Authentication Modernisation: Closing the Gap Between Control and Risk

By Josh Neame, CTO, BlueFort Security 

Authentication has quietly become one of the most critical control points in modern public sector security. It’s also one of the most frequently bypassed. 

Access to systems is no longer confined to a fixed network perimeter. Users connect from multiple locations, across devices, and often through third-party services. In this environment, identity has effectively become the new control plane – the point at which trust is established and access is granted.

Yet while access models have evolved, the way organisations establish that trust has not always kept pace. We have modernised how users connect to systems, but not always how we verify who – or what – is connecting. 

The Primary Attack Vector Has Shifted

The drive for digital transformation has created a gap that has become one of the most actively exploited areas in modern cyber attacks. Rather than attempting to breach hardened infrastructure, attackers focus on obtaining valid credentials and using them to access systems in a way that appears legitimate. Cyber attacks are increasingly identity-driven and, in many cases, no ‘break-in’ is required.

Industry research consistently highlights this shift. Year after year, the Data Breach Investigations Report (DBIR) published by Verizon continues to show that the use of stolen credentials is the most common initial access vector in successful breaches. In the 2025 DBIR, credential abuse was, yet again, the leading known initial attack vector, ahead of exploitation of vulnerabilities and phishing. Similarly, Microsoft’s Digital Defense Report 2025 found that identity-based attacks rose by 32% in the first half of 2025.

The pattern is clear: attackers are no longer breaking in, they’re logging in.

Why Passwords and Legacy MFA Are No Longer Enough

The UK’s National Cyber Security Centre (NCSC) has been issuing guidance to UK businesses for some years now emphasising the importance of going ‘beyond passwords’ and protecting accounts and identities as a primary defence against compromise. For many organisations, the response to this shift has been the adoption of multi-factor authentication (MFA). This is an important and necessary control, and its widespread deployment has significantly improved baseline security.

However, it’s clear that passwords and legacy MFA alone are no longer sufficient. Passwords remain inherently vulnerable to phishing, reuse, and credential stuffing attacks. More importantly, attackers have adapted to MFA itself. Techniques such as MFA fatigue – where users are bombarded with authentication prompts until one is approved – and adversary-in-the-middle attacks, which intercept authentication flows in real time, are now widely used. The result is that organisations can meet policy compliance requirements for MFA and still be vulnerable to compromise.  

These limitations mean there is a growing need for phishing-resistant authentication methods. As ever, the ‘Whac-A-Mole’ nature of cybersecurity means that once a control is in place, the risk will evolve around it.
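The MFA fatigue pattern described above (a burst of push prompts ending in an approval) is visible in identity-provider logs before the attacker does anything else with the account. The following is an added detection example written for this article, not BlueFort code or any vendor's rule. The log format is constructed and simplified (timestamp, user, event, source IP); real Entra ID, Okta or Duo logs use different field names, so `parse_log()` is the part to adapt. The threshold and window are illustrative assumptions.

```python
"""Flag MFA push-bombing (MFA fatigue) in authentication logs.

Added example; not the article's or BlueFort's code. Constructed line format:
<timestamp> <user> <event> <source ip>, where event is one of push_sent,
push_denied, push_timeout or push_approved.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: alice receives five pushes in under a minute and
# approves the last one; bob is a normal single-prompt login.
SAMPLE_LOG = """\
2025-03-04T08:00:01Z alice push_sent 203.0.113.10
2025-03-04T08:00:09Z alice push_denied 203.0.113.10
2025-03-04T08:00:15Z alice push_sent 203.0.113.10
2025-03-04T08:00:20Z alice push_denied 203.0.113.10
2025-03-04T08:00:31Z alice push_sent 203.0.113.10
2025-03-04T08:00:44Z alice push_timeout 203.0.113.10
2025-03-04T08:00:50Z alice push_sent 203.0.113.10
2025-03-04T08:00:58Z alice push_sent 203.0.113.10
2025-03-04T08:01:12Z alice push_approved 203.0.113.10
2025-03-04T08:05:00Z bob push_sent 198.51.100.7
2025-03-04T08:05:06Z bob push_approved 198.51.100.7
"""


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    src_ip: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed line format into Event records, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, src_ip = line.split()
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, kind, src_ip))
    return sorted(events, key=lambda e: e.ts)


def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=10)):
    """Return one alert per user who receives >= threshold pushes inside window.

    A burst alone is 'medium' (a confused user or a broken client can cause it).
    If a push is approved while the burst is still active the alert becomes
    'high': the user may have accepted a prompt they never initiated, which is
    exactly the outcome the attacker is waiting for.
    """
    recent = defaultdict(deque)   # user -> push_sent timestamps inside window
    denials = defaultdict(int)    # user -> denied or timed-out prompts so far
    alerts = {}                   # user -> alert dict
    for e in events:
        q = recent[e.user]
        while q and e.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if e.kind == "push_sent":
            q.append(e.ts)
            if len(q) >= threshold:
                a = alerts.setdefault(e.user, {
                    "user": e.user, "first_push": q[0], "pushes": 0,
                    "denials": 0, "severity": "medium",
                    "approved_during_burst": None, "source_ips": set(),
                })
                a["pushes"] = max(a["pushes"], len(q))
                a["denials"] = denials[e.user]
                a["source_ips"].add(e.src_ip)
        elif e.kind in ("push_denied", "push_timeout"):
            denials[e.user] += 1
        elif e.kind == "push_approved" and e.user in alerts and len(q) >= threshold:
            alerts[e.user]["severity"] = "high"
            alerts[e.user]["approved_during_burst"] = e.ts
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

The useful triage signal is the 'high' case: an approval that lands inside a burst of prompts the user was denying or ignoring. Tune the threshold against your own baseline of legitimate repeated prompts (flaky mobile connectivity produces bursts too) and pair the alert with number-matching or a move to phishing-resistant methods so that a tired tap cannot complete the login in the first place.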

Security, Productivity and the Human Factor

For public sector organisations, addressing this is a nuanced task. When I speak with public sector IT leaders, the challenge is rarely about recognising the need for stronger authentication, but how to implement it without disrupting critical services or introducing unnecessary friction for users. Whether in the NHS, local government or central departments, access to systems must remain fast, reliable, and scalable.

Every additional authentication step, prompt or restriction has the potential to impact productivity. In high-pressure environments – such as clinical settings or frontline services – even small delays can have meaningful consequences. At the same time, user behaviour is a critical factor. Social engineering attacks continue to exploit trust, urgency, and familiarity, and even well-implemented controls can be undermined by a single approval or interaction.

This creates a persistent balancing act: strengthening identity security while preserving usability. 

Beyond the Login: An Expanding Attack Surface

Compounding the challenge is the fact that authentication risk no longer begins and ends at login. Modern environments include a growing number of identities beyond traditional users – service accounts, APIs and machine-to-machine interactions, collectively known as non-human identities.

What’s more, once a user is authenticated, access is often maintained through session tokens that can themselves become targets for attackers. This creates an expanded attack surface that is not always fully covered by traditional MFA controls.

The increasing use of token theft and session hijacking techniques, allowing attackers to bypass authentication entirely once initial access has been achieved, is further evidence that securing the login event alone is no longer enough. Trust must extend beyond initial authentication and be continuously validated.

Authentication Modernisation and the Limits of Compliance

For many UK public sector organisations, frameworks such as the NCSC’s Cyber Assessment Framework (CAF) provide a structured approach to improving cyber resilience. CAF includes specific expectations around identity and access control, including the use of MFA to protect access to systems and data. This represents an important baseline and a necessary step toward improving security posture.

However, as threat techniques evolve, it is becoming clear that baseline compliance does not always equate to effective risk reduction. MFA is referenced specifically in CAF – which is a positive step forward – but while it is a critical control, as we’ve seen above, it does not address the full range of modern identity-based attacks. It does not inherently provide phishing resistance, protect against token compromise, or solve the broader challenge of securing all identities across complex environments. CAF defines what good looks like at a control level – but doesn’t fully account for how those controls are being bypassed in practice.

Authentication modernisation, therefore, is not about replacing one control with another. It is about rethinking how trust is established and maintained. This includes exploring approaches such as phishing-resistant authentication methods, device-based trust, and risk-based access decisions that consider context as well as identity. It also means extending protection beyond users to encompass service accounts and other non-human identities.
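To make the two ideas above concrete (trust continuously validated after login, and access decisions that weigh device and context alongside identity), here is an added example of a small per-request policy check. It is written for this article and is not BlueFort's code or any identity provider's policy engine. It assumes the platform can report, for each request, a stable device identifier, the source IP and its country, and the method used at login; the `device_id` binding stands in for whatever proof-of-possession or device-bound token mechanism your platform actually offers, and the thresholds are illustrative.

```python
"""Continuous, context-aware validation of an already-authenticated session.

Added example; not the article's, BlueFort's or any IdP's code. The device
binding, time windows and sensitivity labels are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # require fresh phishing-resistant re-authentication
    DENY = "deny"         # revoke the session; the token is no longer trusted


# Methods an adversary-in-the-middle proxy cannot replay: the credential is
# cryptographically bound to the origin it was registered with.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}

T0 = datetime(2025, 3, 4, 9, 0)   # constructed reference time for the demo


def at(minutes: int) -> datetime:
    """Convenience: a timestamp `minutes` after T0."""
    return T0 + timedelta(minutes=minutes)


@dataclass
class Session:
    user: str
    auth_method: str        # method used at login, e.g. "push" or "fido2"
    device_id: str          # device the token was issued to
    managed_device: bool    # device passed management/attestation checks
    issued_at: datetime
    last_ip: str
    last_country: str
    last_seen: datetime


@dataclass
class Request:
    device_id: str
    ip: str
    country: str
    at: datetime
    sensitivity: str        # "low" or "high" (e.g. exporting patient records)


def evaluate(session: Session, req: Request,
             max_age: timedelta = timedelta(hours=8),
             travel_window: timedelta = timedelta(hours=1)):
    """Re-decide trust on every request rather than only at login.

    Returns (Decision, reasons). Hard failures deny outright; softer signals
    accumulate into a step-up requirement. On ALLOW the session's last-seen
    context is updated so the next request is judged against it.
    """
    # Token presented from a device other than the one it was issued to:
    # the classic symptom of a stolen session cookie or refresh token.
    if req.device_id != session.device_id:
        return Decision.DENY, ["token used from a different device"]
    # Country changed faster than a person could travel.
    if (req.country != session.last_country
            and req.at - session.last_seen < travel_window):
        return Decision.DENY, ["impossible travel"]

    reasons = []
    if req.at - session.issued_at > max_age:
        reasons.append("session older than max age")
    if req.ip != session.last_ip:
        reasons.append("network changed since last request")
    if req.sensitivity == "high":
        if session.auth_method not in PHISHING_RESISTANT:
            reasons.append("sensitive action needs phishing-resistant auth")
        if not session.managed_device:
            reasons.append("sensitive action needs a managed device")
    if reasons:
        return Decision.STEP_UP, reasons

    session.last_ip, session.last_country, session.last_seen = req.ip, req.country, req.at
    return Decision.ALLOW, []


if __name__ == "__main__":
    s = Session("alice", "push", "dev-A", False, at(0), "203.0.113.10", "GB", at(0))
    print(evaluate(s, Request("dev-A", "203.0.113.10", "GB", at(5), "low")))
    print(evaluate(s, Request("dev-B", "203.0.113.10", "GB", at(6), "low")))
    print(evaluate(s, Request("dev-A", "203.0.113.10", "GB", at(40), "high")))
```

The point of the structure is that a valid token is necessary but not sufficient: the same session that is allowed for a routine request is denied when replayed from another device, and is asked to step up (rather than silently allowed) when a sensitive action is attempted from a push-based login on an unmanaged device. The checks reuse signals most identity platforms already emit, which is what building on existing investment looks like in practice.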

Importantly, this shift does not necessarily require wholesale platform replacement. In many cases, it is about building on existing investments in a way that better reflects how attacks actually occur.

Closing the Gap Between Control and Risk

Public sector organisations have made significant progress in strengthening authentication. Password policies have improved, MFA adoption has increased, and identity is firmly recognised as a critical component of security strategy. But there is still a gap – and with identity-based attacks still on the rise, this gap needs addressing quickly.

The controls that organisations rely on are often designed around how authentication is expected to work, not how it is actively being bypassed. Attackers, meanwhile, continue to evolve and adapt, exploiting weaknesses in trust models rather than technical vulnerabilities.

The question is no longer whether authentication is in place, but whether it reflects how attacks actually occur. Closing this gap is not about compliance, it’s about genuine risk reduction.

Tech Talk Tuesday

Join me for my next Tech Talk Tuesday ‘Authentication Modernisation: Reducing Risk Beyond Passwords’ where I’ll explore this topic in more detail. 

I’ll look at what authentication modernisation really means, why identity has become the primary attack vector, and how modern authentication approaches address today’s threats. Importantly, we’ll also look at what practical steps you can take today to modernise your organisation’s authentication without adding complexity or cost.
