3 min Reading Time<\/p>\n
75 percent of all security incidents in 2026 stem from stolen identities, not technical exploits. A 50 percent increase in compromised credentials in the second half of 2025 compared to the previous year. Hackers aren\u2019t breaking in anymore. They\u2019re logging in. The paradigm shift from perimeter security to identity security is no longer a prediction. It\u2019s reality.<\/strong><\/p>\n The 2026 Cloudflare report is clear: three out of four security incidents begin with a compromised identity. Not a buffer overflow, not a zero-day vulnerability – but valid login credentials that have fallen into the wrong hands. This trend has accelerated over the past two years. In the second half of 2025, 50 percent more credentials were compromised than in the same period in 2024.<\/p>\n Heise recently headlined: \u201cLogin as a Weapon.\u201d The phrase captures the essence. An attacker with valid credentials appears to security systems as a legitimate user. They trigger no alarms, pass through firewalls and network segmentation<\/a>, and access sensitive data. Only when they move laterally or exfiltrate data do they become visible – often too late.<\/p>\n The recent Microsoft Teams campaign involving A0Backdoor<\/a> exemplifies the pattern: initial access is achieved through social engineering, not a software exploit. Attackers exploit trust, not technical vulnerabilities.<\/p>\n For years, multi-factor authentication (MFA) was the standard defense against credential theft. But 2025 and 2026 show: MFA is no longer a protective wall, but an obstacle that organized attackers systematically bypass. The tool? AiTM-Phishing (Adversary-in-the-Middle).<\/p>\n In an AiTM attack, the attacker positions themselves between the user and the authentication server. The user enters their password and second factor – but instead of reaching the real server, the data goes to the attacker. The attacker captures the session cookies and gains authenticated access. To the server, everything appears normal.<\/p>\n The EvilProxy phishing kit has industrialized AiTM attacks. Available as a service, it requires no technical expertise and is actively used against Microsoft 365 environments. Regulated industries<\/a>, which rely on MFA as a primary control, must reevaluate this assumption.<\/p>\n \n\u201cThe shift from network-based to identity-based attacks is the most significant change in the threat landscape since the rise of ransomware.\u201d The response to identity-based attacks isn\u2019t stronger MFA – it\u2019s eliminating the attack vector itself: the password. Passwordless authentication using Passkeys and FIDO2 makes credential theft technically impossible, because there are no transferable credentials left to steal.<\/p>\n Passkeys use asymmetric cryptography: the private key never leaves the user\u2019s device. Even during a phishing attack, there\u2019s nothing for an attacker to intercept and reuse. Google, Microsoft, and Apple have natively supported Passkeys in their operating systems since 2024.<\/p>\n For enterprises, the transition requires effort: identity providers must support FIDO2, end-user devices must be compatible, and employees need training. But the ROI is clear: if 97 percent of identity-based attacks rely on passwords, passwordless authentication eliminates 97 percent of that attack surface.<\/p>\n Alongside passwordless, a new product category is emerging: Identity Threat Detection and Response (ITDR). ITDR solutions don\u2019t monitor network traffic – they analyze identity behavior. They detect anomalies such as: a user logging in simultaneously from two countries, a service account suddenly accessing data it has never accessed before, or a login from an unknown device at an unusual time.<\/p>\n Gartner predicts that by 2027, ITDR will be a mandatory component in every enterprise security stack. The challenge: ITDR is only as effective as the data quality of the identity systems. Organizations that haven\u2019t hardened Active Directory<\/a> won\u2019t get clean signals, even with ITDR.<\/p>\n The paradigm shift is complete. The perimeter firewall no longer protects when the attacker logs in with valid credentials. The response is threefold: Passkeys eliminate the attack vector, AiTM-resistant MFA secures the transition period, and ITDR detects attackers who slip through anyway. Security teams that in 2026 still primarily invest in network security are investing in the wrong front line.<\/p>\n Attacks that use stolen or compromised credentials (username + password, session tokens, API keys) to impersonate legitimate users. Unlike technical exploits (buffer overflow, SQL injection), no software vulnerability is exploited – instead, the attacker abuses the trust of the authentication system.<\/p>\n AiTM-Phishing (Adversary-in-the-Middle) inserts a proxy between the user and the authentication server. The user enters their password and second factor, and the attacker captures the session cookies. Result: the attacker is fully authenticated – even with MFA. Only phishing-resistant methods (FIDO2, Passkeys) are immune.<\/p>\n Passkeys use asymmetric cryptography: the private key remains on the user\u2019s device and never leaves it. During login, a cryptographic proof is generated – no password is transmitted. Even in a phishing attack, there\u2019s nothing for the attacker to intercept and reuse.<\/p>\n Identity Threat Detection and Response (ITDR) is a new category of security solutions that detect anomalies in identity behavior: simultaneous logins from different countries, unusual access times, sudden privilege escalations. ITDR adds the identity dimension to EDR and SIEM.<\/p>\n Financial institutions and healthcare organizations are the primary targets of identity-based attacks due to their highly sensitive data and widespread use of Microsoft 365. But any organization with more than 100 employees and cloud services is a potential target.<\/p>\n Header Image Source: Tima Miroshnichenko \/ Pexels<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"3 min Reading Time 75 percent of all security incidents in 2026 stem from stolen identities, not technical exploits. A 50 percent increase in compromised credentials in the second half of 2025 compared to the previous year. Hackers aren\u2019t breaking in anymore. They\u2019re logging in. The paradigm shift from perimeter security to identity security is […]","protected":false},"author":55,"featured_media":5411,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_yoast_wpseo_focuskw":"identity attacks","_yoast_wpseo_title":"","_yoast_wpseo_metadesc":"Identity attacks 2026: Stop hackers who log in, not break in. Protect against 75% of breaches from stolen credentials. Learn how to defend now.","_yoast_wpseo_meta-robots-noindex":"","_yoast_wpseo_meta-robots-nofollow":"","_yoast_wpseo_meta-robots-adv":"","_yoast_wpseo_canonical":"","_yoast_wpseo_opengraph-title":"","_yoast_wpseo_opengraph-description":"","_yoast_wpseo_opengraph-image":"","_yoast_wpseo_opengraph-image-id":0,"_yoast_wpseo_twitter-title":"","_yoast_wpseo_twitter-description":"","_yoast_wpseo_twitter-image":"","_yoast_wpseo_twitter-image-id":0,"footnotes":""},"categories":[251],"tags":[],"class_list":["post-7616","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news"],"wpml_language":"en","wpml_translation_of":5412,"_links":{"self":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7616","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/comments?post=7616"}],"version-history":[{"count":3,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7616\/revisions"}],"predecessor-version":[{"id":10167,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/posts\/7616\/revisions\/10167"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media\/5411"}],"wp:attachment":[{"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/media?parent=7616"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/categories?post=7616"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securitytoday.de\/en\/wp-json\/wp\/v2\/tags?post=7616"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}TL;DR<\/h2>\n
\n
Why Identities Are the New Battlefield<\/h2>\n
Why MFA Is No Longer Enough<\/h2>\n
\nCloudflare Security Report 2026, Executive Summary<\/cite>\n<\/p><\/blockquote>\nThe Path to Passwordless: Passkeys and FIDO2<\/h2>\n
ITDR: The New Category in Identity Security<\/h2>\n
5 Immediate Actions for Security Teams<\/h2>\n
\n
Conclusion: The Firewall of the Future Is Identity<\/h2>\n
Frequently Asked Questions<\/h2>\n
What exactly are identity-based attacks?<\/h3>\n
Why is MFA no longer effective against phishing?<\/h3>\n
What are Passkeys and why are they more secure?<\/h3>\n
What is ITDR?<\/h3>\n
Which industries are most at risk?<\/h3>\n
Editor\u2019s Reading Recommendations<\/h2>\n
\n
More from the MBF Media Network<\/h2>\n
\n