Identity is the new perimeter: why IAM is not enough without ITDR

Why Passwords and MFA Are No Longer Enough: The Case for Identity Threat Detection

Every week, another headline confirms what security professionals have known for years: attackers no longer “hack in,” they log in. According to recent threat intelligence reports, roughly 70% of breaches now originate from compromised credentials. Not zero-day exploits, not sophisticated malware, just stolen or abused identities.

For small and mid-sized businesses, this shift demands a fundamental rethink of how identity security works. Managing who has access is only half the battle. Detecting when that access is being misused is the other half, and most organizations are completely blind to it.

IAM Does One Job Well, but It Is Not Enough

Identity and Access Management (IAM) answers a straightforward question: who is allowed to access what? It handles provisioning, role assignments, single sign-on, and multi-factor authentication. When configured properly, IAM reduces the attack surface by ensuring that employees only reach the resources they need.

But IAM has a critical blind spot. Once a user authenticates successfully, IAM assumes the session is legitimate. It has no mechanism to detect whether the person behind that session is actually the authorized user or an attacker who stole their credentials ten minutes ago.

Think of IAM as a building’s keycard system. It controls who can open which doors. But once someone walks through a door with a valid badge, the system stops watching. If that badge was cloned, nobody notices.

MFA Is Necessary, but Attackers Have Adapted

Multi-factor authentication was supposed to solve the credential theft problem. For a while, it did. But attackers have developed reliable techniques to bypass MFA entirely:

  • MFA fatigue (push bombing): The attacker triggers dozens of authentication prompts on the victim’s phone, often at 2 AM, until the exhausted user taps “Approve” just to make it stop. This technique was behind the 2022 Uber breach and remains effective today.
  • Adversary-in-the-middle (AiTM) attacks: Tools like EvilGinx3 and Tycoon 2FA create phishing proxies that sit between the user and the real login page. The user completes MFA normally, but the attacker captures the authenticated session token. From the identity provider’s perspective, the login was perfectly legitimate.
  • Session hijacking: Rather than stealing passwords, attackers steal browser cookies or session tokens after authentication is complete, bypassing MFA altogether.

The uncomfortable truth is that MFA, while still essential, has become a speed bump rather than a wall. Organizations that rely on it as their primary identity defense are operating with a false sense of security.

ITDR: Watching What Happens After the Login

Identity Threat Detection and Response (ITDR) picks up exactly where IAM leaves off. Instead of controlling access at the gate, ITDR continuously monitors identity-related behavior for signs of compromise or abuse.

ITDR platforms analyze patterns such as:

  • Unusual login locations or impossible travel: A user authenticates from Milan, then from Singapore twenty minutes later.
  • Privilege escalation anomalies: An account that has never requested admin access suddenly starts modifying security policies.
  • Lateral movement patterns: A single identity begins accessing resources across multiple systems in rapid succession, a hallmark of post-compromise reconnaissance.
  • Session anomalies: Changes in device fingerprint, IP address, or browser characteristics mid-session that suggest token theft.
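The impossible-travel and mid-session fingerprint checks from the list above, as an added example written for this article rather than code from any ITDR product. The sign-in records, the 900 km/h plausibility threshold and the field names are constructed assumptions, standing in for what an identity provider's sign-in log would export.

```python
import math
from datetime import datetime

# Constructed sample sign-in events (not real telemetry): one record per
# authentication or session check-in exported by an identity provider.
EVENTS = [
    {"user": "alice", "ts": "2024-05-01T08:00:00", "lat": 45.46, "lon": 9.19,
     "session": "s1", "fp": "win11-chrome-124"},   # Milan
    {"user": "alice", "ts": "2024-05-01T08:20:00", "lat": 1.35, "lon": 103.82,
     "session": "s2", "fp": "win11-chrome-124"},   # Singapore, 20 minutes later
    {"user": "bob", "ts": "2024-05-01T09:00:00", "lat": 48.86, "lon": 2.35,
     "session": "s3", "fp": "macos-safari-17"},    # Paris
    {"user": "bob", "ts": "2024-05-01T09:05:00", "lat": 48.86, "lon": 2.35,
     "session": "s3", "fp": "linux-firefox-125"},  # same session, different device
]

MAX_SPEED_KMH = 900.0  # above airliner speed: two logins cannot be the same person

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(events):
    """Return (rule, user, detail) tuples for impossible travel between a
    user's consecutive logins and for a fingerprint change inside one session."""
    alerts = []
    last_event = {}   # user -> previous sign-in event
    session_fp = {}   # session id -> fingerprint seen when the session started
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        prev = last_event.get(e["user"])
        if prev:
            hours = (t - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", e["user"],
                               f"{km:.0f} km in {hours * 60:.0f} min"))
        last_event[e["user"]] = e
        first_fp = session_fp.setdefault(e["session"], e["fp"])
        if first_fp != e["fp"]:
            alerts.append(("session_fingerprint_change", e["user"],
                           f"{first_fp} -> {e['fp']}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On the sample data the Milan-to-Singapore pair fires the impossible-travel rule and Bob's session fires the fingerprint-change rule, while Bob's two Paris logins from the same place produce nothing.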

Behavioral Analytics vs. Rule-Based Alerts

Traditional security tools rely on static rules: “Alert if login occurs from country X” or “Flag if password changes more than three times per day.” These rules generate enormous volumes of false positives, burying real threats in noise.

ITDR takes a different approach by building behavioral baselines for each identity. It learns what “normal” looks like for every user, then flags deviations. Organizations deploying behavioral identity analytics report a 60 to 80 percent reduction in false positives compared to rule-based alerting. For lean IT teams managing security alongside their other responsibilities, that reduction is transformative.

How IAM, ITDR, EDR, and XDR Work Together

These are not competing technologies. They are complementary layers of defense:

Layer | What It Does                                      | Where It Watches
IAM   | Controls access and authentication                | Identity provider, directories
ITDR  | Detects identity-based threats post-authentication | Identity telemetry, session data
EDR   | Detects threats on individual endpoints           | Laptops, servers, workstations
XDR   | Correlates signals across all layers              | Network, cloud, email, identity, endpoints

An attacker who steals a session token might not trigger EDR (no malware is involved). IAM sees a valid login. But ITDR detects the behavioral anomaly, and XDR correlates it with suspicious network activity to confirm the threat. Remove any layer and you create a blind spot.

Compliance and Insurance Are Raising the Bar

Two external forces are making identity threat detection increasingly non-optional for European SMBs.

NIS2 directive requirements: Organizations in scope must detect and report significant incidents within 24 hours. Without behavioral monitoring on identities (the most common attack vector), meeting that detection window is extremely difficult. You cannot report what you cannot see.

Cyber insurance questionnaires: In 2026, insurers are explicitly asking whether organizations have behavioral analytics capabilities on identity systems. A “no” answer does not just raise premiums; it can lead to claim denials after an incident. If your identity monitoring consists entirely of “we have MFA enabled,” expect pushback from underwriters.

Practical First Steps for SMBs

You do not need to deploy an enterprise SIEM to start improving identity security. Consider these steps:

  1. Audit your current MFA implementation. Are you using phishing-resistant methods (FIDO2, hardware keys) or still relying on SMS and push notifications?
  2. Enable identity-focused logging. Ensure your identity provider exports detailed sign-in logs, including device info, location, and session data.
  3. Evaluate ITDR capabilities in your existing stack. Many EDR and XDR platforms now include identity monitoring modules. You may already have access to features you are not using.
  4. Review your incident response plan. Can your team realistically detect and respond to credential-based attacks within 24 hours?

The Bottom Line

IAM tells you who has the keys. ITDR tells you when someone is using those keys in ways they should not. In a threat landscape where 70% of breaches start with identity compromise, having one without the other leaves a gap that attackers exploit daily.

The question is not whether your organization will face an identity-based attack. The question is whether you will detect it before the damage is done.


Need support on this topic? Contact us for a free consultation, let’s assess your company’s situation together.

Stay updated every week on cybersecurity, AI and technology for SMBs: subscribe to our newsletter.
