Skip to main content
CybersecurityHacking

Device Security Must Complement Identity to Thwart Modern Threats

Person interacting with laptop and smartphone at a cluttered desk.

"Identity still matters. It just can no longer carry the full weight of an access decision on its own," Specops Software writes — a plain diagnosis that summarizes what security teams are seeing when authentication succeeds but breaches continue to happen.

The post-authentication blind spot

The central claim is direct: authentication has become a necessary but insufficient control. Phishing kits that proxy logins can capture session tokens after a user completes multi-factor authentication (MFA), meaning the attacker walks away with the cookie that proves a valid session. In that scenario, "the victim completes every security check exactly as intended. The attacker walks away with the cookie that proves it."

Compounding the risk, most organizations still treat identity as a one-time gate: identity is verified, MFA passes, a session begins, and trust persists until expiry. As the source puts it, "a session token in an attacker's browser looks identical to the same token in the user's browser." Verizon’s Data Breach Investigation Report is cited to underline the scale of the problem: stolen credentials are involved in 44.7% of breaches.

NIST SP 800-207 and where Zero Trust has not followed

Specops cites NIST Special Publication 800-207 — the foundational framework for Zero Trust architecture — which warned against relying on implied trust once a base authentication level is met, and explicitly calls for access decisions to account for device security posture. In practice, however, many Zero Trust deployments remain heavily identity-centric: they strengthen authentication, push MFA, and introduce risk-based sign-in policies while device checks are inconsistent.

That inconsistency shows up in several ways the source identifies: device verification often stops at login, it is mostly applied to modern browser-based conditional access flows, and legacy protocols, remote access tools, and API integrations can "inherit trust implicitly" once identity is established.

The device as the missing half of access decisions

According to the source, device posture answers questions identity cannot: is the device encrypted, is endpoint protection active, is the OS patched, has configuration drifted, is the hardware approved? Crucially, those answers must remain current across the entire session; conditions at login are not guaranteed to hold at hour three.

Continuous device verification, the argument continues, reduces the value of stolen credentials and intercepted tokens by binding access not only to a valid identity but to a "trusted, healthy endpoint." If endpoint protection is turned off mid-session or encryption is disabled, trust should adjust in real time.

Four practical principles for combining identity and device checks

  • Continuously verify both the user and the device: access should stay conditional on device health, not just identity proof.
  • Bind access to approved hardware: enroll trusted hardware and differentiate corporate, personal, and third‑party endpoints so valid credentials on unrecognized devices do not proceed unchallenged.
  • Apply proportionate enforcement: use conditional restrictions, reduced privileges, or time‑bound grace periods rather than defaulting to hard blocks that drive risky workarounds.
  • Enable self‑service remediation: provide guided fixes for encryption, OS updates, or endpoint protection so users can restore device trust without filing tickets or losing access.

Specops Device Trust: operationalizing continuous device verification

The source presents Specops Device Trust as an example of tooling that extends trust decisions beyond identity and maintains enforcement as conditions change. It is described as authenticating users and verifying their devices continuously across Windows, macOS, Linux, and mobile platforms — "not just at the point of login." The vendor frames this approach as a way to make stolen credentials, token replay, MFA fatigue attacks, and attacker‑operated endpoints less effective.

What this means for technologists, procurement leaders, and end users

  • Technologists and security teams: the piece argues for shifting from point-in-time authentication to continuous, posture-aware access decisions that combine identity signals with up‑to‑date device telemetry.
  • Procurement and IT leaders: purchasing decisions should weigh solutions that bind access to approved hardware, offer proportionate enforcement, and support self‑service remediation to reduce friction and ticket volume.
  • End users: where device health is part of trust, employees gain guided remediation paths (for encryption, updates, and endpoint protection) that let them restore access without escalations.

The source is explicit: identity must remain central, but it cannot carry the entire structural load of access security. When stolen credentials appear in nearly half of breaches and phishing proxies can capture tokens after MFA, the practical recourse is not to abandon identity controls but to bind them to continuous device verification and proportionate enforcement.

Read the original Specops Software-sponsored piece on BleepingComputer