Under Attack with Our Own Keys: Why Modern Authentication Is Failing

Cybersecurity Awareness Month is nearly over – but it's NEVER too late for a reality check.

The identity security strategies many of us have relied on are collapsing under the weight of modern threats. Modern identity architecture has become a complex web where vulnerabilities compound rather than isolate, according to the August 2025 newsletter by CybersecurityHQ. Single Sign-On solutions face renewed threats from SAML signature wrapping attacks. CVE-2024-45409 in the Ruby SAML library allowed authentication as any user, while similar flaws in GitHub Enterprise Server enabled complete authentication bypass.

Multi-Factor Authentication (MFA), considered the gold standard for security enhancement, faces sophisticated social engineering attacks. The "MFA fatigue" technique, cataloged as MITRE ATT&CK technique T1621, has been deployed by nation-state actors including the Nobelium group. Attackers spam users with authentication requests until frustration leads to approval, transforming security features into attack vectors.

The integration challenges extend to Zero Trust architectures. While 63% of organizations claim Zero Trust implementation, the reality reveals significant gaps. Many passwordless implementations authenticate once rather than continuously, lack risk-based adjustments, and do not monitor authentication patterns for anomalies. The promise of “continuous verification” remains largely theoretical today.

We continue to build the perfect digital castle, complete with high walls, moat, and internal vault, only to hand the attackers the master key. The data on this is sobering and demands immediate attention.

The Identity Gaps: Simple Flaws, Massive Risk

We talk about sophisticated nation-state actors, but the truth is, a terrifying number of breaches start with painfully basic security failures. The 2025 Orchid Security Identity Gap Report exposed application-level weaknesses that are nothing short of shocking:

• Nearly half (48%) of applications are still storing hard-coded, clear-text credentials or using laughably weak hashing. We know better, yet we’re doing this.
• 44% of authentication paths are actively bypassing the corporate Identity Provider—creating shadow entrances for attackers.
• Basic hygiene is missing: 40% lack essential controls like rate limiting, account lockout, and password complexity.

This weak foundation is why the 2025 Verizon Data Breach Investigations Report found that a staggering 88% of basic web application attacks still involve stolen credentials. That’s the highest percentage ever recorded. When 12.7 million instances of hardcoded credentials are sitting in public GitHub repositories, the size of the problem is clear. This convenient habit creates a critical advantage for attackers, as these exposed certificates and keys become "master keys" for lateral movement—too often providing legitimate credentials and nullifying additional security controls. The old threats haven't gone away; we've just made them easier to execute.

The Great Passwordless Paradox

The promise of passwordless authentication was simple: eliminate passwords, eliminate password-based attacks. The reality is that attackers simply shifted their focus.

While FIDO2 and WebAuthn are fantastic at reducing phishing, they haven't closed the door; they've just forced the attacker to look elsewhere:

1. Session Hijacking: Researchers have shown that attackers can steal session tokens post-authentication, completely bypassing the FIDO2 guarantees. If an application does not validate the device binding for the session token, that token—stolen SAML or OIDC—remains valid for hours. You can use the most secure login in the world and still get owned by a stolen cookie.
2. MFA Fatigue: Even Multi-Factor Authentication (MFA), the supposed gold standard, is being weaponized. Again, the "MFA fatigue" social engineering technique (MITRE ATT&CK T1621) involves relentlessly spamming a user with authentication requests until, frustrated or confused, they hit "Approve," transforming your security feature into the attack vector.

The financial cost of this confusion is enormous, according to IBM’s Cost of a Data Breach Report. Identity-related breaches now average $4.88 million globally, and the detection gap is almost a year—292 days—of persistent access for attackers to move through your network undetected.

The Unseen Army: Machine Identities are Our Greatest Threat

If human identities are a problem, machine identities are an existential crisis.

Non-human identities now outnumber human identities by a terrifying 45:1 in enterprise environments, soaring from 50,000 per enterprise in 2021 to 250,000 today, according to research by CybersecurityHQ. And we are utterly failing to secure them.

• 83% of enterprises experienced at least one machine account takeover in the past year.
• 80% of identity-related breaches involved compromised non-human identities.

Why? Because security teams are still hyper-focused on human logins, leaving this vast, exponentially growing attack surface largely undefended.

This problem is being turbocharged by Agentic AI. AI agents spin up and down in seconds, chaining requests across dozens of systems. Our traditional Identity and Access Management (IAM) systems—designed for static users and manual provisioning—simply cannot cope with machine speed and autonomy.

Why Least Privilege Fails

The principle of Least Privilege is non-negotiable in a zero trust context, but applying it at the machine level is proving nearly impossible for many:

1. Granularity Mismatch: AI agents need per-request scoping, not OAuth tokens that last for 3,600 seconds. Our current tools issue tokens measured in hours, not seconds, creating a massive window of opportunity for an attacker who steals one.
2. Context Blindness: True least privilege is context-dependent: "Allow this database agent read access only during business hours, only when initiated for workflow Z." Current IAM relies on static roles (i.e. DatabaseReader, SystemAdmin), which are incapable of expressing the nuance required to secure autonomous AI.

The result is massive over-provisioning: only 2% of granted cloud permissions are used, yet we continue granting broad access for operational convenience.

Defending Forward: Embrace the Complexity

We can't rely on simple authentication solutions anymore. Success in modern identity security demands a fundamental shift tied to continuous monitoring:

• Treat Identity as the New Perimeter: Acknowledge its porous nature and move beyond one-time authentication.
• Target Machine Identity: Implement Just-in-Time (JIT) access models to eliminate standing privileges, which can reduce the attack surface by up to 90%. Focus on automated certificate lifecycle solutions like the ACME protocol, binding keys to specific hardware for the ~250,000 machine identities you manage.
• Adopt True Continuous Verification: Zero Trust is a continuous process, not a one-time login. We must move beyond static authentication and implement risk-based adjustments that continuously monitor authentication patterns for anomalies.

It’s a pivotal time. We must acknowledge that passwordless authentication reduces some risks while creating others, and that machine identities are a greater threat than human ones. CISOs who build adaptive, intelligence-driven identity programs will navigate this chaos successfully. Those seeking simple solutions or upholding the status quo will find themselves perpetually vulnerable to the next zero-day discovery and likely its next victim.

Your Answer to the Stolen Identity Threat: NetIQ Advanced Authentication by OpenText^™

The threats are complex, but your defensive strategy doesn't have to be a gamble. To combat session hijacking, MFA fatigue, and the vulnerabilities inherent in machine-speed identity, you need a solution that is technically complete and strategically aligned with Zero Trust principles.

NetIQ Advanced Authentication (AA) by OpenText offers a modern, robust Multi-Factor Authentication platform that directly addresses the core gaps exposed in modern identity architecture.

NetIQ MFA Framework by OpenText

Core Defense: Hardware Device Binding

We know that attackers are shifting focus to stolen session tokens post-authentication. The defense against this requires proof that the user—and the device—are who they claim to be. NetIQ AA uses the inherent security of FIDO2 to deliver a true, hardware-bound defense:

• FIDO2 Device Binding: NetIQ AA fully supports FIDO2/WebAuthn. This protocol uses public-key cryptography where the private key never leaves the specific authenticator (security key, Windows Hello, etc.). When a user signs in, the device cryptographically proves possession of the key, making the credential inherently bound to that hardware/software combination.
• Enforcing Resident Keys: For the strongest protection, NetIQ AA allows administrators to require Resident Keys (also known as discoverable credentials). These keys are stored directly on the FIDO2 device itself, enforcing a strong form of binding that eliminates the need for a server-side username and further secures the login process.
• Platform Authenticator Support: The platform integrates seamlessly with Platform Authenticators (like Windows Hello or Touch ID), binding the authentication session directly to the specific device and its operating system.

Strategic Alignment: Fortifying Zero Trust Architecture

For Department of Defense (DoD) environments, another challenge is demonstrating compliance with mandated security frameworks like the DoD CIO’s Zero Trust Architecture (ZTA). For these environments, NetIQ AA is not just an MFA tool; it's a foundational DoD ZTA component:

• Continuous and Dynamic Risk Scoring: The platform moves beyond simple "yes/no" authentication. It combines deterministic rule-based policies with advanced behavioral analytics to assign a real-time risk score to every access attempt, enabling continuous, adaptive verification.
• Mission-Critical Support: It provides comprehensive multi-factor support (industry-leading 35+ methods), critically including the CAC/PIV smartcards essential for government and defense operations.
• Proactive, Adaptive Defense: By providing a layered defense that integrates dynamic risk scoring with its comprehensive authentication capabilities, NetIQ AA directly fortifies the "User" pillar with advanced activity support, offering a non-disruptive pathway to a more resilient, adaptive and identity-centric security posture.

Redefining Trust in the Age of Identity Chaos

As cyber threats evolve faster than traditional defenses, the real battleground has currently shifted to identity. Success now depends on continuous, adaptive trust—where authentication isn’t a moment in time but an ongoing process of verification. By embracing risk-aware, hardware-bound, and dynamically scored authentication models, agencies and departments can close the identity gap attackers are actively exploiting every day.

With MFGS, Inc. and NetIQ Advanced Authentication by OpenText, organizations can transform to an identity-based perimeter and fortify a priority line of defense.