From 2025 to 2026: Identity Security Insights and Priorities


In 2025, no industry was immune to cyberattack disruption. Threat actors became more sophisticated, supply-chain compromises increased in scale, and the impact of identity security breaches became far more visible beyond the IT department. As we move into 2026, identity is becoming the foundation of cybersecurity strategy and a core element of resilience. Specops’ recent live roundtable examined the identity and password security trends that shaped 2025, and the priorities organizations must focus on in the year ahead.

The roundtable was led by Darren James, Senior Product Manager at Specops, and the panelists included:

Below are some of the biggest identity security challenges for 2026 covered during the roundtable, which you can now watch on demand.

Boards are realising why identity and access management is important

The Marks and Spencer (M&S) service desk attack disrupted operations nationwide and caused statutory pre-tax profits for the first half of the year to fall 99%, from £391.9 million to £3.4 million. The M&S breach was just one of many high-profile attacks in 2025 that forced senior leaders across industries to confront a critical question: "What will happen to us if we're attacked?"

Identity security is now being seen as an organization-wide risk. While leadership is increasingly receptive, security teams still face the challenge of translating technical threats into clear operational impact that the board can act on. Company-wide buy-in is essential to implementing the changes needed to strengthen cyber resilience.

Third-party risk is now one of the biggest identity threats

Over the past several years, attacks targeting supply chains and third-party vendors have increased steadily, a trend that has continued into 2025. Threat actors are increasingly focusing on suppliers as an indirect route into larger organizations, exploiting gaps in security oversight and the implicit trust many enterprises place in their partners. These attacks often succeed because third-party environments are subject to less rigorous verification, making them an attractive entry point. Common attack vectors include:

  • Compromised software updates delivered through trusted vendors.
  • Exploited vulnerabilities in widely deployed systems such as on-premises SharePoint.
  • Cloud misconfigurations stemming from skills gaps or hasty migrations.
  • Business email compromise involving credential theft or session hijacking.

Vendor security can no longer be taken for granted. As part of vendor security assessments, security teams should ask a consistent and well-defined set of questions to understand the level of risk each third-party relationship introduces. Here are some of the questions our panelists recommended:

  • How does the vendor independently verify its security controls?
  • When was the last third-party audit or penetration test, and who performed it?
  • Does the vendor rotate testing firms to avoid repeated blind spots?
  • Is customer data segregated or commingled with other clients’ data?
  • Can the vendor provide evidence of compliance with standards such as ISO 27001?

‘It’s this open dialogue and relationship-building you have to do with suppliers, because it’s a two-way relationship […] It’s not just about bringing something in and hoping it works, it’s about understanding exactly how things work before you implement.’

Nasser Arif, Cybersecurity Manager for London North West University Healthcare (LNWUH) NHS Trust, commenting on this approach

Regulations tightened for industries handling personal data

Recent regulatory updates across multiple regions are reinforcing the need for stronger authentication controls and more structured oversight of third-party suppliers. Frameworks such as the NIST Cybersecurity Framework, HITRUST, the NHS DSPT and the NCSC Cyber Assessment Framework are all raising expectations around identity security and vendor governance. While some regulations remain principles-based and allow flexibility in how controls are implemented, others are becoming increasingly prescriptive, particularly in highly regulated sectors such as healthcare.

For example, in the UK, the NHS recently updated its Data Security and Protection Toolkit (DSPT) compliance guidelines to add more refined evidence requirements and strengthen areas such as governance, risk management, asset registers, and supplier contracts. This included mandatory multi-factor authentication (MFA) for access to critical systems and tighter requirements around supplier security.

Regulations rarely remain static, requiring organizations to put measures in place that allow them to adapt as new compliance requirements emerge. This necessitates continuous monitoring and clear visibility across the attack surface, combined with forward planning to identify and remediate security gaps before they result in compliance shortfalls.

Passwordless authentication presents new opportunities and challenges

By 2025, meaningful progress had been made toward passwordless authentication. Passkeys gained broader platform support, biometric security continued to mature, and more organizations began exploring device-based trust models. These developments point to a future where reliance on traditional passwords may be reduced. However, optimism around passwordless adoption must be balanced with realism about current limitations and operational readiness.

MFA remains one of the most effective defenses against credential-based attacks, yet deploying it at scale is rarely straightforward. Throughout 2025, many organizations found that successful MFA implementation depended as much on human and operational factors as on the underlying technology, particularly when balancing security requirements against usability and adoption.

Common challenges in deploying consistent universal MFA across an organization include:

  • Staff without corporate mobile phones.
  • Reluctance to install work apps on personal devices.
  • Clinical or high-security environments where phones are prohibited.
  • Safety concerns around physical tokens.
  • Shared workstations that limit biometric use.
  • Legacy systems unable to support modern MFA.

Flexibility through the use of multiple MFA options is therefore essential, allowing organizations to accommodate different roles, risk levels, and working patterns. Equally important is encouraging users to adopt new behaviors without perceiving MFA as an added burden. Many employees already use MFA in their personal lives, such as for online banking or email, and reinforcing this familiarity can help position secure authentication as a natural extension of existing habits that protect both personal information and organizational data.

While MFA is a critical component of identity security, not all authentication factors reliably confirm that the person behind the keyboard, Teams call, or phone is who they claim to be. Email- and SMS-based factors can be intercepted, and push-based authentication is vulnerable to fatigue attacks, where repeated prompts lead to a single mistaken approval. In these scenarios, it only takes one error for an attacker to gain access, highlighting the limits of relying on MFA alone without considering factor strength and context.
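The push-fatigue pattern described above leaves a recognisable trace in authentication logs: a burst of denied or unanswered push prompts for one account, followed shortly by a single approval. The following detection logic is an added example written for this article, not code from the roundtable or from Specops tooling. The log format (timestamp, user, result), the ten-minute window and the threshold of three rejections are assumptions; the sample log lines are constructed.

```python
"""Flag MFA push-fatigue patterns in authentication logs.

Added example (not Specops or roundtable code). The log format below is a
hypothetical "timestamp user result" line; real identity providers export
richer records, but the same sliding-window logic applies to them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data). "denied" and "timeout" mean the
# user did not approve the push; "approved" means a push was accepted.
SAMPLE_LOG = """\
2025-11-03T02:14:05Z alice denied
2025-11-03T02:14:41Z alice denied
2025-11-03T02:15:12Z alice timeout
2025-11-03T02:15:50Z alice denied
2025-11-03T02:16:20Z alice approved
2025-11-03T09:01:00Z bob denied
2025-11-03T09:01:45Z bob approved
2025-11-03T11:30:00Z carol denied
2025-11-03T17:30:00Z carol denied
2025-11-03T17:31:00Z carol approved
"""

REJECTIONS = ("denied", "timeout")


def parse_events(text):
    """Parse lines of the assumed format into (datetime, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Return {user: approval_time} for every approval that was preceded by at
    least `min_rejections` denied or timed-out pushes within `window`.

    A single denied prompt before an approval is normal user behaviour; a
    cluster of rejections followed by one approval is the fatigue signature.
    """
    by_user = defaultdict(list)
    for ts, user, result in sorted(events):
        by_user[user].append((ts, result))

    flagged = {}
    for user, seq in by_user.items():
        for i, (ts, result) in enumerate(seq):
            if result != "approved":
                continue
            recent_rejections = sum(
                1 for t, r in seq[:i] if r in REJECTIONS and ts - t <= window
            )
            if recent_rejections >= min_rejections:
                flagged[user] = ts
    return flagged


if __name__ == "__main__":
    for user, when in detect_push_fatigue(parse_events(SAMPLE_LOG)).items():
        print(f"possible push fatigue: {user} approved at {when.isoformat()}Z")
```

In the sample data only alice is flagged: bob rejected once before approving, and carol's two denials are six hours apart, so only one falls inside the window. Lowering `min_rejections` to 1 flags all three, which illustrates why the threshold and window must be tuned to an organisation's own baseline before the alert is wired to an automated response such as a session revoke or a service-desk callback.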

Will the password become redundant in 2026?

In 2025, biometrics and identity-based verification methods became more widely adopted as stronger ways to confirm the presence of a real individual, while zero trust and device identity approaches placed greater emphasis on validating not only who is authenticating, but also the device being used. Conditional access and zero trust architectures can significantly reduce risk when implemented well, but they require ongoing management rather than one-time deployment. User experience remains critical, as authentication that feels slow or intrusive encourages workarounds that ultimately undermine security.

Despite these advances, passwords are unlikely to disappear in the near term. Practical constraints such as shared device environments, including fast-paced hospital settings, and continued reliance on legacy applications limit how quickly passwordless approaches can be adopted. Rather than a clean replacement, 2026 is more likely to reflect a gradual transition, with organizations reducing reliance on passwords by introducing passkeys for selected user groups while reinforcing password policies and authentication controls for systems that cannot yet support passwordless models.

Cybersecurity culture plays a key role in tackling sophisticated attacks

As attacks become more sophisticated, the oldest defensive measure, user training, is becoming increasingly important rather than less. Threat groups such as Scattered Spider have drawn attention for their use of advanced social engineering techniques, particularly in targeting service desks to bypass technical controls. At the same time, AI is lowering the barrier to entry for large-scale phishing and vishing campaigns, enabling attackers to generate convincing emails and increasingly realistic voice, and in some cases video, impersonations.

Preventing these attacks requires more than technical safeguards alone. Organizations need to foster a strong cybersecurity culture supported by regular, practical training that reflects real-world attack scenarios. Training that uses concrete examples helps staff recognize social engineering tactics and understand how seemingly routine interactions can be exploited. It also reinforces the broader impact of these attacks, which can extend beyond financial and reputational harm. A 2024 ransomware attack that disrupted NHS blood services at London hospitals and GP surgeries was later confirmed to have contributed to the death of a patient, underscoring the real-world consequences of security failures.

How Specops supports robust identity security

Building a compliant and resilient identity security posture in 2026 doesn't need to be complex. Specops helps organizations reduce identity risk by strengthening authentication controls for passwords and devices, the points where attacks most often begin. Specops Password Policy allows businesses to set and enforce custom password policies across on-premises and hybrid environments, while continuously checking passwords against a database of more than 5.5 billion known breached credentials. This prevents users from choosing passwords already being used in real-world attacks and significantly reduces the risk of account compromise.

For organizations that want a quick view of their current password exposure, Specops Password Auditor offers a free assessment that highlights vulnerabilities and presents the results in a clear, easy-to-understand report. Together, these tools help security teams understand their risk, take practical action, and build stronger identity and password security as part of a broader cybersecurity strategy. To learn more, contact Specops or explore additional insights on the Specops blog.

Last updated on February 5, 2026

Written by

Dominique Adams

Dominique Adams is a UK-based cybersecurity writer with over seven years of experience in the cybersecurity industry. Her work focuses on cyber risk, threat trends, security operations, and helping organizations understand complex security challenges.
