Kasey Cromer, Netlok | May 13, 2026

Executive summary

As we move through 2026, the corporate world is facing an existential crisis of trust. The ‘identity surface’ has exploded, but the tools we use to defend it are crumbling under the weight of generative AI. For years, we relied on the human eye and ear as the ultimate backstop for security. We believed that if we could see a person’s face or hear their voice, or if they could provide the correct password or codes, we knew who they were.

That era is over.

Today, deepfakes allow bad actors to impersonate anyone — from a frontline support agent to the CFO — with terrifying precision. Legacy authentication methods like biometrics and SMS codes were never designed to withstand AI powered impersonation. To survive this era, executives and investors must stop viewing identity as an application feature and start viewing it as a foundational layer. Photolok provides that layer, offering a visual identity solution that remains resilient even when faces and voices can no longer be trusted.

The deepfake threat: what changed

In early 2024, global engineering firm Arup’s Hong Kong office lost approximately $25 million after an employee joined a video conference where every other participant — including the CFO — was a deepfake. The attacker used AI generated video and audio to convincingly simulate multiple executives and authorize a series of fraudulent transfers.
(Sources: CNN, February 2024; SCMP initial report, February 2024; SCMP follow‑up naming Arup, May 2024; CNN follow‑up naming Arup, May 2024)

At the time, many viewed this as an outlier. By 2026, it has become a standard tactic.

Several high profile incidents since then illustrate how quickly synthetic identity attacks have matured:

What changed between then and now is scale, cost, and realism.

According to CrowdStrike’s 2026 Global Threat Report, AI powered impersonation attacks increased by 89% year over year from 2024 to 2025, with continued acceleration into 2026.

The FBI’s Internet Crime Complaint Center (IC3) reported that business email compromise alone accounted for over $3 billion in losses in 2025, with total cyber crime losses exceeding $20 billion — a 26% increase from the prior year.

This is no longer about isolated fraud attempts. It is a systemic shift. Attackers are no longer breaking into systems — they are manipulating people first through social engineering, then using that legitimate access to exfiltrate sensitive data at machine speed, not human speed.

The same technology targeting CFOs is now targeting your employees at home. In 2026, deepfake celebrity scams on Facebook and TikTok have become industrialized — AI generated videos of Taylor Swift promoting fake investment schemes, doctors appearing to endorse miracle cures. According to Surfshark, celebrity and public figure impersonations account for more than half of all financial damage linked to deepfakes. Employees conditioned to trust video content in their personal lives carry that assumption into the workplace. When a deepfake ‘executive’ calls with an urgent request, the instinct is to comply — because seeing has always meant believing.

Why legacy authentication cannot keep up

The industry is now confronting what can be described as the biometric paradox. For years, biometrics were positioned as the gold standard because they were ‘uniquely you.’ In 2026, that uniqueness is a liability.

Publicly available data — social media videos, earnings calls, podcast appearances — provides the perfect training set for AI systems to replicate voice and facial patterns.

The numbers reinforce how quickly this model is breaking. Across recent reports, a consistent pattern emerges:

Meanwhile, attackers who flood users with repeated MFA approval requests create fatigue that overrides caution — and continue to succeed because the vulnerability is human, not technical. When combined with a convincing deepfake voice or video, even security aware employees comply.

Traditional identity and access management was built for a world of static credentials and human users. It has no answer for synthetic voices, fabricated video, or AI generated impersonation.

The erosion of visual trust

We are entering a period where ‘seeing is believing’ is no longer just outdated — it is dangerous.

This erosion of trust creates friction across every business function:

Microsoft’s Digital Defense Report highlights that nation state groups are already experimenting with synthetic media for influence and intrusion campaigns.

When the visual layer is compromised, the entire remote work security model begins to collapse.

Rethinking identity for an AI world

To solve this, we must address a fundamental misunderstanding in the cybersecurity industry.

There is a critical distinction the security industry often fails to make: identity providers are not applications. An identity provider is the system that verifies who you are before you ever touch an application. It issues the proof of identity that connected applications rely on. Photolok is an identity provider — not just another tool in the SaaS portfolio, but the layer that sits beneath all of them.

The average enterprise now manages more than 305 SaaS (software as a service) applications. (Source: Okta Businesses at Work Report, January 2026) When identity is treated as just another app within that sprawl, it fails. Identity is not an app — it is the layer beneath the apps.

This distinction matters more in the AI era because SaaS apps are multiplying rapidly, AI agents are becoming new identity actors, and authentication must happen before any interaction with systems or agents.

Photolok is a passwordless identity provider built for a world where biometrics can be faked. It meets 2026 standards for phishing resistant authentication while adding something most identity tools ignore: protection for the person, not just the credential. Photolok integrates with platforms like Okta Workforce and acts as the secure front door for your online environment. Users must prove who they are before accessing any application or interacting with AI systems.

How Photolok addresses the deepfake gap

Photolok shifts authentication away from public, replicable signals toward private, human knowledge that AI cannot infer.

What security leaders should do now

The shift to AI driven impersonation requires more than incremental fixes. It requires rethinking how identity is verified across the organization.

  1. Mandate out of band visual anchors. Require identity verification through a trusted identity layer before approving sensitive actions. Video and voice alone should not be sufficient.
  2. Audit the identity layer versus the app layer. Map how users authenticate across systems. Any path that allows direct login into SaaS apps without centralized identity verification creates exploitable gaps.
  3. Implement zero trust for internal communications. Treat all internal video, voice, and messaging as unverified until proven otherwise. Trust must be established through identity systems, not perception.
  4. Adopt one-time authentication methods. In settings where image-based authentication may be observed or recorded, static credentials — passwords, biometrics — can be captured and reused. One-time authentication methods eliminate reuse and reduce attacker ROI.
  5. Train for coercion scenarios. Simulate deepfake driven attacks where employees are pressured in real time. Ensure tools and processes provide a safe, silent way to escalate or signal distress.

Each of these steps addresses a different failure point exposed by AI driven impersonation — not just technical vulnerabilities, but human ones.

The bottom line

In 2026, the identity surface is the new perimeter.

As attackers use AI to manufacture trust and exfiltrate sensitive data at machine speed, not human speed, organizations must respond with identity systems designed for this new reality.

Photolok represents a shift away from spoofable biometrics and toward private, human centered authentication. It restores trust not by improving detection, but by changing what is being verified.

We are no longer just protecting systems. We are protecting people. And in an era where anyone can be faked, that distinction matters more than ever.


About the author

Kasey Cromer is Director of Customer Experience at Netlok.

Sources

[1] CrowdStrike. ‘2026 Global Threat Report.’ February 2026. crowdstrike.com/global-threat-report

[2] Adaptive Security. ‘Voice Cloning Threat Report.’ 2026. adaptivesecurity.com

[3] Microsoft. ‘Digital Defense Report 2025.’ October 2025. microsoft.com

[4] IRONSCALES. ‘Fall 2025 Threat Report: Beyond Detection.’ October 2025. ironscales.com

[5] FBI IC3. ‘2025 Internet Crime Report.’ February 2026. ic3.gov

[6] Pindrop. ‘Voice Intelligence Report.’ March 2026. pindrop.com

[7] Mandiant. ‘M-Trends 2026.’ November 2025. mandiant.com

[8] Okta. ‘Businesses at Work Report.’ January 2026. okta.com

[9] DeepMedia. ‘State of Deepfake Detection.’ February 2026. deepmedia.ai

[10] iProov. ‘Threat Intelligence Report 2025.’ January 2025. iproov.com

[11] Surfshark. ‘Deepfake Statistics.’ 2025. surfshark.com

[12] Netlok. ‘How Photolok Works.’ netlok.com

Kasey Cromer, Netlok | April 29, 2026

Executive summary

In 2026, most enterprises are running more applications than they can realistically govern, and AI is accelerating the problem. Zylo’s 2026 SaaS Management Index reports that the average organization manages 305 SaaS (software as a service) applications and spends $55.7 million annually on SaaS apps. Even though the number of SaaS apps being used appears flat at roughly 300 tools per organization, the specific apps inside that portfolio are constantly changing as teams add, replace, and experiment with new tools. AI‑native applications, in particular, are growing at more than 100 percent year over year, driving significant app turnover and creating a major challenge for IT to keep up, while multiplying the identity surface where accounts, credentials, and tokens can be abused.

AI itself has gone mainstream. Netskope’s 2025 Generative AI Report shows that 98 percent of organizations use apps with AI features, while 90 percent use generative AI apps. Among those organizations, the volume of data sent to genAI apps has increased more than thirtyfold over the past year. This combination of app sprawl and AI powered functionality has created a sprawling, often ungoverned identity surface where every account, credential, and token becomes another way in. CrowdStrike’s 2026 Global Threat Report confirms: cloud focused intrusions increased 37 percent over last year, and valid account abuse now drives 35 percent of cloud incidents.

The answer to intrusion is not yet another standalone security product. It is a dedicated identity provider (IdP) linked with an authentication server that can deliver phishing resistant, passwordless authentication across this entire landscape and protect the person behind the account.

The app sprawl problem

Over the past decade, SaaS has become the default way to deliver business capabilities. Finance, HR, marketing, engineering, sales, and operations all run on specialized applications that are easy to procure and constantly updated. Zylo’s 2026 data shows where this ends up: the typical enterprise now uses 305 SaaS applications, and that count has effectively plateaued at a very high level.

However, “plateaued” does not mean stable. Within large organizations, teams still add an average of 21 new applications each month, often chasing new features and AI capabilities, while removing an equal number of “outdated” apps. Average SaaS spend has climbed to $55.7 million per year, up 8 percent even without a meaningful increase in app count, as AI native tools and usage based pricing push costs higher.

Shadow IT magnifies this complexity. Lansweeper’s 2025 research finds that 42 percent of company applications exist outside formal approval. Even worse, the average company now has 975 cloud services untracked by IT, compared to just 108 known services tracked by IT, which means roughly 90 percent of cloud services are effectively invisible to central teams.

Employee behavior reinforces the trend. According to 1Password’s Access Trust Gap report, 52 percent of employees have downloaded apps without IT approval, and 42 percent bypass IT specifically to boost productivity. Yet every unsanctioned app that asks for credentials or OAuth tokens becomes another entry point for bad actors that the organization does not control. Even where organizations have invested in single sign on (SSO), coverage is incomplete: 30 to 34 percent of applications are not protected by SSO at all. That is the environment into which AI has arrived.

AI amplifies the risk

AI is no longer a side project; it is now a core part of daily work. Microsoft’s AI Economy Institute reports that by late 2025, 16.3 percent of people globally were using generative AI tools, with usage in advanced economies reaching 24.7 percent of the working age population. Many of those people are employees asking AI to draft content, analyze data, or write code.

Netskope’s 2025 Generative AI Cloud and Threat Report shows what this looks like at the application level. Netskope tracks 317 distinct genAI apps across its customer base and reports that the amount of data sent to genAI in prompts and uploads has increased more than 30 fold in a year, including source code, regulated data, intellectual property, and secrets.

The governance story is more troubling. While 90 percent of organizations use genAI apps, roughly 72 percent of genAI use in enterprises is classified as shadow AI. That means only 28 percent is company‑approved, with the rest driven by employees using personal accounts, free tiers, and unsanctioned tools. 1Password’s research shows that 73 percent of employees say they are encouraged to use AI, but roughly a third admit they do not always follow AI policies.

From an attacker’s perspective, this environment is ideal. AI assistants and copilots are often granted wide permissions so they can read mailboxes, browse documents, search code repositories, or update CRM records on behalf of users. If a bad actor can obtain a valid credential or compromise an OAuth token, they can operate as the user or as the AI agent with very little friction and can exfiltrate sensitive data at machine speed, not human speed.

CrowdStrike’s 2026 Global Threat Report confirms this is already happening. Cloud focused intrusions increased by 37 percent, with a 266 percent increase among nation-state threat actors. At the same time, 1Password observes that enterprises now have 82 to 144 non human identities for every human identity, including service accounts, API keys, SaaS bots, and AI agents. Traditional IAM was never designed for that ratio.

Why traditional IAM falls short

Most organizations did not design their IAM strategies for a world with 300 plus SaaS applications, hundreds of genAI tools, and more than 100 machine identities for each person. They built their strategies for a smaller number of core systems and human users who logged in a few times a day.

SaaS security posture management (SSPM) tools emerged to help, but they tackle a different problem: configuration and policy hygiene inside each SaaS application. Those controls matter, but they do not change how a user proves who they are and they do not stop attackers from abusing valid credentials.

The governance gap is clear in the data. The Cloud Security Alliance’s 2025 State of SaaS Security report shows that 58 percent of organizations struggle to enforce privileges, 54 percent lack automation for identity lifecycle management, and 46 percent struggle to monitor non human identities. Meanwhile, 66 percent of employees admit to poor password habits, and compromised credentials remain the primary cause of 53 percent of substantial breaches. MFA fatigue attacks compound the problem. Traditional IAM cannot keep up with app sprawl and AI driven identity risk.

The difference between identity systems and SaaS apps

In this environment, “yet another security SaaS app” is not the answer. The key question is not “Which app can we buy to protect our apps?” but “How do we shift security back to the identity layer?”

Identity providers (IdPs) are the first login step in identity and access management (IAM) solutions; they are not software as a service (SaaS) programs. Unfortunately, the cybersecurity industry has failed to explain this critical difference, which causes confusion among online users. An IdP is the identity system that verifies who a user is and issues trusted tokens that applications use for access decisions. IdP systems authenticate users with credentials such as passwords, biometrics, and passkeys. SaaS programs are the applications themselves: Office 365, financial software, calendars, video games, and so on.

Photolok is an emerging passwordless identity provider (IdP) designed to meet 2026 industry standards for phishing resistant authentication while adding capabilities that protect the person, not just the user’s credentials. Photolok sits at the identity layer, integrates with existing identity providers such as Okta Workforce, and becomes the place where users prove who they are before accessing SaaS applications, AI tools, and AI agents. Instead of creating more app sprawl, Photolok acts as the secure front door for your online environment, simplifying and standardizing how the user can log on safely across their app sprawl.

How Photolok addresses the gap

Photo based authentication across all apps. Photolok replaces passwords with photo based authentication that can be applied across all of your applications. Because Photolok sits at the identity layer, this authentication can be integrated with your existing SSO and Okta Workforce policies rather than implemented separately for each app.

1 Time Photo: defending against AI powered credential capture. With 1 Time Photo, users can create up to five single use photos for authentication. When a 1 Time Photo is active, only the first panel is shown during login — the user’s regular photos never appear on screen. Once used, a 1 Time Photo cannot be reused, and an attacker who captures the screen or records the session gains no knowledge of the user’s standard photo set.

Duress Photo: protecting the person in coercion scenarios. Photolok’s Duress Photo gives employees a way to signal danger even when they are forced to authenticate. Duress Photo is a special visual panic button that looks like a normal login but acts as a silent alarm that sends an alert to IT and security teams. If a user is coerced to log in, the Duress Photo alerts responders while not tipping off the person doing the coercing. This is a human safety and duty of care capability that IAM tools do not address.
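The two mechanisms described above, single-use credentials and a duress credential that completes the login while raising a silent alarm, as a hypothetical design sketch added here (not Photolok’s code or Netlok’s implementation). A credential is modelled as a set of image identifiers; all class and field names are assumptions, and the property to notice is that the success response is identical whichever credential category matched, while the alert travels on a separate channel.

```python
"""Single-use and duress credentials in a knowledge-based (image) login.

Added illustration for this article: a hypothetical design, not Photolok's
code or Netlok's implementation. A credential is the set of image IDs a user
picks, modelled as strings; ordering is ignored by sorting before hashing.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional


def _digest(selection, salt):
    """Salted PBKDF2 over the canonical (sorted) selection."""
    canonical = "|".join(sorted(selection)).encode()
    return hashlib.pbkdf2_hmac("sha256", canonical, salt, 50_000)


@dataclass
class UserRecord:
    salt: bytes
    regular: bytes           # digest of the everyday selection
    one_time: List[bytes]    # digests of not-yet-used single-use selections
    duress: bytes            # digest of the silent-alarm selection


@dataclass
class AuthResult:
    ok: bool
    session_token: Optional[str]
    # No field says which credential category matched: a coercer watching the
    # screen must see exactly the same outcome for regular, one-time and duress.


class ImageAuthenticator:
    def __init__(self):
        self.users = {}
        self.alerts = []  # out-of-band channel to IT/security, never shown to the user
        # Decoy record so unknown usernames cost the same time as known ones.
        self._decoy = UserRecord(os.urandom(16), os.urandom(32), [], os.urandom(32))

    def enroll(self, user, regular, one_time, duress):
        salt = os.urandom(16)
        self.users[user] = UserRecord(
            salt=salt,
            regular=_digest(regular, salt),
            one_time=[_digest(s, salt) for s in one_time],
            duress=_digest(duress, salt),
        )

    def authenticate(self, user, selection):
        rec = self.users.get(user, self._decoy)
        cand = _digest(selection, rec.salt)
        # Check every category before deciding, with constant-time compares and
        # no early exit, so the code path and timing do not reveal which matched.
        is_regular = hmac.compare_digest(cand, rec.regular)
        is_duress = hmac.compare_digest(cand, rec.duress)
        used = None
        for i, d in enumerate(rec.one_time):
            if hmac.compare_digest(cand, d):
                used = i
        if used is not None:
            del rec.one_time[used]  # consumed: a recorded session cannot replay it
        if is_duress:
            # The login still succeeds below; only responders learn about it.
            self.alerts.append({"user": user, "kind": "duress_login"})
        if not (is_regular or is_duress or used is not None):
            return AuthResult(False, None)
        return AuthResult(True, secrets.token_urlsafe(32))


if __name__ == "__main__":
    auth = ImageAuthenticator()
    auth.enroll("jdoe",
                regular=("img-02", "img-17", "img-33"),
                one_time=[("img-05", "img-41", "img-60")],
                duress=("img-07", "img-08", "img-09"))
    print(auth.authenticate("jdoe", ("img-07", "img-08", "img-09")).ok)  # True
    print(auth.alerts)  # one duress_login alert for jdoe
```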

Simplified authentication that reduces fatigue. Photolok provides point and click interactions, autosaves where appropriate, and integrates with Okta Workforce. By consolidating authentication into a single phishing resistant flow, you can reduce password fatigue and MFA fatigue across your entire app portfolio.

What security leaders should do now

Your challenge is to reassert control at the identity layer without undermining the productivity gains that SaaS and AI deliver. The following practices can help.

  1. Unify SaaS and AI into one identity inventory. Build and maintain a unified inventory — a single, living list of apps and services — that spans sanctioned SaaS apps, shadow IT (tools employees adopt without formal approval that you discover via logs, identity data, and expense reports), genAI tools, and AI features embedded in existing applications. Track which human and non‑human identities can access each entry.
  2. Establish a “no orphan app” policy for authentication. No new app or AI tool should go live without being anchored to your primary identity provider and phishing‑resistant authentication. Make it someone’s job to continuously discover and onboard previously unknown apps into that model. Track and report on the percentage of apps that are not yet connected to centralized authentication — whether they are sanctioned but not onboarded, or shadow IT — and set targets to reduce that number over time.
  3. Optimize for fewer logins, not fewer apps. A 300 app portfolio is the new normal. Focus on reducing the number of distinct login experiences by standardizing on a passwordless, phishing resistant IdP across as many applications as possible.
  4. Extend identity governance to AI agents and machine identities. Use your identity provider as the system of record for AI agents, bots, and service accounts. With 82 to 144 non human identities per human, this is no longer optional.
  5. Track shadow AI and shadow SaaS as identity risks. Measure how many unsanctioned tools accept credentials or tokens outside your primary IdP. Use these metrics to prioritize onboarding into your primary IdP.

The bottom line

In the age of AI, apps have become a primary security risk not because any single SaaS tool is uniquely dangerous on its own, but because together they create an identity surface that is too large and too dynamic for traditional IAM to manage alone. Threat actors have already adapted: cloud focused intrusions and valid account abuses are rising sharply, and compromised credentials drive 53 percent of substantial breaches while a third of apps remain outside SSO.

The strategic move is to consolidate authentication at the identity layer with a phishing resistant identity provider that works across your SaaS and AI environment. Photolok is an emerging passwordless identity provider and authentication server designed to meet 2026 industry standards while adding capabilities that protect the person, not just the account. By integrating with Okta Workforce, applying photo based authentication, 1 Time Photo, and Duress Photo across apps, Photolok helps you regain control of the identity and authentication surface without fighting the tide of app and AI adoption. To fully realize that benefit, you also need a program focused on discovering shadow IT and onboarding those apps to your primary identity provider.

The question for security leaders is no longer whether app and AI sprawl will happen — it already has. The question is whether your identity layer is ready for the world you are already in.


About the author

Kasey Cromer is Director of Customer Experience at Netlok.

Sources

[1] Zylo. “2026 SaaS Management Index.” February 2026. zylo.com

[2] Lansweeper. “Effective Shadow IT Management in 2025.” June 2025. lansweeper.com

[3] 1Password. “Annual Report 2025: The Access Trust Gap.” October 2025. 1password.com

[4] 1Password. “AI and the Rise of Credential Sprawl.” April 2026. 1password.com

[5] Netskope. “Cloud and Threat Report: Generative AI 2025.” March 2026. netskope.com

[6] Microsoft AI Economy Institute. “Global AI Adoption in 2025.” April 2026. microsoft.com

[7] CrowdStrike. “2026 Global Threat Report.” March 2026. crowdstrike.com

[8] Cloud Security Alliance. “The State of SaaS Security: 2025–2026.” April 2025. cloudsecurityalliance.org

[9] Netlok. “How Photolok Works.” netlok.com

Kasey Cromer, Netlok | April 10, 2026

Executive Summary

Geopolitical escalation reliably coincides with surges in phishing, credential theft, and identity abuse, especially where state sponsored actors target workers in defense, critical infrastructure, and technology supply chains. Newly released 2026 findings from leading threat intelligence teams show that attackers increasingly “log in” with stolen credentials, reused passwords, or credentials from coerced employees instead of “breaking in” with exploits or malware.

Across these reports, identity has effectively become the primary attack surface, with valid account abuse, social engineering, and misused login processes driving a large share of initial access. Agencies and large vendors now describe phishing resistant authentication as the gold standard for protecting high value accounts and urge enterprises to phase out legacy MFA that depends on passwords, one time codes, or generic push approvals.

At the same time, the industry is shifting from a narrow focus on protecting accounts to a broader mandate to protect the person behind those accounts. This blog examines that identity crisis, compares common identity and access management (IAM) approaches, and introduces Photolok’s photo based, phishing resistant authentication as an example of how to protect both the account and the individual.

The Pattern: Why Geopolitical Escalation Drives Credential Attacks

Over the past decade, multiple conflicts have shown that geopolitical escalation and cyber campaigns move in lockstep. State sponsored groups consistently use phishing and credential theft as low cost, high yield tactics to gain footholds in targeted environments.

Newly published findings from Palo Alto Networks Unit 42 show that identity abuse has become the dominant pathway into enterprises. Their Global Incident Response Report 2026, based on 2025 investigations, reports that identity based techniques accounted for nearly two thirds of initial intrusions, and that identity weaknesses played a significant role in nearly 90 percent of investigations. This underscores that many modern attacks begin with misuse of legitimate access, not exploitation of software flaws.

In parallel, early 2026 reporting from Google’s threat intelligence team, analyzing campaigns observed through 2025, highlights sustained pressure on the defense industrial base from Russia and China linked actors. These campaigns often go after individual employees rather than network defenses, using spear phishing, fake recruitment efforts, and other social engineering to reach both corporate and personal accounts. Enterprises become downstream targets even when they are not directly party to a geopolitical flashpoint.

2026 Threat Landscape: What the Data Shows

Newly released 2026 threat reports, analyzing 2025 activity, emphasize that intrusions are increasingly identity based. Large incident response and threat intelligence teams describe campaigns where adversaries focus on obtaining valid credentials, abusing login sessions, and hijacking login processes instead of exploiting unpatched vulnerabilities.

CrowdStrike’s 2026 Global Threat Report shows a sharp rise in cloud focused attacks. According to the report’s newly released 2026 findings on 2025 activity, cloud focused attacks increased by 37 percent, and state sponsored attackers driving these intrusions increased their activity by 266 percent. Valid account abuse accounts for roughly 35 percent of cloud incidents, underscoring that many attacks now start with a login rather than an exploit.

Mandiant’s M-Trends 2026 report, based on 2025 incidents, underscores how quickly attackers can use stolen credentials. The report notes that the median time between initial access and passing that access to another attacker has fallen to just 22 seconds. Once an attacker gains a foothold using stolen identity data, they can immediately pass that access to other actors, compressing defenders’ window to detect and contain a breach.

Analysis of MFA fatigue campaigns published in early 2026, reflecting 2025 trends, shows attackers exploiting human overload rather than technical weaknesses. Organizations report sustained waves of push prompts and social engineering calls that pressure users into approving malicious sign ins. Even where multifactor authentication is present, adversaries look for ways to turn user behavior into a vulnerability.
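A detection-side illustration, added here and not taken from the article or any vendor, of the MFA fatigue pattern described above and in the first post: a burst of push prompts to one user inside a short window, with the most dangerous variant being a run of denials or timeouts followed by an approval. The log format and all entries are constructed.

```python
"""Flag MFA push-fatigue bursts in authentication logs.

Added illustration for this article, not code from Netlok, Okta or any IdP.
The log format is constructed for the example: one line per push prompt,
"<ISO-8601 time> user=<id> event=push_<outcome> ip=<addr>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>push_\w+) ip=(?P<ip>\S+)$"
)

# Constructed sample: jdoe gets five prompts in under four minutes, rejects or
# ignores four and then approves; asmith signs in normally twice, hours apart.
SAMPLE_LOG = """\
2026-03-03T09:00:05 user=jdoe event=push_denied ip=198.51.100.23
2026-03-03T09:00:40 user=jdoe event=push_denied ip=198.51.100.23
2026-03-03T09:01:30 user=jdoe event=push_timeout ip=198.51.100.23
2026-03-03T09:02:10 user=jdoe event=push_denied ip=198.51.100.23
2026-03-03T09:03:55 user=jdoe event=push_approved ip=198.51.100.23
2026-03-03T09:05:00 user=asmith event=push_approved ip=203.0.113.7
2026-03-03T13:15:00 user=asmith event=push_approved ip=203.0.113.7
"""


def parse_line(line):
    """Parse one log line into a dict; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "event": m["event"], "ip": m["ip"]}


def detect_push_fatigue(lines, threshold=4, window=timedelta(minutes=10)):
    """Return {user: finding} for every user who received at least
    `threshold` push prompts inside any sliding `window`.

    Severity is "high" for the burst itself and "critical" when the burst ends
    in an approval after earlier denials or timeouts: the signature of a
    fatigue attack that worked, to be handled as a compromised session (revoke
    the session, reset the factor, contact the user) rather than as a noisy user.
    """
    recent = defaultdict(deque)  # user -> events still inside the window
    findings = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) < threshold:
            continue
        pressured = any(e["event"] != "push_approved" for e in list(q)[:-1])
        severity = "critical" if ev["event"] == "push_approved" and pressured else "high"
        prior = findings.get(ev["user"])
        if prior is None or prior["severity"] != "critical":
            findings[ev["user"]] = {
                "prompts": len(q),
                "start": q[0]["ts"].isoformat(),
                "end": ev["ts"].isoformat(),
                "source_ips": sorted({e["ip"] for e in q}),
                "severity": severity,
            }
    return findings


if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG.splitlines()).items():
        print(user, finding)  # jdoe ... 'prompts': 5 ... 'severity': 'critical'
```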

The Industry Shift: Protecting the Person, Not Just the Account

Facing this identity focused threat environment, major vendors and agencies are reorienting their strategies around the idea that identity is the new perimeter. Microsoft’s Secure Future Initiative guidance positions phishing resistant authentication as essential for reducing credential based risk. As of mid 2025, Microsoft reported that 92 percent of employee productivity accounts were protected by phishing resistant methods, and 2026 guidance treats this as a baseline for modern enterprises rather than a stretch goal.

Okta’s 2026 guidance likewise treats phishing resistant authentication as non-negotiable for high value accounts. It urges organizations to enroll administrators and sensitive users in hardware security keys, smart cards, or other device based methods, and to reduce reliance on SMS, email codes, and generic push notifications, which can be abused in vishing (voice phishing) and MFA fatigue attacks.

CISA and aligned industry commentary describe phishing resistant multi factor authentication as the gold standard for high assurance access, and point to hardware security keys and certificate based login methods as primary mechanisms to achieve it. Phishing resistant authentication is treated as a foundational requirement in modern security frameworks, not an optional enhancement.

Despite this progress, there is a growing recognition that protecting accounts is not enough. Google’s early 2026 analysis of 2025 campaigns notes that state sponsored actors deliberately target personnel through personal devices, personal email accounts, and recruitment platforms, not just enterprise systems. Yet mainstream IAM platforms and standards still lack built in duress signals that allow a user to complete a login under threat while silently requesting help.

Identity Crisis: Comparing IAM Solutions

Against this backdrop, security leaders are being asked to make choices among several common authentication approaches, each with its own tradeoffs.

Passwords. Familiar and widely supported, but highly phishable, frequently reused across sites, vulnerable to credential stuffing (attackers using stolen passwords across multiple sites), and expensive to reset at enterprise scale.

SMS and email MFA. Adds a second factor beyond passwords, but phishable via fake login pages, exposed to SIM swapping (hijacking phone numbers), and often kept as a backup login method that undermines stronger methods.

Push based MFA. Convenient and user friendly, but susceptible to MFA fatigue and vishing, where attackers bombard users with prompts or call them to persuade approval.

Passkeys and FIDO2. Phishing resistant and passwordless by design, backed by major platforms. However, they require compatible hardware, create challenges around recovery and portability, and do not offer an inherent duress signal if a user is coerced.

Photolok. Photo based, phishing resistant, passwordless login that replaces static text credentials with user selected images. Includes 1 Time Photo and duress capabilities designed to protect the person as well as the account.

During periods of geopolitical escalation, these tradeoffs determine whether state sponsored actors can turn social engineering into valid logins.

This gap between where the industry is headed (phishing resistant, passwordless, tied to specific devices) and what attackers are exploiting (human behavior, coercion, and backup login methods) defines the identity crisis: enterprises are modernizing authentication but often still leave the person exposed.

How Photolok Addresses the Gap

Photolok is an emerging passwordless identity provider designed to meet 2026 industry standards for phishing resistant authentication while adding capabilities that protect the person, not just the account. Instead of typing usernames and passwords, users authenticate by selecting their account photos from a randomized photo panel.

Netlok positions Photolok as a solution that meets the 2026 industry standard for phishing resistant authentication and goes further by addressing coercion, visual credential theft, and person level safety.

What Security Leaders Should Do Now

Treat geopolitical escalation as an automatic trigger for stronger authentication. Tie specific geopolitical or sector advisories to predefined changes in authentication policy, such as enforcing phishing resistant methods for affected users, tightening session lifetimes, and increasing monitoring of high value accounts.

Measure phishing resistance, not just MFA coverage. Move beyond reporting “percentage of users with MFA” and explicitly track what share of workforce access uses phishing resistant methods versus passwords with legacy MFA. Use a concrete definition: CISA’s phishing resistant MFA guidance treats FIDO/WebAuthn and PKI based authenticators as phishing resistant, and SMS, email, TOTP, and push approvals as not. Count each user by the weakest login path still enabled for them, since a retained SMS or push fallback is the path an attacker will steer them toward. Focus first on administrators, developers, and business users who can move money, change configurations, or access sensitive data.
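As an added illustration of this metric (example code written for this article, not a Netlok tool), the script below scores each user by the weakest authenticator still enrolled and reports phishing resistant coverage overall and for high value roles, next to the “any MFA” number most dashboards show. The inventory layout, the role names and the authenticator labels are assumptions standing in for whatever your identity provider exports.

```python
"""Phishing resistant coverage metric computed from an authenticator inventory.

Added example for this article; not Netlok code. The inventory layout, role
names and authenticator labels below are assumptions standing in for an
identity provider export.
"""
from collections import Counter

# Buckets follow CISA's phishing resistant MFA guidance: FIDO2/WebAuthn and
# PKI based authenticators resist phishing; codes and push approvals do not.
PHISHING_RESISTANT = {"fido2", "webauthn", "passkey", "piv", "smartcard"}
LEGACY_MFA = {"sms", "email_otp", "totp", "push", "voice"}
PASSWORD = {"password"}

# Roles that can move money, change configuration or reach sensitive data.
HIGH_VALUE_ROLES = {"admin", "developer", "finance"}

# Constructed sample inventory (hypothetical IdP export, one record per user).
SAMPLE_INVENTORY = [
    {"user": "alice", "role": "admin", "authenticators": ["password", "fido2"]},
    {"user": "bob", "role": "finance", "authenticators": ["password", "fido2", "sms"]},
    {"user": "carol", "role": "developer", "authenticators": ["password", "totp"]},
    {"user": "dave", "role": "sales", "authenticators": ["password"]},
    {"user": "erin", "role": "admin", "authenticators": ["passkey"]},
    {"user": "frank", "role": "support", "authenticators": ["password", "push", "sms"]},
]


def classify_user(authenticators):
    """Return 'phishing_resistant', 'legacy_mfa' or 'password_only'.

    A user is scored by the weakest login path still enabled: a FIDO2 key with
    an SMS fallback is NOT phishing resistant, because the fallback is the path
    an attacker will steer the victim toward.
    """
    enrolled = {a.lower() for a in authenticators}
    unknown = enrolled - PHISHING_RESISTANT - LEGACY_MFA - PASSWORD
    if unknown:
        raise ValueError(f"unknown authenticator types: {sorted(unknown)}")
    if enrolled & LEGACY_MFA:
        return "legacy_mfa"
    if enrolled & PHISHING_RESISTANT:
        return "phishing_resistant"
    return "password_only"


def coverage_report(inventory):
    """Contrast the vanity metric (any MFA) with phishing resistant coverage,
    and list high value users who still need remediation."""
    status = Counter()
    with_any_mfa = 0
    high_value_total = high_value_resistant = 0
    remediation = []
    for entry in inventory:
        enrolled = {a.lower() for a in entry["authenticators"]}
        cls = classify_user(enrolled)
        status[cls] += 1
        if enrolled & (PHISHING_RESISTANT | LEGACY_MFA):
            with_any_mfa += 1
        if entry["role"] in HIGH_VALUE_ROLES:
            high_value_total += 1
            if cls == "phishing_resistant":
                high_value_resistant += 1
            else:
                remediation.append({
                    "user": entry["user"], "role": entry["role"], "status": cls,
                    "remove": sorted(enrolled & LEGACY_MFA),        # fallbacks to disable
                    "enroll": not (enrolled & PHISHING_RESISTANT),  # needs a FIDO2/PIV factor
                })
    total = len(inventory) or 1   # avoid division by zero on an empty export
    return {
        "total_users": len(inventory),
        "mfa_coverage_share": with_any_mfa / total,
        "phishing_resistant_share": status["phishing_resistant"] / total,
        "legacy_mfa_share": status["legacy_mfa"] / total,
        "password_only_share": status["password_only"] / total,
        "high_value_resistant_share": high_value_resistant / (high_value_total or 1),
        "high_value_remediation": remediation,
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_INVENTORY)
    print(f"MFA coverage: {report['mfa_coverage_share']:.0%}  "
          f"phishing resistant: {report['phishing_resistant_share']:.0%}  "
          f"high value phishing resistant: {report['high_value_resistant_share']:.0%}")
    for item in report["high_value_remediation"]:
        print(f"  {item['role']:<10}{item['user']:<8}{item['status']:<20}"
              f"disable {item['remove'] or '-'}  enroll needed: {item['enroll']}")
```

On the constructed inventory the “any MFA” figure is 83 percent while phishing resistant coverage is 33 percent overall and 50 percent for high value roles; the remediation list names the finance user whose SMS fallback must be disabled and the developer who has no phishing resistant factor at all.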

Assess whether your IAM stack protects the person. Review your identity and access vendors for capabilities that address the human layer: protections on personal devices and personal email, detection of unusual sign in behavior, and any mechanisms that allow users to signal duress during login. Identify where your current stack assumes the user is always safe and in control.

Model coercion and visual credential theft as explicit identity threats. Add scenarios involving shoulder surfing, screen recording, MFA fatigue, vishing, and physical coercion into your identity threat modeling. Ask, “If an employee is forced to log in in front of someone, or harassed with prompts until they approve, what options does our current authentication give them?”

Brief leadership on the shift from protecting accounts to protecting people. When you talk to executives and boards, frame identity risk as a human safety problem, not just a technical one. Explain that state sponsored actors now go after employees as individuals, often outside corporate networks, and that investing in phishing resistant, person aware authentication is part of protecting both company assets and staff.

The Bottom Line

Geopolitical tensions will continue to drive spikes in credential theft, identity abuse, and downstream attacks on enterprises, especially in sectors tied to defense, critical infrastructure, and technology supply chains. Newly released 2026 threat reports, documenting 2025 activity, reinforce that most intrusions now begin with some form of identity misuse, and that the window between credential theft and active exploitation is shrinking.

In response, agencies and major vendors are converging on phishing resistant, passwordless authentication as the standard for high value access. But phishing resistance alone does not solve for coercion, duress, and the reality that employees themselves are being targeted and pressured. To resolve this identity crisis, organizations need authentication that protects the person as well as the account — combining phishing resistant methods with features like visual shielding and duress signaling.

Request Your Personalized Demo

About the Author

Kasey Cromer is Director of Customer Experience at Netlok.

Sources

[1] CrowdStrike. “2026 Global Threat Report: AI Accelerated Adversaries.” February 23, 2026. crowdstrike.com

[2] Palo Alto Networks Unit 42. “Global Incident Response Report 2026.” February 16, 2026. cyberscoop.com

[3] Industrial Cyber. “Identity Loopholes Drive Nearly 90% of Unit 42 Investigations.” February 19, 2026. industrialcyber.co

[4] Mandiant. “M Trends 2026 Report.” March 23, 2026. helpnetsecurity.com

[5] Google Cloud. “Threats to the Defense Industrial Base.” February 9, 2026. cloud.google.com

[6] Microsoft. “Phishing Resistant MFA (Secure Future Initiative).” August 2025. learn.microsoft.com

[7] Okta. “Why Basic MFA Isn’t Enough to Defeat Modern Phishing.” January 14, 2026. okta.com

[8] IDDataWeb. “Inside CISA’s Phishing Resistant MFA Playbook.” August 2025. iddataweb.com

[9] SentinelOne. “What Is Phishing Resistant MFA?” March 1, 2026. sentinelone.com

[10] The Hacker News. “9 Identity Security Predictions for 2026.” February 8, 2026. thehackernews.com

[11] Smarter MSP. “MFA Fatigue Continues to Be a Threat in 2026.” January 26, 2026. smartermsp.com

[12] Netlok. “How Photolok Works.” netlok.com

Kasey Cromer, Netlok | March 31, 2026

Executive Summary

Traditional authentication was designed to answer one question: should this login succeed? It was not designed to ask whether the person behind the login is safe. In 2026, that gap is becoming a liability.

Attackers are no longer just stealing credentials. They are threatening employees in person, harvesting login data by watching screens, and exploiting the sheer complexity of enterprise identity systems to slip through undetected. The threats have become personal, but the defenses have not kept pace.

This blog examines three 2026 realities that demand a “protect the person, not just the account” mindset, explains why traditional authentication falls short, and outlines what security leaders can do now to close the gap.

Three 2026 Realities Security Leaders Must Address

1. Protecting the person and account

  1. Duress and Coercion Are Now Identity Problems

    For years, physical safety and digital security lived in separate categories. They are now converging. Front line employees, clinicians, and field staff increasingly work in situations where physical aggression intersects with critical systems access.

    CENTEGIX’s Healthcare Safety Trends Report 2026 found that 46 percent of all staff duress alerts in 2025 and early 2026 stemmed from aggressive or physically threatening behavior by patients, family members, or other staff. Nearly half the time someone activates a panic feature, the person in front of them has become a direct threat. Campus Safety’s January 2026 coverage shows hospitals rolling out wearable duress buttons tied into real time location systems so staff can summon help discreetly.

    If almost half of duress alerts involve physical aggression, then some fraction of those situations involve demands to unlock doors, access records, or complete transactions. A nurse or teller facing a credible threat has two bad options: refuse and escalate risk, or comply and silently hand an attacker legitimate access. There is no third path built into today’s authentication systems.

  2. Device Theft and Shoulder Surfing Feed Credential Exposure

    The more common pattern in 2026 is quieter than overt threats: attackers stealing or visually harvesting access from phones and laptops, then using that foothold to move through enterprise systems.

    Crisis24 reports that around 1.4 million mobile phones were stolen across the United States in 2023, highlighting the scale of device theft entering the 2025 and 2026 period. Kensington’s 2025 device security research found that 23 percent of respondents worry about visual hacking such as people reading sensitive information over their shoulders, and 43 percent are concerned about unauthorized access to company data on their devices.

    SpyCloud’s 2026 Identity Exposure Report found over 642.4 million exposed credentials from 13.2 million credential stealing malware infections in 2025, an average of 50 exposed user credentials per infection. Many came from compromised devices employees used for both personal and enterprise access. The mechanics are clear: if a login factor appears on a screen or can be observed, an attacker can capture and reuse it.

  3. Enterprise Login Complexity Has Become a Security Risk

    Beyond overt threats and stolen devices, 2026 identity data shows a quieter problem: the sheer number of identities and login experiences that humans and systems must manage has exploded.

    1Password’s March 2026 report states that in 2025, there were between 82 and 144 machine identities (service accounts, automated credentials, AI tools) for every employee in the average enterprise. GitGuardian’s State of Secrets Sprawl 2026 reports that credentials for AI services are accelerating faster than any other category, with 81 percent growth from 2024 to 2025 in AI related secrets exposed on public GitHub.

    On the human side, Avatier content drawing on Ponemon Institute research states that the average employee manages between 70 and 80 passwords. Password resets account for 20 to 50 percent of all help desk calls, with each reset costing between 70 and 100 dollars. Thales’ 2026 Data Threat Report finds that credential theft is the leading attack technique against cloud infrastructure, with 67 percent of organizations studied seeing credential theft increase.

    Human users are overwhelmed with passwords while enterprises average 82 to 144 machine identities per employee. That combination makes traditional authentication both unmanageable and unsafe at scale.

2. Why Traditional Authentication Falls Short

Traditional authentication systems were built to verify identity, not to protect the person behind it. They have no mechanism for an employee to signal that they are being coerced. They rely on credentials that can be observed, captured, and replayed. They add friction through multiple factors without reducing the underlying exposure.

The core assumption, that the person logging in is doing so freely and privately, no longer holds in many real world scenarios. When a teller is threatened, when a phone is stolen, or when someone watches you type your password in an airport, traditional MFA does nothing to help.

3. How Photolok Addresses the “Protect the Person” Gap

Photolok Passwordless IdP was designed with these realities in mind. It replaces passwords with photo based authentication that addresses coercion, observation, and complexity at the identity layer:

Figure: Traditional authentication offers only two paths during coercion. Photolok creates a third.

Because Photolok sits at the identity provider and authentication layer, it complements existing security controls without requiring a redesign of downstream systems.

What Security Leaders Should Do Now

Establish duress protocols across security, IT, HR, and physical safety teams. Coercion scenarios do not fit neatly into IT incident response. Work with HR, legal, and workplace safety stakeholders to define what happens when an employee signals distress during authentication. Who gets notified? What access gets constrained? How is the employee protected?

Add coercion and device theft scenarios to incident response playbooks. Most playbooks cover phishing and malware. When an employee is physically threatened, the first priority is personal safety, followed by immediately disabling their account access and coordinating across security, HR, and physical safety teams. When a laptop is stolen with active sessions, response must happen in minutes: log out all devices, reset passwords, and remotely erase the device. Document the response steps now, before you need them.

Implement a credential reset policy after travel or public exposure. Employees who work in airports, conferences, coffee shops, or client sites are at elevated risk for shoulder surfing. Consider requiring credential rotation or one time use authentication for sensitive systems after travel.

Review remote wipe and device lockdown procedures. When a phone or laptop is stolen, how quickly can you revoke access? Test your identity provider integrations to ensure you can lock out a compromised device within minutes, not hours.

Evaluate whether your authentication gives employees any way to protect themselves. Ask a simple question: if an employee is being coerced right now, does your authentication system give them any option other than compliance or refusal? If the answer is no, explore solutions that build human safety into the authentication flow.

The Bottom Line


In 2026, identity is personal. Attackers target people, not just accounts, through coercion, device theft, and the noise of sprawling identity systems. Traditional authentication was built to decide whether a login should succeed, not whether the human behind it is safe.

The organizations that adapt will be those that treat “protect the person, not just the account” as a design principle for every authentication decision they make.


Sources

[1] CENTEGIX. “Healthcare Safety Trends Report 2026.” centegix.com

[2] Campus Safety. “How Wearable Panic Buttons Will Improve Hospital Workplace Safety in 2026.” campussafetymagazine.com

[3] Crisis24. “Increasing Rates of Phone Thefts Worldwide Pose Significant Data Security Risks.” crisis24.com

[4] Kensington. “Study Highlights Prevalence of Device Theft and the Impacts on Data Security.” kensington.com

[5] SpyCloud. “2026 Identity Exposure Report.” prnewswire.com

[6] 1Password. “Credential Sprawl: How AI Increases the Risks.” 1password.com

[7] GitGuardian. “The State of Secrets Sprawl 2026.” gitguardian.com

[8] Avatier. “Passwordless Security Based Systems.” avatier.com

[9] Thales. “2026 Data Threat Report.” cpl.thalesgroup.com

[10] Netlok. “How Photolok Works.” netlok.com

Kasey Cromer, Netlok | March 18, 2026

Executive Summary  

The identity and authentication methods that enterprises rely on today were not designed for AI powered attackers. Deepfakes now defeat facial recognition at scale. Voice clones bypass call center verification in seconds. AI generated phishing harvests credentials faster than security teams can respond. What worked five years ago is now a liability.  

This is not a future threat. It is happening now in 2026. As Gartner anticipated, 30 percent of enterprises now consider face biometrics unreliable in isolation due to AI generated deepfakes. Deepfake fraud attempts have surged over 3,000 percent since 2022. Voice cloning attacks increased 680 percent in the past year alone. The authentication crisis is here.  

Security leaders and boards need to understand that legacy identity and authentication has become a material enterprise risk. Photolok Passwordless IdP and authentication offers an alternative designed for this threat landscape, replacing passwords and biometrics with photo based identity and authentication that gives AI attackers nothing to clone, nothing to phish, and nothing to replay.

The Authentication Crisis: What AI Has Changed  

AI has fundamentally broken the assumptions behind traditional identity and authentication. The methods enterprises have relied on for decades, passwords, one time codes, facial recognition, and voice verification, all assume that attackers are human and that fakes are easy to spot. Neither assumption holds in 2026.  

Deepfakes are defeating facial recognition. Attacks using face swap deepfakes to bypass biometric authentication have increased over 700 percent in recent years, and the problem continues to accelerate. The volume of deepfakes shared online has grown 16 fold in just two years, reaching an estimated 8 million in 2025 (Fortune). In Q1 2025 alone, financial losses from deepfake enabled fraud exceeded $200 million in North America. The Arup incident, where a finance worker was tricked into wiring $25 million after a video call with deepfake executives, demonstrated that attackers can now fabricate entire multi person video conferences. When shown high quality deepfake videos, humans correctly identify them as fake only 24.5 percent of the time. 

Voice clones are bypassing verification. Voice cloning now requires just three seconds of audio to produce a convincing replica, complete with natural intonation, emotion, and breathing patterns. Voice deepfakes rose 680 percent in the past year (Pindrop). AI generated voice scams have surged 148 percent in 2025, with major retailers reporting over 1,000 AI scam calls per day. Synthetic voices no longer carry the obvious flaws that once made them easy to detect. CEO fraud using voice clones now targets at least 400 companies daily.  

AI generated phishing is harvesting credentials at unprecedented scale. AI crafted phishing emails achieve 54 percent click through rates compared to 12 percent for traditional phishing, making them 4.5 times more effective (Microsoft Digital Defense Report). Microsoft estimates AI can make phishing operations up to 50 times more profitable through higher engagement and automation efficiency. The FBI has warned that AI greatly increases the speed, scale, and automation of phishing schemes. Over the holiday season in late 2025, AI generated phishing attacks surged 14 fold, representing 56 percent of all reported phishing attacks (Hoxhunt).  

The speed and scale of AI attacks outpace human defenses. AI tools allow threat actors to accelerate reconnaissance, create convincing phishing messages, and scale their operations far beyond what was previously possible (CrowdStrike 2026 Global Threat Report). Average breakout time for cyber intrusions has collapsed to just 29 minutes, with the fastest observed at 27 seconds from initial access to lateral movement. By the time security teams detect an incident, the damage is often done.  
 
Figure: Average Breakout Time Is Shrinking (CrowdStrike 2026 Global Threat Report)

Why Traditional Defenses Are Failing  

Passwords remain the dominant login method, and they are still easily compromised. The Verizon 2025 DBIR found that stolen credentials were the initial access vector in 22 percent of breaches, more than any other category. In basic web application attacks, 88 percent involved stolen credentials. Analysis shows that only 3 percent of compromised passwords met basic complexity requirements. Credential stuffing now accounts for 19 percent of all authentication attempts at the median enterprise, rising to 25 percent at large organizations.  

SMS and app based one time codes are vulnerable at every step. SIM swapping, real time phishing, and social engineering all defeat these controls. Prompt bombing, where users are bombarded with MFA requests until they approve one out of frustration, appeared in 14 percent of incidents in the 2025 DBIR. Adversary in the middle attacks intercept both passwords and session tokens after legitimate MFA authentication. Phishing as a service kits like Tycoon2FA and EvilProxy are specifically designed to bypass modern MFA controls.
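Two of the patterns in this paragraph, credential stuffing and prompt bombing, leave distinct shapes in sign in logs that a detection rule can pick out: one source address cycling through many usernames with almost no successes, and one user receiving a burst of push prompts that ends in an approval. The detection below is an added example (not from the original post or any vendor product) run over a constructed log; the JSON line format, the field names and the event names are assumptions standing in for your identity provider’s real sign in events.

```python
"""Detecting credential stuffing and MFA prompt bombing in sign in logs.

Added example, not from the original post or any vendor. The log format below
(one JSON object per line with ts, event, user, src_ip) and the event names are
assumptions; map them onto your identity provider's real sign in events.
"""
import json
from collections import defaultdict


def _build_constructed_log():
    """Constructed sample events: one normal login, one stuffing burst,
    one prompt bombing sequence."""
    t = 1_700_000_000
    rows = [
        {"ts": t, "event": "password_ok", "user": "alice", "src_ip": "198.51.100.4"},
        {"ts": t + 2, "event": "mfa_push_sent", "user": "alice", "src_ip": "198.51.100.4"},
        {"ts": t + 9, "event": "mfa_push_approved", "user": "alice", "src_ip": "198.51.100.4"},
    ]
    # Credential stuffing: one address, twelve usernames in a minute, one hit.
    for i in range(12):
        outcome = "password_ok" if i == 7 else "password_fail"
        rows.append({"ts": t + 100 + 5 * i, "event": outcome,
                     "user": f"user{i:02d}", "src_ip": "203.0.113.7"})
    # Prompt bombing of bob: six pushes in three minutes, five denials, then an approval.
    for i in range(6):
        rows.append({"ts": t + 300 + 30 * i, "event": "mfa_push_sent",
                     "user": "bob", "src_ip": "203.0.113.9"})
        verdict = "mfa_push_approved" if i == 5 else "mfa_push_denied"
        rows.append({"ts": t + 305 + 30 * i, "event": verdict,
                     "user": "bob", "src_ip": "203.0.113.9"})
    return "\n".join(json.dumps(r) for r in rows)


CONSTRUCTED_LOG = _build_constructed_log()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_credential_stuffing(events, window=300, min_users=10, max_success_ratio=0.1):
    """Flag a source address that tries many distinct usernames in a short window
    with almost no successes. Returns {src_ip: summary of the widest such window}."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] in ("password_ok", "password_fail"):
            by_ip[e["src_ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:   # slide the window
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            hits = sorted(e["user"] for e in span if e["event"] == "password_ok")
            if len(users) >= min_users and len(hits) / len(span) <= max_success_ratio:
                if ip not in findings or len(span) > findings[ip]["attempts"]:
                    findings[ip] = {"attempts": len(span), "distinct_users": len(users),
                                    "successes": len(hits), "hit_users": hits}
    return findings


def detect_mfa_fatigue(events, window=600, min_prompts=5, grace=60):
    """Flag a user who receives a burst of push prompts. An approval inside the
    burst is the high severity case (the victim gave in) and the session it
    created should be revoked. Returns {user: summary}."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"].startswith("mfa_push_"):
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        prompts = sorted((e for e in evs if e["event"] == "mfa_push_sent"), key=lambda e: e["ts"])
        start = 0
        for end in range(len(prompts)):
            while prompts[end]["ts"] - prompts[start]["ts"] > window:
                start += 1
            if end - start + 1 < min_prompts:
                continue
            lo, hi = prompts[start]["ts"], prompts[end]["ts"] + grace
            outcomes = [e["event"] for e in evs if lo <= e["ts"] <= hi]
            approved = "mfa_push_approved" in outcomes
            findings[user] = {
                "prompts": end - start + 1,
                "denied": outcomes.count("mfa_push_denied"),
                "approved_after_burst": approved,
                "severity": "high" if approved else "medium",
                "src_ips": sorted({e["src_ip"] for e in prompts[start:end + 1]}),
            }
    return findings


if __name__ == "__main__":
    evs = parse_events(CONSTRUCTED_LOG)
    for ip, f in detect_credential_stuffing(evs).items():
        print(f"stuffing from {ip}: {f['distinct_users']} users, {f['successes']} hit(s) {f['hit_users']}")
    for user, f in detect_mfa_fatigue(evs).items():
        print(f"prompt bombing of {user}: {f['prompts']} prompts, {f['denied']} denied, "
              f"approved={f['approved_after_burst']} severity={f['severity']}")
```

The stuffing rule keys on the ratio of distinct usernames to successes rather than on raw failure volume, which also catches low and slow campaigns that stay under per account lockout thresholds; the fatigue rule treats an approval that follows a run of denials as the signal to revoke the resulting session, not as a successful login.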

Biometrics, once seen as the answer, are now being defeated by synthetic media. Deepfakes now account for 40 percent of all biometric fraud attempts. One in 20 identity verification failures in 2025 is linked to deepfake usage (Keepnet Labs). Attackers use face swap deepfakes and inject pre recorded or real time manipulated video streams via virtual cameras to fool liveness detection. The technology gap between attack and defense is widening.  

The core issue is that these methods assume attackers are human. When AI can replicate a face, a voice, or a writing style, authentication that relies on a static “something you are” sample or a reusable “something you know” secret is fundamentally compromised. Enterprises need identity and authentication whose proofs AI cannot capture and replay.  

Why Photolok Addresses the AI Identity and Authentication Threat  

Photolok is not another point solution. It is a Passwordless Identity Provider (IdP) and authentication server that functions as the front door for your apps and systems. It is not a SaaS product. Photolok works with existing systems including Okta Workforce and other identity platforms. As an identity provider, Photolok verifies user identities before granting access to any application. By replacing passwords at this identity layer, Photolok secures authentication across every app and system where your employees use Photolok. The apps themselves never see or store credentials. They simply trust Photolok’s verification.  

What makes Photolok different is that it gives AI attackers nothing to work with:  

  1. Steganographic photo based authentication with AES 256 encryption. Photolok embeds encrypted codes inside photos. Each session generates a new AES 256 key that is never presented as a visible password or one time code. Users are identified and authenticated by selecting encoded photos they recognize rather than typing secrets. There is no voice to clone, no face to fake, and no password to phish.
  2. Randomized recognition challenges. Photolok presents a different set of photos and challenge patterns each session. There is no fixed credential or predictable sequence for attackers to script against. Even when scammers coach a victim through authentication on a live call, the randomized photos and changing codes prevent credentials from being reused in future sessions.
  3. Device approval. Photolok lets organizations control which devices may authenticate. This prevents logins from unknown endpoints even if attackers convince a victim to attempt access from unfamiliar devices.
  4. Situational security with Duress Photo and 1 Time Photo. The Duress Photo allows a user to appear to identify and authenticate while silently signaling distress and triggering security alerts. The 1 Time Photo becomes invalid after a single use, resisting shoulder surfing and live coaching.
  5. User friendly and cost effective. No passwords means no resets, no help desk tickets, and no hardware tokens. Photolok leverages the brain’s picture superiority effect for faster recall even under stress.

Because Photolok sits at the identity provider layer, it complements existing fraud analytics, transaction monitoring, and security controls.  

What Security Leaders Should Do Now  

  1. Brief the board on AI identity & authentication risk. Deepfakes and voice clones are not science fiction. They are causing nine figure losses today. Ensure leadership understands that biometrics and passwords are no longer sufficient against AI powered attackers.
  2. Audit your authentication stack for AI vulnerabilities. Identify where your organization relies on facial recognition, voice verification, or password based MFA. Map which systems and roles are most exposed to deepfake and phishing attacks.
  3. Move high value users to AI resistant authentication at the identity provider layer. Prioritize finance, treasury, executives, and anyone who can move money or grant privileged access. Photolok Passwordless IdP can sit in front of existing IdPs to harden sensitive paths without redesigning downstream systems.
  4. Implement out of band verification (using a separate trusted channel) for high risk transactions. Require confirmation through a separate channel before authorizing large transfers or sensitive changes. Do not trust video or voice alone.
  5. Train employees on AI powered social engineering. Traditional phishing awareness is no longer sufficient. Employees need to understand that deepfakes can clone voices and fake video calls, that AI can generate convincing phishing emails, and that urgency is often manufactured.

The Bottom Line  

AI has broken the identity and authentication model that enterprises have relied on for decades. Passwords are stolen at scale. Biometrics are defeated by deepfakes. Voice verification falls to cloning. Attacks now unfold in minutes, not hours. The methods designed for human attackers cannot withstand AI powered adversaries.  

The strategic response is to adopt authentication that gives AI nothing to exploit. Photolok Passwordless IdP replaces passwords and biometrics with photo based, session specific identity and authentication that cannot be cloned or replayed. It integrates with existing platforms like Okta Workforce.  


Sources  

[1] Gartner. “Predicts 30% of Enterprises Will Consider Identity Verification Unreliable Due to Deepfakes by 2026.” gartner.com  

[2] Verizon. “2025 Data Breach Investigations Report.” verizon.com/dbir  

[3] Fortune. “2026 Will Be the Year You Get Fooled by a Deepfake.” December 2025. fortune.com  

[4] Pindrop. “2025 Voice Intelligence and Security Report.” pindrop.com  

[5] Microsoft. “Digital Defense Report 2025.” microsoft.com  

[6] CrowdStrike. “2026 Global Threat Report.” crowdstrike.com  

[7] Keepnet Labs. “Deepfake Statistics and Trends 2026.” keepnetlabs.com  

[8] Hoxhunt. “Phishing Trends Report 2026.” hoxhunt.com  

[9] World Economic Forum. “Global Cybersecurity Outlook 2025.” weforum.org  

[10] Netlok. “How Photolok Works.” netlok.com  

Kasey Cromer, Netlok | February 28, 2026

Executive Summary 

“Pig butchering” refers to scams where fraudsters build trust over weeks or months before steering victims into fake investment schemes, “fattening” them with false gains before the “slaughter” when scammers empty accounts and disappear (TRM Labs). Pig butchering has evolved from fringe consumer crypto fraud into an industrialized scam industry that steals billions globally each year. 

These operations increasingly target employees with access to corporate funds and data. What once looked like a consumer romance problem has become a material enterprise risk that blends payment fraud, business email compromise, and targeted social engineering. Traditional controls relying on users spotting red flags or password centric authentication are struggling against well resourced adversaries operating at global scale with near zero enforcement risk (Huntress). 

Security leaders need to treat pig butchering as a systemic identity and payments problem, not merely a user awareness issue. That means reducing the blast radius when employees are socially engineered: assume that scammers will eventually obtain credentials or convince someone to approve a transaction, and design controls accordingly. Photolok Passwordless IdP helps close this gap by taking passwords off the table and making it significantly harder for scammers to steal or manipulate their way into your systems. 

The Pig Butchering Threat Landscape 

Pig butchering operations combine relationship building, fake investment platforms, and crypto infrastructure. Scammers cultivate trust over weeks or months across messaging apps, dating platforms, and social networks before steering victims into high yield “opportunities” that are actually scam websites or apps they control. Once funds are deposited, money moves quickly through crypto infrastructure designed to obscure its origins, often crossing multiple jurisdictions in volumes that are difficult to trace in real time or, for that matter, over time. 

The scale and professionalization are hard to ignore. The FBI IC3 reported a record $16.6 billion in total cybercrime losses in 2024, an increase of about 33 percent compared to 2023. TRM Labs notes that nearly 150,000 IC3 complaints in 2024 involved digital assets, with $9.3 billion in losses tied to crypto enabled fraud. Of that $9.3 billion, approximately $5.8 billion (62 percent) came from cryptocurrency investment scams. Pig butchering is the largest driver of this category. 

Blockchain analytics show that pig butchering remains a dominant component of crypto scam activity. Chainalysis reports that pig butchering revenue in 2024 grew nearly 40 percent year over year and that the number of victim payments to scammers grew by almost 210 percent.  At the same time, the average deposit amount declined by more than half, which suggests that scammers are widening the victim pool and accepting smaller amounts in exchange for more total victims. 

The infrastructure behind pig butchering has become a service industry. Researchers describe “pig butchering as a service” in Southeast Asia where providers sell kits with preregistered SIM cards, stolen social media accounts, fake finance apps, and multilingual scripts for scam workers. These offerings remove much of the overhead of building scams and lower the entry barrier for new actors. A 2025 US Treasury action against Funnull Technology revealed that one company’s infrastructure hosted hundreds of thousands of domains used in crypto investment fraud, including pig butchering schemes. 

For executives, the picture is clear. Pig butchering is no longer a niche romance scam that only affects consumers. It is a professionalized fraud ecosystem that blends human trafficking, social engineering, crypto infrastructure, and scalable technology, and it increasingly touches employees and customers who interact with your organization’s money and systems. 

Why Traditional Defenses Are Failing 

Many organizations still treat pig butchering primarily as a consumer issue. That framing creates blind spots in enterprise risk management and identity strategy. 

User awareness by itself is not enough. Scam operators use detailed scripts, share playbooks, and increasingly rely on generative AI to craft realistic personas in multiple languages. They build rapport across personal channels such as WhatsApp, Telegram, dating apps, and social media long before a victim’s work identity is even mentioned. By the time a fraudulent “investment opportunity” appears, the victim may feel a strong emotional bond and is less likely to question unusual requests. CNBC reports that AI is accelerating these scams by enabling scammers to operate in multiple languages and at greater scale than ever before. 

Controls tend to focus on channels rather than relationships. Security teams invest heavily in email filtering, secure web gateways, and endpoint protection, but pig butchering conversations often never touch corporate email or networks. The scam starts on personal channels. By the time fraudsters ask employees to move funds or share access, the request bypasses corporate email and security tools entirely. 

Authentication remains easy to observe and easy to coerce. Once a victim trusts the scammer, the adversary needs one of three outcomes: the person sends money, shares credentials, or approves an action. Passwords can be phished through fake login pages that resemble investment or banking portals. SMS codes can be requested “for verification” and entered by the scammer in real time. The FBI notes that scammers increasingly coach victims through authentication steps in real time, turning even multi factor authentication into a vulnerability when the user is complicit. Even stronger methods such as passkeys or biometrics can be abused when a victim is persuaded that an approval is safe, routine, or urgently required. 

Fraud and security functions are often siloed. Fraud teams monitor anomalies in payment flows and counterparties. Security teams monitor logins, session behavior, and application access. Pig butchering cases frequently straddle both domains. A payment might be technically authorized from a familiar device, but the authorization itself is the product of social engineering. When fraud and security teams don’t share data, these incidents get written off as legitimate user decisions instead of organized crime. 

Law enforcement is scaling up but cannot keep pace. The Department of Justice announced the largest ever seizure of funds related to crypto confidence scams in 2025, yet the cross border nature of these networks means many operators still face minimal consequences. For security leaders this reinforces a core design assumption: your defenses must work even when the external environment remains saturated with pig butchering operations. 

Traditional perimeter controls and awareness campaigns are necessary but insufficient. You need to redesign how high value identity and payment flows work so that even a socially engineered user cannot easily hand over reusable secrets or authorize high impact actions. 

Why Photolok Addresses the Pig Butchering Landscape 

Once you see where traditional controls fall short, the answer is to strengthen the layer every pig butchering attack on an enterprise must eventually pass through: identity. 

Pig butchering succeeds when scammers can convert social trust into access. That access may be to cash, credentials, or systems. The strategic question is how to reduce damage when an employee trusts the wrong person. 

Photolok is not another point solution. It is a Passwordless Identity Provider (IdP) that functions as the front door for your apps and systems. It works with existing systems including Okta Workforce and other identity platforms. As an identity provider, Photolok verifies who users are before granting access to any application. By replacing passwords at this identity layer, Photolok secures authentication across every app and system your employees use. The apps themselves never see or store credentials. They simply trust Photolok’s verification. 

• Steganographic, photo-based authentication with AES-256 encryption. Photolok embeds encrypted codes inside photos. Each session generates a new AES-256 key that is never presented as a visible password or one-time code. Users authenticate by selecting photos they recognize rather than typing secrets.

• Randomized recognition challenges. Photolok presents a different set of photos and challenge patterns each session. There is no fixed credential or predictable sequence for attackers to script against. Even when scammers coach a victim through authentication on a live call, they get nothing they can use again. 

• Device approval and fingerprinting. Photolok lets organizations control which devices may authenticate. Combined with device fingerprinting, this prevents logins from unknown endpoints even if scammers convince a victim to attempt access from unfamiliar devices. 

• Situational security with Duress Photo and 1 Time Photo. The Duress Photo allows a user to appear to authenticate while silently signaling distress and triggering security alerts. The 1 Time Photo becomes invalid after a single use, resisting shoulder surfing and live coaching. These features are specifically designed for scenarios where attackers are actively coaching victims through authentication. 

• User friendly and cost effective. Having no passwords means no resets, no help-desk tickets, and no hardware tokens, which reduces authentication costs. Photolok leverages the brain’s picture superiority effect for faster recall even under stress.

Because Photolok sits at the identity provider layer, it complements existing fraud analytics, transaction monitoring, and security controls. 

What Security Leaders Should Do Now 

1. Incorporate pig butchering into threat models and exercises. Update fraud playbooks to include scenarios where employees are groomed on personal channels before being asked to move company money or share sensitive access. Run tabletop exercises with finance, treasury, and customer success teams. 

2. Map high-value identity and payment paths. Identify roles that can move money, change settlement instructions, or grant high-privilege access. Use that list to prioritize which users and workflows need stronger authentication first. Document how authentication works today and where scammers could realistically insert themselves.

3. Move critical flows to observation-resistant authentication at the identity provider layer. Prioritize high-value users and transactions. Photolok Passwordless IdP can sit in front of existing IdPs to harden sensitive paths without redesigning downstream systems.

4. Align fraud, security, and AML perspectives. Ensure teams share data and define clear triggers for escalation, such as large transfers to new counterparties combined with logins from unfamiliar devices or locations. 

5. Provide targeted education for high risk staff. Pair training on scammer tactics with strong identity controls so users can ask for help without blame when something feels off. 
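As an added example (not Netlok's or this page's code) of the escalation trigger described in step 4, the function below joins a constructed payment log from the fraud side with a constructed login log from the security side: a transfer above a threshold to a counterparty the user has never paid, preceded within two hours by a login from a device or location absent from the user's baseline, is flagged for joint escalation. The field names, the threshold, the window, and the sample events are all assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed records standing in for the fraud team's payment log and the
# security team's login log; this schema is an assumption for the example.
@dataclass
class Login:
    user: str
    ts: datetime
    device: str
    geo: str

@dataclass
class Transfer:
    user: str
    ts: datetime
    amount: int
    counterparty: str

BASELINE = datetime(2026, 3, 1)  # events before this date define what is "familiar"

LOGINS = [  # constructed sample data
    Login("alice", datetime(2026, 2, 10, 9, 0), "dev-A", "US-CA"),
    Login("alice", datetime(2026, 3, 5, 10, 0), "dev-Z", "HK"),   # new device and location
    Login("alice", datetime(2026, 3, 6, 9, 0), "dev-A", "US-CA"),
    Login("bob", datetime(2026, 3, 5, 11, 0), "dev-Q", "NG"),
]
TRANSFERS = [  # constructed sample data
    Transfer("alice", datetime(2026, 2, 12, 14, 0), 12_000, "vendor-1"),
    Transfer("alice", datetime(2026, 3, 5, 10, 45), 75_000, "exchange-x"),  # new payee: escalate
    Transfer("alice", datetime(2026, 3, 6, 9, 30), 80_000, "vendor-1"),     # known payee: no alert
    Transfer("bob", datetime(2026, 3, 5, 11, 20), 1_000, "exchange-y"),     # below threshold
]

def familiar(logins, transfers, cutoff):
    """Per-user sets of devices, locations and counterparties seen before the cutoff."""
    prof = {}
    blank = lambda: {"dev": set(), "geo": set(), "cp": set()}
    for l in (x for x in logins if x.ts < cutoff):
        p = prof.setdefault(l.user, blank())
        p["dev"].add(l.device)
        p["geo"].add(l.geo)
    for t in (x for x in transfers if x.ts < cutoff):
        prof.setdefault(t.user, blank())["cp"].add(t.counterparty)
    return prof

def escalation_triggers(logins, transfers, cutoff=BASELINE, threshold=50_000,
                        window=timedelta(hours=2)):
    """Large transfer to a never-before-seen counterparty within `window` of a login
    from an unfamiliar device or location -> one (user, ts, amount, payee, device, geo)."""
    prof = familiar(logins, transfers, cutoff)
    alerts = []
    for t in transfers:
        p = prof.get(t.user, {"dev": set(), "geo": set(), "cp": set()})
        if t.ts < cutoff or t.amount < threshold or t.counterparty in p["cp"]:
            continue
        for l in logins:
            if (l.user == t.user and t.ts - window <= l.ts <= t.ts
                    and (l.device not in p["dev"] or l.geo not in p["geo"])):
                alerts.append((t.user, t.ts, t.amount, t.counterparty, l.device, l.geo))
                break
    return alerts
```

The same join can be run on a schedule against the real logs of both teams, so that a transfer authorized from a session that security already considers unusual is routed to a person rather than written off as a legitimate user decision.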

These steps signal a shift from blaming victims to designing systems that assume sophisticated adversaries will eventually reach your people. 

The Bottom Line 

Pig butchering is now a major driver of global cybercrime losses. It is fueled by industrialized scam operations, cryptocurrency infrastructure, and “pig butchering as a service” offerings that let new scammers come online quickly. Scammers win when they can convince someone to send cash, share credentials, or access systems. 

The strategic response is to assume some employees will be deceived and design authentication so that deception does not automatically translate into compromise. Photolok Passwordless IdP helps close that gap by turning authentication into a photo based, session specific process that gives attackers nothing to steal, copy, or exploit. It integrates with existing platforms like Okta Workforce. 

Want to see how Photolok can help harden your high risk identity flows against pig butchering? 


About the Author 

Kasey Cromer is Director of Customer Experience at Netlok. 

Sources 

[1] FBI IC3. “2024 IC3 Annual Report.” ic3.gov 

[2] TRM Labs. “Key Findings from the FBI’s 2024 IC3 Report.” trmlabs.com 

[3] Chainalysis. “Crypto Scam Revenue 2024: Pig Butchering Grows 40% YoY.” chainalysis.com 

[4] CNBC. “Crypto Scams Thrive in 2024 on Back of Pig Butchering and AI.” cnbc.com 

[5] Huntress. “What Is a Pig Butchering Scam.” huntress.com 

[6] US Department of the Treasury. “Treasury Takes Action Against Cyber Scam Facilitator.” treasury.gov 

[7] US Department of Justice. “Largest Ever Seizure of Funds Related to Crypto Confidence Scams.” justice.gov 

[8] Netlok. “How Photolok Works.” netlok.com