Identity is the New Perimeter - Season 3 Episode 2

For years, the security industry built its defenses around the network perimeter — firewalls, VPNs, DMZs. But in 2026, that perimeter has fundamentally shifted. According to the latest Verizon DBIR and CrowdStrike Global Threat Report, identity-based attacks have officially overtaken email as the number one threat vector. Attackers are no longer trying to break through your firewall — they are logging in with legitimate credentials. In this episode of Security in 45, hosts Mike Veedock and Andres Sarmiento unpack why identity is the new perimeter, how modern attacks exploit MFA weaknesses, and what organizations must do to defend themselves.

What This Episode Covers

  • Why identity has replaced the network as the primary security boundary
  • Identity Governance and Administration (IGA) as a framework, not a product
  • Five modern identity attack techniques: push fatigue, token theft, OAuth abuse, session hijacking, and privilege escalation
  • The evolution of MFA from basic push notifications to phishing-resistant authentication
  • Practical defense strategies using continuous verification and identity behavior analytics
  • Cisco Duo, Persona, and the future of identity verification

Deep Dive

Identity is the New Perimeter

The traditional network perimeter — defined by firewalls, network segments, and VPN concentrators — assumed that threats came from outside and that internal traffic could be trusted. That model is broken. With cloud adoption, remote work, and SaaS applications, users routinely access corporate resources from outside the network. The new perimeter is identity itself: credentials, session tokens, OAuth grants, and API keys.

Every user session represents a potential attack surface. A single compromised credential can grant an attacker access to email, cloud infrastructure, source code repositories, and customer data — without ever touching the corporate network. This is why the zero trust model insists on verifying every access request regardless of where it originates.

IGA: Identity Governance and Administration

Before diving into attacks, it helps to understand the framework that organizations use to manage identity at scale. IGA — Identity Governance and Administration — is not a single product but a discipline that encompasses how organizations provision, manage, review, and decommission user identities across their environment.

A mature IGA practice answers critical questions: Who has access to what? Why do they have it? When was it last reviewed? Is it still appropriate? Without strong governance, organizations accumulate excessive privileges over time — a condition known as “privilege creep” — which dramatically expands the blast radius of any credential compromise.

Key components of IGA include:

  • Lifecycle management — automated provisioning and deprovisioning tied to HR systems
  • Access certification — periodic reviews where managers validate that access is still appropriate
  • Separation of duties — policies that prevent any single user from holding conflicting privileges
  • Role-based access control — grouping permissions into roles that align with job functions
  • Audit and compliance reporting — generating evidence for regulations such as SOX and HIPAA and for control frameworks such as NIST SP 800-53 or the NIST Cybersecurity Framework

Modern Identity Attacks

Attackers have adapted their techniques to target identity infrastructure directly. Here are the five primary attack vectors discussed in this episode:

Push Fatigue (MFA Bombing)

Attackers who have already obtained a valid username and password send a barrage of MFA push notifications to the victim’s phone. The requests are often timed for late at night or early morning, when the user is tired and more likely to tap “Approve” just to make the notifications stop. Automated bots can sustain this pressure for hours, and some campaigns combine push bombing with social engineering — calling the victim and impersonating IT support, instructing them to approve the request.

Token Theft

This technique bypasses MFA entirely. Instead of intercepting the authentication flow, attackers steal the session token that is issued after successful authentication. Once they have a valid session token, they can replay it from another device or location without needing the user’s password or second factor, unless the token is bound to the device that received it or the service re-checks context on each request. Token theft is particularly dangerous because it renders MFA irrelevant for the lifetime of the session, which is why token lifetime and revocation matter as much as the strength of the initial login.

Common token theft methods include adversary-in-the-middle (AiTM) phishing proxies, malware that extracts browser cookies, and exploiting applications that store tokens insecurely.

OAuth Abuse

OAuth is the protocol that allows users to grant third-party applications access to their accounts (think “Sign in with Google” or “Connect your Slack”). Attackers abuse OAuth by registering malicious applications that request broad permissions and tricking a user into consenting. Once consent is granted, the attacker holds a refresh token and persistent API access to the victim’s account. That access often survives password changes and MFA resets, because the consent grant is separate from the user’s primary credentials and typically has to be revoked explicitly by the user or an administrator.

Session Hijacking

Related to token theft, session hijacking involves stealing active session cookies from a user’s browser. The attacker can then import these cookies into their own browser and assume the victim’s authenticated session. This works across most web applications because session cookies are the standard mechanism for maintaining authenticated state after login.

Privilege Escalation

Once inside an environment with a compromised identity, attackers enumerate available users and target accounts with elevated privileges — domain administrators, cloud infrastructure admins, and service accounts. Techniques include password spraying against admin accounts, exploiting misconfigured RBAC policies, and leveraging forgotten service accounts with excessive permissions.

MFA Evolution: Beyond Push Notifications

The attacks described above have driven a rapid evolution in MFA technology. The industry is moving away from simple push notifications toward phishing-resistant authentication methods:

  • FIDO2/WebAuthn — hardware security keys and platform authenticators that use public-key cryptography. The credential is scoped to the site’s registered domain and the signed response includes the origin the browser actually saw, so a look-alike site cannot obtain a response the real site will accept; this is what makes it phishing-resistant rather than merely “stronger”
  • BLE proximity authentication — the authenticating device (typically a phone) must be physically near the device being used, so an attacker completing the login from a remote machine cannot satisfy the check. It protects the login ceremony, not a session token that has already been issued
  • Passwordless with biometrics — combining device-bound credentials with fingerprint or face recognition eliminates passwords entirely
  • Cisco Duo with Verified Push — requires users to enter a code displayed on the login screen into the Duo mobile app, defeating push fatigue because a prompt cannot be approved without the code. An adversary-in-the-middle proxy that relays the code to the victim is not stopped, which is why Verified Push is a step toward FIDO2 rather than a substitute for it
  • Persona for identity verification — provides social-engineering-resistant identity resets by verifying the user’s actual identity through document verification and biometric matching, closing the help desk reset path that attackers exploit
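The origin binding behind the FIDO2 bullet above is easier to trust once you see the relying-party checks. The following is an added example, not code from the episode or from any vendor, and it is a toy model: to run with only the standard library, the authenticator’s signature is an HMAC over a per-credential secret that the relying party also holds, whereas a real security key signs with a private key and the relying party verifies with the registered public key. The domains, credential IDs and challenges are all made up. The model follows the real protocol in the parts that matter here: the browser derives the RP ID from the page origin, the authenticator only exercises credentials scoped to that RP ID, the signed clientDataJSON carries the origin, and authenticatorData starts with sha256(rpId).

```python
"""Toy model of WebAuthn origin binding (added example; HMAC stands in for
the authenticator's public-key signature, domains are constructed)."""
import hashlib
import hmac
import json
import os
from urllib.parse import urlparse

RP_ID = "login.example.com"                 # registered RP ID (constructed)
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com"  # look-alike domain (constructed)


def effective_rp_id(origin):
    """Browsers derive the RP ID from the page origin; a credential can only
    be exercised by the domain it was registered for."""
    return urlparse(origin).hostname


class Authenticator:
    """Stand-in for a security key: one secret per credential, scoped to an RP ID."""

    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, secret)

    def register(self, rp_id):
        cred_id, secret = os.urandom(8).hex(), os.urandom(32)
        self._creds[cred_id] = (rp_id, secret)
        return cred_id, secret  # the secret plays the role of the public key here

    def get_assertion(self, cred_id, rp_id, challenge, origin):
        stored_rp, secret = self._creds[cred_id]
        if stored_rp != rp_id:
            raise LookupError("no credential registered for %s" % rp_id)
        # clientDataJSON carries the origin the browser saw; authenticatorData
        # starts with sha256(rpId). Both are covered by the signature.
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest()
        sig = hmac.new(secret, auth_data + hashlib.sha256(client_data).digest(),
                       "sha256").digest()
        return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self._keys, self._challenges = {}, set()

    def enroll(self, cred_id, key):
        self._keys[cred_id] = key

    def new_challenge(self):
        c = os.urandom(16).hex()
        self._challenges.add(c)
        return c

    def verify(self, cred_id, client_data, auth_data, sig):
        """Return "ok" or the reason the assertion was rejected."""
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") not in self._challenges:
            return "unknown or replayed challenge"
        if cd.get("origin") != self.origin:
            return "origin mismatch"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        expected = hmac.new(self._keys[cred_id],
                            auth_data + hashlib.sha256(client_data).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return "bad signature"
        self._challenges.discard(cd["challenge"])  # challenges are single use
        return "ok"


def run_scenarios():
    key, rp = Authenticator(), RelyingParty(RP_ID, RP_ORIGIN)
    cred_id, pub = key.register(RP_ID)
    rp.enroll(cred_id, pub)
    results = {}
    # 1. Genuine login on the real origin.
    ch = rp.new_challenge()
    results["genuine"] = rp.verify(cred_id, *key.get_assertion(
        cred_id, effective_rp_id(RP_ORIGIN), ch, RP_ORIGIN))
    # 2. An AiTM proxy relays the real challenge to a victim on the look-alike
    #    domain: the browser scopes the request to that host, the key has no
    #    credential for it, and nothing is ever signed.
    ch = rp.new_challenge()
    try:
        key.get_assertion(cred_id, effective_rp_id(PHISH_ORIGIN), ch, PHISH_ORIGIN)
        results["phish_domain"] = "signed"
    except LookupError:
        results["phish_domain"] = "authenticator refused"
    # 3. A malicious client that bypasses the browser and forces the real RP ID
    #    still has the phishing origin baked into the signed clientDataJSON.
    cd, ad, sig = key.get_assertion(cred_id, RP_ID, ch, PHISH_ORIGIN)
    results["forced_rp_id"] = rp.verify(cred_id, cd, ad, sig)
    # 4. Rewriting the origin after the fact breaks the signature.
    forged = cd.replace(PHISH_ORIGIN.encode(), RP_ORIGIN.encode())
    results["rewritten_origin"] = rp.verify(cred_id, forged, ad, sig)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:18s} -> {outcome}")
```

The four outcomes are the whole argument: the genuine login verifies, the look-alike domain never gets a signature, a client that cheats on the RP ID is caught by the origin check, and editing the origin invalidates the signature. Contrast this with a relayed OTP or Verified Push code, which carries no origin at all and so verifies wherever the attacker presents it.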

Identity Behavior Analytics

Even with strong authentication, organizations need continuous monitoring of identity-related signals to detect compromises that bypass initial authentication. Identity behavior analytics watches for anomalies including:

  • Impossible travel — a user authenticating from New York and London within minutes
  • Unusual token usage — sessions with abnormal duration, scope, or access patterns
  • Suspicious admin activity — privilege escalation, bulk data access, or configuration changes outside normal patterns
  • Service account anomalies — automated accounts deviating from their expected behavior patterns
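Three of the signals above, run over a constructed sign-in log, as an added example that is not code from the episode or from any product. The event schema, user names, coordinates and thresholds are assumptions; a real pipeline would read IdP sign-in and MFA logs and tune the thresholds per tenant. The three detectors are impossible travel (consecutive successful logins whose implied speed exceeds airliner speed), push bombing (a burst of MFA pushes in one window, with a note of whether one was approved during the burst), and session reuse (one session identifier presented from more than one device, which is how a stolen token looks from the server side).

```python
"""Identity behaviour analytics over a constructed sign-in log (added example;
schema, coordinates and thresholds are assumptions)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


def _ev(ts, user, event, **extra):
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event, **extra}


# Constructed sample log; a real deployment would feed IdP and MFA logs.
EVENTS = [
    # alice: two successful logins 22 minutes apart on different continents
    _ev("2026-03-02T08:00:00", "alice", "login_ok", city="New York", lat=40.71, lon=-74.01),
    _ev("2026-03-02T08:22:00", "alice", "login_ok", city="London", lat=51.51, lon=-0.13),
    # bob: eight pushes at 02:10-02:17, then an approval
    *[_ev(f"2026-03-02T02:{10 + i:02d}:00", "bob", "push_sent") for i in range(8)],
    _ev("2026-03-02T02:18:00", "bob", "push_approved"),
    # carol: one session token presented from two devices
    _ev("2026-03-02T09:00:00", "carol", "api_call", session="S9", device="mac-c1"),
    _ev("2026-03-02T09:05:00", "carol", "api_call", session="S9", device="mac-c1"),
    _ev("2026-03-02T09:07:00", "carol", "api_call", session="S9", device="linux-unknown"),
    # dave: ordinary behaviour, should raise nothing
    _ev("2026-03-02T09:00:00", "dave", "login_ok", city="Boston", lat=42.36, lon=-71.06),
    _ev("2026-03-02T17:30:00", "dave", "login_ok", city="New York", lat=40.71, lon=-74.01),
    _ev("2026-03-02T09:01:00", "dave", "push_sent"),
    _ev("2026-03-02T09:01:30", "dave", "push_approved"),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (mean earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def impossible_travel(events, max_kmh=900):
    """Flag consecutive successful logins whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "login_ok":
            by_user[e["user"]].append(e)
    alerts = []
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        for prev, cur in zip(logins, logins[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "kmh": round(speed)})
    return alerts


def push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Flag users receiving >= threshold pushes inside one window; an approval
    during the burst is what turns noise into a likely compromise."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] in ("push_sent", "push_approved"):
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        sent = sorted(e["ts"] for e in evs if e["event"] == "push_sent")
        approved = [e["ts"] for e in evs if e["event"] == "push_approved"]
        best = None
        for i, start in enumerate(sent):
            burst = [t for t in sent[i:] if t - start <= window]
            if len(burst) >= threshold and (best is None or len(burst) > best["count"]):
                end = burst[-1]
                best = {"user": user, "count": len(burst), "start": start.isoformat(),
                        "approved_during_burst": any(start <= t <= end + window for t in approved)}
        if best:
            alerts.append(best)
    return alerts


def session_reuse(events):
    """Flag a session identifier presented from more than one device: the token
    is valid, so only the surrounding context gives the theft away."""
    devices = defaultdict(set)
    for e in events:
        if "session" in e:
            devices[(e["user"], e["session"])].add(e["device"])
    return [{"user": u, "session": s, "devices": sorted(d)}
            for (u, s), d in devices.items() if len(d) > 1]


def run_all(events=EVENTS):
    return {"impossible_travel": impossible_travel(events),
            "push_bombing": push_bombing(events),
            "session_reuse": session_reuse(events)}


if __name__ == "__main__":
    for kind, alerts in run_all().items():
        for a in alerts:
            print(kind, a)
```

The speed threshold is deliberately generous (900 km/h) so that a real flight does not alert; New York to London in 22 minutes works out to well over 10,000 km/h. The session-reuse check is the one that catches token theft and session hijacking after a perfectly valid MFA login, which is why a device identifier or fingerprint needs to be logged alongside every request, not only at sign-in.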

Implementation Considerations

Organizations looking to strengthen their identity security posture should consider a phased approach:

  1. Inventory your identity surface — catalog all user accounts, service accounts, API keys, and OAuth grants across your environment. You cannot protect what you do not know exists
  2. Deploy phishing-resistant MFA — start with high-value targets (admins, finance, executives) and expand to all users. Cisco Duo’s Verified Push is a strong intermediate step before full FIDO2 deployment
  3. Implement device trust — require that devices meet security baselines (encryption, patching, EDR agent) before granting access. A legitimate credential on a compromised device is still a risk
  4. Establish continuous verification — move beyond authenticate-once-trust-forever. Re-evaluate access based on context changes: new location, new device, sensitive resource access, time-based policies
  5. Monitor identity signals — deploy identity behavior analytics and integrate signals into your XDR platform for correlation with endpoint and network telemetry
  6. Harden OAuth and API access — audit third-party OAuth grants, restrict which applications can request broad scopes, and implement token lifetime policies
  7. Prepare for identity-based incident response — ensure your IR playbooks cover credential compromise, session token revocation, and OAuth grant review

Key Takeaways

  • Identity has replaced the network as the primary security perimeter — credentials, tokens, and sessions are the new crown jewels
  • Traditional MFA (push notifications, SMS) is no longer sufficient against determined attackers
  • Push fatigue, token theft, OAuth abuse, session hijacking, and privilege escalation are the five primary identity attack vectors in 2026
  • Phishing-resistant MFA (FIDO2/WebAuthn, passkeys) should be the baseline for all organizations; Verified Push and BLE proximity checks close off push bombing and remote logins but do not stop an adversary-in-the-middle proxy, so treat them as interim steps
  • IGA is a framework, not a product — organizations need governance processes alongside technology
  • Continuous verification and identity behavior analytics are essential for detecting post-authentication compromises
  • Defense-in-depth applies to identity just as it does to network security — no single control is sufficient

Why This Matters

The shift from network-centric to identity-centric security represents one of the most fundamental changes in enterprise security architecture in the past decade. Every organization — regardless of size or industry — relies on digital identities to operate. As attackers increasingly target these identities with sophisticated techniques that bypass legacy MFA, the risk of credential-based breaches will only grow.

For IT professionals and security practitioners, this means re-evaluating long-held assumptions about what constitutes a secure environment. A strong firewall and network segmentation are still important, but they are no longer sufficient when the attacker can simply log in. The organizations that adapt their security programs to treat identity as the primary perimeter — with phishing-resistant authentication, continuous verification, and robust governance — will be far better positioned to defend against the threats of 2026 and beyond.

The resources mentioned in this episode provide essential context: the Verizon DBIR at verizon.com/business/resources/reports/dbir, the CrowdStrike Global Threat Report at crowdstrike.com/global-threat-report, Cisco Duo at duo.com, and Persona at withpersona.com.


Listen to the full episode on YouTube or subscribe via RSS.