on trusted devices wherever feasible. The piece also points to privacy‑preserving approaches such as homomorphic encryption that allow biometric matching without exposing the underlying biometric data, reducing both security and privacy risks.

What this means for security teams, enterprise IT, and end users

  • Security teams should prioritize phishing‑resistant MFA, harden helpdesk workflows, and incorporate device‑level signals into conditional access decisions to reduce automated and AI‑enabled attacks.
  • Enterprise IT and procurement leaders will need to balance adoption of passkeys and FIDO2 solutions with robust fallback plans for account recovery, while protecting biometric templates and considering local processing or homomorphic techniques for sensitive matching.
  • End users should expect changes to reduce password reliance but also continued use of strong password policies where passkeys cannot be applied, and may see tighter verification steps for high‑risk service‑desk transactions.

As attackers continue to target credentials and exploit weaknesses in authentication workflows, the source urges organizations to review and modernize identity verification controls. The vendor cited in the material offers integrated products and invites organizations to contact it or book a demo to see its solutions in action.

Original story: https://www.bleepingcomputer.com/news/security/the-5-best-practices-for-secure-identity-verification/