
Protecting the Person, Not Just the Account

Kasey Cromer, Netlok | March 31, 2026

Executive Summary

Traditional authentication was designed to answer one question: should this login succeed? It was not designed to ask whether the person behind the login is safe. In 2026, that gap is becoming a liability.

Attackers are no longer just stealing credentials. They are threatening employees in person, harvesting login data by watching screens, and exploiting the sheer complexity of enterprise identity systems to slip through undetected. The threats have become personal, but the defenses have not kept pace.

This blog 1) examines three 2026 realities that demand a “protect the person, not just the account” mindset; 2) explains why traditional authentication falls short; and 3) outlines what security leaders can do now to close the gap.

Three 2026 Realities Security Leaders Must Address

1. Protecting the person and account

  1. Duress and Coercion Are Now Identity Problems

    For years, physical safety and digital security lived in separate categories. Over the past several years, they have been converging. Frontline employees, clinicians, and field staff increasingly work in situations where physical aggression intersects with access to critical systems.

    CENTEGIX’s Healthcare Safety Trends Report 2026 found that 46 percent of all staff duress alerts in 2025 and early 2026 stemmed from aggressive or physically threatening behavior by patients, family members, or other staff. Nearly half of the time someone activates a panic feature because the person in front of them has become a direct threat. Campus Safety’s January 2026 coverage shows hospitals rolling out wearable duress buttons tied into real time location systems so staff can summon help discreetly.

    If almost half of duress alerts involve physical aggression, then some fraction of those situations involve demands to unlock doors, access records, or complete transactions. A nurse or teller facing a credible threat has two bad options: refuse and escalate risk, or comply and silently hand an attacker legitimate access. There is no third path built into today’s authentication systems.

  2. Device Theft and Shoulder Surfing Feed Credential Exposure

    The more common pattern in 2026 is quieter than overt threats: attackers stealing or visually harvesting access from phones and laptops, then using that foothold to move through enterprise systems.

    Crisis24 reports that around 1.4 million mobile phones were stolen across the United States in 2023, highlighting the scale of device theft heading into 2025 and 2026. Kensington’s 2025 device security research found that 23 percent of respondents worry about visual hacking, such as people reading sensitive information over their shoulders, and 43 percent are concerned about unauthorized access to company data on their devices.

    SpyCloud’s 2026 Identity Exposure Report found over 642.4 million exposed credentials from 13.2 million credential stealing malware infections in 2025, an average of 50 exposed user credentials per infection. Many came from compromised devices employees used for both personal and enterprise access. The mechanics are clear: if a login factor appears on a screen or can be observed, an attacker can capture and reuse it.

  3. Enterprise Login Complexity Has Become a Security Risk

    Beyond overt threats and stolen devices, 2026 identity data shows a quieter problem: the sheer number of identities and login experiences that humans and systems must manage has exploded.

    1Password’s March 2026 report states that in 2025, there were between 82 and 144 machine identities (service accounts, automated credentials, AI tools) for every employee in the average enterprise. GitGuardian’s State of Secrets Sprawl 2026 reports that credentials for AI services are accelerating faster than any other category, with 81 percent growth from 2024 to 2025 in AI related secrets exposed on public GitHub.

    On the human side, Avatier content drawing on Ponemon Institute research states that the average employee manages between 70 and 80 passwords. Password resets account for 20 to 50 percent of all help desk calls, with each reset costing between 70 and 100 dollars. Thales’ 2026 Data Threat Report finds that credential theft is the leading attack technique against cloud infrastructure, with 67 percent of organizations studied seeing credential theft increasing.

    Human users are overwhelmed with passwords while enterprises average 82 to 144 machine identities per employee. That combination makes traditional authentication both unmanageable and unsafe at scale.

2. Why Traditional Authentication Falls Short

Traditional authentication systems were built to verify identity, not to protect the person behind it. They have no mechanism for an employee to signal that they are being coerced. They rely on credentials that can be observed, captured, and replayed. They add friction through multiple factors without reducing the underlying exposure.

The core assumption, that the person logging in is doing so freely and privately, no longer holds in many real world scenarios. When a teller is threatened, when a phone is stolen, when someone watches you type your password in an airport, traditional MFA does nothing to help.

3. How Photolok Addresses the “Protect the Person” Gap

Photolok Passwordless IdP was designed with these realities in mind. It replaces passwords with photo based authentication that addresses coercion, observation, and complexity at the identity layer:

  • Simplified authentication. Photos are easy to remember, select, and replace. Point and click navigation with autosave eliminates password resetting costs and help desk tickets. Photolok integrates with existing identity providers including Okta Workforce, consolidating login experiences rather than adding another layer of friction.
  • 1 Time Photo. Uses a temporary photo that is removed from the account after one use. If someone is using a camera or looking over your shoulder, the photo they capture cannot be reused to access the account later. This strips replay value from stolen credentials.
  • Duress Photo. Lets users select a designated photo that completes login while sending a silent alarm to IT security in real time. If the account owner feels they are in danger or being forced to give access to a bad actor, they can notify security without the attacker knowing. This is authentication with a built in panic button.

Figure: Traditional authentication offers only two paths during coercion. Photolok creates a third.

Because Photolok sits at the identity provider and authentication layer, it complements existing security controls without requiring a redesign of downstream systems.
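As an added illustration (not Netlok’s code and not how Photolok is implemented; the account, photo names and alert sink are all constructed), the Python sketch below models the two properties the bullets describe in generic form: a one-time factor that is deleted after a single use, so an observed or photographed selection has no replay value, and a duress factor that returns the same success response as a normal login while raising a silent alert.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

def _digest(secret: bytes, factor: str) -> bytes:
    # Keyed hash of the factor id, so a leaked store does not reveal
    # which enrolled photo is the duress one.
    return hmac.new(secret, factor.encode(), hashlib.sha256).digest()

def _match(pool: set, d: bytes) -> bool:
    # Check every stored digest (no early exit) so hit and miss cost the same.
    return sum(hmac.compare_digest(s, d) for s in pool) > 0

@dataclass
class Account:
    user: str
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    normal: set = field(default_factory=set)    # everyday factors
    one_time: set = field(default_factory=set)  # deleted after one use
    duress: set = field(default_factory=set)    # log in AND raise an alert
    alerts: list = field(default_factory=list)  # constructed SOC alert sink

    def enroll(self, factor: str, kind: str = "normal") -> None:
        getattr(self, kind).add(_digest(self.secret, factor))

    def verify(self, factor: str) -> bool:
        # Same True for normal, one-time and duress factors: the client,
        # and anyone watching the screen, cannot tell which was used.
        d = _digest(self.secret, factor)
        if _match(self.duress, d):
            self.alerts.append({"user": self.user, "event": "duress_login"})
            return True
        if _match(self.one_time, d):
            self.one_time.discard(d)  # consumed: a captured copy will not replay
            return True
        return _match(self.normal, d)

def demo() -> dict:
    # Constructed walk-through: one account, one factor of each kind.
    acct = Account("teller01")
    acct.enroll("photo:lighthouse")
    acct.enroll("photo:red-kite", kind="one_time")
    acct.enroll("photo:old-barn", kind="duress")
    return {
        "normal_ok": acct.verify("photo:lighthouse"),
        "one_time_first": acct.verify("photo:red-kite"),
        "one_time_replay": acct.verify("photo:red-kite"),  # False
        "duress_ok": acct.verify("photo:old-barn"),
        "alerts_raised": len(acct.alerts),
    }
```

In a real deployment the alert sink would page the security team and the duress path would also constrain what the session can reach, which this sketch leaves out.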

What Security Leaders Should Do Now

Establish duress protocols across security, IT, HR, and physical safety teams. Coercion scenarios do not fit neatly into IT incident response. Work with HR, legal, and workplace safety stakeholders to define what happens when an employee signals distress during authentication. Who gets notified? What access gets constrained? How is the employee protected?

Add coercion and device theft scenarios to incident response playbooks. Most playbooks cover phishing and malware. When an employee is physically threatened, the first priority is personal safety, followed by immediately disabling their account access and coordinating across security, HR, and physical safety teams. When a laptop is stolen with active sessions, response must happen in minutes: log out all devices, reset passwords, and remotely erase the device. Document the response steps now, before you need them.

Implement a credential reset policy after travel or public exposure. Employees who work in airports, conferences, coffee shops, or client sites are at elevated risk for shoulder surfing. Consider requiring credential rotation or one time use authentication for sensitive systems after travel.

Review remote wipe and device lockdown procedures. When a phone or laptop is stolen, how quickly can you revoke access? Test your identity provider integrations to ensure you can lock out a compromised device within minutes, not hours.

Evaluate whether your authentication gives employees any way to protect themselves. Ask a simple question: if an employee is being coerced right now, does your authentication system give them any option other than compliance or refusal? If the answer is no, explore solutions that build human safety into the authentication flow.

The Bottom Line

In 2026, identity is personal. Attackers target people, not just accounts, through coercion, device theft, and the noise of sprawling identity systems. Traditional authentication was built to decide whether a login should succeed, not whether the human behind it is safe.

The organizations that adapt will be those that treat “protect the person, not just the account” as a design principle for every authentication decision they make.


About the Author

Kasey Cromer is Director of Customer Experience at Netlok.

Sources

[1] CENTEGIX. “Healthcare Safety Trends Report 2026.” centegix.com

[2] Campus Safety. “How Wearable Panic Buttons Will Improve Hospital Workplace Safety in 2026.” campussafetymagazine.com

[3] Crisis24. “Increasing Rates of Phone Thefts Worldwide Pose Significant Data Security Risks.” crisis24.com

[4] Kensington. “Study Highlights Prevalence of Device Theft and the Impacts on Data Security.” kensington.com

[5] SpyCloud. “2026 Identity Exposure Report.” prnewswire.com

[6] 1Password. “Credential Sprawl: How AI Increases the Risks.” 1password.com

[7] GitGuardian. “The State of Secrets Sprawl 2026.” gitguardian.com

[8] Avatier. “Passwordless Security Based Systems.” avatier.com

[9] Thales. “2026 Data Threat Report.” cpl.thalesgroup.com

[10] Netlok. “How Photolok Works.” netlok.com
