Identities, both human and machine, occupy a unique position: they are simultaneously the foundation of cybersecurity and its weakest link.
Strictly speaking, the identity is the entity, while credentials are proof of the identity. In practice, there is little distinction between the two terms and their use, and we will use them interchangeably in our discussion here.
The foundational purpose of security is to ensure that only authorized and authenticated identities can access computers, their functions and their data. It is not a stretch to suggest that secure computing is based on secure identities, and that failure to secure identities is the root cause of most computer compromise.
“In 2025, identity will remain both a cornerstone of security and one of its biggest vulnerabilities,” says Avery Pennarun, CEO at Tailscale. “Whether we’re talking about human users or machine identities, the complexity of managing them securely is increasing at an unprecedented pace.”
So far, we have failed to implement secure identities, because we haven’t kept pace with the increasing sophistication and techniques of our adversaries. For human identities, the go-to default remains a username (often a hardly secret email address) and a password (often simple, easy to guess, and infrequently changed).
We have improved identity management, but we have not stopped identity theft and misuse through stolen, forged or brute-forced credentials. The number of compromises that can be traced back to identities is testament to that. And the full extent of an identity-based attack could start from a single set of credentials.
“Identity-based attacks are increasingly sophisticated, with adversaries leveraging stolen credentials to launch cross-domain attacks that span identity, cloud, endpoint, data, and AI models. These attacks leave minimal traces in any single domain, as adversaries are legitimately logging in rather than breaking in, making them harder to detect,” warns Cristian Rodriguez, field CTO for the Americas at CrowdStrike.
“2024 saw some of the biggest and costliest attacks – all because the attacker had access to compromised credentials,” confirms Justin Fier, SVP of red team operations at Darktrace. “Essentially, they had the key to the front door. As an industry, we still haven’t fully addressed the identity challenge, and it’s getting increasingly complex.”
In 2025, protecting identities will remain among the biggest priorities for security teams. “While identity-based attacks are a familiar problem, the sophistication and proliferation of them are increasing the risk significantly,” says Brian Donohue, principal security specialist at Red Canary.
The question is whether the attacker or the defender will be more successful in 2025.
Broadly speaking, identities fall into two categories: human identities and machine identities. Human identities (discussed in this section) serve two primary purposes: access to employers’ computer systems, and access to social services. Criminals use the former to gain initial access into computer networks to position themselves for large-scale financial gain (such as the theft and onward sale of proprietary information, or direct extortion such as ransomware, or both), and for BEC-style fraudulent wire transfers.
They use the latter primarily for fraud against the individual (to open fraudulent accounts, make fraudulent purchases, and generally steal personal as opposed to business property). The two attack types overlap when a business compromise results in the large-scale theft of personal information later used for fraud against individuals. Criminals will increase their activities in all these areas.
For attacks against companies, the primary problem is the increasing complexity of business systems, made worse by the increase in cloud and SaaS services. “Enterprises often lack centralized visibility and control over their identities, especially in distributed SaaS environments,” warns Yoni Shohet, CEO and co-founder of Valence Security.
“Decentralized administration means business units or even individual employees can create unmanaged SaaS accounts or third-party integrations,” he continues. “In many cases, organizations assume that by implementing single sign-on (SSO) with an identity provider (IdP) such as Okta or Entra ID, their identities are secure; but they are left blind to potential local accounts, service accounts, and more that are locally defined in the SaaS application itself. In addition, many organizations don’t actually enforce MFA across all identities due to contractors, service accounts, shared accounts…”
These practices are ongoing, so criminal activity will keep pace. The initial access could come from pre-stolen credentials made available by an access broker (possibly through infostealer malware, which will also increase in 2025), or by direct phishing and/or spear phishing.
“Phishing attacks are becoming increasingly more targeted, using highly personalized tactics driven by social engineering and AI-enhanced data scraping,” warns James Scobey, CISO at Keeper Security. “Cybercriminals are not only relying on stolen credentials, but also on social manipulation, to breach identity protections… As attackers grow more sophisticated, the need for stronger, more dynamic identity verification methods – such as MFA and biometrics – will be critical to defend against these increasingly nuanced threats.”
But therein lies another problem, since not all MFA is created equal, nor is it always implemented adequately (see MFA Isn’t Failing, But It’s Not Succeeding: Why a Trusted Security Tool Still Falls Short).
On the personal side, “The threat to human identities will continue to evolve, particularly as new technologies emerge, and fraudsters become more sophisticated. In 2025, we expect to see an increase in synthetic identity fraud, which has already been flagged as the fastest-growing type of fraud according to reports from TransUnion,” says Joshua Sheetz, VP of software engineering and support at IDScan.net.
“The creation of fake identity documents is easier than ever before, while new methodologies are making digital and physical ID forms harder to detect. That said, the identity verification sector is working at pace to bring new solutions to market, many powered by AI, to meet the demand for more robust verification.”
He also worries that a challenging economic climate, including rising interest rates and unemployment, may cause more people to resort to identity theft “as a means of financial survival”. He expects the use of state-instigated ‘mobile IDs’ (six states in 2024 and eight more slated for 2025) to increase but be hampered by their complexity. “The technology will need to be simplified for broader adoption, championing a higher degree of control and ease for the individual to prove they are who they say they are,” he says.
The EU Digital Identity Wallet, required by the European Digital Identity Framework, is to be offered by member states by 2026. It is another good identity idea that may be too complex for most users to adopt and use securely. CISOs are paid to protect employee identities; people are not paid to protect their own.
Human identity theft will remain one of the biggest threats for 2025.
Apart from direct human access, computer machine processes also need to interact with other machine processes. Numerous overlapping but subtly different terms are used to define these identities: machine identities, non-person entities (NPEs), and non-human identities (NHIs). For simplicity we will refer to all as ‘machine identities’, so we may concentrate on the difference between people and computer identities.
As enterprise computing has become more complex, so the need has grown for components within that complexity to interact securely in real time. The security comes from machine identities, provided so that the interaction may be verified as authorized. However, the growth of machine identities is massive, visibility of them is poor, and security for them is often lacking.
Elad Luz, head of research at Oasis Security, says bluntly, “We anticipate that attackers will shift more of their focus to machine identities, which are often secured by only a single factor and therefore present an easier target.”
Scobey expands on this point. “Bad actors will always find the weakest vector to exploit, and that point is increasingly moving to machine identities. MFA for machine identities has never been a fully solved problem, with static factors like certificates largely being used, as opposed to the more dynamic factors we’ve adopted for human MFA.”
Visibility is also limited. Jaishree Subramania, VP of product marketing at SailPoint, adds, “Organizations currently rely on manual governance which often lacks the real-time visibility required to effectively monitor and manage machine identities, creating dangerous security vulnerabilities as these identities are prone to overprovisioning, mismanagement, and unauthorized access.”
Weak security and poor governance are then compounded by the number of machine identities in use. “Machine identities now outnumber human identities by 45 to 1. And this gap is expected to widen, set to reach 100 to 1 soon,” says Kevin Bocek, chief innovation officer at Venafi.
Finally, we must consider the increasing complexity of the machine identities across multi-cloud and hybrid cloud environments. “In these complex environments, machine identities (such as API keys, certificates, tokens, cloud instances, gMSA accounts, and containers) must be properly authenticated, authorized, and managed to ensure secure operations across on-premises and cloud environments,” says Ely Kahn, VP of product management at SentinelOne.
“Attackers are increasingly zeroing in on machine identities, particularly in cloud native and development environments. For instance, groups such as IntelBroker recently claimed to be selling stolen machine identities and developer assets from both Cisco and Nokia. Meanwhile, the rapid adoption of cloud-native technologies and AI are fueling the growing complexity and speed at which identities like TLS and SPIFFE are being created and deployed to critical systems,” continues Bocek.
And don’t forget the quantum threat. “At the same time, the machine identity landscape is shifting. Shortening lifecycles for machine identities are making management more demanding, while the rise of quantum encryption is pushing organizations to consider their post-quantum readiness.”
There is little doubt that machine identities will be a continuing and probably increasing pain point for security teams in 2025.
The identity ecosphere is becoming more complex, and attackers are getting more sophisticated. That is a trend that will continue. The big change in 2025, however, will be the effect and use of artificial intelligence, both for attacks against identities, and defense of identities. Which side will be more successful is yet to be determined – but an AI-wielding attacker will almost certainly defeat a defender that isn’t using AI.
The most immediate attack will involve AI-enhanced social engineering (see also Cyber Insights 2025: Social Engineering Gets Wings). “Gen-AI will play a dual role in the identity threat landscape in 2025. On one side, it will empower attackers to create more sophisticated deepfakes – whether through text, voice or visual manipulation – that can convincingly mimic real individuals,” warns Scobey.
“These AI-driven impersonations are poised to undermine traditional security measures, such as voice biometrics or facial recognition, which have long been staples in identity verification. Employees will, more and more frequently, get video and voice calls from senior leaders in their organization, telling them to grant access to protected resources rapidly. As these deepfakes become harder to distinguish from reality, they will be used to bypass even the most advanced security systems.”
On the flip side, gen-AI also offers potential for bolstering defenses. “Security teams can harness AI’s ability to analyze massive datasets and detect patterns in real-time, identifying anomalies that could be indicative of identity fraud. AI-driven tools can enhance behavioral biometrics and continuous authentication by examining user actions over time, flagging deviations that might indicate impersonation,” he adds – while warning that AI can still miss nuanced context or make incorrect conclusions based on incomplete information.
Deepfakes won’t be limited to online, comments Andy Sheldon, SVP for North America at Deduce. “With the level of sophistication and pace of innovation in synthetic media creation, it will be impossible to tell whether a government-issued ID is real or even if the human who is holding it up is real. Worse, all this added friction to keep out fraudsters will lead to a terrible user experience, leading to a dramatic increase in abandonment rates and a material impact on a business’s bottom line.”
Online, he worries about the ability of AI to scale these attacks against identity. “Sophisticated and well-funded fraudsters, often associated with state bad actors, will use gen-AI technologies to combine breached data, such as that announced in 2024 by AT&T, with aged and geo-located email addresses and legitimate phone numbers delivered by low-cost phone plans.”
Subsequently, he continues, “AI will be used to orchestrate online activities that effectively mimic the online behavior of legitimate users. Using AI techniques, identities will be tailored to look just like the most ideal new customer. Financial services companies running customer acquisition ads for college freshmen? No problem. Here is an army of them all looking like college freshmen, virtually clicking on the acquisition ads and successfully running the gauntlet of legacy fraud prevention and IDV checks to open an account.”
Gen-AI will give the attacker the ability to impersonate a physical identity to steal the computer credentials of that person, at scale and speed, and then to use those credentials for fraud or system compromise at scale and speed. We don’t know to what extent this will unfold in 2025, but we shouldn’t bet against it.
At the same time, gen-AI will give defenders better tools to detect traditional and AI-assisted identity threats. The biggest problem overall is that AI will increase the dollar-cost of cybersecurity. Smaller and less-resourced companies may not be persuaded to pay that cost – and in those cases, will be more susceptible to AI-powered identity theft.
There is one new ID technology that offers much, has been slow to deliver, but is now showing signs of growth: decentralized blockchain ID for human identities. Most people’s perception of a blockchain is based on the Bitcoin blockchain model, and on the assumption that any implementation that does not conform with that permissionless, uncontrolled distribution and no central authority model is, of necessity, inadequate. That is short-sighted, since there are many workable models that provide far better online security than centralized databases.
“Blockchain technology is increasingly being considered for identity management, offering a decentralized approach that could address many concerns related to data privacy and control. Decentralized identity systems, where individuals own and control their credentials through digital wallets, could become more common as DLT technology continues to be more accessible,” suggests Sheetz.
Kahn agrees. “In 2025, decentralized identity systems may significantly reduce the risk of large-scale breaches by eliminating centralized identity data repositories. These systems will rely on cryptographic methods to verify identity without needing traditional centralized databases, potentially making identity management more secure.”
“However,” continues Sheetz, “for blockchain-based identity management to become widely adopted, significant infrastructure and standardization must take place. In the short term, we foresee gradual adoption, but the full realization of blockchain-based identity management as a mainstream solution may take several more years to develop.”
It is relatively easy to see how blockchains could be used by individual companies for their own employees’ identities to use within their own organizations; but that barely scratches the potential. It still means, for example, that human identity stores are repeated, almost ad nauseam, across industry. One central identity controlled by the user that would be accepted anywhere is the dream nut that is difficult to crack.
The EU’s Digital Identity Wallet is an imaginative attempt. It uses the mobile phone for identity storage and is therefore as distributed as is possible. The phone is owned by the individual, who therefore retains control of his or her personal identity details, and what aspects of that identity can be given to different… oh dear, just the government. That’s a shame and is likely to limit take-up and value.
As Sandy Carter, COO at Unstoppable Domains, comments, “The problem is that, to ordinary users, digital identities sound like ‘medicine’ for a condition they’re not even sure they suffer from. People simply aren’t convinced of the benefits of digital ID; it sounds complicated and hard to master; and often, people simply don’t trust those who are urging them hardest to adopt.”
Carter believes we need to take a lesson from the gaming world. “The way to get people engaged is not to lecture them, but to create a need. This is exactly what’s happening in the web3 gaming space, where digital assets play a crucial role in the gameplay, user experience and, most importantly, fostering community.”
She adds, “The successful example of the gaming sector is just one reason I’m confident 2025 will be a transformative year for digital identities. But we need to learn the right lessons. To onboard people at scale, we need to show them how the technology brings them real, direct benefits; ideally, digital IDs should be introduced in such a seamless way that people adopt the technology (both in principle and in practice) without really noticing it.”
The distributed digital human ID based on blockchain technology is possible but has a long way to go. The biggest problem is a lack of what it is meant to provide: trust. People don’t trust governments, governments don’t trust other countries’ governments, and businesses don’t trust each other. So, while there may be pockets of blockchain IDs popping up in 2025, the dream of a universal distributed blockchain ID system is likely to remain just a dream for several years.
“Zero trust is no longer just a concept; it’s a practical necessity,” says Pennarun. “The traditional perimeter-based approach to security – where devices or users within a network were implicitly trusted – has become obsolete. In its place, zero-trust principles require that every interaction, whether human or machine, be explicitly authenticated and authorized.”
But Brandyn Fisher, senior manager of cybersecurity at Centric Consulting, warns, “You can never truly have zero trust. At some point, some level of trust is necessary, and wherever there’s trust, there’s potential for abuse.”
This is the weak point of zero trust and identities. An authorized identity is trusted and therefore allowed. But what if the identity is authorized but in some way compromised – such as a fake North Korean employee, or another Jack Teixeira, or an identity previously stolen and ‘brokered’ to an attacker? “Malicious actors can still do significant damage to an organization within their approved and authenticated boundary,” comments Marcus Fowler, CEO at Darktrace Federal.
His suggestion is to add ‘continuously’ to the ‘never trust, always verify’ zero trust mantra. “To circumvent the remaining security gaps in a zero-trust architecture and mitigate increasing risk of insider threats, organizations will need to integrate a behavioral understanding dimension to their zero trust approaches.”
So, while identities are the cornerstone of security, they cannot simply be created and used – they must be protected from loss (distributed wallets offer great promise for human identities but will be difficult to implement); and they must also be prevented from misuse or abuse. Machine identities are more difficult, although they become easier to protect with techniques such as short-lived tokens, automated rotation or just-in-time generation on demand.
In short, identities must be securely created and protected, continuously validated, limited in use by zero trust principles, and then continuously monitored by (probably AI-enhanced) behavioral analysis.
Cybersecurity fundamentally remains the CIA triad: retaining confidentiality, integrity and availability. Simplifying this even further, it is based on ensuring that only authentic entities can access and then perform authorized actions. This in turn is based on identity. All cybersecurity is based on secure identity.
Historically, we have failed to use identity safely (not everywhere, but often enough that the identity issue remains a problem). In 2025, this issue will become more complex, driven largely by the increasing use and complexity of machine identities, and the increasing scale and sophistication of social engineering attacks against human identities.
“As identity threats become more sophisticated,” comments Kahn, “organizations will need more than strong authentication – they will need an integrated, proactive strategy for managing identity risk at scale, across multiple platforms, and in real-time.”
Identity is a continuing and increasing challenge.