Identity Is the Primary Attack Surface. The Data Confirms It
A new incident response report from Palo Alto Networks Unit 42 — drawn from 750 real-world cases — finds that identity-based techniques drove 65 percent of initial intrusions. Identity played a role in nearly 90 percent of all breaches, from initial access through lateral movement and data exfiltration. This is not a technology failure. It is an architecture failure. And it has a precise solution.
65 Percent of Initial Intrusions Begin at Authentication
Unit 42 analyzed 750 incidents and found identity techniques were the dominant entry point. Social engineering accounted for roughly one-third of initial compromises. The remainder involved compromised credentials, brute force, overly permissive access policies, and insider abuse.
Sam Rubin, SVP of Consulting and Threat Intelligence at Unit 42, noted that once an attacker has a valid identity, they effectively have everything — and that enterprises continue to struggle distinguishing legitimate activity from adversarial activity using the same credentials.
The reason is structural. When authentication succeeds with valid credentials, downstream controls see an authorized user. Logs confirm successful logins. Detection tools have no signal to act on, because technically, nothing has been broken. The system is operating as designed. That is the core of the problem.
Identity Is the Entire Attack Chain
Unit 42's data shows identity is not simply the initial entry point. It is operative throughout the breach lifecycle. After gaining access, attackers move laterally using stolen tokens and session cookies, escalate privileges through compromised accounts, and exfiltrate data via authenticated sessions that appear fully authorized. Detection-based controls cannot reliably differentiate an adversary operating with valid credentials from a legitimate employee. The only reliable control is preventing the authentication from succeeding in the first place.
The Architecture Has a Known Gap
The Unit 42 findings do not implicate firewalls or endpoint detection. They locate the vulnerability precisely: identity. And the weakness is architectural.
Access policies are inconsistently applied across cloud and on-premises environments. Privileged accounts are over-provisioned. Machine identities and AI agents are expanding the attack surface faster than governance can track. Legacy MFA — built on codes, push approvals, and user judgment — was not designed to withstand AI-generated phishing or real-time relay attacks.
Social engineering, credential theft, and MFA bypass are now faster, cheaper, and more scalable than software exploitation. The industry has provided attackers with a rational path of least resistance.
Why Legacy Authentication Cannot Close This Gap
SMS codes are interceptable. Push approvals are subject to fatigue. Authenticator applications can be phished in real time. Each of these vectors is represented in the Unit 42 data.
If 65 percent of initial intrusions are identity-based, and identity is implicated in nearly 90 percent of breaches overall, the logical question is direct: why are high-stakes environments still relying on authentication that can be socially engineered?
Cryptographic Biometric Identity Closes the Authentication Layer
Token's Biometric Assured Identity platform addresses this at the architecture level. Token does not rely on codes, push notifications, or user judgment. Every authentication enforces three properties simultaneously, in hardware: a live biometric fingerprint match, a cryptographic key pair bound to the exact registered domain, and physical proximity to the endpoint being accessed.
There is no shared secret to steal. No code to relay. No fallback that bypasses biometric verification.
During authentication, the domain issues a cryptographic challenge. Token signs that challenge only when all three conditions are met — verified biometric, confirmed domain match, confirmed physical presence. If any element of that chain is spoofed or proxied, authentication does not succeed.
Phishing fails at the domain binding layer. MFA fatigue has no surface to exploit. Session relay has no credential to replay. Credential theft becomes structurally irrelevant.
Applied to the Unit 42 dataset: every identity-based initial intrusion in their analysis would have been stopped at the authentication layer. No verified identity. No access. No lateral movement.
Machine Identities Require the Same Standard
Unit 42 also identifies machine identities and AI-driven automation as a growing component of the attack surface. As organizations deploy service accounts, APIs, and AI agents at scale, the number of unverified identity endpoints expands proportionally.
Every unverified identity is a potential entry point. Detection-based controls cannot scale to match that expansion. Cryptographic identity assurance can — because it operates at the level of the individual authentication event, not the aggregate.
The Architecture Question for Security Leaders
Unit 42 has now provided quantitative confirmation of what Token's architecture was designed to address: identity is the primary attack surface, and the gap is in authentication design, not detection capability.
For organizations still relying on knowledge-based or push-based authentication for privileged access, the Unit 42 data presents a straightforward architectural question: what would it take to make authentication itself the control that cannot be bypassed?
Token's answer is Biometric Assured Identity. Cryptographically bound to the domain. Enforced at the hardware level. Verified against the individual — not the device, not the credential, not the session.