The next breach isn't a password: passkeys push account-takeover downstream
Stolen-credential attacks are losing traction as passkeys spread, but the weak link has migrated to recovery flows, magic links and identity verification — exactly where the AI-savings story is also failing to deliver.

At 11:46 UTC on 8 July 2026, the security outlet The Hacker News flagged a quiet migration inside the account-takeover economy: as passkeys displace passwords on the login screen, attackers are not abandoning the field. They are walking one layer down. The next weak link, the post argued, is not logging in. It is proving you are who you say you are afterwards — through account recovery, magic links, step-up checks, and identity verification.
That single observation reframes a year of cybersecurity reporting. For two decades the industry's centre of gravity was the password: how to store it, hash it, rotate it, breach it. Passkeys — the FIDO2 cryptographic credentials backed by Apple, Google, Microsoft and a widening list of banks — were supposed to end that era by making a stolen string of characters useless against a device-resident key. The empirical record suggests they are working. The frontier has simply moved.
What is actually shifting
Account takeover, in industry shorthand ATO, has long been a commodity business: bulk-credential lists from old breaches, automated replay against login endpoints, profits skimmed from card top-ups, loyalty balances and crypto wallets. Where the password was the choke point, attackers could monetise at scale with relatively unsophisticated tooling. The migration described by The Hacker News points to three choke points rising in importance.
First, account recovery — the email-reset, phone-recovery, security-question flow that fires when a user has forgotten a password, lost a device, or wants to add a new authenticator. Recovery was always an afterthought, designed for the rare case, but in a passkey world it is the moment a phishing kit or a coerced help-desk call can substitute for a stolen secret. Second, magic-link and one-time-code delivery, the email or SMS that grants a fresh session. Those channels depend on the inbox or the SIM — both of which are attackable separately, through provider compromise, SIM-swap fraud, or simply by socially engineering the carrier. Third, identity verification — the selfie match, the document scan, the liveness check that fintechs and crypto exchanges use to onboard and to re-authenticate after a flagged transaction. As the login step gets harder, the verification step becomes the easier target.
The shift is consequential because each of those downstream layers sits in a different part of the stack. Recovery is run by the application team. Magic links depend on email and SMS providers. Identity verification is outsourced to a handful of vendors — Persona, Onfido, Veriff, Jumio and others — whose APIs sit behind a single integration. An attacker who understands which layer is thinnest can pick the cheapest route to the same prize: a hijacked account.
The corporate-IT version of the same story
The pattern is not unique to consumer apps. The same dynamic shows up in enterprise identity, where the corporate IT team has spent five years rolling out phishing-resistant authenticators and is now watching attackers move to the help desk. The most-cited 2025 incident, a breach at a major UK retailer that began with a help-desk social-engineering call impersonating a real employee, is the template: the attacker did not break cryptography. They persuaded a person following a script.
The lesson for security teams is uncomfortable. The threat model that justified the budget — credential theft, password reuse, phishing of the login page — is being defunded by its own success. The threat model that is replacing it — recovery flows, help-desk procedure, vendor-side identity proofing — sits in operational teams that have not been asked to own it. The defender's centre of gravity has to move too.
AI ROI is not pulling its weight
A second wire on 8 July 2026 sharpened the picture. At 01:31 UTC, Unusual Whales circulated a striking number from a Bain survey: only 4% of global respondents said their organisations had achieved AI-related cost savings of more than 30%. The post linked to Unusual Whales's own write-up of the Bain finding, headlined "Bain AI circular bet ROI disappoints."
That figure matters here because identity verification is one of the categories where AI spending has been heaviest. Document forgery detection, liveness scoring, deepfake-spotting, anomaly detection on recovery traffic — all have been pitched as AI-first products, all have absorbed meaningful budget, and all have underperformed when measured against the metric executives care about, which is whether the AI-driven check actually catches the attack. Bain's 4% number does not name identity verification specifically. But it names the broader pattern: heavy capital deployment into AI, modest realised return, and a widening gap between vendor claims and what customers see on their own dashboards.
The two stories are not parallel. They are the same story told from two angles. Security teams are pouring money into the layer that passkeys were meant to make redundant — login authentication — while the threat migrates downstream to the layer where AI-pitching vendors have the most product surface and the least independently measured efficacy.
What defenders and vendors can still do
The defensive playbook for the post-passkey era is not mysterious; it is just unfashionable. Recovery flows need rate limits that account for behaviour, not just IP and device fingerprint, because the attacker is operating from inside the legitimate user's normal surface. Magic-link delivery needs a channel that is not the same channel the attacker is targeting — that means moving critical recovery codes into a second, slower medium (postal, in-person) for high-value accounts, an idea the banking sector has used for decades under the name "out-of-band confirmation." Identity verification needs continuous monitoring rather than point-in-time checks: a selfie match at onboarding does not protect against a synthetic identity that passes the check and then behaves normally for six months before draining the account.
The vendor market is responding in places. Several identity-proofing providers now publish quarterly transparency reports on attack-attempt volumes and detection rates; that is a step. But the most useful pressure is the boring one: ask the vendor for the false-negative rate on the specific attack vector you care about, not the headline accuracy number from their marketing deck.
Stakes and what remains uncertain
If the migration described by The Hacker News holds, the security industry will spend the second half of the decade arguing about recovery UX rather than password UX, and regulators — already circling around SIM-swap fraud and synthetic identity — will get a sharper target. The upside is real: the password itself is finally losing its monopoly on the login screen, and the cryptographic primitive behind passkeys genuinely does what it says on the tin. The downside is that the attackers' cost-per-attempt is moving sideways, not down, and the defences on the new layer are five years behind.
What remains genuinely uncertain is whether the 4% figure from Bain generalises. Bain surveyed global respondents across industries; the thread context does not specify the sample size or the methodology in the snippets we read. A separate reading — that AI ROI is concentrated in a small minority of firms with the data infrastructure to absorb it — would soften the headline without contradicting the number. Either way, the structural implication for security buyers is the same: the AI-pitching vendor at the verification layer is selling a product whose payoff is not yet visible in the aggregate data, even as the attack surface that product is meant to protect is the one attackers are moving toward.
What this publication takes from the two wires together is a single picture: passkeys are doing their job, AI is not yet doing its, and the contested layer in 2026 is the human one between them.
Desk note: Monexus is treating the two 8 July wires — The Hacker News on passkey-era ATO migration and Unusual Whales's write-up of the Bain AI-ROI figure — as adjacent parts of the same shift in where attackers and budgets sit, rather than as two unrelated security and enterprise-tech stories.
Wire provenance
This editorial synthesis draws on the following public wire/social posts:
- https://t.me/thehackernews
- https://t.me/DailyNation
- https://www.nist.gov/itl/applied-cybersecurity/national-center-of-excellence/identity-and-access-management