Attackers exploit human nature, making authentication a chief goal. The Snowflake information breach is a transparent instance – hackers used stolen buyer credentials, many which lacked multi-factor authentication (MFA), to breach a number of buyer accounts, steal delicate information and reportedly extort dozens of firms. This incident highlights how one seemingly small, compromised credential can have extreme penalties.
Phishing scams, credential stuffing, and account takeovers all succeed as a result of authentication nonetheless will depend on customers making safety selections. However no quantity of safety coaching can utterly cease individuals from being tricked into handing over their credentials, downloading malware that steals login data, or reusing passwords that may be simply exploited. The issue isn’t the consumer; it’s the system that requires them to be the final line of protection.
With agentic AI set to introduce a surge of non-human identities (NHIs) – bringing an added layer of complexity to an already difficult IT surroundings – enterprises must rethink authentication, eradicating customers from the method as a lot, and as quickly, as attainable.
Identification and entry administration’s (IAM) evolution: From gatekeeper to open door
The explosion of cloud functions, methods and information has made identification safety extra complicated and demanding than ever earlier than. At the moment, the common enterprise manages a number of cloud environments and round 1,000 functions, making a extremely fragmented panorama, which attackers are actively capitalising on. The truth is, IBM’s 2025 Menace Intelligence Index discovered that many of the cyber assaults investigated final yr have been brought on by cybercriminals utilizing stolen worker credentials to breach company networks.
With AI-driven assaults set to make this downside even worse, identification abuse reveals no indicators of a slowdown. Giant language fashions (LLMs) can automate spear-phishing campaigns and scrape billions of uncovered credentials to gasoline automated identification assaults. With AI enabling attackers to scale their ways, the transition away from credential-based safety should develop into a precedence for companies.
Past credentials: Letting know-how deal with authentication
The way forward for safe trendy authentication requires decreasing the consumer burden from the identification paradigm by shifting away from passwords and knowledge-based authentication.
Passwordless authentication, primarily based on the FIDO (Quick Identification On-line) customary replaces conventional passwords with cryptography keys sure to a consumer’s account on an software or web site. As an alternative of selecting and remembering a password, customers authenticate with biometrics or a hardware-backed credential, that is sometimes supplied by the machine (laptop computer or cell machine) and their working system. These credentials (passkeys) are protected by the working methods, browsers and password managers, considerably decreasing the chance of phishing assaults and stolen credentials. A contemporary option to authenticate, passkeys are phishing resistant, provide a greater consumer expertise and enhance safety posture.
Whereas not a brand new or novel idea, passwordless is gradual to realize traction due to perceived complexity and lack of clear migration paths. Nevertheless, the FIDO alliance introduced in late 2024 new sources which might be set to assist speed up the adoption of passkeys by making them simpler for organizations and customers to make use of. For instance, FIDO’s new proposed specs allow organisations to securely transfer passkeys and different credentials from one supplier to a different. This helps present flexibility to organisations by eradicating vendor lock-in.
Digital credentials are one other know-how that helps take away the burden of safety selections from customers. Whereas passwordless authentication gives a safe option to entry sources, digital credentials (generally known as verifiable credentials) present a safe option to share non-public information. Digital credentials – resembling digital worker badges or cell driver’s licences – permit organisations to validate customers with out exposing pointless or delicate private information.
For instance, a digital driver’s licence lets customers show their age for restricted purchases with out revealing pointless private data like their house tackle and even their precise birthday. Equally, digital paystubs permit customers to verify wage necessities for a mortgage with out disclosing their precise wage. This resolution additionally helps put the ability of information sharing again into the customers’ fingers – permitting them to decide on what kind of knowledge is supplied, to who and when.
Defending identification within the AI period
The transfer in direction of passwordless and digital credentials is not only about stopping at present’s attackers – it’s about getting ready for what’s subsequent.
- AI-powered assaults: Attackers are already utilizing generative AI (GAI) to create phishing campaigns which might be practically as efficient as human-generated ones, automate social engineering at scale, and bypass conventional safety controls. Passwordless eliminates one of the vital widespread assault vectors – phishable credentials – making AI pushed assaults a lot tougher to execute.
- Non-human Identities – As agentic AI advances and takes on extra roles within the enterprise – whether or not in software program design or IT automation – identification safety should evolve in tandem. Digital credentials permit organisations to authenticate NHIs with the identical stage of cryptographic safety as human customers, making certain that AI brokers interacting with company methods are verifiable and authorised.
Organisations should begin getting ready now for what lies forward. Whereas passwordless and digital credentials are usually not the one steps that needs to be taken to fight the surge in identification assaults, by deploying these applied sciences organisations can modernize a strained mannequin – eradicating safety selections from customers, enhancing the consumer expertise and finally serving to IAM take again its function as gatekeeper.
Patrick Wardrop is govt director of product, engineering and design for the Confirm IAM product portfolio at IBM Software program.