🟠 High | Source: The Hacker News
Attackers are shifting focus from credential stuffing to exploiting identity verification steps — such as MFA prompts, passkey recovery flows, and account reset mechanisms — as passkeys become mainstream and the traditional ‘front door’ gets harder to compromise. This marks a strategic pivot in account takeover (ATO) tactics where the verification layer itself becomes the primary attack surface. Cloud-hosted identity services and SaaS platforms are increasingly in scope as attackers target the weakest link in the authentication chain.
Security Architect’s Take: Audit and harden all account recovery and identity verification flows in your cloud IAM, SSO, and SaaS platforms — pay particular attention to fallback mechanisms such as SMS-based recovery, helpdesk reset procedures, and OAuth re-authorisation flows, as these are now primary ATO vectors. Consider implementing phishing-resistant MFA enforced at the policy level and ensure your threat detection covers anomalous verification attempts, not just failed logins.
Original advisory: The Verification Step Is the New ATO Battleground in 2026