The Old Playbook Is Dying
For years, account takeover (ATO) followed a predictable script. Attackers bought stolen credentials in bulk, ran them through automated tools, and waited for matches. Credential stuffing was cheap, scalable, and for defenders, relatively well understood.
That era is ending. Not because attackers gave up, but because the front door finally got harder to kick in.
Passkeys are now mainstream. Major platforms like Apple, Google, and Microsoft have rolled out passwordless authentication at scale. The old credential-stuffing attack — hammering login forms with reused passwords — no longer works against passkey-protected accounts. So attackers adapted.
Where the ATO Battleground Shifted
The new ATO battleground in 2026 is the verification step itself. Attackers realized that even if they can’t steal a passkey, they can still intercept or bypass the verification process — the SMS code, the email link, the push notification, or the biometric check. That’s where the real action is now.
This isn’t theoretical. In early 2025, a coordinated campaign targeted SIM swapping at three major US carriers, netting access to thousands of accounts protected by SMS-based two-factor authentication. The attackers didn’t break the passkey; they intercepted the verification code sent to the compromised phone number.
Why Verification Became the Weak Link
Passkeys eliminate password theft, but they don’t eliminate the verification step. Every authentication flow still needs to confirm the user is who they claim to be. That confirmation — the one-time code, the biometric scan, the device prompt — is now the primary target.
- SMS-based codes are vulnerable to SIM swapping and SS7 attacks.
- Email-based verification is only as strong as the email account’s security.
- Push notifications can be intercepted by malware on the device.
- Biometric checks are harder to bypass but not impossible with deepfake technology or stolen biometric data.
Each method has its own weaknesses. Attackers are now specializing in exploiting those specific cracks rather than trying to crack the passkey itself.
Real-World Examples of the New Attack Pattern
In late 2025, researchers at Kaspersky documented a phishing campaign that didn’t target passwords at all. Instead, it tricked users into approving a fraudulent push notification on their authenticator app. The attackers sent a fake login alert, the user approved it thinking it was legitimate, and the attacker gained access — bypassing the passkey entirely.
Another case: a financial services firm in London saw a spike in ATO attempts in Q1 2026. The attackers had obtained phone numbers through a data broker breach and were systematically requesting password resets. The verification code went to the attacker’s SIM, not the user’s. The passkey never came into play.
These aren’t isolated incidents. They represent a structural shift in the threat landscape. The ATO battleground has moved from the password field to the verification step.
What This Means for Defenders in 2026
Organizations that invested heavily in passkey adoption may feel a false sense of security. Passkeys are excellent at preventing credential stuffing, but they don’t protect the verification channel. Defenders need to rethink their authentication architecture with this new reality in mind.
Here are three practical steps to harden the verification step:
- Eliminate SMS-based verification where possible. Move to app-based authenticators or hardware security keys. SMS is convenient but increasingly risky.
- Add behavioral signals to the verification flow. Check for unusual device fingerprints, location anomalies, or time-of-day mismatches before sending a verification code. If something feels off, require a second verification method.
- Implement step-up authentication for sensitive actions. A simple verification code might be fine for logging into a news site, but changing a password or initiating a money transfer should require a separate, stronger verification.
The verification step is the new front line. Treat it that way.
The Bigger Picture: Authentication in 2026
Passkeys solved one problem — password theft — but created a new one: the verification step became the single point of failure. Attackers follow the path of least resistance. When the front door gets harder, they check the side windows.
This doesn’t mean passkeys were a mistake. Far from it. They’ve eliminated the most common and cheapest attack vector. But cybersecurity is a game of whack-a-mole. Close one hole, and attackers find another.
The verification step is that next hole. It’s the ATO battleground in 2026, and defenders who ignore it will find themselves playing catch-up. The passkey era is here. The verification era is just beginning.