Identity Attacks 2026: Logging In
75 percent of all security incidents in 2026 are based on stolen identities, not technical exploits. 50 percent more compromised credentials in the second half of 2025 compared with the same period in the previous year. Hackers no longer break in. They log in. The paradigm shift from perimeter security to identity security is no longer a forecast. It is reality.
The Key Points at a Glance
- 🔒 75 percent of all breaches in 2026 happen through stolen identities. Hackers log in instead of breaking in (Cloudflare, 2026).
- 📈 50 percent more compromised credentials in H2 2025 compared with the same period in the previous year.
- ⚠️ 97 percent of identity-based attacks use passwords as the entry vector.
- 🛡️ Multi-factor authentication alone is no longer enough: AiTM phishing (Adversary-in-the-Middle) systematically bypasses MFA.
- 🔧 Solution: passwordless authentication (passkeys, FIDO2), continuous verification, Identity Threat Detection and Response (ITDR).
Why Identities Are the New Battlefield
The Cloudflare Security Report 2026 is clear: three out of four security incidents begin with a compromised identity. Not with a buffer overflow, not with a zero-day vulnerability, but with valid credentials that have fallen into the wrong hands. The trend has accelerated over the past two years. In the second half of 2025, 50 percent more credentials were compromised than in the same period in 2024.
Heise recently ran the headline: “Login as a Weapon.” The phrase gets to the heart of the matter. To security systems, an attacker with valid credentials looks like a legitimate user. They do not trigger alarms, pass through firewalls and network segmentation, and access sensitive data. Only once they move laterally or exfiltrate data do they become visible. Often too late.
The current Microsoft Teams campaign using A0Backdoor illustrates the pattern: initial access is gained through social engineering, not through an exploit. The attackers use trust, not vulnerabilities.
Why MFA Is No Longer Enough
For years, multi-factor authentication was the standard answer to credential theft. But 2025 and 2026 show that MFA is no longer a protective wall, but a hurdle that organized attackers systematically bypass. The technique is called AiTM phishing (Adversary-in-the-Middle).
In an AiTM attack, the attacker positions themselves between the user and the authentication server. The user enters their password and the second factor, but the data passes through the attacker's proxy on its way to the real server. The attacker receives the session cookies the server issues and is authenticated. To the server, everything looks normal.
The EvilProxy phishing kit has industrialized AiTM attacks. It is available as a service, requires no technical expertise, and is actively being used against Microsoft 365 environments. Regulated industries that rely on MFA as a primary control need to reassess that assumption.
“The shift from network-based to identity-based attacks is the most significant change in the threat landscape since the emergence of ransomware.”
Cloudflare Security Report 2026, Executive Summary
The Path to Passwordless: Passkeys and FIDO2
The answer to identity-based attacks is no longer MFA, but eliminating the attack vector itself: the password. Passwordless authentication via passkeys and FIDO2 makes credential theft technically impossible because there are no longer any transferable credentials.
Passkeys use asymmetric cryptography: the private key never leaves the device. Even in a phishing attack, there is nothing to intercept that an attacker could reuse. Google, Microsoft, and Apple have supported passkeys natively in their operating systems since 2024.
For companies, the switch requires effort: identity providers must support FIDO2, endpoints must be compatible, and employees need training. But the ROI is clear: if 97 percent of identity-based attacks use passwords, passwordless eliminates 97 percent of the attack vector.
ITDR: The New Category of Identity Security
Alongside passwordless, a new product category is emerging: Identity Threat Detection and Response (ITDR). ITDR solutions do not monitor network traffic, but identity behavior. They detect anomalies such as a user logging in from two countries at the same time, a service account suddenly accessing data it has never queried before, or a login from an unknown device at an unusual time.
Gartner predicts that by 2027, ITDR will become a mandatory module in every enterprise security stack. The challenge: ITDR is only as good as the data quality of the identity systems. Anyone who has not hardened Active Directory will not get clean signals from ITDR either.
5 Immediate Actions for Security Teams
- Plan the passkey rollout: Check whether the identity provider (Entra ID, Okta, Ping) supports FIDO2/passkeys. Define a pilot group. Goal: eliminate passwords for privileged accounts by Q3 2026.
- Enforce AiTM-resistant MFA: Make phishing-resistant MFA methods (FIDO2, Windows Hello) mandatory for all admin and C-level accounts. SMS and app-based OTPs are not AiTM-resistant.
- Implement session token hygiene: Shorten token lifetimes, tighten Conditional Access Policies (geolocation, device compliance, risk-based), and activate Continuous Access Evaluation.
- Evaluate ITDR: Check whether the existing security architecture detects identity-based anomalies. If not: evaluate an ITDR solution (CrowdStrike, Microsoft Defender for Identity, SentinelOne).
- Monitor credential exposure: Set up dark web monitoring for compromised corporate credentials. Regularly check your own domains against breach databases (Have I Been Pwned, SpyCloud).
Conclusion: The firewall of the future is identity
The paradigm shift is complete. The perimeter firewall no longer protects you when an attacker logs in with valid credentials. The answer has three layers: passkeys eliminate the attack vector, AiTM-resistant MFA secures the transition period, and ITDR detects the attackers who still get through. Security teams that are still investing primarily in network security in 2026 are investing on the wrong front.
Frequently Asked Questions
What exactly are identity-based attacks?
Attacks that use stolen or compromised credentials (username + password, session tokens, API keys) to impersonate a legitimate user. Unlike technical exploits (buffer overflow, SQL injection), they do not exploit a vulnerability in the software, but abuse the trust of the authentication system.
Why is MFA no longer enough against phishing?
AiTM phishing (Adversary-in-the-Middle) places a proxy between the user and the authentication server. The user enters their password and second factor, and the attacker intercepts the session cookies. The result: The attacker is fully authenticated despite MFA. Only phishing-resistant methods (FIDO2, passkeys) are immune.
What are passkeys, and why are they more secure?
Passkeys use asymmetric cryptography: The private key remains on the user’s device and never leaves it. During login, a cryptographic proof is created; no password is transmitted. Even in a phishing attack, there is nothing to intercept that the attacker could reuse.
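Why this holds up against an AiTM proxy, for both the passkey section above and this answer, shown as an added Go example (not code from the article or from any vendor): the simulated authenticator signs the origin the browser reports together with the server's challenge, so an assertion produced on a look-alike site fails the relying party's check even though the challenge itself was relayed correctly. The origins and the challenge value are constructed, and the signed input is simplified relative to real WebAuthn, which also covers authenticatorData.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)
// ClientData mirrors the WebAuthn clientDataJSON. The browser, not the user, fills in
// Origin with the site it is actually connected to, so a phishing page cannot spoof it.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// NewCredential registers a passkey: a P-256 key pair whose private half never leaves the device.
func NewCredential() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignAssertion plays the authenticator: it hands out a signature, never the key.
// Simplified: real WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
func SignAssertion(priv *ecdsa.PrivateKey, challenge, browserOrigin string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(ClientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, h[:])
	return cd, sig, err
}

// VerifyAssertion is the relying party's check: its own challenge, its own origin, and a valid signature.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge, rpOrigin string, cd, sig []byte) bool {
	var c ClientData
	if json.Unmarshal(cd, &c) != nil || c.Type != "webauthn.get" || c.Challenge != challenge || c.Origin != rpOrigin {
		return false // an assertion relayed through an AiTM proxy carries the proxy's origin and stops here
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	priv, _ := NewCredential()
	rp, challenge := "https://login.example.com", "constructed-challenge-1" // constructed values
	cd, sig, _ := SignAssertion(priv, challenge, rp)
	fmt.Println("direct login accepted: ", VerifyAssertion(&priv.PublicKey, challenge, rp, cd, sig))
	cd, sig, _ = SignAssertion(priv, challenge, "https://login-example.phish") // relayed via a look-alike site
	fmt.Println("relayed login accepted:", VerifyAssertion(&priv.PublicKey, challenge, rp, cd, sig))
}
```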
What is ITDR?
Identity Threat Detection and Response (ITDR) is a new category of security solutions that detects anomalies in identity behavior: simultaneous logins from different countries, unusual access times, sudden privilege escalations. ITDR adds the identity dimension to EDR and SIEM.
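Two of the signals named here and in the ITDR section above, written out as an added Go example (not part of the article or of any ITDR product): impossible travel between sign-ins and a device the account has never used. The sign-in records are constructed, and the 2-hour travel threshold and the first-seen device baseline are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)
// SignInEvent is one record from an identity provider's sign-in log.
type SignInEvent struct {
	User, Country, Device string
	Time                  time.Time
}
// DetectAnomalies walks each user's sign-ins in time order and raises two of the signals the
// text names: a country change faster than maxGap (impossible travel) and a never-seen device.
func DetectAnomalies(events []SignInEvent, maxGap time.Duration) []string {
	byUser := map[string][]SignInEvent{}
	for _, e := range events {
		byUser[e.User] = append(byUser[e.User], e)
	}
	var alerts []string
	for user, evs := range byUser {
		sort.Slice(evs, func(i, j int) bool { return evs[i].Time.Before(evs[j].Time) })
		seen := map[string]bool{evs[0].Device: true} // the first sign-in seeds the device baseline
		for i := 1; i < len(evs); i++ {
			prev, cur := evs[i-1], evs[i]
			if gap := cur.Time.Sub(prev.Time); cur.Country != prev.Country && gap <= maxGap {
				alerts = append(alerts, fmt.Sprintf("%s: impossible travel %s->%s in %s", user, prev.Country, cur.Country, gap))
			}
			if !seen[cur.Device] {
				alerts = append(alerts, fmt.Sprintf("%s: new device %s", user, cur.Device))
				seen[cur.Device] = true
			}
		}
	}
	sort.Strings(alerts) // map iteration order is random; keep the report deterministic
	return alerts
}
func main() {
	t := time.Date(2026, 3, 2, 8, 0, 0, 0, time.UTC) // constructed sample log, not real data
	events := []SignInEvent{
		{"alice", "DE", "laptop-a1", t},
		{"alice", "BR", "laptop-a1", t.Add(20 * time.Minute)}, // session cookie replayed from abroad
		{"svc-backup", "DE", "srv-07", t},
		{"svc-backup", "DE", "unknown-host", t.Add(22 * time.Hour)}, // service account on a new box
	}
	for _, a := range DetectAnomalies(events, 2*time.Hour) {
		fmt.Println("ALERT", a)
	}
}
```

Both rules depend on the identity provider populating the country and device fields reliably, which is the data-quality dependency the article points out.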
Which industries are particularly at risk?
Financial services providers and healthcare organizations are the main targets of identity-based attacks because they manage highly sensitive data and use Microsoft 365 across the board. But any organization with more than 100 employees and cloud services is a potential target.
Editorial Reading Recommendations
- Attack via Microsoft Teams: A0Backdoor – Current example of identity-based attacks (SecurityToday)
- Hardening Active Directory: 5 Immediate Measures – Foundation for identity security (SecurityToday)
- Cloud-native Identity: OAuth 2.1 and passkeys – Technical deep dive (cloudmagazin)