TL;DR
- Identity security is strongest at login, but trust is established earlier — when identities are created, recovered, or updated
- Traditional factors (know, have, are) verify access to an account, not the human behind it
- As authentication has improved, attackers have shifted upstream into onboarding, recovery, and support workflows
- Biometrics and devices confirm consistency, but depend on who was enrolled at the start
- Adding “something you prove” helps ensure identities are tied to a real, verified human from the beginning
- Without that, even the strongest authentication controls can end up protecting the wrong identity
Identity security begins when a person’s identity is first created and enrolled in your systems. This early moment shapes every authentication decision that follows and plays a central role in workforce impersonation risk. Increasingly, it’s also where attackers focus.
For decades, identity security has followed a simple model built on three factors. These factors anchor authentication and help organizations reduce risk at the point of login.
They are:
- Something you know, such as a password or PIN
- Something you have, such as a device or security key
- Something you are, such as a biometric like a face scan or fingerprint
Over time, verification has improved as we added new security measures like MFA, passwordless methods and broader use of biometrics. These advances have made the login step much stronger by verifying access to an identity.
However, they don’t provide a complete picture of the human behind that identity. Knowing which account is acting isn’t the same as knowing which verified human is behind it.
How these three factors show up today
The three-factor model still frames how most organizations think about security. What has changed is how each factor behaves in a world of remote work, distributed teams, and AI-driven fraud.
Something you know is losing ground
Passwords and other knowledge-based checks are commonly used to help verify identity within organizations. But they are increasingly misaligned with modern attacks, because they are easy for bad actors to steal, reuse or guess. This places most of the burden on the user.
In many organizations, these checks are also becoming a drag on time and capacity. As deepfakes and AI-driven impersonation improve, security teams respond by tightening review, adding manual steps, or requiring certain changes to be handled in person. The intent is caution, but the effect is that high-friction, low-confidence checks consume hours of staff time without meaningfully reducing identity risk.
Something you have is moving to devices and keys
When it comes to “something you have,” organizations have largely moved away from one-time codes and shifted the focus to the devices themselves. Laptops that unlock with a fingerprint, phones that use face recognition, and hardware keys like YubiKeys now act as the primary proof that a user should be allowed in.
These devices are strong signals, but they only show that the device is present, not that the right person is using it. If the device becomes the main factor, the system is effectively trusting whoever is holding it at that moment.
The goal is not to distrust devices, but to anchor them to stronger proof of who they belong to, especially when a new identity is created, a role changes, or an account is recovered.
Something you are is getting smarter
Biometrics were introduced to bring identity closer to the person instead of the password or device. Face scans, fingerprints, and voice recognition are now built into the same devices people already use to work and log in.
As deepfakes and spoofing techniques improve, biometric systems are adapting. Many organizations now rely on liveness checks, stronger device binding, and tighter controls around how biometric templates are stored and used. These changes make it harder for attackers to replay a static image or synthetic recording and present it as a real user.
But like the other factors, biometrics still inherit whatever decision was made at the start. If the wrong person is verified and enrolled once, a very strong biometric check will faithfully recognize that same wrong person every time they return.
Why the landscape now needs something you prove
Each of these factors has become stronger at the point of login. MFA layers multiple signals. Passwordless reduces reliance on weak credentials. Devices and biometrics create high confidence that an authorized account is accessing the system.
But when all three factors work well together, attackers move upstream to where identities are created and recovered. They aim to establish themselves as legitimate workforce members before authentication controls ever come into play.
This is where an additional layer becomes important: something you prove, a way to require clear evidence that a real, legitimate human is behind an identity before it is trusted in your systems.
In practice, this can include:
- ID checks paired with liveness to confirm a real person is present
- Document scans that detect synthetic forgeries or reused fakes
- Risk-based proofing that scales up for remote hires, privileged roles, or unusual channels
These steps tie every credential, device signal, and biometric template back to a verified human. When authentication is strong, attackers don't fight it; they exploit where trust begins. Close that gap, and you ensure strong login controls protect the right identities, not just any identity that slipped through.
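The risk-based proofing described above can be expressed as a policy that decides, per lifecycle event, how much proof is needed before a device or biometric template is bound to an identity. The following is an added illustration, not code from the original post or any vendor product; the proof levels, role and channel names, and event kinds are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Proof(IntEnum):
    """Assurance that a real human was verified (constructed scale, not a standard)."""
    NONE = 0
    DOCUMENT = 1            # ID scan checked for synthetic forgeries / reused fakes
    DOCUMENT_LIVENESS = 2   # ID scan plus a liveness-checked face match
    IN_PERSON = 3           # verified by staff face to face

# Assumed role and channel classifications for this example.
PRIVILEGED_ROLES = {"admin", "finance", "it_helpdesk"}
NORMAL_CHANNELS = {"managed_device", "office_network"}

@dataclass
class Event:
    kind: str               # "create" | "recover" | "elevate"
    role: str
    channel: str            # e.g. "managed_device", "remote_web", "helpdesk_phone"
    remote_hire: bool = False

def required_proof(ev: Event) -> Proof:
    """Start every trust-creating moment at a document check and scale up with risk."""
    level = Proof.DOCUMENT
    # Remote hires and unusual channels raise the bar when an identity is created or re-established.
    if ev.kind in ("create", "recover") and (ev.remote_hire or ev.channel not in NORMAL_CHANNELS):
        level = Proof.DOCUMENT_LIVENESS
    # Privileged roles always need liveness; recovery or elevation over an unusual channel needs in-person proof.
    if ev.role in PRIVILEGED_ROLES:
        level = max(level, Proof.DOCUMENT_LIVENESS)
        if ev.kind in ("recover", "elevate") and ev.channel not in NORMAL_CHANNELS:
            level = Proof.IN_PERSON
    return level

@dataclass
class Identity:
    user: str
    proof: Proof = Proof.NONE
    factors: dict = field(default_factory=dict)   # factor id -> proof level it is anchored to

def enroll_factor(identity: Identity, factor_id: str, ev: Event, proof_obtained: Proof) -> bool:
    """Bind a device or biometric only if this event's proofing met the policy; record the anchor."""
    if proof_obtained < required_proof(ev):
        return False                               # refuse to enroll; the factor would inherit weak trust
    identity.factors[factor_id] = proof_obtained   # later logins can be traced back to this proof
    identity.proof = max(identity.proof, proof_obtained)
    return True
```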
Extending Identity Security
Identity security has evolved from passwords to a sophisticated stack of devices, biometrics, and continuous signals. These controls are highly effective at protecting access.
But when attackers can enter as trusted workforce members, no amount of login strength can compensate for weak proof of who is behind the identity.
Extending the model with something you prove helps close that gap.
This shift is already playing out in workforce impersonation attacks, which target the moments where identity is created, recovered, or elevated. When those moments rely on weak or inconsistent checks, even the strongest authentication stack — MFA, ZTNA, PAM — can end up protecting the wrong identity.
For many organizations, this raises a practical set of questions:
- How are identities verified when they are first created or re-established?
- Where do manual reviews add friction without improving confidence?
- What level of proof is required for different roles and risk levels?
Identity security starts where trust is created. Strong authentication protects accounts. Something you prove ensures those accounts belong to humans you chose to trust. Learn more about workforce impersonation across the employee lifecycle in our 2026 Workforce Impersonation Report.