The Credential Problem:

Why What We're Relying On to Stay Secure Is Already Broken

By Mykhailo Magal, PhD, Head of Research and Development, Iothic Ltd.

Authentication is the front door to every system you own. And for most organizations, that door is held shut with a combination lock that a reasonably motivated teenager could crack. Not because the people managing it are careless. Because the underlying architecture was never built to handle what the threat landscape has become.

Passwords came first. Then multi-factor authentication arrived as the fix. Then came biometrics, certificate-based systems, smart cards, and hardware tokens. Each one was positioned as the answer. None of them actually solved the problem. They just moved it around.

Here's what's actually happening under the hood, and why it matters.

Passwords: A Design Problem, Not a Discipline Problem

The instinct is always to blame users. Weak passwords, recycled passwords, writing them on sticky notes. But that's the wrong frame entirely. The real issue is that passwords are static credentials stored somewhere on a server, in a database, or in memory, and anything stored can be stolen.

Credential stuffing attacks don't require sophistication. They require a leaked database and a script. The 2023 FBI Internet Crime Report attributed over $2.9 billion in losses to phishing-based credential theft. That number doesn't account for the downstream costs of incident response, breach notification, regulatory exposure, and reputational damage. The aggregate is considerably worse.

Brute force attacks, pass-the-hash, and credential replay aren't exotic techniques. They're commodity tools, available to anyone willing to spend a few hours on the right forums. Password complexity requirements don't stop them. Periodic rotation doesn't stop them. Better user training doesn't stop them. Because the vulnerability isn't behavioural. It's structural.

MFA: Better, But Not the Wall Everyone Thinks It Is

Multi-factor authentication was a genuine improvement. Requiring something you know and something you have raised the bar meaningfully for opportunistic attacks. For a while, it worked well enough.

Then attackers adapted. SIM swapping became widespread, allowing threat actors to redirect SMS-based one-time codes to a device they control. MFA fatigue attacks, where users receive repeated push notification prompts until one is accepted out of frustration, are now a documented, repeatable technique. Real-time phishing proxies intercept TOTP codes mid-session, rendering time-limited tokens useless before they expire.

And that's before we get to the operational burden. Maintaining MFA infrastructure, token distribution, device management, user provisioning, and helpdesk support for lockouts costs somewhere north of $1 million annually per organization at scale. That cost doesn't disappear because MFA is now considered baseline. It compounds.

The deeper issue is that MFA is still fundamentally a layer on top of the same credential model. It makes theft harder. It doesn't make theft impossible, and it doesn't remove the underlying stored secret that makes theft meaningful in the first place.
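The MFA fatigue pattern described above leaves a recognizable trace in push-notification logs: a burst of denied or timed-out prompts for one account, sometimes ending in an approval. The following is an added example, not part of the original article, showing a sliding-window detection over such events; the log format, the 5-minute window, and the threshold of 3 are assumptions chosen for illustration, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of push-MFA events: ISO timestamp, user, prompt result.
SAMPLE_LOG = """\
2024-05-01T09:00:05 alice approved
2024-05-01T02:10:00 bob denied
2024-05-01T02:10:40 bob timeout
2024-05-01T02:11:15 bob denied
2024-05-01T02:12:02 bob timeout
2024-05-01T02:12:50 bob approved
2024-05-01T11:00:00 carol denied
2024-05-01T11:30:00 carol approved
2024-05-01T14:00:00 dave denied
2024-05-01T14:00:30 dave denied
2024-05-01T14:01:00 dave denied
"""

def parse(log):
    """Return (timestamp, user, result) tuples in time order."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:  # ignore lines that do not have three fields
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events)

def detect_push_fatigue(log, window=timedelta(minutes=5), threshold=3):
    """Map user -> alert for bursts of rejected push prompts.

    burst_in_progress: >= threshold denied/timed-out prompts inside window.
    approved_after_burst: such a burst followed by an approval.
    """
    rejected = defaultdict(deque)  # user -> times of recent rejected prompts
    alerts = {}
    for ts, user, result in parse(log):
        recent = rejected[user]
        while recent and ts - recent[0] > window:
            recent.popleft()  # prompt fell out of the sliding window
        if result in ("denied", "timeout"):
            recent.append(ts)
            if len(recent) >= threshold:
                alerts.setdefault(user, "burst_in_progress")
        elif result == "approved":
            if len(recent) >= threshold:
                alerts[user] = "approved_after_burst"
            recent.clear()
    return alerts
```

An approval that follows a burst is the higher-priority alert, since the session it granted should be revoked; a burst with no approval still indicates that the account's first factor is already in someone else's hands.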

Certificate-Based Authentication: Centralized Trust Is a Single Point of Failure

PKI-based authentication moved away from passwords by using cryptographic certificates issued by a central authority. In theory, this is significantly more robust. In practice, it introduces a different category of risk: the certificate authority itself.

Compromise a CA, and you compromise every certificate it has issued. The 2011 DigiNotar breach demonstrated exactly this. A single compromised authority led to fraudulent certificates for dozens of major domains, enabling man-in-the-middle attacks at scale. It took the company down entirely within months of disclosure.

Beyond outright compromise, certificate management introduces substantial operational complexity. Certificate expiration, revocation propagation, and lifecycle management across distributed systems are operationally demanding. Mismanaged certificates are a persistent source of unplanned outages and security gaps, and in environments where edge systems or OT devices don't maintain consistent connectivity to central authorities, the whole model starts to break down functionally.

Kerberos environments, which underpin most Active Directory deployments, have their own version of this problem. The Key Distribution Center is a crown jewel. If an attacker compromises the KDC and obtains the KRBTGT account hash, they can forge Kerberos tickets for any user, any service, with no time limit. Golden Ticket attacks have been used by sophisticated threat actors in real-world intrusions. It's not theoretical.

The Common Thread: Static Credentials and Centralized Trust

Every authentication method described above (passwords, MFA tokens, certificates, and Kerberos tickets) shares one structural characteristic: something of value is stored, and anything stored can be found, copied, and reused.

Passwords are stored on servers. Hashes are stored in memory. Certificates persist on devices. Kerberos tickets have lifetimes measured in hours. The attacker doesn't need to break the cryptography. They just need to get to the credential before it expires. And with lateral movement tools that operate in minutes, that window is more than sufficient.

The average cost of a credential-based breach sits around $5 million USD per incident, according to IBM's 2024 Cost of a Data Breach report. That figure accounts for detection, containment, and recovery, not the long-term costs of regulatory action, litigation, and customer attrition. For critical infrastructure operators and defence contractors, the stakes extend well beyond financial impact.

The issue isn't that organizations are using these methods poorly. The issue is that the methods themselves have structural limitations that improvements in policy or user behaviour can't resolve.

What the Next Generation of Authentication Looks Like

The shift that actually addresses this problem is architectural rather than incremental. Instead of storing credentials and trying to protect them, the approach is to eliminate them entirely.

Session-specific cryptographic keys, generated fresh for every authentication event and never reused or stored, remove the fundamental asset that credential-based attacks target. There's nothing to steal, because nothing persists. A captured key from one session is useless for the next one.

Combine that with decentralized authentication, where no single authority can be compromised to issue fraudulent access, and the attack surface changes fundamentally. There's no KDC to Golden Ticket. No CA to compromise. No hash database to exfiltrate.

Quantum-resistant cryptography matters here too. Current encryption standards, including RSA, ECC, and the algorithms underpinning most existing PKI, are vulnerable to attacks from sufficiently powerful quantum hardware. The timeline on that is debated, but the "harvest now, decrypt later" strategy is already in use by sophisticated adversaries. Data encrypted today can be stored and decrypted once the hardware is available. Transitioning to NIST-approved post-quantum algorithms, like CRYSTALS-Kyber, closes that exposure before it becomes acute.

The operational benefits are real, too. Eliminating password management infrastructure, reducing helpdesk load from MFA lockouts, and removing certificate lifecycle complexity aren't minor efficiencies. For large organizations, the cost reduction is material.

Authentication is still treated, in most organizations, as an infrastructure problem to be managed rather than a design problem to be solved. The layering of additional controls on top of a fundamentally flawed model produces incrementally better outcomes at steadily increasing cost.

The credential model is broken. The question isn't whether to move beyond it. The question is how long it takes for each organization to realize that the answer isn't another layer.
