
Beyond MFA: Securing the human element with identity threat detection

Digital identity verification ties users to verified credentials, enabling secure logins, compliant transactions, and protected digital experiences.

In a recent webcast hosted by Enterprise Security Weekly host Adrian Sanabria and sponsored by ID Dataweb, Sanabria spoke with Dr. Torsten George, Cybersecurity Evangelist at ID Dataweb, about why identity threat detection has become critical — and why any form of multifactor authentication (MFA), once considered a near-silver bullet, is no longer enough.

Just 18 months ago, George said, MFA was still highly effective, with bypass rates below 1%. Today, he said, those rates have climbed into double digits as attackers refine their tactics.

"It's crucial to understand attackers increasingly log in rather than break in," he said. "The old vision of a legion of people sitting in a room and trying to hack in, that's a picture of the past that no longer happens."

Instead of exploiting software vulnerabilities directly, he added, adversaries focus on stealing or abusing credentials and trusted sessions to move laterally and escalate privileges.

Sanabria noted that nearly every breach he has analyzed in recent years involved some form of credential abuse. Even when a software exploit is used, attackers almost always pivot to identities afterward.

Phishing remains a primary entry point, he added, but it has grown more dangerous with the weaponization of AI. Well-written, convincing phishing emails are now trivial to generate, eliminating the poor grammar and obvious red flags that defenders once relied on.

Beyond phishing, George discussed less well-known attack vectors, such as SIM swapping and exploiting recycled phone numbers.

With tens of millions of phone numbers reassigned each year, he explained, attackers can inherit MFA backup numbers tied to old employee accounts. Deepfakes, synthetic identities, and outright bribery — offering insiders large sums of money for access — have also resurfaced as effective tactics.

This evolution forces a shift in defensive thinking: A successful login can no longer be assumed to be legitimate. As Sanabria explained, an attack may look like a normal authentication event.

Identity threat detection, George said, addresses this by analyzing behavior and context rather than trusting credentials alone.

George explained that identity threat detection goes beyond traditional identity and access management (IAM). It augments IAM by monitoring user behavior across the organization, correlating activity, detecting anomalies, and responding dynamically based on risk.

The key distinction is scope: identity verification evaluates a single transaction, while identity threat detection looks at patterns across many transactions.

"If I look at a single tree in a forest to determine if the forest is in bad shape, I don't get any indication," George said. "But if I look at the entire forest… I can make an assessment if it's still in good shape or not."

This holistic view lets defenders spot patterns that might otherwise go unnoticed, such as a single IP address logging into dozens of unrelated accounts. It also enables adaptive controls that match friction with risk. A low-risk login may pass with minimal challenge, while a high-risk action, such as a large wire transfer or profile change, triggers additional verification requirements.
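The cross-account pattern and the risk-matched friction described above can be sketched as follows. This is an added example, not code from the webcast or from ID Dataweb; the event format, window, threshold, function names and response labels are all assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, account, result).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "198.51.100.7", "alice", "success"),
    ("2024-05-01T09:01:30", "198.51.100.7", "bob", "success"),
    ("2024-05-01T09:02:10", "203.0.113.20", "frank", "success"),
    ("2024-05-01T09:03:00", "198.51.100.7", "erin", "failure"),
    ("2024-05-01T09:04:45", "198.51.100.7", "carol", "success"),
    ("2024-05-01T09:06:00", "198.51.100.7", "dave", "success"),
    ("2024-05-01T09:07:00", "203.0.113.20", "frank", "success"),
    ("2024-05-01T09:40:00", "198.51.100.7", "grace", "success"),
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
ACCOUNT_THRESHOLD = 4           # assumed; sized for the small sample
HIGH_RISK_ACTIONS = {"wire_transfer", "profile_change"}  # from the article


def fan_out_ips(events, window=WINDOW, threshold=ACCOUNT_THRESHOLD):
    """Map each IP that logged in to >= threshold distinct accounts
    inside one sliding window to the accounts it touched."""
    recent = defaultdict(deque)  # ip -> (time, account) pairs still in window
    flagged = defaultdict(set)
    for ts, ip, account, result in sorted(events):
        if result != "success":
            continue  # every counted event is a valid login on its own
        now = datetime.fromisoformat(ts)
        seen = recent[ip]
        seen.append((now, account))
        while now - seen[0][0] > window:
            seen.popleft()
        accounts = {acct for _, acct in seen}
        if len(accounts) >= threshold:
            flagged[ip] |= accounts
    return {ip: sorted(accts) for ip, accts in flagged.items()}


def required_challenge(ip, action, flagged):
    """Match friction to risk: block flagged sources, step up risky actions."""
    if ip in flagged:
        return "deny_and_review"
    if action in HIGH_RISK_ACTIONS:
        return "step_up"
    return "allow"
```

Each login from 198.51.100.7 succeeds on its own and would pass single-transaction verification; only the correlation across accounts surfaces it.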

George and Sanabria also examined why all forms of MFA are ultimately insufficient. Knowledge-based questions, such as which high school you attended, can often easily be answered by looking at a target's social-media accounts.

Email-based one-time passcodes can be intercepted. SMS-based MFA is vulnerable to SIM swaps. Even phishing-resistant MFA, such as passkeys and hardware keys, can be bypassed through session token theft or help desk social engineering. Groups like Scattered Spider have exploited help desks, impersonated executives, and pressured staff into resetting MFA under urgent pretenses.

George emphasized that defenders must assume individual controls will fail. To compensate, they must design layered, resilient systems.

"We need to trust that the person behind the credential is the right person," he said, stressing the importance of combining multiple verification methods — biometrics, telecom data, government-backed identity sources — and continuously evaluating behavior over time.

Resilience and user experience are also important, he stressed. Overly rigid security can drive customers away or overwhelm internal teams.

George shared a real-world example where an identity-verification outage prevented hotel bookings for hours, costing revenue and damaging trust. He argued that identity solutions must include automated failover between verification methods to maintain availability without sacrificing security.

George and Sanabria also touched on blind spots such as non-human identities — service accounts, APIs, and autonomous agents — that may lack meaningful monitoring. As organizations adopt agentic AI, these identities multiply, making behavioral analytics just as important for machines as for people.

The takeaway: George urged organizations to reassess their identity strategies now, not later. With attackers adapting rapidly, static authentication controls can’t keep pace.

Identity threat detection, powered by behavioral analytics and continuous risk assessment, offers a way to narrow that gap. As George cautioned, no solution offers perfect protection, but agility and visibility are what let defenders keep up with their adversaries.

Paul Wagenseil

Paul Wagenseil is a custom content strategist for CyberRisk Alliance, leading creation of content developed from CRA research and aligned to the most critical topics of interest for the cybersecurity community. He previously held editor roles focused on the security market at Tom’s Guide, Laptop Magazine, TechNewsDaily.com and SecurityNewsDaily.com.
