Identity Crisis: When Attackers Log In Instead of Break In

Kasey Cromer, Netlok | April 10, 2026

Executive Summary

Geopolitical escalation reliably coincides with surges in phishing, credential theft, and identity abuse, especially where state sponsored actors target workers in defense, critical infrastructure, and technology supply chains. Newly released 2026 findings from leading threat intelligence teams show that attackers increasingly “log in” with stolen credentials, reused passwords, or credentials from coerced employees instead of “breaking in” with exploits or malware.

Across these reports, identity has effectively become the primary attack surface, with valid account abuse, social engineering, and misused login processes driving a large share of initial access. Agencies and large vendors now describe phishing resistant authentication as the gold standard for protecting high value accounts and urge enterprises to phase out legacy MFA that depends on passwords, one time codes, or generic push approvals.

At the same time, the industry is shifting from a narrow focus on protecting accounts to a broader mandate to protect the person behind those accounts. This blog examines that identity crisis, compares common identity and access management (IAM) approaches, and introduces Photolok’s photo based, phishing resistant authentication as an example of how to protect both the account and the individual.

The Pattern: Why Geopolitical Escalation Drives Credential Attacks

Over the past decade, multiple conflicts have shown that geopolitical escalation and cyber campaigns move in lockstep. State sponsored groups consistently use phishing and credential theft as low cost, high yield tactics to gain footholds in targeted environments.

Newly published findings from Palo Alto Networks Unit 42 show that identity abuse has become the dominant pathway into enterprises. Their Global Incident Response Report 2026, based on 2025 investigations, reports that identity based techniques accounted for nearly two thirds of initial intrusions, and that identity weaknesses played a significant role in nearly 90 percent of investigations. This underscores that many modern attacks begin with misuse of legitimate access, not exploitation of software flaws.

In parallel, early 2026 reporting from Google’s threat intelligence team, analyzing campaigns observed through 2025, highlights sustained pressure on the defense industrial base from actors linked to Russia and China. These campaigns often go after individual employees rather than network defenses, using spear phishing, fake recruitment efforts, and other social engineering to reach both corporate and personal accounts. Enterprises become downstream targets even when they are not directly party to a geopolitical flashpoint.

2026 Threat Landscape: What the Data Shows

Newly released 2026 threat reports, analyzing 2025 activity, emphasize that intrusions are increasingly identity based. Large incident response and threat intelligence teams describe campaigns where adversaries focus on obtaining valid credentials, abusing login sessions, and hijacking login processes instead of exploiting unpatched vulnerabilities.

CrowdStrike’s 2026 Global Threat Report, covering 2025 activity, shows a sharp rise in cloud focused attacks: such attacks increased by 37 percent, and the state sponsored attackers driving these intrusions increased their activity by 266 percent. Valid account abuse accounts for roughly 35 percent of cloud incidents, underscoring that many attacks now start with a login rather than an exploit.

Mandiant’s M Trends 2026 report, based on 2025 incidents, underscores how quickly attackers can use stolen credentials. The report notes that the median time between initial access and passing that access to another attacker has fallen to just 22 seconds. Once an attacker gains a foothold using stolen identity data, they can immediately pass that access to other actors, compressing defenders’ window to detect and contain a breach.

Analysis of MFA fatigue campaigns published in early 2026, reflecting 2025 trends, shows attackers exploiting human overload rather than technical weaknesses. Organizations report sustained waves of push prompts and social engineering calls that pressure users into approving malicious sign ins. Even where multifactor authentication is present, adversaries look for ways to turn user behavior into a vulnerability.

The Industry Shift: Protecting the Person, Not Just the Account

Facing this identity focused threat environment, major vendors and agencies are reorienting their strategies around the idea that identity is the new perimeter. Microsoft’s Secure Future Initiative guidance positions phishing resistant authentication as essential for reducing credential based risk. As of mid 2025, Microsoft reported that 92 percent of employee productivity accounts were protected by phishing resistant methods, and 2026 guidance treats this as a baseline for modern enterprises rather than a stretch goal.

Okta’s 2026 guidance likewise treats phishing resistant authentication as non-negotiable for high value accounts. Okta urges organizations to enroll administrators and sensitive users into hardware security keys, smart cards, or other device based methods, and to reduce reliance on SMS, email codes, and generic push notifications that can be abused in vishing (voice phishing) and MFA fatigue attacks.

CISA and aligned industry commentary describe phishing resistant multi factor authentication as the gold standard for high assurance access, and point to hardware security keys and certificate based login methods as primary mechanisms to achieve it. Phishing resistant authentication is treated as a foundational requirement in modern security frameworks, not an optional enhancement.

Despite this progress, there is a growing recognition that protecting accounts is not enough. Google’s early 2026 analysis of 2025 campaigns notes that state sponsored actors deliberately target personnel through personal devices, personal email accounts, and recruitment platforms, not just enterprise systems. Yet mainstream IAM platforms and standards still lack built in duress signals that allow a user to complete a login under threat while silently requesting help.

Identity Crisis: Comparing IAM Solutions

Against this backdrop, security leaders are being asked to make choices among several common authentication approaches, each with its own tradeoffs.

Passwords. Familiar and widely supported, but highly phishable, frequently reused across sites, vulnerable to credential stuffing (attackers using stolen passwords across multiple sites), and expensive to reset at enterprise scale.

SMS and email MFA. Adds a second factor beyond passwords, but phishable via fake login pages, exposed to SIM swapping (hijacking phone numbers), and often kept as a backup login method that undermines stronger methods.

Push based MFA. Convenient and user friendly, but susceptible to MFA fatigue and vishing, where attackers bombard users with prompts or call them to persuade approval.

Passkeys and FIDO2. Phishing resistant and passwordless by design, backed by major platforms. However, they require compatible hardware, create challenges around recovery and portability, and do not offer an inherent duress signal if a user is coerced.

Photolok. Photo based, phishing resistant, passwordless login that replaces static text credentials with user selected images. Includes 1 Time Photo and duress capabilities designed to protect the person as well as the account.

During periods of geopolitical escalation, these tradeoffs determine whether state sponsored actors can turn social engineering into valid logins.

This gap between where the industry is headed (phishing resistant, passwordless, tied to specific devices) and what attackers are exploiting (human behavior, coercion, and backup login methods) defines the identity crisis: enterprises are modernizing authentication but often still leave the person exposed.

How Photolok Addresses the Gap

Photolok is an emerging passwordless identity provider designed to meet 2026 industry standards for phishing resistant authentication while adding capabilities that protect the person, not just the account. Instead of typing usernames and passwords, users authenticate by selecting their account photos from a randomized photo panel.

  • Photo based authentication. Users authenticate by selecting their login photos rather than entering text based passwords. This removes phishable credentials from the process and reduces the value of keyloggers, malware that steals login information, and phishing sites that depend on captured usernames and passwords.
  • 1 Time Photo (enhanced). Photolok allows users to designate up to five 1 Time Photos for single use authentication. When a 1 Time Photo is active, only the first panel is shown during login, and the user’s regular photos never appear on screen. Anyone observing sees only disposable images. Once used, a 1 Time Photo cannot be reused, and an attacker who captures the login session gains no knowledge of the user’s standard photo set.
  • Duress Photo. Users can designate a Duress Photo that completes login while silently sending an alert to IT and security teams. If an employee is coerced or threatened, they can authenticate and gain access as expected while signaling that they need help, without alerting the person applying pressure. This embeds a panic button in the authentication flow that conventional passwords, passkeys, and MFA factors do not provide.
  • Simplified authentication and integration. Because photos are easy to remember, select, and change, Photolok can reduce password reset tickets and help desk load. Point and click navigation with autosave helps users complete login quickly, and Photolok integrates with existing identity providers, including Okta Workforce, so security teams can layer it into established single sign on (SSO) and access policies.
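The login flow described in the list above, as an added illustrative model written for this post rather than Netlok’s code: the class, photo ids, decoy list and alert queue are constructed stand-ins, and nothing here reflects how Photolok is actually implemented. It shows the three properties the list claims: a 1 Time Photo hides the regular set and cannot be replayed, and a Duress Photo grants access while queuing a silent alert.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Set
import secrets


@dataclass
class PhotoAccount:
    """Server side state for one user (hypothetical model). Photo ids are opaque strings."""
    username: str
    regular_photos: FrozenSet[str]            # the user's standard photo set
    one_time_photos: Set[str]                 # up to five single use photo ids
    duress_photo: Optional[str] = None        # logs in normally, alerts silently
    alerts: List[dict] = field(default_factory=list)  # constructed stand-in for a SOC queue

    def build_panel(self, decoys: List[str], size: int = 9) -> List[str]:
        """Randomized panel shown at login. While a 1 Time Photo is active only
        disposable images appear; the regular set and the duress photo stay hidden."""
        if self.one_time_photos:
            shown = {sorted(self.one_time_photos)[0]}
        else:
            shown = {secrets.choice(sorted(self.regular_photos))}
            if self.duress_photo:
                shown.add(self.duress_photo)       # the user must be able to signal
        hidden = self.regular_photos | self.one_time_photos | {self.duress_photo}
        pool = list(shown) + [d for d in decoys if d not in hidden][: size - len(shown)]
        secrets.SystemRandom().shuffle(pool)
        return pool

    def authenticate(self, selected: str) -> bool:
        """Grant or deny. The response sent to the browser is identical for a
        regular, 1 Time or Duress selection; only the server side alert queue differs."""
        if selected in self.one_time_photos:
            self.one_time_photos.discard(selected)  # burned: a replay is denied
            return True
        if selected == self.duress_photo:
            self.alerts.append({"user": self.username, "event": "duress_login"})
            return True
        return selected in self.regular_photos
```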

Netlok positions Photolok as a solution that meets the 2026 industry standard for phishing resistant authentication and goes further by addressing coercion, visual credential theft, and person level safety.

What Security Leaders Should Do Now

Treat geopolitical escalation as an automatic trigger for stronger authentication. Tie specific geopolitical or sector advisories to predefined changes in authentication policy, such as enforcing phishing resistant methods for affected users, tightening session lifetimes, and increasing monitoring of high value accounts.

Measure phishing resistance, not just MFA coverage. Move beyond reporting “percentage of users with MFA” and explicitly track what share of workforce access uses phishing resistant methods versus passwords with legacy MFA. Focus first on administrators, developers, and business users who can move money, change configurations, or access sensitive data.
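An added example (not part of the original post) of the two metrics this paragraph contrasts, computed over constructed sign-in records: the method names, role list and record shape are assumptions to be mapped onto your identity provider’s sign-in logs. It also flags users who hold a phishing resistant method alongside a legacy fallback, the gap the post warns about.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

# Assumed classification of authentication methods; adjust to your IdP's event schema.
PHISHING_RESISTANT: Set[str] = {"fido2", "passkey", "smart_card", "certificate"}
LEGACY_MFA: Set[str] = {"sms", "email_otp", "push", "totp"}
PRIVILEGED_ROLES: Set[str] = {"admin", "developer", "finance"}

# Constructed sample sign-ins: (user, role, authentication method)
SIGNINS: List[Tuple[str, str, str]] = [
    ("ann", "admin", "fido2"),
    ("ann", "admin", "push"),        # legacy fallback still enabled for an admin
    ("bob", "developer", "push"),
    ("cat", "finance", "sms"),
    ("dan", "staff", "password"),
    ("eve", "staff", "passkey"),
    ("fay", "developer", "smart_card"),
    ("gus", "staff", "totp"),
]


def metrics(signins, privileged_only: bool = False) -> Tuple[float, float]:
    """Return (mfa_coverage, phishing_resistant_share) as fractions of sign-ins.
    MFA coverage counts any second factor; the second metric counts only methods
    that cannot be relayed through a fake login page or approved under pressure."""
    rows = [s for s in signins if not privileged_only or s[1] in PRIVILEGED_ROLES]
    if not rows:
        return 0.0, 0.0
    counts = Counter(method for _, _, method in rows)
    mfa = sum(n for m, n in counts.items() if m in PHISHING_RESISTANT | LEGACY_MFA)
    strong = sum(n for m, n in counts.items() if m in PHISHING_RESISTANT)
    return mfa / len(rows), strong / len(rows)


def users_with_legacy_fallback(signins) -> List[str]:
    """Users seen with both a phishing resistant method and a legacy factor:
    the weaker method is the one a social engineer will steer them toward."""
    methods: Dict[str, Set[str]] = {}
    for user, _, method in signins:
        methods.setdefault(user, set()).add(method)
    return sorted(u for u, ms in methods.items() if ms & PHISHING_RESISTANT and ms & LEGACY_MFA)
```

On the sample data, privileged accounts report 100 percent MFA coverage while only 40 percent of their sign-ins are phishing resistant, which is exactly the difference the two metrics are meant to expose.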

Assess whether your IAM stack protects the person. Review your identity and access vendors for capabilities that address the human layer: protections on personal devices and personal email, detection of unusual sign in behavior, and any mechanisms that allow users to signal duress during login. Identify where your current stack assumes the user is always safe and in control.

Model coercion and visual credential theft as explicit identity threats. Add scenarios involving shoulder surfing, screen recording, MFA fatigue, vishing, and physical coercion into your identity threat modeling. Ask, “If an employee is forced to log in in front of someone, or harassed with prompts until they approve, what options does our current authentication give them?”

Brief leadership on the shift from protecting accounts to protecting people. When you talk to executives and boards, frame identity risk as a human safety problem, not just a technical one. Explain that state sponsored actors now go after employees as individuals, often outside corporate networks, and that investing in phishing resistant, person aware authentication is part of protecting both company assets and staff.

The Bottom Line

Geopolitical tensions will continue to drive spikes in credential theft, identity abuse, and downstream attacks on enterprises, especially in sectors tied to defense, critical infrastructure, and technology supply chains. Newly released 2026 threat reports, documenting 2025 activity, reinforce that most intrusions now begin with some form of identity misuse, and that the window between credential theft and active exploitation is shrinking.

In response, agencies and major vendors are converging on phishing resistant, passwordless authentication as the standard for high value access. But phishing resistance alone does not solve for coercion, duress, and the reality that employees themselves are being targeted and pressured. To resolve this identity crisis, organizations need authentication that protects the person as well as the account — combining phishing resistant methods with features like visual shielding and duress signaling.

About the Author

Kasey Cromer is Director of Customer Experience at Netlok.

Sources

[1] CrowdStrike. “2026 Global Threat Report: AI Accelerated Adversaries.” February 23, 2026. crowdstrike.com

[2] Palo Alto Networks Unit 42. “Global Incident Response Report 2026.” February 16, 2026. cyberscoop.com

[3] Industrial Cyber. “Identity Loopholes Drive Nearly 90% of Unit 42 Investigations.” February 19, 2026. industrialcyber.co

[4] Mandiant. “M Trends 2026 Report.” March 23, 2026. helpnetsecurity.com

[5] Google Cloud. “Threats to the Defense Industrial Base.” February 9, 2026. cloud.google.com

[6] Microsoft. “Phishing Resistant MFA (Secure Future Initiative).” August 2025. learn.microsoft.com

[7] Okta. “Why Basic MFA Isn’t Enough to Defeat Modern Phishing.” January 14, 2026. okta.com

[8] IDDataWeb. “Inside CISA’s Phishing Resistant MFA Playbook.” August 2025. iddataweb.com

[9] SentinelOne. “What Is Phishing Resistant MFA?” March 1, 2026. sentinelone.com

[10] The Hacker News. “9 Identity Security Predictions for 2026.” February 8, 2026. thehackernews.com

[11] Smarter MSP. “MFA Fatigue Continues to Be a Threat in 2026.” January 26, 2026. smartermsp.com

[12] Netlok. “How Photolok Works.” netlok.com