Despite significant investments in advanced technologies and employee training programs, credential and user-based attacks remain alarmingly prevalent, accounting for 50-80% of enterprise breaches (Mandiant 2024,Verizon DBIR 2024). However, even though identity-based attacks dominate as the leading cause of breaches, the standard approach is still threat reduction – implementing layers of controls to reduce risk while accepting that some attacks will succeed. This methodology relies on detection, response, and recovery capabilities to minimize damage after a breach has already occurred, but it does not prevent the possibility of successful attacks. 

Today, technology exists to not just reduce but completely eliminate the risk of identity-based threats like phishing, adversary-in-the-middle, 2FA bypass, brute force attacks, and more. It is based on device-bound asymmetric credentials (passkeys) to deliver phishing-resistant MFA. Learn more about the strategies to eliminate identity-based threats in your organization. 

What are Identity-Based Threats?

Identity-based threats represent the most significant attack surface in enterprise environments. According to IBM's 2024 Cost of a Data Breach Report, phishing and stolen credentials were the 2 most prevalent attack vectors and ranked among the top 4 costliest types with an average of $4.8 million. Using valid credentials allows attackers to move laterally within the system, making them a prime objective for threat actors. In total, identity-based attack vectors, including phishing, stolen or compromised credentials, business email compromise, and social engineering, accounted for almost 50% of breaches.  

The problem persists because traditional authentication mechanisms rely on two flawed mechanisms for authentication –  shared secrets and tasking the user with the responsibility of maintaining security.  Let’s break down the problem:

• Phishing Attacks: With the rise of AI tools, attackers can easily craft highly convincing traps, tricking users into revealing their credentials through emails, fake websites, and social media messages. No matter how complex or unique a password is, once the user is deceived, the attacker gains access.
• Verifier Impersonation: Users cannot detect with 100% accuracy the difference between a spoofed or legitimate site. By intercepting the authentication process with malicious proxies, attackers can intercept credentials without the user ever realizing they’ve been compromised. 
• Password Reset Flows: The processes designed to help users regain access after forgetting or compromising a password have become major attack vectors, especially when executed against IT teams. Attackers exploit social engineering tactics, leveraging bits of information gathered from social media or purchased on the dark web to manipulate these workflows, bypass security measures, and take control of accounts.
• Device Compromise: It’s not just the user that logs in, it’s also their device. In other words, you can protect identities and credentials all day but if a user’s device is unencrypted, has malware, or is vulnerable to a zero day CVE, your data and resources remain in danger. 
  

Characteristics of an Access Solution that Eliminates Identity-Based Threats

Legacy authentication systems fail to prevent identity-based attacks because they rely on security through obscurity, layering on weak factors, shared secrets, and human decision-making. The true elimination of identity-based threats requires an authentication architecture that makes entire classes of attacks technically impossible. This is achieved through strong cryptographic controls, hardware-backed security measures, and continuous validation to ensure ongoing trustworthiness throughout the authentication process.The following core characteristics define an access solution designed to achieve complete elimination of identity-based threats.

Phishing-Resistance MFA

Modern authentication architectures must eliminate the possibility of credential theft through phishing attacks. This requires:

• Complete elimination of shared secrets across the authentication chain
• Cryptographic binding of credentials to authenticated devices
• Automated authentication flows that remove human decision points
• Hardware-backed credential storage, preventing extraction
• No fallback to weaker authentication factors that reintroduce vulnerabilities

Verifier Impersonation Resistance

Recognizing legitimate links is impossible for human beings. To address this, Beyond Identity authentication relies on a Platform Authenticator, which verifies the origin of access requests. This method helps prevent attacks that rely on mimicking legitimate sites.To fully resist verifier impersonation, access solutions must incorporate:

• Strong origin binding for all authentication requests
• Cryptographic validation of verifier identity
• Prevention of request redirection or manipulation
• Elimination of phishable verification processes

Device Security Compliance

During authentication, it’s not just the user that’s logging in, it’s also their device. Thus, appropriate device security posture checks at time of authentication is critical to ensuring that all devices that login are secure and compliant to your risk policies. To deliver device security compliance, a complete access solution should provide:

• Customizable, precise, fine-grained access policy
• Evaluation of real-time user and device risk posture
• Ability to evaluate both natively collected risk signals and integrated risk signals from MDMs, EDRs, SASE, ZTNA, and other IT and security tools
• Ability to enforce access decisions based on policy at time of access and continuously

Continuous, Risk-Based Access Control

Authenticating the user and validating device compliance at the point of access is an important first step, but what happens if a user changes their device configurations? Even legitimate users can unknowingly create risks by disabling the firewall, downloading malicious files, or installing software with known vulnerabilities. Given the prevalence of configuration drifts, continuous evaluation of both device and user risks is essential to ensure that no exploitable device becomes a gateway for bad actors. Key characteristics of continuous authentication include:

• Re-evaluations of real-time user and device risk on a short time interval (minutes, not hours or days)
• Run in the background without active user interaction to preserve the user experience (with the option to prompt user action only if risk dictates)
• Ability to evaluate both natively collected and integrated risk signals
• Ability to enforce access policy if a user or device falls out of compliance during active session

Don’t burden but don’t forget the humans

For all we’ve discussed about taking humans out of the authentication loop, it is ultimately to free them up for productivity. However, it is important to note that dazzling technological features are not useful if the end-user can’t figure out how to use it or if the administrators can’t manage it. We want to impart that, during evaluations of access solutions, it’s important to note both the user experience and administrator experience. Some key characteristics of highly humane access solutions are:

• Single-device phishing-resistant MFA so users don’t have to bother with a second device every time they login
• Universal operating system support even for older browsers and devices to ensure a consistent user experience and even deployment
• No certificate authority setup or management for credentials or integrations to minimize administrative burden
• Simple deployments that administrators can easily monitor, troubleshoot, and manage
• Secure defaults so administrators don’t have to guess at best practice

Conclusion

We live in a unique time when the technology to deploy phishing-resistant MFA at scale to all users on any device is possible. What this means is that identity-based attacks can be eliminated, not just reduced, from corporate environments. Successfully achieving this task helps us to move the digital world forward as a safer place to transact, do business, and connect.