Article Details

Who are you again? Infosec experiencing 'Identity crisis' amid rising login attacks. Vendor insists passkeys are the future, but getting workers on board is proving difficult. Infosec pros are losing confidence in their identity providers' ability to keep attackers out, with Cisco-owned Duo warning that the industry is facing what it calls "an identity crisis." Only a third (33 percent) of the 650 cybersecurity leaders in North America and Europe said they were unconcerned about the security their vendor offered against phishing and AI-assisted attacks, according to Duo. The identity and access management (IAM) biz thinks this can be explained by a number of factors, such as overly complex security solutions, a lack of visibility into potential weaknesses, and perhaps chief among all of them is that identity security is treated as an afterthought. The news follows fellow security shop eSentire's report in July when the vendor observed a 156 percent increase in cyberattacks targeting user logins, which are now the main focus of over half (59 percent) of all its investigations. MFA and the like are supposed to stop the large majority of these kinds of attacks from ever being successful. But workarounds are always being devised, social engineering and insider threats are always a danger, and that's not even accounting for when account security is implemented improperly. The Cisco offshoot said the majority of those in security leadership positions remain concerned that not all devices and apps used across the business are MFA-secured, and despite 87 percent reporting they prioritize solutions marketed as phishing-resistant, less than a third are satisfied with their efficacy. Can you keep up? Just to clear up any potential misunderstanding about the nomenclature here, vendors use different terminology to describe the types of MFA available nowadays. What used to be called 2FA is now more commonly referred to as "traditional" MFA (password plus more easily phished secondary authentication such as OTP codes and push notifications). Phishing-resistant MFA refers to things like passkeys, certificate-based authentication, and biometrics to offer a little more protection when credentials are exposed. The consequences of credentials becoming compromised when strong MFA isn't there to safeguard users include costly and convincing business email compromise (BEC) schemes as well as ransomware attacks. Passwordless authentication has been touted as the answer to these kinds of calamities for years now, but many remain unconvinced that solutions such as passkeys are even a worthwhile successor to the humble password. Contrary to many Reg commenters, Duo insists there is "clear support for passwordless access" among industry pros, but with MFA already being too complex to implement perfectly, instigating such an authentication revolution in the real world is proving difficult. Only 19 percent of those surveyed have adopted FIDO2 hardware tokens as a means to combat identity attacks, and 61 percent said they want to move to passwordless but fear the hurdles ahead of them. Worries center on integrating new authentication tech with legacy systems and how well the workforce will adapt. The biggest tech companies are starting to enforce passkeys as the default authentication method. Microsoft is one of these, recently stating that passkeys will be the new de facto sign-in method for consumer-facing accounts going forward. Google and Apple are also big fans. Passkeys are seen by their advocates as the future of passwords, linking physical devices to digital accounts. You sign into one while proving you have physical access to the other. Think of it like using hardware keys, but your phone, laptop, or tablet all act as the proof of identity. You don't have to buy or carry anything else around, and if you lose one, just use another to register the replacement. Duo said: "Amid identity sprawl, shadow IT, and irregular identity lifecycles, today's unpredictable security landscape presents significant challenges – but companies also have valuable opportunities to strengthen their defenses and take proactive steps to address these issues." In addition to passkeys, which might take a little while for staff to get on board with, the vendor pitched unified telemetry, identity threat detection and response (ITDR), and phishing-resistant MFA solutions as the answer, despite the difficulties in deploying them. "Cisco Duo's survey data paints a concerning picture of identity security readiness in 2025: complexity, fragmentation, and underutilized tools are exposing organizations to avoidable risks," the company said. "Yet with rising budget support and growing executive awareness, the opportunity is ripe for transformation. Organizations that adopt integrated, security-first IAM strategies stand to leap ahead in resilience and readiness."