Account Takeover Evolves: Attackers Target Verification Steps as Passkeys Go Mainstream
As passkeys become the norm, cybercriminals are shifting from credential stuffing to compromising identity verification and recovery processes for account takeovers.

The landscape of account takeover (ATO) attacks is undergoing a significant transformation, driven by the widespread adoption of passkeys and passwordless authentication. For years, attackers relied heavily on credential stuffing – purchasing stolen passwords in bulk and using automated tools to test them against various online services. This method, while effective, is becoming obsolete as more users and organizations embrace more secure authentication methods.
The FIDO Alliance reports that 75% of global consumers now use passkeys on at least one account, and 68% of companies are implementing them for employee sign-ins. This shift means that the traditional value of stolen passwords has diminished, forcing attackers to seek new avenues for compromise. The focus is moving away from the initial login and towards the subsequent steps that verify a user's identity.
When primary authentication methods harden, fraud doesn't disappear; it merely relocates to the weakest remaining links in the security chain. These often include account recovery processes, device re-enrollment procedures, step-up verification for high-value transactions, and the ubiquitous "magic link" emails sent to confirm a user's identity. Attackers are increasingly targeting these verification layers, which can be bypassed through various means, such as intercepting magic links via compromised inboxes or exploiting unverified mobile deep links.
Compounding this shift is the increasing sophistication of generative AI. Tools that can create convincing deepfakes and synthetic identities are making impersonation fraud more prevalent and harder to detect. Veriff's Identity Fraud Report 2026 indicates that over 85% of observed fraud attacks involve impersonation, with AI-generated or altered media being 300% more likely in verification attempts compared to previous periods. This means that verification systems that rely solely on the authenticity of presented media are vulnerable to sophisticated AI-driven attacks.
In response to these evolving threats, ATO defense strategies are entering a new phase. Three key shifts are expected to shape future defenses over the next 12 to 18 months. Firstly, "intent binding" will become crucial, cryptographically linking a verified human action to the specific transaction or instruction being approved. This helps ensure that even if an identity is compromised, the attacker cannot authorize unauthorized actions.
Secondly, "network-effect data" will provide a stronger defensive advantage. By analyzing fraud patterns across millions of sessions, devices, and networks, organizations can detect coordinated attacks before they spread. This approach leverages scale and cross-analysis of person, document, device, and network signals for more robust threat detection.
Finally, regulatory pressure will continue to raise the baseline for identity assurance. Frameworks like eIDAS 2.0 and AML regulations are pushing organizations towards stronger, more standardized identity verification methods, while the phase-out of SMS-based OTPs accelerates the move away from easily interceptable authentication factors.
To adapt, organizations should prioritize making passwordless authentication and biometric liveness detection baseline requirements. They must also treat re-verification and step-up authentication as high-stakes events, applying risk-based checks rather than static ones. Planning for AI-resistant verification and intent binding is essential, assuming that presented media may be synthetic and designing controls to bind verified identity to verified intent. The future of ATO defense lies in proactively securing the verification step, not just the initial login.