60% of Cyberattacks Break Identity — Is Identity First a Bad Idea?

WinMagic CEO Thi Nguyen-Huu was recently featured in the March 2026 edition of Cyber Defense Magazine, challenging a foundational assumption in modern cybersecurity.  

For years, the industry has moved away from network perimeters toward identity-based security. Zero Trust architectures reinforce this shift by requiring identity verification before granting access. At the same time, identity attacks have become the dominant threat. Today, 60% of cyberattacks succeed by breaking identity. 

This reality raises an important question: Is Identity First a bad idea? The answer is no. Identity First remains the right direction. But the industry may have overlooked a more basic issue: Which identity? Identity itself was never clearly defined.

Most security systems verify the user, yet grant access to the device or session. When verification and access refer to different identity objects, the security model becomes inconsistent. This mismatch is one of the reasons identity-based attacks continue to succeed.

Over the years, the industry attempted to strengthen sessions by adding layers such as tokens, channel binding, and new standards designed to secure post-login access. These technologies improve individual steps, but they do not resolve the underlying architectural problem.

The article proposes a clearer way to think about identity in the online world.

In the article, Mr. Nguyen-Huu argues that digital identity must represent the full entity performing an action, not just the user. That entity includes three elements:

  • the actor performing the action
  • the platform where the action occurs
  • the conditions that keep the platform trusted

When identity is defined this way, the identity being verified is the same identity receiving access.

This also clarifies the role of the endpoint. Every online interaction begins on an endpoint, where these elements can be observed together. The endpoint can therefore uphold identity continuously as long as the required conditions remain valid.

In this model, Zero Trust becomes simpler to implement because identity assurance can remain accurate without repeated authentication prompts or additional user interaction.

Sometimes the simple answer is closer than we think.

The full article, “60% of Cyberattacks Are Identity Based — Is Identity First a Bad Idea?”, appears in the March 2026 edition of Cyber Defense Magazine (pages 259–265).

Previous Post
What Comes Next for Passkeys?
Next Post
How Should Businesses “Disable SSO” Without Destroying Productivity?
keyboard_arrow_up