Rethink authentication to take the burden off users
Attackers exploit human nature, which makes authentication a primary target. The Snowflake data breach is a clear example: attackers used stolen customer credentials, many of them for accounts without multi-factor authentication (MFA), to break into multiple customer environments, steal sensitive data and reportedly extort dozens of companies. The incident shows how a single, seemingly minor compromised credential can have severe consequences.
Phishing, credential stuffing and account takeovers all succeed because authentication still depends on users making security decisions. No amount of security awareness training will completely stop people from being tricked into handing over their credentials, running malware that steals saved logins, or reusing passwords that can easily be exploited. The problem isn't the user; it's a system that makes the user the last line of defence.
With agentic AI about to introduce a surge of non-human identities (NHIs), adding yet another layer of complexity to an already complicated IT environment, enterprises need to rethink authentication and remove users from the process as much, and as soon, as possible.
Identity and access management's (IAM) evolution: From gatekeeper to open door
The explosion of cloud applications, systems and data has made identity security more complex and more critical than ever. Today the average enterprise runs multiple cloud environments and around 1,000 applications, a highly fragmented landscape that attackers are actively exploiting. IBM's 2025 Threat Intelligence Index found that a large share of the attacks investigated last year began with cybercriminals using stolen employee credentials to get into corporate networks, making credential abuse one of the most common ways in.
AI-driven attacks will make this problem worse, and identity abuse shows no sign of slowing down. Large language models (LLMs) can automate spear-phishing campaigns and sift through billions of exposed credentials to feed automated identity attacks. With AI letting attackers scale their techniques, moving away from credential-based security has to become a business priority.
Beyond credentials: Letting technology handle authentication
The future of secure, modern authentication lies in reducing the user's burden by moving away from passwords and knowledge-based authentication.
Passwordless authentication based on the FIDO (Fast IDentity Online) standards replaces traditional passwords with cryptographic key pairs bound to a user's account on a particular application or website. Instead of choosing and remembering a password, users authenticate with biometrics or a hardware-backed credential, typically provided by the device (laptop or mobile) and its operating system. The private key never leaves the authenticator; what the device sends is a signature over a server-issued challenge that also encodes the site's origin, so a lookalike site can neither capture a reusable secret nor obtain a signature the genuine site will accept. These credentials (passkeys) are protected by operating systems, browsers and password managers, significantly reducing the risk of phishing and credential theft. As a modern way to authenticate, passkeys are phishing resistant, offer a better user experience and improve security posture.
While not a new or novel concept, passwordless has been slow to gain traction because of perceived complexity and a lack of clear migration paths. In late 2024, however, the FIDO Alliance published new resources intended to accelerate passkey adoption by making passkeys easier for organisations and consumers to use. For example, FIDO's proposed specifications (the Credential Exchange Protocol and Credential Exchange Format) would let organisations securely move passkeys and other credentials from one provider to another, giving organisations flexibility and removing vendor lock-in.
Digital credentials are another technology that takes security decisions away from users. Where passwordless authentication provides a secure way to access resources, digital credentials (sometimes called verifiable credentials) provide a secure way to share attested personal data. Digital credentials, such as digital employee badges or mobile driving licences, let organisations validate users without exposing unnecessary or sensitive personal information.
For example, a digital driving licence lets a user prove they are old enough for an age-restricted purchase without revealing unrelated personal information such as their home address, or even their exact date of birth. Similarly, digital payslips let a user confirm that they meet the salary requirement for a loan without disclosing their actual salary. This puts control of data sharing back in the user's hands: they choose what information is provided, to whom and when.
Protecting identity in the AI era
The move towards passwordless and digital credentials is not just about stopping today's attackers; it is about preparing for what comes next.
- AI-powered attacks: Attackers are already using generative AI to create phishing campaigns that are nearly as effective as human-written ones, automate social engineering at scale, and bypass traditional security controls. Passwordless removes one of the most common attack vectors, phishable credentials, making AI-driven attacks much harder to execute.
- Non-human identities: As agentic AI advances and takes on more roles in the enterprise, whether in software design or IT automation, identity security must evolve with it. Digital credentials let organisations authenticate NHIs with the same level of cryptographic assurance as human users, ensuring that AI agents interacting with corporate systems are verifiable and authorised. In practice that means agents should carry short-lived, narrowly scoped credentials tied to a verifiable identity rather than long-lived shared API keys, which fail in exactly the way passwords do.
Organisations need to start preparing now for what lies ahead. Passwordless and digital credentials are not the only steps needed to counter the surge in identity attacks, but by deploying them organisations can modernise a strained model: removing security decisions from users, improving the user experience and ultimately helping IAM reclaim its role as gatekeeper.
Patrick Wardrop is executive director of product, engineering and design for the Verify IAM product portfolio at IBM Software.